[HN Gopher] Why might you run your own DNS server?
___________________________________________________________________
Why might you run your own DNS server?
Author : 0xedb
Score : 162 points
Date : 2022-01-05 18:14 UTC (4 hours ago)
(HTM) web link (jvns.ca)
(TXT) w3m dump (jvns.ca)
| NKosmatos wrote:
| Silly question coming from someone not very experienced with DNS
| servers/resolvers, is there a way to download/cache/resolve all
| country specific domains (ccTLDs)? I know there are many sites
| that sell zone files, like https://zonefiles.io, but aren't the
| DNS records supposed to be something freely available?
| elliottinvent wrote:
| You can download zone files for lots of gTLDs using ICANN's
| Centralized Zone Data Service [0].
|
| For ccTLDs there's no centralised system and availability
| depends on the country registry. For example, Nominet make the
| UK zone file and others available for UK registrars for a fee I
| think.
|
| Another approach is to buy WHOIS files from providers like
| Whoxy [1], the registrant data shouldn't be used because of
| GDPR and other restrictions but as a domain list it can be
| useful.
|
| I've done a fair bit in this area so if anyone wants any help
| feel free to send an email - details in profile.
|
| 0. https://czds.icann.org/home
| 1. https://www.whoxy.com
| elliottinvent wrote:
| If anyone has any feedback on using zonefiles.io I'd be
| interested to hear it
| AndyMcConachie wrote:
| What precisely are you interested in?
|
| If you just want the NS records and glue for all the ccTLDs
| they're in the root zone.
|
| https://www.internic.net/domain/root.zone
|
| If you want the complete zone files from every ccTLD that is a
| much bigger ask. I'm not sure but I imagine you would have to
| look into each ccTLD and find out if they're available.
| sybercecurity wrote:
| Not expressly mentioned in the "user interface" bit: not all
| hosting services allow all possible RRTypes and you may want to
| deploy uncommon or newly specified RRTypes like TLSA or the
| possibly-soon-to-be-specified SVCB and HTTPS RRTypes.
| fareesh wrote:
| Hypothetically if some scary evil person were to register a
| domain with some accredited registrar - say GoDaddy or Tucows -
| could they arbitrarily seize it for "content policy" reasons?
| Like "your site has Dave Chapelle jokes which we don't like" so
| we took your domain.
|
| Or do they stand to lose something in a major way if they do
| this?
| Diederich wrote:
| The main reason I run my own name server is to support IP over
| DNS tunneling. Having direct and easy control over the normal
| records it serves is also nice.
| brian_cunnie wrote:
| Another reason you might want to run your own BIND server is to
| enable reverse-lookups for your internal machines. On my home
| network, a reverse-lookup for 10.0.9.30 resolves to tara.nono.io
| (i.e. `dig 30.9.0.10.in-addr.arpa ptr` - tara.nono.io.)
| Ologn wrote:
| I started running DNS servers 25 years ago so it doesn't take
| much mental effort for me. It is easy for me to do, and I have
| full control over it. I can do it in my sleep.
|
| The biggest effort for me was about 24 years ago, when BIND 8
| replaced BIND 4.
|
| Probably the last thing I had to learn was putting AAAA records
| in (easy enough) and putting SPF records (yes, I run my own
| personal postfix as well).
| bullen wrote:
| I don't agree that it's decentralized, it tries to be but it's
| really distributed with a few root servers with a few people that
| have keys to them.
|
| Eventually there will be a decentralized name system for probably
| a decentralized P2P radio system, and I'm trying to build that:
| http://radiomesh.org
|
| But it's proving more tricky than I could have ever dreamed,
| right now I have scrapped 433MHz LoRa on Raspberry Zero and I'm
| moving to 169MHz plain radio on Raspberry Pico.
|
| As for running your own it's very easy with these simplified
| lines of Java and dns4j (excluding port 53 UDP stuff):
|
|     import java.net.InetAddress;
|     import org.xbill.DNS.*;
|
|     // Parse the raw UDP payload as a DNS message and pull out the question
|     Message query = new Message(data);
|     Header header = query.getHeader();
|     Record question = query.getQuestion();
|     // The response reuses the query's transaction ID and echoes the question
|     Message response = new Message(query.getHeader().getID());
|     response.getHeader().setFlag(Flags.QR);
|     response.addRecord(question, Section.QUESTION);
|     Name name = question.getName();
|     int type = question.getType();
|     int dclass = question.getDClass();
|     String host = name.toString(true).toLowerCase();
|     ...
|     // ARecord takes an InetAddress, not a string; TTL is 300 seconds
|     response.addRecord(new ARecord(name, dclass, 300,
|                                    InetAddress.getByName("someIP")),
|                        Section.ANSWER);
|     ...
|     // AA: this server is authoritative for the name
|     response.getHeader().setFlag(Flags.AA);
|     return response.toWire(512);
|
| Everyone should run their own DNS on the same process as their
| HTTP and SMTP servers... because without DNS nothing exists.
|
| There are few things more frustrating than having your DNS
| provider be down for hours without recourse!
| sumtechguy wrote:
| In a decentralized system how are you handling the bad actor
| problem? Such as 2 entities claiming they own a namespace?
| bullen wrote:
| Well it will probably be some sort of hashing on the old
| fiber internet but at a fixed very low energy rate per
| message, and a bit higher energy rate for names (in a first
| come, first served manner with some sort of public/private
| key signed distributed database, just trying to not use the
| b-word here and with spam protection I haven't chosen yet)
| so far I'm concentrating on the hardware and radio hopping
| protocol to make sure it could scale at all, that combined
| with reputation: because the system is relaying your
| messages, you can be increasingly punished as you misbehave;
| which makes it hard to abuse productively. But as with all
| radio you will be able to disturb locally, if you have a
| better suggestion I'm all ears.
| sumtechguy wrote:
| Ah ok. I was trying to figure out how you would fix say
| abc.xyz is announced by someone name squatting. Then the
| real abc.xyz comes along and says 'hey wait'. First come
| first serve fixes someone else coming along and stealing
| but not squatting. In all of the systems I come up with I
| always end up with some sort of central trusted
| authority/machine saying 'this is ok, that is not'.
| bullen wrote:
| Yes, but good point about the squatting, I know it's
| going to be a problem, eventually solved by the "market"
| but I would like something a bit leaner... thanks for
| stirring my noodles.
|
| Maybe a penalty for unused names with time, but that will
| just drive paid spam and energy "waste"... time solves
| everything, I'm sure a better solution will crop up
| eventually, it's not like I will be done next week!
|
| Unfortunately for us, everything is a pyramid scheme, you
| just have to make an as stable/fair pyramid as you can!
| dboreham wrote:
| I don't think you can do better than: you have to pay to
| rent in the namespace. This allows first-come first-
| served, and squatters, but they have to pay. Since the
| namespace is new, in theory there's no benefit to
| squatting because no particular name has any value yet.
|
| Of course often there's a desire to mirror some existing
| namespace (e.g. DNS, trademarks) where there is value in
| the name already. In that case the best you can do is to
| build some oracle mechanism that consumes proofs of
| namespace ownership. Similar to how LE/Acme works, but
| used to drive an oracle.
| m3047 wrote:
| Hi.
|
| The root servers use anycast, so you can figure there are
| "several" nameservers with the same address scattered around
| the 'tubes, and distinguished by the routes announced in
| different places.
|
| There are and have been alternate roots since the beginnings of
| internet time, notwithstanding Mockapetris' opinion that people
| who advertise false root should be shot.
|
| Writing a decent recursive nameserver is nontrivial, I've
| written several for specific purposes but generally I use BIND.
|
| I concur that running a recursive server for your SMTP server
| is best practice because network intelligence is oftentimes
| utilized for spam / malware mitigation. I'm unclear why you
| need it for e.g. HTTP.
|
| > few root servers with a few people that have keys to them
|
| Well, kind of. As said, there are quite a few root servers
| although the control is in the hands of relatively few. Maybe
| you realize this, maybe you don't but yes there are keys for
| DNSSEC. I'm not sure exactly how it works, but several people
| have to cooperate to sign the root zone. They have key signing
| ceremonies which are televised online. During COVID I watched
| them drill a lockbox, because one of the keyholders couldn't
| make it to the ceremony; fun times.
| bullen wrote:
| I don't like anycast because I think it requires BGP and
| backbone access or similar expensive stuff. DNS should have
| had regions in the main protocol so that people in EU don't
| use a DNS server in Asia f.ex. But it's too late for that
| now.
|
| I might use geolocation on my DNS replies, and unfortunately
| here is the 2nd flaw of DNS, the replies should follow the
| sent order, because as the protocol works now you either get
| round-robin redundancy or direct your users to the hopefully
| correct continent, you can't have both!
|
| As for my brute force workaround: I use IPs for connecting as
| often as I can, and the hostname is just for virtual hosting
| to work.
|
| So all my applications have euro., asia. and iowa. prefixes
| and when outside of a browser I can "hardcode" the IPs so
| that extra second of lookup never hits my users.
|
| Of course that requires fixed IPs and open port 53 which is
| something every home fiber owner should ask for to distribute
| the internet again!
| toast0 wrote:
| Most recursive resolvers try to figure out which
| authoritative server for a domain responds fastest and use
| that one. If you've got enough DNS requests and enough DNS
| servers, it kind of works out ok without anycast. Although,
| I've been told that 4 authoritatives is the optimal number,
| which is limiting (you _can_ do more of course, but a
| random internet user recalls but can't find a writeup
| suggesting more wasn't great in some semi-failure cases,
| and you can cargocult top X domains which seem to do 4 for
| the most part)
|
| Advanced protocols may be able to use SRV records to
| distribute further traffic, but web browsers can't, so kind
| of stuck for them.
| peanut-walrus wrote:
| I have lately started to call dns "a global distributed
| database", rather than decentralized. Decentralized implies some
| properties that the dns system most definitely does not have.
| acdha wrote:
| This seems like redefining the term: DNS is fully decentralized
| in normal operation -- the hierarchy has fewer parties
| involved, but no one entity owns the entire data set the way
| you'd have in most distributed databases.
| peanut-walrus wrote:
| In normal operation - true. However, from a technical
| perspective, any zone operator above yours has the capability
| to take over your domain(s). While I agree that the root zone
| operators abusing this power is highly unlikely, for TLD
| operators under some legal/government pressure this can be
| quite likely. In fact, domain name seizure is quite a common
| procedure around the world.
| acdha wrote:
| > However, from a technical perspective, any zone operator
| above yours has the capability to take over your domain(s).
|
| That doesn't mean it's not decentralized. If the .kz
| operator has a heavy hand, it affects people in their legal
| jurisdiction but not anyone else, and that's true of
| everything else as well. A system which doesn't allow
| enforcement of legal requirements will be blocked, and this
| isn't a technical problem with a technical solution no
| matter what the blockchain salespeople say.
| eatonphil wrote:
| Another interesting way subdomains leak is through TLS cert
| registration. I.e. you can plug a domain into this search [0] and
| find subdomains that have public TLS certs.
|
| I just noticed a full blog post on this topic is also on the
| front of HN right now. [1]
|
| [0]
| https://transparencyreport.google.com/https/certificates?hl=...
|
| [1] https://shkspr.mobi/blog/2022/01/should-you-use-lets-
| encrypt...
| HellsMaddy wrote:
| Tangentially related: I've wondered what would happen if you
| purchased a domain name that had previously been owned by
| someone else and they had obtained a TLS certificate from a CA
| with an expiration date beyond when your ownership began. This
| seems like a good tool to find such a certificate, but if you
| found one what would you do? Would the holder of the
| certificate be able to MITM or otherwise impersonate you? Would
| there be a way to revoke the certificate (I'm guessing you
| could contact the CA that issued it?)? Do CAs automatically
| revoke certificates when domain ownership changes?
| iancarroll wrote:
| There's been some research on this! https://insecure.design/
| Rygian wrote:
| How would you retrieve the private key for that certificate?
| HellsMaddy wrote:
| You wouldn't. But the CA that issued the certificate could
| still revoke it, correct? E.g.
| https://letsencrypt.org/docs/revoking/#using-a-different-
| aut...
| remram wrote:
| Yes, from that same link you can see that whoever
| controls the domain can revoke those certificates (by
| asking Let's Encrypt to revoke it). All you need is the
| certificate itself (which you can get from the
| transparency logs e.g. crt.sh), not the private key.
| [deleted]
| quesera wrote:
| This is a good summary.
|
| I run both authoritative (nsd) and resolving (unbound)
| nameservers. They require literally zero maintenance. Before nsd,
| I ran djbdns, which also required zero maintenance. I've run
| BIND, back in the dark ages. Rumor has it that BIND doesn't suck
| any more, but I've seen no reason to confirm.
|
| If you are able keep sshd up and running on your hosted or
| colo'ed server, you have the skills required to run a nameserver
| reliably. It's that easy. I recommend nsd and/or unbound.
|
| If the article does not persuade you that you want to do so, then
| don't bother. But if you do want to, don't be dissuaded by
| assuming it will be difficult.
| remram wrote:
| How much difficulty is added by DNSSEC?
| petee wrote:
| Not much but you should have a good grasp first, and the
| implications (easy to add, tougher to remove)
|
| There are tools to automate resigning, but personally I just
| do it manually once a year for fun.
| hsbauauvhabzb wrote:
| In late 2019 I scanned Fortune 500 for DNSSEC on their top
| domain, exactly one entity was using it. At the time azures
| stance on DNSSEC support was that HTTPS certs should suffice.
|
| I think it's a dead tech.
| rhizome wrote:
| Less than the amount of difficulty added to driving a car
| that can only be adjusted by poking at a TV mounted some
| place where you aren't looking at the road.
|
| Sure, fixing that squeaky door is "easy," but have you ever
| heard the adage that every home project involves three trips
| to the hardware store? There may be technical aspects that
| few of us can implement from scratch and on the first try,
| but at the same time I also don't know how to build a good
| broom. These concerns are not insurmountable, especially with
| the network effects of people being in the same boat. How
| easy is it to find a good handyman without asking anybody?
| _You don't have to._
| remram wrote:
| The question was about DNSSEC.
| brian_cunnie wrote:
| I don't know how difficult it is to set up DNSSEC, but I do
| know I had to disable it on my internal BIND DNS server
| because it wasn't resolving google.com ("query failed (broken
| trust chain) for www.google.com/IN/A at query.c"):
|
| I had to modify my default BIND options to disable DNSSEC:
|
|     options {
|         dnssec-enable no;
|         dnssec-validation no;
|     };
| m3047 wrote:
| If you want DNSSEC to work, be sure you set up NTP and that
| it's working properly.
| tadfisher wrote:
| Also, NAT64 breaks DNSSEC (by design), so some exclusion
| rules are needed.
| pgporada wrote:
| What version of unbound are you running? With our traffic load
| we restart unbound 1.13.x daily to "fix" a memory leak.
| citrin_ru wrote:
| I've run relatively loaded unbound in the past - I would
| suggest using the minimum num-threads with which a single thread
| uses less than 50% CPU at peaks. And set number of slab to
| the same value (if it is power of 2) or lower. High number of
| slabs increases memory usage (maybe it can grow over a long
| time because of fragmentation, but I've not noticed this).
| Unbound Howto Optimize [1] suggests to set num-threads equal
| to number of cores but IMHO it makes sense only if: server
| runs no other software except Unbound (even in this case some
| cores will be utilized by the kernel so better give to
| Unbound less than total core count) and it has more than
| enough RAM so possible memory fragmentation is not a concern.
|
| [1] https://www.nlnetlabs.nl/documentation/unbound/howto-
| optimis...
| quesera wrote:
| unbound-1.14.0 (newest).
|
| But I should have qualified -- I run a caching resolver for
| use by half a dozen users (so about 20 devices). Load is
| negligible, but it works perfectly! YMMV.
|
| As an added benefit, my unbound instance is also faster than
| 1.1.1.1, 8.8.8.8, or my ISP's resolver farm.
| mads wrote:
| I was hacked one single time in my entire 25 year long career.
| Someone hacked a bind server I was running and installed some
| sort of bot node. That was in the '90s.
| qwertyuiop_ wrote:
| The pi-hole I was running on Raspberry Pi got hacked. I only
| noticed the traffic when something unusual showed up on my
| node app console
| lnxg33k1 wrote:
| I also used to run bind back in the time, but now reading this
| article I just set up a container with powerdns; it seems quite
| easy to maintain
| ur-whale wrote:
| > Before nsd, I ran djbdns
|
| Curious to know what made you switch (I still run djbdns).
| quesera wrote:
| No technical reason, djbdns is great and I wouldn't hesitate
| to run it again.
|
| I did tire of building my own djbdns and daemontools
| packages. When I switched from qmail to Postfix, the others
| were collateral damage.
| ur-whale wrote:
| Ah, yeah, I was never a fan of daemontools either.
|
| I actually run djbdns (both cache and authoritative) under
| systemd (not my fave thing, but the thing my OS comes
| equipped with) and it works fine.
|
| The lack of native support for some record types (eg. IPV6)
| is a little bit of a pain, but it's manageable.
| fugue88 wrote:
| I still run djbdns as well, as both an authoritative server
| and a caching resolver.
|
| The biggest downside to djbdns, to me, is its lack of DNSSEC
| support. There are patches available for that, but my distro
| doesn't package them and I haven't gotten around to making my
| own package to include them.
|
| The next biggest is related: djbdns lacks direct support for
| some newer Resource Records (like type 257 CAA) in its data
| file. However, the data file does allow you to encode
| arbitrary records directly, it's just a hassle to do it and
| to verify correctness.
| commandlinefan wrote:
| > it's almost 40 years old
|
| I was shocked that DNS was _only_ almost 40 years old - I would
| have guessed it was at least older than me, but she's right.
| According to https://datatracker.ietf.org/doc/html/rfc882 it's
| almost 10 years younger...
| betterunix2 wrote:
| The Internet is not much older; it is reasonable to say that
| _the_ Internet started in 1982 when TCP/IP was first
| standardized, though some would say that the Internet started a
| few years later with the creation of NSFNet and its
| interconnection with other networks.
| KronisLV wrote:
| One use case that I can think of is split DNS, when you'd like to
| return different data to different clients, about which I wrote
| on my blog: https://blog.kronis.dev/tutorials/how-to-run-a-split-
| dns-ser...
|
| That said, outside of serious enterprise settings, you can do all
| sorts of things without hosting your own DNS servers - even odd
| ones, like making records on public DNS servers for your internal
| network. Sometimes using a dynamic DNS client (e.g. ddclient) is
| actually easier than caring about setting static IP addresses (if
| you just want to let DHCP handle everything), when you don't care
| about that sort of data being exposed. Of course, that's not to
| say that people should actually do stuff like that, just that
| they can.
|
| On a more practical note, if you use the DNS servers of someone
| like NameCheap or GoDaddy, you might run into limits for how many
| records for a domain you can create. For example, NameCheap
| allows up to 150 records (https://www.namecheap.com/support/knowledgebase/article.aspx...).
| [deleted]
| 3np wrote:
| > I wrote a custom DNS server for mess with dns
|
| Weird flex but ok
| Terry_Roll wrote:
| > why is it good that DNS is decentralized?
|
| >One reason is scalability - the decentralized design of DNS
| makes it easier to scale and more resilient to failures. I find
| it really amazing that DNS is still scaling well even though it's
| almost 40 years old. This is very important but it's not what
| this post is about.
|
| Well, let's brush over the limited nature of IPv4 and focus on IPv6
| for this to apply.
| acdha wrote:
| > Well, let's brush over the limited nature of IPv4 and focus on
| IPv6 for this to apply.
|
| Can you explain what you think would be different if IPv4 was
| gone or IPv6 never existed? I can't think of a situation where
| that would matter: you'd be resolving AAAA records instead of A
| but the logical DNS hierarchy would be exactly the same.
| ceejayoz wrote:
| IPv4 vs IPv6 doesn't change anything in this regard.
| m3047 wrote:
| Run your own recursive server and instrument the crap out of it:
| https://github.com/m3047/rear_view_rpz You can't get local
| knowledge from anywhere else.
|
| The latest BIND has DoT (DNS over TLS) out of the box, or you can
| put nginx in front of any decent DNS server to terminate TLS just
| like you do with a web server (this is fundamentally TCP not UDP
| however).
| asimops wrote:
| Some warning. Please do not put a resolver directly onto the
| internet. As nice as it might be to have a DNS ad-blocker or your
| own names reachable all over the internet, the server _will_ be
| part of DDoS attacks through traffic amplification and you don't
| want that.
| zinekeller wrote:
| > Please do not put a resolver directly onto the internet.
|
| Consider using DoT or DoH instead, or at the very least disable
| UDP queries (there's a slight penalty though).
| gitgrump wrote:
| If anyone wants to learn more, here's why open recursive
| resolvers are a bad idea:
| https://www.cloudflare.com/learning/dns/what-is-recursive-dn...
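An audit script in the spirit of asimops' warning, added here as an example (not code from the thread, from unbound or from Cloudflare): it reads resolver query-log lines and reports any clients outside the networks the resolver is meant to serve, which is the tell-tale of an open resolver, and counts their ANY queries since those yield the largest amplification. The allowed networks, the log line shape (modelled on unbound's log-queries output) and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Networks this resolver is meant to serve (assumption: a LAN plus loopback).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fd00::/8")]

# Constructed sample lines shaped like unbound's log-queries output
# ("info: <client> <qname> <qtype> <qclass>"); nothing here is real traffic.
SAMPLE_LOG = """\
[1641403200] unbound[1234:0] info: 192.168.1.20 www.example.com. A IN
[1641403201] unbound[1234:0] info: 192.168.1.21 mail.example.com. MX IN
[1641403202] unbound[1234:0] info: 203.0.113.9 isc.org. ANY IN
[1641403202] unbound[1234:0] info: 203.0.113.9 isc.org. ANY IN
[1641403203] unbound[1234:0] info: 198.51.100.77 example.net. TXT IN
[1641403204] unbound[1234:0] info: 127.0.0.1 localhost. A IN
[1641403205] unbound[1234:0] error: unrelated line that must be skipped
"""

LINE_RE = re.compile(
    r"info: (?P<src>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")


def is_local(ip):
    """True if the client address falls inside one of ALLOWED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def audit(log_text):
    """Count answered queries per external client, and how many of those were
    ANY queries (large answers, so the type amplification traffic favours)."""
    external, any_queries = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or is_local(m.group("src")):
            continue
        src = m.group("src")
        external[src] += 1
        if m.group("qtype").upper() == "ANY":
            any_queries[src] += 1
    return external, any_queries


def report(log_text):
    """Human-readable verdict for the log excerpt."""
    external, any_queries = audit(log_text)
    if not external:
        return "OK: no queries answered for clients outside the allowed networks"
    lines = ["OPEN RESOLVER: answered %d queries for %d external clients"
             % (sum(external.values()), len(external))]
    for src, n in external.most_common():
        lines.append("  %s: %d queries (%d ANY)" % (src, n, any_queries[src]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

If the report lists external clients, the usual unbound.conf fix is an `access-control:` list that refuses 0.0.0.0/0 and allows only your own prefixes, or, as zinekeller suggests, exposing the service only over DoT/DoH.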
| cozzyd wrote:
| I thought more common would just be a caching server (e.g.
| dnsmasq) for small networks with slow connections to the outside
| world (and this also helps with local hostnames).
| gorgoiler wrote:
| Have you ever wanted to build a toy nameserver that returns funny
| programmatic results? Then have a look at Python's dnslib.
|
| Example where the magic happens in ~40 lines of code:
|
| https://github.com/paulc/dnslib/blob/master/dnslib/shellreso...
|
| Hurricane Electric can sit in front of it if you like (and your
| records are dynamically generated but bounded to a known finite
| set), god bless them _<salute>_:
|
| https://dns.he.net/
|
| Example where you might want this: you wrote a nameserver that
| runs arbitrary shell commands!
| _paulc wrote:
| dnslib author here - wasn't expecting to see this so thanks for
| the reference.
|
| Key thing I learnt writing dnslib (which was originally to
| provide a DNS API for an application) is that DNS is actually a
| very dynamic protocol but the complexity of mainstream servers
| like BIND makes it hard to do a lot of the things that you can
| actually do. There are a lot of problems (in particular in the
| service discovery space) which can be solved much more easily
| using DNS rather than inventing something separate.
|
| As an aside if you want an authoritative DNS server I would
| look at KnotDNS [1] - you can avoid all the zone file cruft and
| interact with it using a sensible API. If you want to write a
| dynamic DNS app I would look at @miekg's excellent Go library
| [2]
|
| [1] https://www.knot-dns.cz/
|
| [2] https://github.com/miekg/dns
| gorgoiler wrote:
| Thank you for your work, _paulc!
|
| I used your library to broadcast weather readings via DNS in
| the park where I live. It was really nice to have all the
| protocol work done for me, leaving me to focus on my
| meteoprocrastination :)
|
| There's a special place in my heart for tools where you learn
| by following examples, rather than by having to read abstract
| documentation.
| vesinisa wrote:
| Another good reason to run your own private DNS resolver is
| censorship. I originally set it up after my ISP was sued to block
| access to thepiratebay.com. The court was satisfied that a DNS
| blackhole was good enough..
| [deleted]
| z3t4 wrote:
| reason: You want to use dynamic wildcard SSL certificates via
| Letsencrypt. Because they need to be validated via DNS.
|
| reason: You want to use anycast (rent cheap VPS servers that
| support BGP)
|
| The anycast managed services that exist will take days to sync
| all servers, thus you can't use DNS validation with Letsencrypt.
| Solution: Run your own Anycast ...
|
| That said, anycast is overkill, because DNS has caching built in
| to its protocol, if the user has looked up your IP once, it will
| be cached on the user machine next time he/she looks it up. And
| if you have a fairly popular domain, it will also be cached at
| the ISP or whatever DNS resolver the user has.
| bauruine wrote:
| Another point I would add is DNSSEC. With your own authoritative
| server you actually own the keys and don't have to trust another
| company.
|
| What's also not mentioned is the possibility to run your own
| hidden master and use a DNS provider (or multiple!) as slaves.
| This way you have full control over your zone but you don't have
| to run your own network of nameservers.
| SamuelAdams wrote:
| There are some fairly good arguments against using DNSSEC. I
| think the author of this post is on HN.
|
| https://sockpuppet.org/blog/2015/01/15/against-dnssec/
| tptacek wrote:
| Since almost nobody runs DNSSEC (try a list of popular domains,
| like the Moz 500, and `dig ds $domain +short`), this is
| unlikely to be a big issue for most people. There's also
| practically no upside to running DNSSEC, and a lot of downside
| (see: Slack disappearing from the Internet for a whole day).
| Hello71 wrote:
| I don't run DNSSEC either, but as you know, the Slack issue
| was caused by haphazard implementation, followed by apparent
| panicked incorrect rollback. They would have had basically
| the same issue if they had added incorrect AAAA records with
| long expiry. There may well be reasons not to deploy IPv6,
| but I don't think this is a good one. Similarly, while I
| agree that DNSSEC offers few upsides, I don't think this
| particular example is a good one against DNSSEC itself.
| jtl999 wrote:
| To quote from the Slack engineering report
|
| > This indicated there was likely a problem with the
| '*.slack.com' wildcard record since we didn't have a
| wildcard record in any of the other domains where we had
| rolled out DNSSEC on
|
| I'm not going to stick my hand in either camp for the sake
| of this discussion, but dynamic/wildcard DNS records are
| exactly the type of thing I'd suspect DNSSEC to have
| trouble with
| emptybottle wrote:
| On my LAN the only DNS servers I'm running are resolvers. I have a
| pihole instance that is backed by stubby to filter out
| ads/trackers and send queries outside my network via DNS-over-
| TLS.
| 1vuio0pswjnm7 wrote:
| reason: you want to route application traffic through a local
| daemon but the computing device will not allow you to access
| /etc/hosts or run a firewall like iptables/nftables/pf
|
| One way to redirect application traffic to a local daemon, e.g.,
| something like sslsplit or stunnel, is using firewall rules.
| Another way is to use DNS.
|
| Running DNS for oneself with a custom root.zone allows one to
| redirect traffic, for example, to a loopback address where the
| daemon is listening. The DNS server can run locally on a loopback
| or private address (for use while at home/office), or remotely on
| a public address (for use when travelling).
|
| For example, I use a local proxy server instead of remote DNS
| lookups. When I visit example.com, there is a local DNS lookup to
| a local DNS server listening on the loopback. No DNS packets
| leave the computer. The local DNS server returns the loopback
| address of the proxy. The proxy, which has the remote address of
| example.com stored in memory, then accesses example.com.
|
| The remote address for example.com was retrieved sometime in the
| past, extracted from public scan files. (Alternatively it can be
| obtained from bulk DNS lookups, along with hundreds of other
| addresses, using DoH and HTTP/1.1. pipelining.) There is no
| remote DNS lookup of example.com immediately before example.com
| is accessed. Variable DNS lookup delay is eliminated.
|
| "What if the address of example.com changes?" In theory, that
| sounds like a problem. In practice, for this user, example.com's
| address almost never changes. It is going to be 93.184.216.34 for
| at least the next 365 days, more likely for the next three years.
| This is true for almost all websites I read. There are exceptions
| but they tend to be few and far between. As such, changes to the
| DNS data I have stored are minimal. From this user's perspective,
| most DNS data remains static. Not to mention that frequent
| changes in DNS, e.g. so-called "fast flux", are often (but not
| always) a red flag something nefarious may be going on.
|
| Anyway, running personal DNS means I do not need to worry about
| having access to pf/ipf/iptables/nftables in order to redirect
| application traffic.
| samcrawford wrote:
| We use the excellent gdnsd (https://github.com/gdnsd/gdnsd),
| mainly for its geo-DNS configurability. Have been using it for
| probably 5-6 years now, handling hundreds of millions of queries
| per day, and never had an issue with it.
| encryptluks2 wrote:
| DNS is decentralized about as well as TLDs are decentralized...
| they're not. You'd specifically have to run your own DNS to make
| it decentralized and use other upstream providers that allow the
| use of open TLDs.
| acdha wrote:
| What is your definition of decentralized? There's no one system
| which controls the DNS records or makes changes to them, and
| the root TLDs are run by an international consortium which has
| limited ability to force changes. Even if the U.S. government
| gets in a shooting war with Russia, there's no plausible
| outcome where .ru records come under the control of the U.S.
| government or vice versa.
|
| That's about as decentralized as a real system gets while still
| being usable.
| samgranieri wrote:
| I'm enjoying running a pi-hole on my local network that also has
| unbound running on it for resolving dns queries. Works like a
| charm, and it's nice and quick.
| avgDev wrote:
| Pi-hole is awesome. It did give me some issues with a few
| streaming services that I think used google ads.
| samgranieri wrote:
| Yeah, it borked paramount plus and I think hbo max on my
| apple tv. I just exempted that device and it's fine.
|
| Why'd I exempt my apple tv from the pi-hole? I don't want to
| screw things up when my wife or visitors are watching tv :)
| FPGAhacker wrote:
| > Why'd I exempt my apple tv from the pi-hole? I don't want
| to screw things up when my wife or visitors are watching tv
| :)
|
| Very wise. There are a lot of cool things I'd like to
| setup, but keeping things simple for guests and spouses
| matters.
| JonathanBuchh wrote:
| I also use Pi-hole[1] and unbound[2]. You can even use
| tailscale[3] as a quick and easy way to use Pi-hole on all
| other networks through a WireGuard VPN tunnel.
|
| [1]: https://pi-hole.net
|
| [2]: https://docs.pi-hole.net/guides/dns/unbound/
|
| [3]: https://tailscale.com/kb/1114/pi-hole/
| withinrafael wrote:
| The blog post indicates running a resolver would have privacy
| enhancing benefits. Am I misunderstanding something here? Isn't
| the resolver mostly unusable without an upstream source that
| could then log all queries? Or is there a records bulk download
| option?
| petee wrote:
| In the end you need to ask an authoritative server anyway, but
| this lets you skip your ISP being the middleman for all your
| general queries. Unbound is nice because you can have it verify
| dnssec
| raggi wrote:
| Lost me at wanting to run BIND. BINDs security track record is
| poor and does not show promise of improvement. Run something
| else. There are plenty of systems that can consume or convert
| from bind format if that's what you want.
| brian_cunnie wrote:
| I've been running BIND on the internet for a quarter century
| (ns-he.nono.io, ns-digitalocean.nono.io). Sure, I got burned 20
| years ago with, IIRC, a zone-transfer exploit, but in those
| days BIND ran as root (remember: the internet was new then).
| Nowadays BIND runs as a non-privileged user in a chroot'ed
| environment, so even if it's compromised the blast radius is
| tightly constrained.
|
| And I like BIND. I like editing zone files by hand. It never
| fails to make me happy.
| psim1 wrote:
| BIND has a track record because it has existed for decades. At
| present, what's wrong with it?
___________________________________________________________________
(page generated 2022-01-05 23:00 UTC)