[HN Gopher] More mysterious DNS root query traffic from a large ...
       ___________________________________________________________________
        
       More mysterious DNS root query traffic from a large cloud/DNS
       operator (2022)
        
       Author : mooreds
       Score  : 51 points
       Date   : 2025-03-11 12:04 UTC (10 hours ago)
        
 (HTM) web link (blog.apnic.net)
 (TXT) w3m dump (blog.apnic.net)
        
       | Lammy wrote:
       | I wonder if this is related to the massive increase (quadrupling)
       | in DNS traffic just to my own domains as of January 2020 that has
       | become the new normal ever since. Figure 2 in the article lines
       | up with mine exactly: https://i.imgur.com/5yuQ6rY.png
       | 
       | Mildly annoying because I was only paying my DNS host for 1
       | million queries-per-month and had to increase my plan. I only get
       | aggregate statistics so I am unable to investigate blame.
        
         | arccy wrote:
         | how much could you be paying... even in big clouds it's pretty
         | cheap at $0.40 / million
        
           | Lammy wrote:
           | I did say "mildly" although this is still double what it used
           | to be before DigiCert (read: Clearlake Capital wearing a
           | DigiCert skin suit) bought DNSME:
           | https://i.imgur.com/zhMjaFp.png
        
         | aberoham wrote:
         | projectdiscovery's timeline matches
         | https://github.com/projectdiscovery/shuffledns
        
       | Polizeiposaune wrote:
       | What's surprising to me is that this sort of query traffic from
       | Google to the root nameservers would imply that Google isn't
       | running with its own copy of the DNS root - something which I
       | would think would be trivial for them to do. The root zone file
       | is around 2.5MB in portable text format and 1.75MB in bind 9's
       | "raw" form, is entirely public, and is available by DNS zone
       | transfer from a subset of the root name servers.
       | 
       | BTW, if you run your own local DNS resolver and want to do this,
       | see RFC8806 (https://datatracker.ietf.org/doc/html/rfc8806). I
       | use the setup operated by localroot.isi.edu (register with them
       | and they send you a TSIG-protected DNS NOTIFY when the root zone
       | changes).
        
         | acuozzo wrote:
         | > BTW, if you run your own local DNS resolver
         | 
         | Can you share some more information on this? I've been thinking
         | of doing so with my OpenBSD server, but my DNS knowledge is
         | limited to the client side.
        
           | formerly_proven wrote:
           | knot-resolver
        
             | 77pt77 wrote:
             | Can vouch.
             | 
             | It just works and has low resource utilization.
        
           | quesera wrote:
           | Running a local resolver is very simple.
           | 
           | If you know the steps -- install software, download root
           | hints file, glance at default config (probably no changes
           | needed), set packet filter rules, start daemon, update DHCP
           | config -- you can be up and running in less than 10 minutes.
           | 
           | If it's your first time, but all of those steps are
           | conceptually clear, I'd allot an hour or so.
           | 
           | I'd recommend Unbound[0] or Knot Resolver[1]. Either will
           | give you fast local caching and private DNS history, with
           | zero maintenance requirements. I literally have not touched
           | my (Unbound) config in ten years.
           | 
           | Though, now that I think about it, there have probably been
           | root hints[2] updates that I should download. (30 sec later:
           | Done!)
           | 
           | 0: https://www.nlnetlabs.nl/projects/unbound/about/
           | 
           | 1: https://www.knot-resolver.cz/
           | 
           | 2: https://www.internic.net/domain/named.root
        
           | nubinetwork wrote:
           | Install bind, make your zone files, start it, and change your
           | dhcp to give your computers the new DNS server address...
           | shouldn't take longer than a half hour to set it all up.
           | 
           | An additional bit of setup can also integrate the equivalent
           | of pihole using rpz.
        
           | plagiat0r wrote:
           | The best document to properly run a private root zone dns
           | server is this: https://datatracker.ietf.org/doc/html/rfc8806
           | 
           | Just read it quickly and you're good to go.
        
           | 3np wrote:
           | I've tried most of the popular ones on Linux, these are the
           | ones I've got working all right with little enough hassle to
           | recommend checking out:
           | 
           | unbound
           | 
           | knot-resolver
           | 
           | Technitium
           | 
           | Yadifa
           | 
           | (I find BIND tiresome and would only recommend core-dns if
           | you know why you want it)
           | 
           | unbound would be my go-to.
           | 
           | ---
           | 
           | General advice: Keep your resolver(s) for public DNS
           | dedicated and as isolated as reasonable. Don't point your
           | clients directly to it or configure any custom zones on it.
           | Instead have your existing (I assume, otherwise spin up
           | dnsmasq) DNS servers forward and cache all your actual
           | lookups.
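The setup Polizeiposaune and plagiat0r point to (RFC 8806, a resolver keeping its own copy of the root zone) combined with 3np's "keep the resolver isolated" advice, written as an Unbound configuration. This is an added example, not configuration from the thread, the APNIC article or NLnet Labs; the listening address, client netblock and file paths are assumptions for a small LAN, while the transfer sources are the root servers and ICANN hosts that RFC 8806 names as offering zone transfer.

```conf
# Added example (not from the thread): Unbound with an RFC 8806 style local
# copy of the root zone. Addresses and paths below are assumptions.
server:
    interface: 192.168.1.53                # assumed: the resolver's LAN address
    access-control: 192.168.1.0/24 allow   # assumed: only the LAN may query it
    access-control: 0.0.0.0/0 refuse       # everything else is refused
    # Keep DNSSEC validation on: the root zone is signed, so a corrupted or
    # tampered copy fails validation instead of being trusted.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

# Pull the root zone by AXFR/IXFR and answer the resolver's own root
# lookups from that copy instead of sending them to the root servers.
auth-zone:
    name: "."
    # Hosts that offer transfer of the root zone (RFC 8806, section 3)
    primary: 199.9.14.201      # b.root-servers.net
    primary: 192.33.4.12       # c.root-servers.net
    primary: 192.5.5.241       # f.root-servers.net
    primary: 192.112.36.4      # g.root-servers.net
    primary: 193.0.14.129      # k.root-servers.net
    primary: 192.0.47.132      # xfr.cjr.dns.icann.org
    primary: 192.0.32.132      # xfr.lax.dns.icann.org
    for-upstream: yes          # use the local copy when recursing
    for-downstream: no         # never hand the root zone out to clients, as RFC 8806 intends
    fallback-enabled: yes      # if the transfer fails, query the root servers normally
    zonefile: "/var/lib/unbound/root.zone"   # assumed path; must be writable by unbound
```

Run `unbound-checkconf` on the file before restarting; Unbound refreshes the copy on the zone's SOA timers, so no cron job is needed for routine updates.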
        
       | 486sx33 wrote:
       | Google up to something evil
        
       ___________________________________________________________________
       (page generated 2025-03-11 23:01 UTC)