[conspire] Internet Privacy: today's vote and measures to take

Ehud Kaldor ehud.kaldor at gmail.com
Mon Apr 3 10:38:26 PDT 2017


what about running a DNS in the home router, and forwarding to an open DNS,
like the ones listed at openNIC?


On Fri, Mar 31, 2017 at 11:25 PM Rick Moen <rick at linuxmafia.com> wrote:

> Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
>
> > It should be noted that like other ISP's, Sonic prevents access to their
> > nameservers from IP address ranges they do not control, including their
> > own customers who get AT&T addresses.
>
> (When you say 'their nameservers', you mean their recursive nameservers.
> Restricting authoritative nameservers in this fashion would sabotage
> their function.)
>
> And there are two individually compelling reasons for this:  One is that
> recursive DNS is simply not a service they are offering to the public at
> large, and offering it to outsiders would just cost them bandwidth for
> no gain to them.  The other is that the wider a circle of users a
> recursive nameserver is exposed to, the greater the likelihood of it
> suffering cache poisoning.  (That second reason is one of the main
> causes of ISP recursive nameservers having bad security and a
> specific reason why using your own instead is an advantage.)
>
> > Also, Sonic has separate IPv6 and
> > IPv4 nameservers, with the IPv4 ones not serving up AAAA records or
> > other things for the IPv6 Internet, and the IPv6 ones are not served up
> > by DHCP or 6RD nor are they accessible from IPv4 at all.
>
> Are you sure you're talking about their recursive nameservers?
>
> > As for the recommendation to run a local nameserver, it's exceedingly
> > rare in 2017 to be connected to the Internet without a router of some
> > kind or other at the last mile, and the vast majority of these internally
> > run a nameserver of one sort or other.
>
> I'm sorry, but 'a nameserver of one sort or other' is so excessively
> broad a category as to be almost meaningless.  All you can say that is
> true of all examples of 'a nameserver of one sort or other' is that they
> all do caching (except for authoritative-only ones, which obviously don't).
>
> Your point is a bit unclear, but if it is what I think it is, then
> you're drawing a mostly non-sequitur conclusion.  But let's press on.
>
> > There is no pressing need to rely on that, but the real-time logging
> > potential you mentioned is mostly a thing of the past, because even
> > ISP-issued routers were running dnsmasq more than a decade ago.
>
> That is a mostly non-sequitur conclusion.
>
> Dnsmasq is merely a small caching forwarder with no recursive abilities
> of its own at all, only able to hand off iterative queries to the outside
> IP address of a recursive nameserver elsewhere.  (It also locally serves
> optional local authoritative service for a group of NATted / IPmasqued
> machines.)
>
> The caching does serendipitously reduce some of the repeated real-time
> query data otherwise loggable by your upstream connection, but that's
> the only improvement it gives to your information security.  A local
> _recursive_ nameserver would ensure a great deal less information
> leakage.
>
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
>
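The distinction the thread draws, a caching forwarder on the router versus a local recursive resolver on it, is easiest to see side by side in configuration. The following is an added example and is not configuration from either message: it assumes dnsmasq as the forwarder and Unbound as the recursive resolver, the LAN gateway address 192.168.1.1/24 and the upstream address 203.0.113.53 are constructed placeholders (the latter is a TEST-NET-3 documentation address, not a real server), and the file paths vary by distribution.

```conf
# --- Option 1: dnsmasq on the home router as a caching forwarder ---
# /etc/dnsmasq.conf (assumed path)
listen-address=127.0.0.1,192.168.1.1   # constructed LAN gateway address
no-resolv                               # ignore resolvers handed out by the ISP/DHCP
server=203.0.113.53                     # placeholder upstream recursive resolver
cache-size=10000
# dnsmasq never walks the DNS tree itself: every cache miss is sent, in full,
# to the single upstream address above, which can log the whole query stream.
# Only repeated lookups within a record's TTL are kept off the wire.

# --- Option 2: Unbound on the same router as a local recursive resolver ---
# /etc/unbound/unbound.conf (assumed path)
server:
    interface: 127.0.0.1
    interface: 192.168.1.1                 # constructed LAN gateway address
    # Answer only the LAN; refusing everyone else keeps the circle of users
    # the cache is exposed to small, which is the poisoning concern raised above.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Hardening against forged answers reaching the cache.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes                   # randomise query name case (0x20 encoding)
    qname-minimisation: yes                # send each authoritative server only the labels it needs
    prefetch: yes
    # DNSSEC validation; the trust anchor path varies by distribution.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # No forward-zone stanza: with none, Unbound resolves iteratively from the
    # root hints built into it, so no single upstream resolver sees every query.
```

With the Unbound configuration, the upstream link still carries packets to the root, TLD and authoritative servers, so the ISP can observe which authoritative servers are contacted, but it no longer receives every question at one recursive resolver it operates and can log. Combining the two (Unbound listening on the LAN, dnsmasq only for DHCP and local hostnames) is a common arrangement when dnsmasq is already doing DHCP on the router.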