[conspire] Internet Privacy: today's vote and measures to take

Rick Moen rick at linuxmafia.com
Mon Apr 3 11:55:19 PDT 2017


Quoting Ehud Kaldor (ehud.kaldor at gmail.com):

> what about running a DNS in the home router, and forwarding to an open DNS,
> like the ones listed at openNIC?

[http://servers.opennicproject.org/]

That's _possibly_ an improvement, although you are still leaking detailed
lookup information to the 'open DNS' recursive nameserver in question,
and trusting to its security and performance.  Also, you suffer the same
long lagtime of submitting all of your recursive queries across the slow
uplink that you do when using ISP recursive nameservers.

Listing the characteristic drawbacks of (most) ISP recursive nameservers:

o  Long query & response lagtimes across uplink.  Ditto OpenNIC.
o  Doubtful security inherent in a shared public recursive nameserver.
   Ditto OpenNIC.
o  In many cases, terrible performance on account of underprovisioning
   and excessive load.  Possibly advantage to the OpenNIC server, 
   depending.

So, yay OpenNIC?  Sort of.

I'm perplexed, though, that this idea of forwarding your queries to an
outside third-party recursive nameserver keeps coming up in different
forms, e.g., you say (paraphrasing) 'How about outsourcing your outbound
DNS queries to OpenNIC Project recursive nameservers instead of ISP
ones?'  Because, sure, you can do that, but why outsource this to
_anyone_?

The obvious alternative is to operate a recursive nameserver _locally_
under one's own control on one's own host (with corresponding advantage
of performance and security).  Configure the 'DNS' (Dnsmasq
or whatever) in your home router to forward to _it_, not to any third
party's recursive nameserver but rather to yours.

I honestly don't understand why so many Linux users resist this idea and
keep insisting on outsourcing to someone elsewhere.  Sometimes when this
comes up, apparently there's an unvoiced objection that administering
the local recursive nameserver would be difficult -- which is really
amusing, because there's really nothing to administer.  You define in
its conffile what IPs are permitted to send the recursive nameserver
daemon queries, you turn it on (launch it as a daemon), and that's it.
There aren't any complications; it's either a currently running daemon
process or it isn't.
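As an added illustration, not part of Rick's post: the "define which IPs may query it, then launch it" configuration sketched above, written out for Unbound as the local recursive nameserver, with the router's Dnsmasq forwarding to it. Rick names no particular daemon beyond "Dnsmasq or whatever" for the router, so Unbound is my choice here; the addresses 192.168.1.2 and 192.168.1.0/24 and the file paths are constructed for the example and vary by LAN and distribution.

```conf
# /etc/unbound/unbound.conf -- on the LAN host that runs the recursive
# nameserver (assumed to sit at 192.168.1.2; constructed address)
server:
    # Listen on loopback and on the LAN-facing address only.
    interface: 127.0.0.1
    interface: 192.168.1.2
    port: 53

    # The "what IPs are permitted to send queries" part: allow this host
    # and the home LAN, refuse everyone else, so the daemon never acts as
    # an open resolver even if it is ever reachable from outside.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Full recursion from the root (no forward-zone), so no third party
    # sees the complete query stream.  Both files are optional: Unbound
    # has built-in root hints, and the trust-anchor path is distro-specific.
    root-hints: "/etc/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hygiene and hardening.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes

# /etc/dnsmasq.conf -- on the home router, forwarding to the LAN's own
# recursive nameserver instead of the ISP's or OpenNIC's
no-resolv                # ignore upstreams learned from /etc/resolv.conf or DHCP
server=192.168.1.2       # the only upstream: the local recursive server
cache-size=1000
```

Validate with `unbound-checkconf` before starting the daemon, then confirm from a LAN client with `dig @192.168.1.2 example.com` that answers come back (the `ad` flag shows DNSSEC validation is happening). The three `access-control` lines are the whole of the "administration" Rick describes: anything outside 192.168.1.0/24 gets REFUSED rather than served, which is what keeps a home resolver from becoming an open one.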
