[conspire] Internet Privacy: today's vote and measures to take

Ehud Kaldor ehud.kaldor at gmail.com
Mon Apr 3 11:59:59 PDT 2017


so, what you're saying is that if i have Bind9 running as a local DNS, i
can just remove the 'forward' section and be done with it? or do i need
something else?


On Mon, Apr 3, 2017 at 11:56 AM Rick Moen <rick at linuxmafia.com> wrote:

> Quoting Ehud Kaldor (ehud.kaldor at gmail.com):
>
> > what about running a DNS in the home router, and forwarding to an open
> DNS,
> > like the ones listed at openNIC?
>
> [http://servers.opennicproject.org/]
>
> That's _possibly_ an improvement, although you are still leaking detailed
> lookup information to the 'open DNS' recursive nameserver in question,
> and trusting to its security and performance.  Also, you suffer the same
> long lagtime of submitting all of your recursive queries across the slow
> uplink that you do when using ISP recursive nameservers.
>
> Listing the characteristic drawbacks of (most) ISP recursive nameservers:
>
> o  Long query & response lagtimes across uplink.  Ditto OpenNIC.
> o  Doubtful security inherent in a shared public recursive nameserver.
>    Ditto OpenNIC.
> o  In many cases, terrible performance on account of underprovisioning
>    and excessive load.  Possibly advantage to the OpenNIC server,
>    depending.
>
> So, yay OpenNIC?  Sort of.
>
> I'm perplexed, though, that this idea of forwarding your queries to an
> outside third-party recursive nameserver keeps coming up in different
> forms, e.g., you say (paraphrasing) 'How about outsourcing your outbound
> DNS queries to OpenNIC Project recursive nameservers instead of ISP
> ones?'  Because, sure, you can do that, but why outsource this to
> _anyone_?
>
> The obvious alternative is to operate a recursive nameserver _locally_
> under one's own control on one's own host (with corresponding advantage
> of performance and security).  Configure the 'DNS' (Dnsmasq
> or whatever) in your home router to forward to _it_, not to any third
> party's recursive nameserver but rather to yours.
>
> I honestly don't understand why so many Linux users resist this idea and
> keep insisting on outsourcing to someone elsewhere.  Sometimes when this
> comes up, apparently there's an unvoiced objection that administering
> the local recursive nameserver would be difficult -- which is really
> amusing, because there's really nothing to administer.  You define in
> its conffile what IPs are permitted to send the recursive nameserver
> daemon queries, you turn it on (launch it as a daemon), and that's it.
> There aren't any complications; it's either a currently running daemon
> process or it isn't.
>
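Added illustration, not from either poster: one way to write the setup described in the quoted message in BIND 9 and dnsmasq terms. The file paths follow the Debian layout, and the 192.168.1.0/24 LAN, the resolver address 192.168.1.10 and the router's dnsmasq are assumed for the example.

```conf
// /etc/bind/named.conf.options on the host running the local recursive resolver
// (assumed path). A "forwarders { ... };" block, which hands every query to a
// third-party resolver, is deliberately absent: with no forwarders, named
// resolves iteratively from the root servers itself.

acl "lan" {
    127.0.0.1;
    ::1;
    192.168.1.0/24;        // constructed home network; adjust to yours
};

options {
    directory "/var/cache/bind";

    // Only answer on loopback and the LAN interface, never on the uplink.
    listen-on    { 127.0.0.1; 192.168.1.10; };
    listen-on-v6 { ::1; };

    // This is the whole "administration": say who may ask, then run it.
    recursion yes;
    allow-query     { lan; };
    allow-recursion { lan; };
    allow-transfer  { none; };

    // Validate answers locally instead of trusting a remote resolver.
    dnssec-validation auto;
};
```

```conf
# /etc/dnsmasq.conf on the home router (assumed path): forward to the local
# resolver above rather than to the ISP or any other outside nameserver.
no-resolv
server=192.168.1.10
```

Run `named-checkconf` on the resolver host after editing, then restart named; the router's dnsmasq needs a restart as well to pick up the new `server=` line.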