[conspire] Internet Privacy: today's vote and measures to take

Ivan Sergio Borgonovo mail at webthatworks.it
Mon Apr 3 18:30:46 PDT 2017


On 04/04/2017 12:22 AM, Rick Moen wrote:
> Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):
>
>> My reasons are:
>> 1) bind and unbound are far more complicated to configure and
>> convince to work with a dhcp than dnsmasqd

> This is wrong.

> BIND is complicated for reasons having nothing to do with its recursive
> functionality, which is simple.  Unbound is extremely simple.
>
> You would not seek to _replace_ Dnsmasqd.  You would merely make
> Dnsmasqd point to your recursive server.  After all, you need to make
> Dnsmasqd point to _some_ recursive server, somewhere, otherwise it won't
> function, because it cannot do that job.  So, all I'm suggesting is
> to point it to _your_ recursive server rather than outsourcing.

As I already said in my previous email I could actually keep on running 
dnsmasqd.
Still I'd like to run an authoritative DNS as well because I plan to 
manage my home zone even for the internet.

>> 2) they are more resource demanding and can't be put on a cheap
>> replaceable piece of hardware

> Unbound takes ridiculously little in the way of machine resources.
> Actually, nameservers in general require only a ridiculous pittance of
> RAM and CPU.  You could use a 386 with 16 MB of RAM if you could find an
> *ix still about to run on that and if you could trust creaky old
> hardware.

> BIND9 is relatively speaking a hog because BIND has always been a hog.
> (That is one of the reasons to cease using it.)

Still things sum up. A recursive DNS, an authoritative DNS and dnsmasqd.

>> 3) I'm lazy
>
> Anything is more difficult than doing absolutely nothing, true.

> Here is how you set up Unbound:
>
> 1.  apt-get install unbound
> 2.  Review the ACLs in /etc/unbound/unbound.conf to make sure your
>     IPs can reach it.
> 3.  Point what uses recursive DNS (Dnsmasq in your case) to it.

> No administration required.

You've nearly sold it to me.

It looks even simpler than dnsmasqd alone since I don't have to 
configure a list of dns for dnsmasqd and probably I don't have to touch 
acls since dnsmasqd will be the only client running on the same host.
I see one minor problem, unbound and dnsmasqd will run on the same 
host/ip, so I guess they should listen on different ports.
Correct?
I bet making unbound listen on a different port is easy, making dnsmasqd 
seems a bit trickier.

Probably
server=127.0.0.1#[port]
Unfortunately this setting doesn't seem to be exposed by the openwrt web 
interface. This makes things a bit messy.

And once I'll have a recursive and an authoritative DNS things will get 
more complicated since the authoritative will be exposed etc... as you 
explained in another post (nice one).

rpi could surely handle unbound and a few other things and it is cheap, but 
it has just 100Mbit ports and it doesn't seem suited to handle any other 
task on my home network.
It will have to be powered and network connected. I'll still need a 
router and an access point (currently my router) and a NAS/git 
server/web server/db server (currently running on a micro HP server).

As many services as possible should run on cheap, easily replaceable 
hardware.

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it http://www.borgonovo.net
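The configuration the message above is asking about, written out as an added example (not part of the original post, and not taken from any Unbound, dnsmasq or OpenWrt documentation): Unbound as a validating recursive resolver bound to loopback on a non-standard port, with dnsmasq on the same host forwarding to it instead of to an outside resolver. The port 5335, the LAN address 192.168.1.1, the home zone name and the Debian-style paths are assumptions; the OpenWrt fragment at the end is the same dnsmasq setting in /etc/config/dhcp form, which is how to set it when the web interface does not expose it.

```conf
# --- /etc/unbound/unbound.conf.d/local-recursor.conf (Debian include dir; assumed path)
server:
    # Listen only on loopback: dnsmasq is the sole client, so nothing else
    # on the LAN needs to reach the recursor directly.
    interface: 127.0.0.1
    interface: ::1
    port: 5335                  # assumed; any port dnsmasq is not using on this host

    # ACLs: the package default already refuses everything not listed here,
    # so only loopback is allowed.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC validation. Drop this line if your package already enables it
    # via its own include file (Debian ships one); the path is the Debian default.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening / privacy knobs a recursor of your own buys you.
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes
    hide-identity: yes
    hide-version: yes

# --- /etc/dnsmasq.d/recursor.conf (plain dnsmasq; assumed path)
# Ignore /etc/resolv.conf so the ISP/DHCP-supplied resolvers are never used.
no-resolv
# Forward everything to the local Unbound instance on its own port.
server=127.0.0.1#5335
# Keep the home zone local; dnsmasq answers it from DHCP leases and /etc/hosts.
# "home.lan" is an assumed zone name.
local=/home.lan/
domain=home.lan
expand-hosts
# Bind to the LAN address only, so the two daemons do not fight over 0.0.0.0.
listen-address=192.168.1.1
bind-interfaces
# Do not forward lookups for private reverse ranges or bare hostnames upstream.
bogus-priv
domain-needed

# --- /etc/config/dhcp (OpenWrt UCI equivalent of the two key dnsmasq lines)
config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#5335'
    option domain 'home.lan'
    option local '/home.lan/'
```

After restarting both daemons, `unbound-checkconf` should report no errors, `ss -lnup` should show Unbound on 127.0.0.1:5335 and dnsmasq on 192.168.1.1:53, and `dig @127.0.0.1 -p 5335 dnssec-failed.org` should return SERVFAIL while a signed zone answers with the `ad` flag set; the same queries against port 53 confirm dnsmasq is forwarding to it. The authoritative server for the public zone is a separate daemon and a separate problem: it would listen on the external address on port 53, and must not be the same process clients use for recursion.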