[conspire] Internet Privacy: today's vote and measures to take

Rick Moen rick at linuxmafia.com
Mon Apr 3 19:26:44 PDT 2017


Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):

> On 04/04/2017 12:22 AM, Rick Moen wrote:
> >Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):
> >
> >>My reasons are:
> >>1) bind and unbound are far more complicated to configure and
> >>convince to work with a dhcp than dnsmasqd
> 
> >This is wrong.
> 
> >BIND is complicated for reasons having nothing to do with its recursive
> >functionality, which is simple.  Unbound is extremely simple.
> >
> >You would not seek to _replace_ Dnsmasqd.  You would merely make
> >Dnsmasqd point to your recursive server.  After all, you need to make
> >Dnsmasqd point to _some_ recursive server, somewhere, otherwise it won't
> >function, because it cannot do that job.  So, all I'm suggesting is
> >to point it to _your_ recursive server rather than outsourcing.
> 
> As I already said in my previous email I could actually keep on
> running dnsmasqd.

There's no reason why you shouldn't be.  The only question I raised is
where you have it send all of its recursive queries.  I gather that you,
like most people, outsource it to an ISP or other network-distant
recursive nameserver.  What I suggested was instead to send them to a
local nameserver under your control.

> Still I'd like to run an authoritative DNS as well because I plan to
> manage my home zone even for the internet.

Sure.  For _local_ authoritative DNS (i.e., not served up to the public
at large), Dnsmasq more than suffices, as I'm sure you know.  Oddly
enough, Unbound can also serve up what it calls "stub-zones", too.

For serving up real _public_ authoritative DNS, i.e., for the public's
resolution of your and other people's domains, you really should use
your choice of:

o  BIND9
o  djbdns's tinydns utility
o  MaraDNS
o  NSD
o  PowerDNS Authoritative Server
o  YADIFA

> Still things sum up. A recursive DNS, an authoritative DNS and dnsmasqd.

Try out Unbound and NSD before assuming their resource requirements are
anything above 'so tiny as not worth thinking about'.  I think you'll be
pleasantly surprised.

> I see one minor problem, unbound and dnsmasqd will run on the same
> host/ip, so I guess they should listen on different ports.
> Correct?
> I bet making unbound listen on a different port is easy, making
> dnsmasqd seems a bit trickier.

If you're making Unbound answer Dnsmasq's queries, you could change
in /etc/unbound/unbound.conf

port: 53

to

port: 5353


And, in dnsmasq.conf, the matching line:

server=127.0.0.1#5353

> Probably
> server=127.0.0.1#[port]

Yep.

> rpi could surely handle unbound and a few other things and it is cheap,
> but it has just 100Mbit ports and it doesn't seem suited to handle
> any other task on my home network.

Yes, and I consider RPi inappropriate for any task requiring sensitive
security because, like all ARM devices currently, it cannot run a
kernel.org kernel.  Therefore, if a kernel security problem arises, you
need to wait for the RPi special-snowflake out-of-tree patchset to get
updated.

Sorry, no, unacceptable, IMO.  I'd rather splurge a couple more watts
on a tiny x86_64 host w/SSD.
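The port-split described above (Unbound moved to 5353, dnsmasq forwarding to 127.0.0.1#5353) is easy to get half-right, so here is an added consistency check; it is not part of the original thread. Both config fragments are constructed inline so it runs offline; on a real box you would pass /etc/unbound/unbound.conf and /etc/dnsmasq.conf (Debian paths, an assumption) to check_forwarding instead. The no-resolv check is an addition: without it dnsmasq also forwards to whatever is in /etc/resolv.conf, so queries can still leave for the ISP's resolver.

```shell
#!/bin/sh
# Added example: verify that dnsmasq forwards only to the local Unbound
# instance on the port Unbound actually listens on.  The two config
# fragments below are constructed for this demonstration.
UNBOUND_CONF=$(mktemp)
DNSMASQ_CONF=$(mktemp)

cat > "$UNBOUND_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5353
    access-control: 127.0.0.0/8 allow
EOF

cat > "$DNSMASQ_CONF" <<'EOF'
no-resolv
server=127.0.0.1#5353
EOF

# Port Unbound listens on; 53 is Unbound's default when 'port:' is absent.
unbound_port() {
    p=$(sed -n 's/^[[:space:]]*port:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${p:-53}"
}

# Port dnsmasq forwards to on 127.0.0.1; 53 when the '#port' suffix is absent.
# Prints nothing if no server=127.0.0.1 line exists at all.
dnsmasq_upstream_port() {
    p=$(sed -n 's/^server=127\.0\.0\.1#\([0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$p" ] && grep -q '^server=127\.0\.0\.1$' "$1"; then p=53; fi
    echo "$p"
}

# Returns 0 only when (a) dnsmasq's upstream port equals Unbound's listening
# port and (b) dnsmasq is told not to read /etc/resolv.conf, so no query can
# be forwarded to any other upstream.
check_forwarding() {
    up=$(unbound_port "$1")
    dp=$(dnsmasq_upstream_port "$2")
    [ -n "$dp" ] && [ "$up" = "$dp" ] || { echo "port mismatch: unbound=$up dnsmasq=${dp:-none}"; return 1; }
    grep -q '^no-resolv' "$2" || { echo "dnsmasq still reads /etc/resolv.conf upstreams"; return 2; }
    echo "ok: dnsmasq -> 127.0.0.1#$dp -> unbound"
}

check_forwarding "$UNBOUND_CONF" "$DNSMASQ_CONF"
```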
