[conspire] Internet Privacy: today's vote and measures to take

Rick Moen rick at linuxmafia.com
Fri Mar 31 23:23:38 PDT 2017


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> It should be noted that like other ISP's, Sonic prevents access to their
> nameservers from IP address ranges they do not control, including their
> own customers who get AT&T addresses.

(When you say 'their nameservers', you mean their recursive nameservers.
Restricting authoritative nameservers in this fashion would sabotage
their function.)

And there are two individually compelling reasons for this:  One is that
recursive DNS is simply not a service they are offering to the public at
large, and offering it to outsiders would just cost them bandwidth for
no gain to them.  The other is that the wider a circle of users a
recursive nameserver is exposed to, the greater the likelihood of it
suffering cache poisoning.  (That second reason is one of the main
causes of ISP recursive nameservers having bad security and a
specific reason why using your own instead is an advantage.)

> Also, Sonic has separate IPv6 and
> IPv4 nameservers, with the IPv4 ones not serving up AAAA records or
> other things for the IPv6 Internet, and the IPv6 ones are not served up
> by DHCP or 6RD nor are they accessible from IPv4 at all.

Are you sure you're talking about their recursive nameservers?

> As for the recommendation to run a local nameserver, it's exceedingly
> rare in 2017 to be connected to the Internet without a router of some
> kind or other at the last mile, and the vast majority of these internally
> run a nameserver of one sort or other.

I'm sorry, but 'a nameserver of one sort or other' is so excessively
broad a category as to be almost meaningless.  All you can say that is
true of all examples of 'a nameserver of one sort or other' is that they
all do caching (except for authoritative-only ones, which obviously don't).

Your point is a bit unclear, but if it is what I think it is, then
you're drawing a mostly non-sequitur conclusion.  But let's press on.

> There is no pressing need to rely on that, but the real-time logging
> potential you mentioned is mostly a thing of the past, because even
> ISP-issued routers were running dnsmasq more than a decade ago.

That is a mostly non-sequitur conclusion.

Dnsmasq is merely a small caching forwarder with no recursive abilities
of its own at all, only able to hand off iterative queries to the outside
IP address of a recursive nameserver elsewhere.  (It also optionally
serves local authoritative data for a group of NATted / IPmasqued
machines.)

The caching does serendipitously reduce some of the repeated real-time
query data otherwise loggable by your upstream connection, but that's
the only improvement it gives to your information security.  A local
_recursive_ nameserver would ensure a great deal less information
leakage.
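As an added illustration of the forwarder-versus-recursive distinction drawn in the reply above (example code written for this page, not from the thread, from dnsmasq or from any resolver project): a toy model in which every DNS server logs the source address and full query name of each query it handles. The same query stream is run once through a dnsmasq-style caching forwarder that hands every cache miss to an ISP recursive resolver, and once through a local recursive resolver that walks the delegation tree itself. All host names, IP addresses and zone data are constructed for the example.

```python
"""Toy model of which DNS servers get to log which queries when a home
network uses (a) a dnsmasq-style caching forwarder that hands every cache
miss to the ISP's recursive resolver, versus (b) a local recursive
resolver that walks the delegation tree itself.  All names, addresses and
zone data below are constructed for this example."""
from collections import defaultdict

HOME_IP = "198.51.100.200"   # the home router's public address (invented)
ISP_IP = "203.0.113.53"      # the ISP's recursive resolver (invented)

# Constructed delegation tree: root -> TLD server -> zone's authoritative server.
ROOT_DELEGATIONS = {"com.": "a.gtld-servers.example", "org.": "b0.org-servers.example"}
TLD_DELEGATIONS = {
    "a.gtld-servers.example": {"example.com.": "ns1.example.com."},
    "b0.org-servers.example": {"example.org.": "ns1.example.org."},
}
AUTH_RECORDS = {
    "ns1.example.com.": {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"},
    "ns1.example.org.": {"www.example.org.": "198.51.100.7"},
}


class World:
    """Every server logs (source IP, full query name) for each query it
    handles, which is exactly what a real operator could log in real time."""

    def __init__(self):
        self.logs = defaultdict(list)

    def query(self, server, source_ip, qname):
        self.logs[server].append((source_ip, qname))
        if server == "root":
            tld = qname.rsplit(".", 2)[-2] + "."          # "www.example.com." -> "com."
            if tld not in ROOT_DELEGATIONS:
                return ("nxdomain", None, None)
            return ("referral", tld, ROOT_DELEGATIONS[tld])
        if server in TLD_DELEGATIONS:
            for zone, ns in TLD_DELEGATIONS[server].items():
                if qname.endswith(zone):
                    return ("referral", zone, ns)
            return ("nxdomain", None, None)
        return ("answer", qname, AUTH_RECORDS[server].get(qname))


class RecursiveResolver:
    """Iterative resolver that starts at the root itself.  It caches both
    answers and NS referrals, so root/TLD servers hear from it only until
    the relevant delegation is cached."""

    def __init__(self, world, ip):
        self.world, self.ip = world, ip
        self.answers = {}       # qname -> address
        self.delegations = {}   # zone suffix -> server to ask for that zone

    def resolve(self, qname):
        if qname in self.answers:
            return self.answers[qname]
        server = "root"
        # Use the most specific cached delegation instead of the root.
        for zone in sorted(self.delegations, key=len, reverse=True):
            if qname.endswith(zone):
                server = self.delegations[zone]
                break
        while True:
            kind, name, data = self.world.query(server, self.ip, qname)
            if kind == "referral":
                self.delegations[name] = data
                server = data
            elif kind == "answer":
                self.answers[qname] = data
                return data
            else:
                return None


class Forwarder:
    """dnsmasq-style caching forwarder: no recursion of its own.  Every
    cache miss is handed, whole, to the upstream recursive resolver, which
    therefore logs the forwarder's public IP and the full query name."""

    def __init__(self, world, ip, upstream, upstream_name):
        self.world, self.ip, self.upstream, self.upstream_name = world, ip, upstream, upstream_name
        self.cache = {}

    def resolve(self, qname):
        if qname in self.cache:
            return self.cache[qname]          # only a cache hit is invisible upstream
        self.world.logs[self.upstream_name].append((self.ip, qname))
        addr = self.upstream.resolve(qname)
        self.cache[qname] = addr
        return addr


def simulate(mode, queries):
    """Run one query stream through a home setup; return {server: [(src, qname), ...]}."""
    world = World()
    if mode == "forwarder":
        isp = RecursiveResolver(world, ISP_IP)
        home = Forwarder(world, HOME_IP, isp, "isp-resolver")
    elif mode == "recursive":
        home = RecursiveResolver(world, HOME_IP)    # e.g. unbound/BIND on the LAN
    else:
        raise ValueError(mode)
    for q in queries:
        home.resolve(q)
    return dict(world.logs)


# Constructed query stream; the repeated name is a cache hit in both setups.
QUERIES = ["www.example.com.", "mail.example.com.", "www.example.com.", "www.example.org."]

if __name__ == "__main__":
    for mode in ("forwarder", "recursive"):
        print(f"== {mode} ==")
        for server, seen in simulate(mode, QUERIES).items():
            print(f"{server:24} {seen}")
```

In forwarder mode the ISP's resolver logs every cache miss as (home IP, full name) in real time, and the only thing the cache buys is that the repeated query never leaves the house. With the local recursive resolver no single upstream party sees the whole stream: the root and TLD servers see one query each per cached delegation, and the remaining queries go straight to the zone's own authoritative server. Two caveats the model leaves out: the home's own IP, rather than the ISP resolver's, is what the authoritative servers then log, and the root/TLD servers still receive the full query name unless the resolver implements QNAME minimisation, which this toy does not.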
