<div dir="ltr">What about running a DNS in the home router, and forwarding to an open DNS, like the ones listed at OpenNIC?<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Mar 31, 2017 at 11:25 PM Rick Moen <<a href="mailto:rick@linuxmafia.com">rick@linuxmafia.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Quoting Daniel Gimpelevich (<a href="mailto:daniel@gimpelevich.san-francisco.ca.us" class="gmail_msg" target="_blank">daniel@gimpelevich.san-francisco.ca.us</a>):<br class="gmail_msg">
<br class="gmail_msg">
> It should be noted that like other ISPs, Sonic prevents access to their<br class="gmail_msg">
> nameservers from IP address ranges they do not control, including their<br class="gmail_msg">
> own customers who get AT&T addresses.<br class="gmail_msg">
<br class="gmail_msg">
(When you say 'their nameservers', you mean their recursive nameservers.<br class="gmail_msg">
Restricting authoritative nameservers in this fashion would sabotage<br class="gmail_msg">
their function.)<br class="gmail_msg">
<br class="gmail_msg">
And there are two individually compelling reasons for this: One is that<br class="gmail_msg">
recursive DNS is simply not a service they are offering to the public at<br class="gmail_msg">
large, and offering it to outsiders would just cost them bandwidth for<br class="gmail_msg">
no gain to them. The other is that the wider a circle of users a<br class="gmail_msg">
recursive nameserver is exposed to, the greater the likelihood of it<br class="gmail_msg">
suffering cache poisoning. (That second reason is one of the main<br class="gmail_msg">
causes of ISP recursive nameservers having bad security and a<br class="gmail_msg">
specific reason why using your own instead is an advantage.)<br class="gmail_msg">
<br class="gmail_msg">
> Also, Sonic has separate IPv6 and<br class="gmail_msg">
> IPv4 nameservers, with the IPv4 ones not serving up AAAA records or<br class="gmail_msg">
> other things for the IPv6 Internet, and the IPv6 ones are not served up<br class="gmail_msg">
> by DHCP or 6RD nor are they accessible from IPv4 at all.<br class="gmail_msg">
<br class="gmail_msg">
Are you sure you're talking about their recursive nameservers?<br class="gmail_msg">
<br class="gmail_msg">
> As for the recommendation to run a local nameserver, it's exceedingly<br class="gmail_msg">
> rare in 2017 to be connected to the Internet without a router of some<br class="gmail_msg">
> kind or other at the last mile, and the vast majority of these internally<br class="gmail_msg">
> run a nameserver of one sort or other.<br class="gmail_msg">
<br class="gmail_msg">
I'm sorry, but 'a nameserver of one sort or other' is so excessively<br class="gmail_msg">
broad a category as to be almost meaningless. All you can say that is<br class="gmail_msg">
true of all examples of 'a nameserver of one sort or other' is that they<br class="gmail_msg">
all do caching (except for authoritative-only ones, which obviously don't).<br class="gmail_msg">
<br class="gmail_msg">
Your point is a bit unclear, but if it is what I think it is, then<br class="gmail_msg">
you're drawing a mostly non-sequitur conclusion. But let's press on.<br class="gmail_msg">
<br class="gmail_msg">
> There is no pressing need to rely on that, but the real-time logging<br class="gmail_msg">
> potential you mentioned is mostly a thing of the past, because even<br class="gmail_msg">
> ISP-issued routers were running dnsmasq more than a decade ago.<br class="gmail_msg">
<br class="gmail_msg">
That is a mostly non-sequitur conclusion.<br class="gmail_msg">
<br class="gmail_msg">
Dnsmasq is merely a small caching forwarder with no recursive abilities<br class="gmail_msg">
of its own at all, only able to hand off iterative queries to the outside<br class="gmail_msg">
IP address of a recursive nameserver elsewhere. (It also locally serves<br class="gmail_msg">
optional local authoritative service for a group of NATted / IPmasqued<br class="gmail_msg">
machines.)<br class="gmail_msg">
<br class="gmail_msg">
The caching does serendipitously reduce some of the repeated real-time<br class="gmail_msg">
query data otherwise loggable by your upstream connection, but that's<br class="gmail_msg">
the only improvement it gives to your information security. A local<br class="gmail_msg">
_recursive_ nameserver would ensure a great deal less information<br class="gmail_msg">
leakage.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
conspire mailing list<br class="gmail_msg">
<a href="mailto:conspire@linuxmafia.com" class="gmail_msg" target="_blank">conspire@linuxmafia.com</a><br class="gmail_msg">
<a href="http://linuxmafia.com/mailman/listinfo/conspire" rel="noreferrer" class="gmail_msg" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br class="gmail_msg">
</blockquote></div>
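<div dir="ltr">Added example, not from the thread or either poster: the two resolver roles being contrasted above, as configuration fragments. Part (a) is dnsmasq in the caching-forwarder role the quoted message attributes to ISP-issued routers; part (b) is unbound doing full recursion for the LAN while refusing queries from anywhere else, which is the exposure concern Rick raises. Interface names, addresses and file paths are assumptions, not values from the thread.</div>

```conf
# Added example (not from the thread). Two separate files are shown;
# interface names, addresses and paths below are assumptions.

# (a) /etc/dnsmasq.conf : dnsmasq as a caching *forwarder*.
#     Every cache miss is sent, with the full query name, to the upstream
#     recursive server named on the server= line, so that upstream still
#     sees (and can log) each first lookup of a name from this household.
interface=br-lan            # listen on the LAN bridge only (assumed name)
domain-needed               # never forward bare hostnames upstream
bogus-priv                  # never forward reverse lookups for RFC 1918 space
no-resolv                   # ignore /etc/resolv.conf; use server= below
server=203.0.113.53         # upstream recursive resolver (placeholder address)
cache-size=1000             # the caching that trims repeated queries

# (b) /etc/unbound/unbound.conf : unbound as a local *recursive* resolver.
#     It walks the tree from the root hints itself, so no single upstream
#     sees the complete query stream; access-control keeps it off the
#     public Internet, which is the cache-poisoning exposure discussed above.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1                      # LAN address (assumed)
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow        # only the home LAN may query
    access-control: 0.0.0.0/0 refuse            # everyone else is refused
    access-control: ::0/0 refuse
    root-hints: "/var/lib/unbound/root.hints"   # path is distribution-dependent
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC validation
    qname-minimisation: yes                     # send each server only the labels it needs
    harden-glue: yes                            # reject out-of-bailiwick glue
    harden-dnssec-stripped: yes                 # fail closed if signatures are stripped
    hide-identity: yes
    hide-version: yes
    cache-max-ttl: 86400
```

<div dir="ltr">`unbound-checkconf` validates the unbound file before a restart. The check worth doing afterwards is a lookup against the router's WAN address from a host outside the LAN: with the access-control lines above it should be refused, confirming the resolver is not open to the wider circle of users the quoted message warns about.</div>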