"Google, this is bogus as hell," Paul Vixie ranted on an Internet Engineering Task Force mailing list this week. The IETF mailing lists are where the people who create the internet's technologies converse.
The post was noticed because Paul Vixie is an Internet Hall of Fame engineer known for his pioneering work on the modern Domain Name Service (DNS).
And it is how Google was using DNS in its Chromecast Ultra streaming device that ticked him off.
[...] [Vixie] bought a Google Chromecast. But when he went to set it up, he found it doing something no device in his network is allowed to do: It wouldn't use his own, private DNS server. It would only use Google's public server.
(Score: 5, Interesting) by Anonymous Coward on Sunday February 17 2019, @09:37AM (5 children)
I do this at home.
My gateway is a linux router running iptables and what not with unbound as a resolver.
All you do is add 8.8.8.8 as an interface to the router and get unbound to respond on that address. I probably should add 8.8.4.4 as well.
Everything works fine.
I also hard block any device from using a DNS outside my network and turned on DNSSEC validation.
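The interception described in the comment above, written out as an added example (not the commenter's own configuration): every LAN query to port 53, including one a device hard-codes to 8.8.8.8, is rewritten to the router's own unbound, and anything that still tries to reach an outside resolver is rejected. The interface name `lan0` and the resolver address `192.168.1.1` are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) values:
# LAN interface "lan0", router LAN address 192.168.1.1, unbound listening
# on 192.168.1.1:53 with DNSSEC validation enabled.

# Emit the iptables rules for a given LAN interface and local resolver.
# The rules are generated rather than applied so they can be reviewed
# (or tested) on a machine without root.
dns_intercept_rules() {
    lan="$1"; resolver="$2"
    for proto in udp tcp; do
        # Rewrite any port-53 query to the local resolver: a client that
        # asked 8.8.8.8 still gets an answer, but from unbound, not Google.
        echo "iptables -t nat -A PREROUTING -i $lan -p $proto --dport 53 -j DNAT --to-destination $resolver:53"
        # Hard block: a query that was not rewritten must not leave the LAN.
        echo "iptables -A FORWARD -i $lan -p $proto --dport 53 -j REJECT"
    done
    # DNS over TLS (port 853) cannot be transparently rewritten, so reject it.
    # DNS over HTTPS shares port 443 and is NOT caught by this ruleset.
    echo "iptables -A FORWARD -i $lan -p tcp --dport 853 -j REJECT"
}

# Apply the rules when running as root; otherwise just print them.
apply_dns_intercept() {
    if [ "$(id -u)" -eq 0 ]; then
        dns_intercept_rules "$1" "$2" | sh -e
    else
        dns_intercept_rules "$1" "$2"
    fi
}
```

After applying, `dig @8.8.8.8 example.com` from a LAN host should be answered by the local resolver (check unbound's log), and `dig @8.8.8.8 +tcp` should behave the same.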
(Score: 0) by Anonymous Coward on Sunday February 17 2019, @12:02PM (2 children)
Just route all DNS queries to your own resolver. DNSSEC validation does nothing to protect you from MITM of DNS queries. It only protects signed domains from being spoofed.
But now browsers are turning on DNS over HTTPS, standardised as RFC 8484, which kind of fucks up the decentralized nature of DNS.
(Score: 2) by opinionated_science on Sunday February 17 2019, @03:20PM (1 child)
I'm curious - with bandwidth a "better" thing (I finally got 1000Mbps theoretical...), how easy would it be to have all the DNS updated like a package?
What is the delta/month/day/hour?
Just wondered if someone has run the numbers...?
(Score: 0) by Anonymous Coward on Sunday February 17 2019, @05:03PM
Even if the bandwidth is available, and the compressed text files aren't obscenely large, I'd point out that zone transfers to untrusted hosts have (hopefully) been totally disabled globally by now.
It was quite a common thing to go fishing through a domain's DNS files looking for 'interesting' looking names to go play with... I know that's how a miscreant found one of our Sun servers back in the early '90s (we had no control over the network, there were no firewalls... as TPTB wouldn't implement one, I cobbled together the hardware at my own expense to get a copy of Texas A&M's Drawbridge up and running to protect my machines).
Seems like only yesterday when you could dump the dns records for .mil sites, the whole of the .uk, etc. etc. (fsck me, where have the years gone?)
(Score: 2) by zocalo on Sunday February 17 2019, @02:44PM (1 child)
Maybe the Chromecast isn't fully validating everything, or maybe that since 8.8.8.8 and 8.8.4.4 are just resolvers (Google.com's four authoritative DNS servers are on the IPs 216.239.3[2468].10) they've failed to properly and fully validate the chain of trust and/or Vixie worked around that too (local copy of anchor keys?).
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Sunday February 17 2019, @03:02PM
And who says that DNS traffic is actually getting to 8.8.8.8, why not DNS-over-https? SourceFire is pushing that... weaponize http coding to bypass us, that hate tracking.