SoylentNews is people

posted by martyb on Sunday October 28 2018, @03:31PM
from the do-you-know-where-you're-going-to? dept.

Paul Vixie has written a two-page article about the benefits of running DNS locally. He gives a brief summary of DNS's history, a description of the current situation, enumerates four areas of loss resulting from outsourcing DNS resolution, and points the direction out of the trap of outsourcing.

Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect their applications, services, and users from potential risks. These risks — including surveillance capitalism, unmanageable external dependencies, attacks carried via DNS, and attacks that could be detected via DNS — have a much higher potential cost than the mitigation strategy outlined here. Additionally, the DNS resolution service is so central to every other IT-related activity that any and all IT administrators who take the time to investigate and master this technology will amplify their effectiveness and the value they bring to their enterprise.

Do the all-too-common Microsoft shops these days even have DNS? Decommoditizing protocols has been one of their tactics for decades against FOSS and everyone else in general.



Related Stories

Paul Vixie Complains about Chromecast's Use of Google DNS

'Google, this is bogus as hell' — one of the fathers of the internet blasts Google for how Chromecast behaves on his home network

"Google, this is bogus as hell," Paul Vixie ranted on the Internet Engineering Task Force mail list this week. The IETF mail list is where the people who create the internet's technologies converse.

The post was noticed because Paul Vixie is an Internet Hall of Fame engineer known for his pioneering work on the modern Domain Name Service (DNS).

And it is how Google was using DNS in its Chromecast Ultra streaming device that ticked him off.

[...] [Vixie] bought a Google Chromecast. But when he went to set it up, he found it doing something no device in his network is allowed to do: It wouldn't use his own, private DNS server. It would only use Google's public server.

Related: Paul Vixie: New TLDs a Money Grab, and a Mistake
VLC 3.0.0 Released, With Better Hardware Decoding and Support for HDR, 360-Degree Video, Chromecast
Paul Vixie on the Benefits of Running DNS Services Locally



  • (Score: 3, Interesting) by Anonymous Coward on Sunday October 28 2018, @03:51PM (#754684)

    AD is DNS, but that is just a small part of what it does. It is also user authorizations, access lists (groups), site isolation (domains), to name a few. But being all things, it also has issues with speed to resynchronize between servers. If time fails (NTP and "local" clock - happens with VMs) then system security fails, to the point that it is easier to build a new AD box than try to fix the "broken" one.

    Personally, at home, I have been running a local DNS for over 25 years now. Helps black-hole sites and keep the network secure. My kids comment that when they leave the house, their phones slow down because of all the ads they now get.

    • (Score: 4, Interesting) by zocalo (302) on Sunday October 28 2018, @04:04PM (#754689)

      That was my first thought too - you can't run AD without DNS since it stores so much information in DNS, but you *can* run AD/DNS without allowing it to become a fully recursive DNS server with access to the Internet. Frankly, given the vast amount of information contained within an AD DNS server and the potential for leakage if you mess up the configuration at any number of points, I'd be extremely reluctant to do that kind of deployment, so maybe that is what is meant?

      In any event, my default AD/DNS configuration is to use some *NIX DNS servers (or DNS appliances) in a DMZ to handle all Internet DNS resolution, then let your AD servers forward any requests for domains they are not authoritative for to those for resolution. That way, you are free to explicitly deny any inbound traffic from the Internet to the AD/DNS without fear of breaking anything, reducing your attack surface significantly.
      --
      UNIX? They're not even circumcised! Savages!
      • (Score: 1, Interesting) by Anonymous Coward on Sunday October 28 2018, @05:02PM (#754710)

        I do the same for DNS... I use one in the DMZ that is based on all the external IP addresses for my domain. The internal one uses all the internal IPs for my domain. In this manner every piece of equipment can have 2 IPs in the DNS. Makes routing easier, also helps with firewall rules allowing for the two worlds to remain apart.

        Most likely helpful to development of new sites that I want to show to a customer. I can build all the interconnections between pages with full "addresses" and it just works inside and outside of my network. Does cause double entry though, but a few key scripts ... no problems.
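zocalo's DMZ-forwarder design above (AD/DNS inside, *NIX recursive resolvers in the DMZ, AD forwarding everything it is not authoritative for) is mostly a question of getting two small pieces of configuration right. The script below is an added example written for this page, not zocalo's own configuration; it generates the BIND named.conf options for the DMZ resolver so that only the internal resolvers can query it, plus the matching "forward only" stanza for an internal resolver if that one happens to be BIND rather than Windows DNS (on AD/DNS the equivalent is to set the server's forwarders to the DMZ addresses). Every address in it is constructed from the RFC 5737 documentation ranges, and the ACL name internal_resolvers is an assumption.

```shell
#!/bin/sh
# Added example: named.conf generator for the recursive resolver that sits in
# the DMZ. It answers only the internal AD/DNS servers that forward to it and
# nothing from the Internet, which is what lets you deny all inbound 53/udp+tcp
# to the AD boxes. All addresses are constructed (RFC 5737 ranges).

# emit_dmz_resolver_conf <dmz listen address> <internal resolver ip>...
emit_dmz_resolver_conf() {
    listen=$1; shift
    acl=""
    for ip in "$@"; do acl="$acl $ip;"; done
    cat <<EOF
// Only the internal AD/DNS servers may use this resolver.
acl internal_resolvers {$acl };

options {
    listen-on    { $listen; };
    listen-on-v6 { none; };
    recursion yes;
    // Restricting these three to the ACL is the whole point: opening them to
    // everyone turns the box into an open resolver usable from the Internet
    // for reflection/amplification and for probing what your users look up.
    allow-query       { internal_resolvers; };
    allow-recursion   { internal_resolvers; };
    allow-query-cache { internal_resolvers; };
    allow-transfer    { none; };
    version "none";
    dnssec-validation auto;
};
EOF
}

# Matching stanza for an internal resolver that runs BIND rather than Windows
# DNS: hand everything it is not authoritative for to the DMZ resolvers and
# never recurse to the Internet itself ("forward only").
# emit_internal_forward_options <dmz resolver ip>...
emit_internal_forward_options() {
    fwd=""
    for ip in "$@"; do fwd="$fwd $ip;"; done
    cat <<EOF
options {
    recursion yes;
    forward only;
    forwarders {$fwd };
};
EOF
}

# Stand-alone use: sh dmz-resolver.sh 192.0.2.53 198.51.100.10 198.51.100.11 > named.conf.options
if [ "$#" -ge 2 ]; then
    emit_dmz_resolver_conf "$@"
else
    # Demo with constructed addresses: DMZ resolver on 192.0.2.53,
    # two internal AD/DNS servers on 198.51.100.10 and .11.
    emit_dmz_resolver_conf 192.0.2.53 198.51.100.10 198.51.100.11
    echo
    emit_internal_forward_options 192.0.2.53
fi
```

Run the output through named-checkconf before loading it, and then test from a host that is not in the ACL: a query against the DMZ resolver for a name it is not authoritative for should come back REFUSED, not answered.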

  • (Score: -1, Flamebait) by Anonymous Coward on Sunday October 28 2018, @04:15PM (#754695)

    Paul's the kind of guy who will suck up to his friends to get free SCUBA lessons and then disappear to go diving with his rich buddies, from DECWRL, and abandon the very people who taught him SCUBA diving.

    Paul's good at brown-nosing and impressing older people, but now that he's old, it doesn't work so well.

    • (Score: 0) by Anonymous Coward on Monday October 29 2018, @12:38AM (#754849)

      You have some history together?

  • (Score: 2) by bzipitidoo (4388) on Sunday October 28 2018, @05:36PM (#754717)

    I haven't tried running my own DNS server. Maybe I should. The most I've done is download a long list of spam sites into an /etc/hosts file. That does work, but I've never been entirely satisfied with the method. Like, you can't use wildcards to block similar names with one line; you have to list them all on their own lines. I fear that it doesn't scale well, and as it grows to 100,000-plus lines, it itself becomes a slow point.

    • (Score: 5, Interesting) by zocalo (302) on Sunday October 28 2018, @06:05PM (#754727)

      Despite APK's claims, this is where DNS makes life much easier than a hosts file. I have a single zone file that basically acts as a /dev/null for any hosts, etc. in that domain, or sub-domains, which makes it very easy to sinkhole multiple zones very efficiently. All you need do is add as many zone entries to your main config file as you like, pretending your local DNS is authoritative for the domain, and pointing them at the file, which just contains the following records:

      $TTL 86400
      @ IN SOA <FQDN of your DNS server>. hostmaster.<your domain>. ( 1 3600 900 604800 86400 )
      @ IN NS <FQDN of your DNS server>.
      @ IN A 127.0.0.1
      * IN A 127.0.0.1
      * IN MX 10 localhost.


      The daemon config file then just contains multiple entries like this, as many as you feel are required:

      zone "bad_domain_1.com" in { type master; file "devnull.zone"; };
      zone "bad_domain_2.net" in { type master; file "devnull.zone"; };


      If you wanted to, you could add in specific records to whitelist safe hosts (e.g. www) to their actual IPs, but that's a management headache and I tend to only use this approach on domains I want nothing to do with. Finally, if you run your own mailserver, then once you've got that up and running it's also worth looking into deploying your own DNSBL as well - makes it very easy to boost the spam weightings, or even block outright, any domains/ISPs that you don't expect/want email from.
      --
      UNIX? They're not even circumcised! Savages!
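zocalo's sinkhole zone and bzipitidoo's worry about a hosts file growing past 100,000 lines meet in the same place: the zone file stays three or four records long no matter how many domains you block, and the only thing that grows is the list of zone stanzas in named.conf, which is mechanical to generate. The script below is an added example written for this page, not zocalo's or bzipitidoo's code and not from any project: it turns a plain one-domain-per-line blocklist into the named.conf stanzas and the sinkhole zone file, and it drops every entry whose parent domain is also listed, because the wildcard in the zone already covers it. It assumes BIND (the same named.conf syntax as the comment above), a zone file called devnull.zone, and a resolver FQDN passed as an argument; the blocklist embedded in it is constructed for the demo. The zone it writes carries an SOA because BIND will not load a primary zone without one, and uses a null MX (RFC 7505, "0 .") so mail to a sinkholed domain fails immediately instead of being retried against loopback.

```shell
#!/bin/sh
# Added example: build a BIND sinkhole from a plain-text blocklist.
# Not zocalo's or bzipitidoo's code; "devnull.zone" and the resolver name
# are assumptions, and SAMPLE_LIST below is constructed for the demo.

# Normalise and collapse the list: lowercase, strip comments, whitespace and
# trailing dots, keep only plausible names, de-duplicate, and drop any name
# whose parent domain is also listed (the zone's wildcard covers it anyway).
collapse_domains() {
    tr 'A-Z' 'a-z' \
    | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$' \
    | awk '
        { seen[$0] = 1; order[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                d = order[i]; p = d; drop = 0
                # walk up the ancestors: ads.example.com -> example.com -> com
                while (index(p, ".") > 0) {
                    sub(/^[^.]+\./, "", p)
                    if (p in seen) { drop = 1; break }
                }
                if (!drop && !(d in done)) { done[d] = 1; print d }
            }
        }' \
    | LC_ALL=C sort
}

# One named.conf stanza per surviving domain, all pointing at the same zone file.
# emit_zone_stanzas <zone file name>   (blocklist on stdin)
emit_zone_stanzas() {
    zonefile=$1
    collapse_domains | while IFS= read -r d; do
        printf 'zone "%s" IN { type master; file "%s"; };\n' "$d" "$zonefile"
    done
}

# The sinkhole zone itself.  Every name, including the apex, resolves to
# loopback, and the null MX tells senders there is no mail service at all.
# emit_devnull_zone <FQDN of your resolver, with trailing dot>
emit_devnull_zone() {
    ns=$1
    cat <<EOF
\$TTL 86400
@   IN SOA ${ns} hostmaster.${ns} ( 1 3600 900 604800 86400 )
@   IN NS  ${ns}
@   IN A   127.0.0.1
*   IN A   127.0.0.1
*   IN MX  0 .
EOF
}

# Constructed demo blocklist (not a real list): mixed case, a trailing dot,
# a comment, a duplicate, a subdomain of a listed domain, and junk.
SAMPLE_LIST='# constructed demo list
bad_domain_1.com
ads.bad_domain_1.com
Tracker.Example.NET.
bad_domain_2.net
bad_domain_2.net   # duplicate
not a domain'

# Stand-alone use: sh make_sinkhole.sh blocklist.txt ns.example.invalid. > sinkhole.conf
# (also writes devnull.zone in the current directory)
if [ "$#" -eq 2 ]; then
    emit_devnull_zone "$2" > devnull.zone
    emit_zone_stanzas devnull.zone < "$1"
else
    printf '%s\n' "$SAMPLE_LIST" | emit_zone_stanzas devnull.zone
fi
```

Include the generated file from named.conf, check it with named-checkconf and named-checkzone bad_domain_1.com devnull.zone, then rndc reload. One caveat a practitioner will want: answering 127.0.0.1 sends each blocked client to its own loopback, so anything listening there on the client will receive the connection; answering 0.0.0.0 instead is a common choice when that is not wanted.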
    • (Score: 0) by Anonymous Coward on Sunday October 28 2018, @08:45PM (#754770)

      Use the Squid proxy between you and the Internet. Add something like
      this in squid.conf :

      acl blockedsites url_regex "/usr/local/squid/etc/blockedsites.txt"
      http_access deny blockedsites

      This supports regex site listing.

  • (Score: 2, Interesting) by Anonymous Coward on Sunday October 28 2018, @09:08PM (#754780)

    Been thinking about running a recursive DNS in a VM for security and privacy.

    An additional idea for privacy, run Tor on a VM and configure it to serve up port 53. This allows DNS requests to traverse the Tor network, hiding where requests originate.

    • (Score: 0) by Anonymous Coward on Monday October 29 2018, @01:42PM (#755078)

      Maybe ports below 1024 need root to run the program to be able to open them.
      Thus run Tor as non-root and use port 5300, and add an iptables rule that redirects incoming 53 UDP requests to port 5300?

      • (Score: 0) by Anonymous Coward on Monday October 29 2018, @03:59PM (#755155)

        The Tor server runs as "nobody" and still services port 53 on "localhost". The only downside to activating DNS within the torrc configuration file is that it only listens for UDP traffic.


  • (Score: 1, Informative) by Anonymous Coward on Monday October 29 2018, @12:46PM (#755051)

    Pi-hole - it's a DNS server you run on your Raspberry Pi that automatically filters out adverts across your whole network (assuming you set up DHCP right to use it as your DNS server).

    You could probably also do other cool stuff with it.

  • (Score: 0) by Anonymous Coward on Monday October 29 2018, @02:02PM (#755090)

    I started doing my own DNS on an LRP box, which is now http://leaf.sourceforge.net/. At the time, I was running it on a 486 and it beat the pants off (performance-wise) any of the big MS servers. Stick this in your /etc/named.conf and you'll never look back...

    zone "doubleclick.net" IN { type master; file "poison/hosts.zone"; };

    • (Score: 0) by Anonymous Coward on Tuesday October 30 2018, @11:39AM (#755581)

      Current URL seems to be leaf.zetam.org.
