[dns-operations] DNS deluge for x.p.ctrc.cc

Peter Dambier peter at peter-dambier.de
Fri Mar 3 21:40:06 UTC 2006

> # Other than that there is a trust issue. No matter where I go or at what
> # point I get on the internet my computer always uses my dns servers because I
> # control them. He who controls the dns server you use controls you, so you
> # better trust them.

> isn't this why we developed TSIG?  did you know that your laptop (even if
> it runs windows) can run BIND9 as a forwarder, and that the forwarded queries
> can be protected with TSIG on their way back to your home recursive caching
> name server?  you can learn more about this at:
> 	http://www.ietf.org/rfc/rfc2845.txt
> 	http://www.isc.org/sw/bind/
> note that this isn't for everybody.  only someone smart enough to know they'd
> prefer to talk to their own nameserver, and someone smart enough to know how
> to keep DHCP from overriding their choice of nameserver, could (or would) do
> this.

I am glad this is not the Bind forum. Excuse me naming another nameserver,
djbdns. It is a pain installing and patching ...

Nevertheless you gain a completely different nameserver that does not
believe anything that does not come from an authoritative nameserver. So
you have to run dnscache as resolver. But do you believe in the root-servers?
Do you have information nobody else has?

With Bind 9 it is easy. Build a zonefile and load it. Done.

With dnscache you really have to build your own root-server before you can
introduce a zone of your own. So you need tinydns too, the authoritative
only server. Can be done. You have to run BSD, Linux, Solaris on your
notebook. Mac OS X? If you are into Sado Maso - why not?

Let us get rid of public resolvers!

As a company you can run your own nameservers within your premises.
Nobody from outside will see them.

If you belong to the magicians, you can run your own resolver even on
your laptop.

If you are one of the losers who believe in computers for illiterates
you are a loser anyhow. Buy a router with built-in DNS resolver.

Who needs public resolvers?

I learned the hard way. The DHCPed resolvers you get from your ISP
are not worth a penny:

; <<>> DiG 9.1.3 <<>> @www-proxy.F2.srv.t-online.de peter-dambier.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5815
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;peter-dambier.de.              IN      A

peter-dambier.de.       6000    IN      A

;; Query time: 2079 msec
;; WHEN: Fri Mar  3 22:04:13 2006
;; MSG SIZE  rcvd: 50

; <<>> DiG 9.1.3 <<>> @ns1.tiscali.nl peter-dambier.de
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5341
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;peter-dambier.de.              IN      A

peter-dambier.de.       10800   IN      A

peter-dambier.de.       86398   IN      NS      ns16.schlund.de.
peter-dambier.de.       86398   IN      NS      ns15.schlund.de.

ns15.schlund.de.        43746   IN      A
ns16.schlund.de.        43746   IN      A

;; Query time: 2095 msec
;; WHEN: Fri Mar  3 22:04:58 2006
;; MSG SIZE  rcvd: 128

My old IBM 486-SLC/2 with 66 MHz and 16 MB of RAM can do it faster.

I don't know if that is a Europe-only problem. Some days (every
2 months?) I read in the problem reports of German ISPs that
DSL does not work because of DNS issues. I never have.

Companies who have not outsourced their brains do run their own
nameservers, mostly Bind 9.

Companies who have outsourced their brains do believe in computers
for illiterates and hire monkeys to do what nonsense they want to be
done. Those are the spam pilots. Switch off all public resolvers
and you have got them all. The infested bots will no longer find
their base to download their spam from.

Problem solved?  :) :) :)

Might even get us employment - at least temporarily.

Peter and Karin Dambier
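As an added example (not part of the original post, and not code from BIND or djbdns): the dig runs above compare two ISP resolvers by query time, status, flags and section counts. The script below does the same measurement without dig, building the same recursive A query, timing the UDP round trip, and decoding the header and records into the fields dig prints, so the resolver DHCP handed you can be checked against one you run yourself. The hostname `example.test`, the nameserver names and the 192.0.2.x addresses in the sample response are constructed placeholders; `timed_query()` is the only part that touches the network and is not called when the script runs stand-alone.

```python
"""Time a recursive A query and decode the answer the way dig displays it.

Added example for the thread above; not the list's, BIND's or djbdns's code.
All names and addresses in sample_response() are constructed placeholders.
"""
import socket
import struct
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))
TYPE_NAMES = {1: "A", 2: "NS"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard A/IN query with RD set, i.e. what `dig @resolver name` sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            if not jumped:
                end = offset + 2  # pointer ends the name in the original stream
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Decode the header and every record into the fields dig prints."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "id": qid,
        "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
        "records": [],
    }
    offset = 12
    for _ in range(qd):  # skip the echoed question (name + QTYPE + QCLASS)
        _, offset = read_name(msg, offset)
        offset += 4
    sections = ("ANSWER",) * an + ("AUTHORITY",) * ns + ("ADDITIONAL",) * ar
    for section in sections:
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == 2:
            value, _ = read_name(msg, offset)  # NS rdata may use compression too
        else:
            value = msg[offset:offset + rdlen].hex()
        out["records"].append((section, name, ttl, TYPE_NAMES.get(rtype, str(rtype)), value))
        offset += rdlen
    return out


def timed_query(resolver: str, name: str, timeout: float = 5.0) -> tuple[dict, float]:
    """Send the query over UDP/53 and return (decoded response, round trip in ms)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.monotonic() - start) * 1000
    if data[:2] != query[:2]:  # reject a reply that does not carry our ID
        raise ValueError("response ID does not match the query ID")
    return parse_response(data), elapsed_ms


def sample_response() -> bytes:
    """Constructed reply shaped like the second dig output above (placeholder data)."""
    qname_at, ns1_at, ns2_at = 12, 58, 76  # offsets used by the compression pointers
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 2, 2)  # qr rd ra, NOERROR
    msg += b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    msg += struct.pack("!HHHIH", 0xC000 | qname_at, 1, 1, 10800, 4) + bytes([192, 0, 2, 10])
    msg += struct.pack("!HHHIH", 0xC000 | qname_at, 2, 1, 86398, 6) + b"\x03ns1" + struct.pack("!H", 0xC000 | qname_at)
    msg += struct.pack("!HHHIH", 0xC000 | qname_at, 2, 1, 86398, 6) + b"\x03ns2" + struct.pack("!H", 0xC000 | qname_at)
    msg += struct.pack("!HHHIH", 0xC000 | ns1_at, 1, 1, 43746, 4) + bytes([192, 0, 2, 53])
    msg += struct.pack("!HHHIH", 0xC000 | ns2_at, 1, 1, 43746, 4) + bytes([192, 0, 2, 54])
    return msg


if __name__ == "__main__":
    decoded = parse_response(sample_response())  # offline; use timed_query("<resolver ip>", "<name>") live
    print("status:", decoded["status"], "flags:", " ".join(decoded["flags"]), decoded["counts"])
    for rec in decoded["records"]:
        print("%-10s %-20s %6d IN %-3s %s" % rec)
```

Run it against the resolver DHCP gave you and against your own: a reply that arrives in two seconds, or whose ID or question does not match what was sent, is the kind of thing the post's dig runs show and a local resolver makes visible.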

