[dns-operations] practical alternatives?

Glenn Wiltse iggy at merit.edu
Mon Mar 6 15:27:19 UTC 2006


   Forgive my ignorance about what is actually possible
or practical to do at this time... But if we were to assume
that there is a real need for people to use remote name servers
to do recursive lookups for them, then we also assume it's not
practical to have people run name servers on their local machines
that in turn would use TSIG (because it takes significant amounts
of user configuration that your typical internet user isn't ready
for)...

   Is there a way to configure a name server to only allow recursive
queries to be initiated by using only TCP? And/or would this help
with the issue of DDoS?

   Or, would it be possible to allow recursive queries to be done only
after some minimal amount of acknowledgment from the requester?

   I can see the value in the continued ability to use remote name
servers that are 'trusted' rather than merely trusting those that
are given to us by DHCP. It would be nice if there were some option
for this short of running your own name server and/or TSIG.

   Maybe if someone had a painless way to configure a localhost name
server that was able to do TSIG with some other name server this
would be acceptable, but at this point running BIND doesn't seem
like a practical option.

Glenn Wiltse

On Fri, 3 Mar 2006, Paul Vixie wrote:

> # Other than that there is a trust issue. No matter where I go or at what
> # point I get on the internet my computer always uses my dns servers because I
> # control them. He who controls the dns server you use controls you, so you
> # better trust them.
>
> isn't this why we developed TSIG?  did you know that your laptop (even if
> it runs windows) can run BIND9 as a forwarder, and that the forwarded queries
> can be protected with TSIG on their way back to your home recursive caching
> name server?  you can learn more about this at:
>
> 	http://www.ietf.org/rfc/rfc2845.txt
> 	http://www.isc.org/sw/bind/
>
> note that this isn't for everybody.  only someone smart enough to know they'd
> prefer to talk to their own nameserver, and someone smart enough to know how
> to keep DHCP from overriding their choice of nameserver, could (or would) do
> this.
>
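The arrangement Vixie describes (a BIND9 forwarder on the laptop signing its queries with TSIG toward a home recursive server, and that server granting recursion only to holders of the key) as an added configuration example; this is not part of either message on this page and not ISC's own sample configuration. The key name "home-key", the home server address 192.0.2.53 (documentation range), the secret value and the file paths are all placeholders I chose for illustration. The server-side `allow-recursion { key home-key; ... }` ACL is what turns the key into the "minimal acknowledgment from the requester" asked about above: unsigned queries from arbitrary sources get no recursion, only signed ones (and the home LAN) do.

```conf
// ===== laptop: named.conf (forward-only resolver bound to loopback) =====
// Assumes a current BIND 9. Point /etc/resolv.conf at 127.0.0.1 and make
// sure the DHCP client does not overwrite it, as the quoted message notes.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };          // only local applications can reach it
    allow-query { localhost; };
    recursion yes;                     // local apps send ordinary recursive queries
    forward only;                      // never iterate; always hand off to home
    forwarders { 192.0.2.53; };        // placeholder address of the home resolver
};

// Shared secret. Example value only; generate a real one with: tsig-keygen home-key
key "home-key" {
    algorithm hmac-sha256;
    secret "u5nYd0+cKxE3rTz8Vq1oLw==";
};

// Every query sent to the home resolver is TSIG-signed with home-key.
server 192.0.2.53 {
    keys { "home-key"; };
};

// ===== home recursive server: named.conf (the trusted resolver) =====
key "home-key" {
    algorithm hmac-sha256;
    secret "u5nYd0+cKxE3rTz8Vq1oLw==";   // must match the laptop's copy
};

options {
    directory "/var/named";
    recursion yes;
    // Recursion (and cache reads) only for queries that carry a valid
    // home-key signature, or that come from the home LAN itself.
    // Anything else is answered as a non-recursive server would answer.
    allow-recursion   { key home-key; localnets; };
    allow-query-cache { key home-key; localnets; };
};
```

Two caveats a practitioner would want. TSIG authenticates and integrity-protects each query and response with the shared key; it does not encrypt them, so an on-path observer still sees what is being looked up. And the key only lets the home server tell signed queries from unsigned ones; it does nothing to force traffic onto TCP, so it does not by itself answer the TCP-only question raised above.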


