[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?

Stefan Schmidt stefan.schmidt at freenet.ag
Sun Jul 19 21:10:35 UTC 2009

On Sun, Jul 19, 2009 at 08:22:57PM +0200, Peter Dambier wrote:
> Stephane Bortzmeyer wrote:
> > 
> > Because, if any SOHO (and, why not, residential users) suddenly
> > starts to have its own complete resolver, the load on root name
> > servers (and TLD name servers) will increase (see Bill Manning's
> > article for actual measurements).
> > 
> I have seen configurations for djbdns at least that do not need
> the root-servers at all. Just ftp the file once per week and
> prepare it so your dnscache directly queries the tld-servers.

While djbdns surely has its fans, it is not seeing significant deployment
in the SOHO or residential markets. What is common here are cable or DSL
routers with very tight RAM restrictions, at least for the current/last
versions, hence they are commonly found forwarding DNS queries to the
ISP's recursing nameservers.

Seeding recursive nameservers with a copy of the root zone helps with queries
against the root nameservers but at the same time totally defeats the point.
The roots provide a central yet scalable and, yes, flexible point to
gather TLD delegation data from; replacing that with a non-DNS way only
obfuscates the protocol and, well, just think about the scalability issues
you'd run into with the central ftp server you're proposing.

> The tld-servers and the other authoritative servers might see
> more traffic.

They _will_ see that anyway.

> On the other hand the problem we face is every european nation
> does introduce censoring right now with the ISP's resolvers.
> So more and more people say goodbye to foreign resolvers and
> resolve on their own.

I don't think this will happen, for two reasons:
Firstly, most people do not know what a nameserver is.
Secondly, most people do not have the slightest clue on how to run a proper
recursive nameservice, so they would run into all kinds of problems and
thus in the long run give it up again and rely on the services of others
who have at least some expertise in this.

> I suspect that very cache poisoning did result from badly configured
> censoring nameservers in the first place. They said it resulted
> from their own misconfiguration, partly at least.

I would think that highly unlikely, as none of the ways for adding
false data to a recursive nameserver's answers I know of actually messes
with the cache.

There is hopeful symbolism in the fact that flags don't wave in a vacuum.
- Arthur C. Clarke
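Added example, not part of the thread and not djbdns code: the "ftp the root zone once a week and point dnscache at the TLD servers" setup that Peter describes, and that Stefan argues against, amounts to building dnscache's root/servers/ directory from the zone's NS and A records (dnscache reads root/servers/@ for the root addresses and, for any root/servers/<name> file, sends queries under <name> straight to the addresses listed there). The zone text below is constructed sample data with documentation-range addresses, not a real root zone; the parser assumes the one-record-per-line "owner TTL class type rdata" layout the root zone is published in, and the serial check is my addition so that an unchanged weekly fetch does not rewrite the files.

```python
#!/usr/bin/env python3
"""Build a djbdns dnscache root/servers/ layout from a root-zone copy.

Example code for the discussion above, not djbdns' own tooling.  The zone
below is constructed sample data (documentation-range addresses).
"""
import os

SAMPLE_ROOT_ZONE = """\
; constructed sample, not the real root zone
.\t86400\tIN\tSOA\ta.root-servers.net. hostmaster.example. 2009071901 1800 900 604800 86400
.\t518400\tIN\tNS\ta.root-servers.net.
.\t518400\tIN\tNS\tb.root-servers.net.
a.root-servers.net.\t518400\tIN\tA\t192.0.2.1
b.root-servers.net.\t518400\tIN\tA\t192.0.2.2
b.root-servers.net.\t518400\tIN\tAAAA\t2001:db8::2
com.\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t172800\tIN\tNS\tb.gtld-servers.net.
a.gtld-servers.net.\t172800\tIN\tA\t198.51.100.1
b.gtld-servers.net.\t172800\tIN\tA\t198.51.100.2
org.\t172800\tIN\tNS\tns.example.net.
; no glue for ns.example.net. in this sample: org must stay on the root path
"""


def parse_root_zone(text):
    """Return (soa_serial, ns_by_owner, a_by_host) from zone text in the
    one-record-per-line "owner TTL class type rdata" form (assumption)."""
    serial = None
    ns_by_owner = {}
    a_by_host = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "SOA":
            serial = int(rdata[2])             # mname rname serial ...
        elif rtype == "NS":
            ns_by_owner.setdefault(owner, []).append(rdata[0].lower())
        elif rtype == "A":
            # the original dnscache speaks IPv4 only, so AAAA glue is ignored
            a_by_host.setdefault(owner, []).append(rdata[0])
    return serial, ns_by_owner, a_by_host


def servers_by_tld(ns_by_owner, a_by_host):
    """Map each delegation to the IPv4 glue dnscache should query directly.
    Owner "." becomes "@" (the root file).  A TLD whose nameservers have no
    usable glue is left out, so dnscache still reaches it via the roots
    instead of getting an empty server list."""
    result = {}
    for owner, hosts in ns_by_owner.items():
        addrs = [ip for h in hosts for ip in a_by_host.get(h, [])]
        if addrs:
            result["@" if owner == "." else owner.rstrip(".")] = addrs
    return result


def write_servers_dir(mapping, base_dir, serial, serial_file=".serial"):
    """Write root/servers/<name> files, one address per line.  Skip the
    rewrite when the recorded SOA serial is not older than this zone's.
    Returns True when files were written, False when left unchanged."""
    os.makedirs(base_dir, exist_ok=True)
    serial_path = os.path.join(base_dir, serial_file)
    try:
        with open(serial_path) as f:
            if int(f.read().strip()) >= serial:
                return False
    except (OSError, ValueError):
        pass                                   # first run or unreadable marker
    for name, addrs in mapping.items():
        with open(os.path.join(base_dir, name), "w") as f:
            f.write("\n".join(addrs) + "\n")
    with open(serial_path, "w") as f:
        f.write(f"{serial}\n")
    return True


if __name__ == "__main__":
    import sys
    # usage: root_servers.py [root.zone] [path/to/dnscache/root/servers]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROOT_ZONE
    serial, ns, glue = parse_root_zone(text)
    mapping = servers_by_tld(ns, glue)
    for name, addrs in sorted(mapping.items()):
        print(f"{name}: {' '.join(addrs)}")
    if len(sys.argv) > 2:
        changed = write_servers_dir(mapping, sys.argv[2], serial)
        print("written" if changed else "unchanged (serial not newer)")
```

Note what this does not buy you: between fetches the delegation data is only as fresh as the last copy (a TLD that renumbers its servers is unreachable until the next run), the fetch itself is an unauthenticated file transfer unless you verify it out of band, and every resolver doing this hits the same ftp server, which is the scalability point Stefan raises.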
