[dns-operations] A DNS and network security forced marriage
Joe St Sauver
joe at oregon.uoregon.edu
Fri Mar 12 20:45:25 UTC 2010
Andrew mentioned:
#If it were true that ISPs easily accommodate users who want to opt
#out, then I'd be delighted.
The key to customer opt-out being possible is avoiding wholesale ISP
hijacking/blocking of all customer port 53 traffic to any name servers
other than their own. (Or, at a minimum, the ISP at least needs to
whitelist major legitimate third party recursive resolvers such as
those from Google, those from OpenDNS, etc.)
#But in fact what happens is that you have to do extra work on the client
#side every time you reconnect to the network, because the DHCP servers
#handed out with your IP address are the ISP's DNS-mangling ones.
Most popular operating systems give persistent precedence to user-declared
DNS preferences. See for example
http://code.google.com/speed/public-dns/docs/using.html
Regards,
Joe
----
Joe St Sauver (joe at oregon.uoregon.edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own
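Added example (not part of Joe's post or the dns-operations archive): a small check for the situation the post describes, where an ISP transparently intercepts port 53 traffic aimed at a third-party recursive resolver. It builds a CHAOS-class TXT query for `id.server` (the server-identification convention from RFC 4892), parses the reply with a minimal wire-format decoder, and reports mismatches between the resolver you addressed and the one that actually answered. The reply bytes, the resolver address 192.0.2.53 and the identity string `ns1.example.net` are all constructed here so the example runs offline; `send_query()` performs the live UDP exchange if you want to run it against a real resolver. The warnings are heuristics, not proof of interception.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3


def encode_name(qname: str) -> bytes:
    """Encode a dotted name into DNS label wire format."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, qclass: int, txid: int) -> bytes:
    """Standard query, RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode(errors="replace"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip questions, decode answers (TXT rdata is joined to a string)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:
            txt, i = [], 0
            while i < len(rdata):                  # <len><chars> sequences
                n = rdata[i]
                txt.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
            answers.append((name, "TXT", "".join(txt)))
        else:
            answers.append((name, rtype, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def check_resolver(configured_ip: str, reply_from_ip: str, txid_sent: int, reply: bytes) -> list:
    """Return warning strings; an empty list means nothing looked out of place."""
    warnings = []
    parsed = parse_response(reply)
    if reply_from_ip != configured_ip:
        warnings.append(f"reply came from {reply_from_ip}, not {configured_ip}")
    if parsed["id"] != txid_sent:
        warnings.append("transaction ID mismatch")
    if parsed["rcode"] != 0:
        warnings.append(f"rcode {parsed['rcode']}: resolver did not answer id.server")
    txt = [a[2] for a in parsed["answers"] if a[1] == "TXT"]
    if not txt:
        warnings.append("no id.server TXT answer; identity of answering server unknown")
    return warnings


def send_query(resolver_ip: str, txid: int, timeout: float = 3.0):
    """Live UDP exchange (not exercised offline): returns (reply_bytes, source_ip)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("id.server", QTYPE_TXT, QCLASS_CHAOS, txid), (resolver_ip, 53))
        data, (src_ip, _port) = s.recvfrom(512)
    return data, src_ip


def make_reply(txid: int, identity: str) -> bytes:
    """Constructed id.server reply for offline use: QR/RD/RA set, one TXT answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("id.server") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    rdata = bytes([len(identity)]) + identity.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    reply = make_reply(0x1234, "ns1.example.net")      # constructed sample reply
    print(parse_response(reply))
    print(check_resolver("192.0.2.53", "192.0.2.53", 0x1234, reply))
```

Run it live with `send_query("<resolver-ip>", txid)` and pass the result to `check_resolver`; an interception box that spoofs the resolver's source address will pass the IP comparison, so the id.server answer (or its absence) is the more telling signal.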