[dns-operations] A DNS and network security forced marriage

Joe St Sauver joe at oregon.uoregon.edu
Fri Mar 12 20:45:25 UTC 2010


Andrew mentioned:

#If it were true that ISPs easily accommodate users who want to opt
#out, then I'd be delighted.  

The key to customer opt-out being possible is avoiding wholesale ISP 
hijacking/blocking of all customer port 53 traffic to any name servers 
other than their own. (Or, at a minimum, the ISP at least needs to 
whitelist major legitimate third party recursive resolvers such as 
those from Google, those from OpenDNS, etc.)

#But in fact what happens is that you have to do extra work on the client 
#side every time you reconnect to the network, because the DHCP servers 
#handed out with your IP address are the ISP's DNS-mangling ones.

Most popular operating systems give persistent precedence to user-declared 
DNS preferences. See for example

http://code.google.com/speed/public-dns/docs/using.html

Regards,

Joe

----
Joe St Sauver (joe at oregon.uoregon.edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own
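The opt-out question above turns on whether the ISP is transparently intercepting port 53 traffic to third-party resolvers. A client-side check a network operator or user can run is to send a query for a name that cannot exist (a random label under the reserved `.invalid` TLD) to the resolver they configured and look at what comes back: a clean third-party resolver returns NXDOMAIN, while an intercepting or "DNS-mangling" resolver typically answers with an A record pointing at a search/ad page, or the reply arrives from an address other than the one queried. The following is example code added here to illustrate that check; it is not part of this thread or of any ISP's or resolver operator's tooling, and it uses only the standard library. The resolver address, the probe name and the sample responses are constructed for the demonstration.

```python
"""Detect signs of port-53 interception / NXDOMAIN rewriting from DNS responses.

Example code added to illustrate the dns-operations thread; not from the thread.
Standard library only. Sample responses are constructed, not captured.
"""
import random
import secrets
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RD=1) for `name`; qtype 1 = A record."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(data):
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)  # render A records as dotted quads
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def interception_indicators(sent_to, query, received_from, response, expect_nxdomain):
    """Return human-readable findings that suggest the query was intercepted."""
    findings = []
    if received_from != sent_to:
        findings.append(f"reply came from {received_from}, not the resolver queried ({sent_to})")
    if response["txid"] != struct.unpack("!H", query[:2])[0]:
        findings.append("transaction id in reply does not match the query")
    a_records = [a[3] for a in response["answers"] if a[1] == 1]
    if expect_nxdomain and response["rcode"] == 0 and a_records:
        findings.append(f"NXDOMAIN rewriting: A record(s) {a_records} for a name that cannot exist")
    return findings


def make_constructed_response(query, rcode, a_records=()):
    """Constructed reply to `query` for offline demonstration (sample data, not captured)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in a_records)
    return header + query[12:] + rrs


def live_check(resolver_ip, timeout=2.0):
    """Send a probe for a random .invalid name to `resolver_ip` and report findings."""
    probe = f"{secrets.token_hex(6)}.invalid"  # reserved TLD: must be NXDOMAIN
    query = build_query(probe)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, (src, _port) = sock.recvfrom(4096)
    return interception_indicators(resolver_ip, query, src, parse_response(data), True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]) or ["no interception indicators"])
    else:  # offline demo against a constructed rewritten reply
        q = build_query("abc.invalid", txid=0x1234)
        r = parse_response(make_constructed_response(q, 0, ["192.0.2.10"]))
        print(interception_indicators("203.0.113.53", q, "203.0.113.53", r, True))
```

Run it with the address of the third-party resolver you configured (`python3 dns_probe.py <resolver-ip>`); an empty finding list means the reply came back from that address with NXDOMAIN, which is what the opt-out scenario in the post requires. Note that a transparent proxy that spoofs the source address and faithfully returns NXDOMAIN will pass this check; it detects the rewriting behaviour the post calls "DNS-mangling", not every form of redirection.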
