[dns-operations] A DNS and network security forced marriage

Joe St Sauver joe at oregon.uoregon.edu
Fri Mar 12 20:45:25 UTC 2010

Andrew mentioned:

#If it were true that ISPs easily accommodate users who want to opt
#out, then I'd be delighted.  

The key to customer opt-out being possible is avoiding wholesale ISP 
hijacking/blocking of all customer port 53 traffic to any name servers 
other than their own. (Or, at a minimum, the ISP at least needs to 
whitelist major legitimate third party recursive resolvers such as 
those from Google, those from OpenDNS, etc.)

#But in fact what happens is that you have to do extra work on the client 
#side every time you reconnect to the network, because the DHCP servers 
#handed out with your IP address are the ISP's DNS-mangling ones.

Most popular operating systems give persistent precedence to user-declared 
DNS preferences. See for example




Joe St Sauver (joe at oregon.uoregon.edu)
Disclaimer: all opinions strictly my own
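As an added illustration of the opt-out problem described in this message (example code written for this archive page, not part of Joe's post or any project he names): a small DNS wire-format builder and parser plus a check that tells whether a reply for a name that should not exist came back as an honest NXDOMAIN or was rewritten into an A record, which is the typical signature of a "DNS-mangling" resolver or of port 53 traffic being silently redirected to one. The two responses are constructed inline so the script runs offline; the probe name, the 192.0.2.10 address and the `send_probe` helper are assumptions for illustration.

```python
import socket
import struct

PROBE_NAME = "does-not-exist.example"   # assumed probe name; pick one you know is unregistered
PROBE_TXID = 0x1234


def build_query(name: str, txid: int = PROBE_TXID, qtype: int = 1) -> bytes:
    """Build a plain recursive DNS query (QCLASS IN) for `name`; RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(pkt: bytes, off: int):
    """Decode a possibly-compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt: bytes) -> dict:
    """Return txid, rcode and the answer RRs (A rdata rendered dotted-quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def looks_mangled(resp: dict, expected_txid: int):
    """None if the reply is an honest NXDOMAIN, otherwise a short reason string."""
    if resp["txid"] != expected_txid:
        return "transaction id mismatch"
    if resp["rcode"] == 3 and not resp["answers"]:   # rcode 3 = NXDOMAIN
        return None
    if any(rr[1] == 1 for rr in resp["answers"]):
        return "A record returned for a name that should be NXDOMAIN"
    return "unexpected rcode %d" % resp["rcode"]


def _build_response(query: bytes, rcode: int, a_records) -> bytes:
    """Constructed test data: a reply echoing the query's question section."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b""
    for ip in a_records:                          # name via pointer to offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        rrs += bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rrs


PROBE_QUERY = build_query(PROBE_NAME)
HONEST_RESPONSE = _build_response(PROBE_QUERY, 3, [])               # constructed
MANGLED_RESPONSE = _build_response(PROBE_QUERY, 0, ["192.0.2.10"])  # constructed


def send_probe(resolver_ip: str, name: str = PROBE_NAME, timeout: float = 3.0):
    """Live use (assumed helper, not exercised offline): query one resolver and classify."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return looks_mangled(parse_response(data), PROBE_TXID)


if __name__ == "__main__":
    print("honest :", looks_mangled(parse_response(HONEST_RESPONSE), PROBE_TXID))
    print("mangled:", looks_mangled(parse_response(MANGLED_RESPONSE), PROBE_TXID))
```

Run `send_probe` against the resolver you configured by hand and against the ISP-assigned one; if the same rewritten answer comes back from both, the ISP is intercepting port 53 regardless of the resolver address, which is exactly the wholesale hijacking the message says makes opt-out impossible.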
