[dns-operations] Kaminsky: Protect IP Act Would Break DNS

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Jul 17 09:32:52 UTC 2011

[Authoritative DNS servers operator hat on.]

On Sat, Jul 16, 2011 at 07:29:24AM -0500,
 Joe Greco <jgreco at ns.sol.net> wrote 
 a message of 74 lines which said:

> Also, in the past decade, what was once considered a heavy duty
> server is now available in the form factor of my cell phone.  The
> resources to do resolution locally exist.

The hardware resources. For the software, there are still a few
improvements to make. For instance, to have a local resolver on your
Ubuntu box, you need to:

* install the server ('aptitude install unbound')
* edit the DHCP config so ::1 is put before the DHCP-learned servers
* work around the brokenness of middleboxes

The first two points are not a big deal for a dns-operations subscriber
but still too complicated for the average user. The third point is
really more complicated (there was a good talk at the SATIN conference
this year about this issue, Wesley Hardaker "Enabling DNSSEC in
Applications", which described the many broken things that lie between
the user's machine and the authoritative name servers).

For my cell phone (an Android CyanogenMod), I'm not sure there is a
software solution ready.

> So, my question is this: Why aren't we pushing the recurser closer
> to the user at this point?

If we imagine a world where every laptop, pad and cell phone, has a
full resolver, we have to think of the consequences on the
authoritative name servers (increased traffic). Like David Conrad, I
think it may be possible but we lack hard data. More research would be

Maybe using the ISP's resolver as a forwarder would help. BTW, the
point was already discussed here

> Your average CPE device is already offering DHCP and maybe some
> basic content filtering services to LAN clients.  The CPU (but maybe
> not the RAM) on these guys is sufficient for doing modest amounts of
> recursion work for local clients.

Does not work for the roaming machine, which has no CPE except itself.

> If we remain married to this idea of centralized control over
> recursion, that control is going to remain a tempting target for
> policymakers who want to impose a fix for their Big Problem Of The
> Day.

The problem exists, yes (for instance, in France, in the censorship
law, LOPPSI), but I'm not sure local resolvers will help: it is too
easy to block port 53 outbound. Some ISPs already do it, to be sure
users go through their lying resolver.
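An added example, not part of the post above and not code from Unbound or dhclient: a small POSIX shell script that checks the outcome of the first two steps listed in the message, namely that resolv.conf lists a loopback resolver before any DHCP-learned server, and that dhclient.conf carries the `prepend domain-name-servers` directive (my assumption of how the DHCP step is done on an Ubuntu box that uses dhclient). The resolv.conf and dhclient.conf contents are constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that a host is
# really configured to prefer a local resolver: dhclient must prepend
# the loopback address and the resulting resolv.conf must list it
# before any DHCP-learned nameserver. File paths are passed as
# arguments so the checks can run against sample files.

# Return 0 if the first "nameserver" line in the given resolv.conf is a
# loopback address (::1 or 127.x.x.x), 1 otherwise (including no entry).
local_resolver_first() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$first" in
        ::1|127.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if dhclient.conf prepends a loopback resolver to the
# DHCP-learned list via "prepend domain-name-servers", 1 otherwise.
dhclient_prepends_loopback() {
    grep -Eq '^[[:space:]]*prepend[[:space:]]+domain-name-servers[[:space:]]+(::1|127\.0\.0\.1)[[:space:]]*;' "$1"
}

# Constructed sample files (assumed content, for demonstration only).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Weak: order as handed out by DHCP, the ISP's resolvers first.
printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$tmp/resolv.dhcp"
# Corrected: local unbound first, DHCP-learned servers as fallback.
printf 'nameserver ::1\nnameserver 192.0.2.53\n' > "$tmp/resolv.local"
# dhclient.conf fragment that produces the corrected order.
printf 'prepend domain-name-servers ::1;\nrequest subnet-mask, domain-name-servers;\n' > "$tmp/dhclient.conf"

for f in resolv.dhcp resolv.local; do
    if local_resolver_first "$tmp/$f"; then
        echo "$f: local resolver is queried first"
    else
        echo "$f: local resolver is NOT first, DHCP-learned servers win"
    fi
done
if dhclient_prepends_loopback "$tmp/dhclient.conf"; then
    echo "dhclient.conf: loopback resolver is prepended"
else
    echo "dhclient.conf: no prepend directive, DHCP will overwrite the order"
fi
```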
