[dns-operations] resolvers considered harmful

Phillip Hallam-Baker phill at hallambaker.com
Thu Oct 23 18:25:14 UTC 2014

On Thu, Oct 23, 2014 at 1:36 PM, Paul Vixie <paul at redbarn.org> wrote:

> i encourage anyone who thinks full resolvers can run inside end hosts
> which currently run stub resolvers, to try it.
> BIND9 runs fine on windows and macos laptops. so, without even touching
> the real growth area of the edge (which is mobile devices like smart
> phones), you can get a sense of how rarely you'll be able to perform dns
> lookups, if you just switch to as your name server (override
> this in your dhcp settings) and run a recursive dns server there.
> until you have done this and have results to report, you'd be wise not
> to make any claims about this possibility.
> (i've done this for over a decade, but, i always have a VPN open, which
> can use TCP/80 as a backup carriage path, and the VPN is absolutely
> necessary in my experience, and, that is a rather high bar for making
> localhost do dns recursion and iteration at scale.)

I was running that for a couple of months.

It appeared to work fine but I dropped it as soon as I discovered that I
was still getting Verizon sitefinder ads placed when I got NXDOMAIN. And
the same happens on

Bottom line is that if you try to use port 53 for client-recursive you will
find yourself under MITM attack much of the time. And it's not even all
malicious. A lot of ISPs are MITMing the DNS traffic so they don't get one of
the big TLDs onto their case for allowing their customers to do DDoS.
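The quickest way to see whether the path to your resolver is doing the kind of NXDOMAIN rewriting described in this message is to ask for a label that cannot exist and check whether you get RCODE 3 back or a synthesized A record. The following is an added example, not code from this thread or from any of its participants; it uses only the Python standard library, builds and parses DNS wire format by hand, and classifies the reply. The probe zone (example.com) and the default resolver address (127.0.0.1) are placeholders; the two sample responses in the test are constructed inline so the logic can be exercised offline.

```python
"""Probe for NXDOMAIN rewriting on the path to a resolver.

Added example for illustration; not part of the dns-operations thread.
Standard library only.
"""
import os
import socket
import struct

# Assumption for illustration: a delegated zone whose operator does not
# wildcard, so a random label under it must come back NXDOMAIN.
PROBE_ZONE = "example.com"


def build_query(qname: str, txid: int) -> bytes:
    """Encode a standard recursive A/IN query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(
        bytes([len(lab)]) + lab.encode("ascii")
        for lab in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + ln


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section, collect answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append(socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else (rtype, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(txid: int, response: bytes) -> str:
    """Label a reply to a query for a label that cannot exist."""
    r = parse_response(response)
    if r["txid"] != txid:
        return "txid-mismatch"      # not a reply to our query at all
    if r["rcode"] == 3:
        return "nxdomain"           # honest answer
    if r["rcode"] == 0 and r["answers"]:
        return "rewritten"          # Sitefinder-style synthesized answer
    if r["rcode"] == 0:
        return "nodata"
    return "rcode-%d" % r["rcode"]


def build_response(query: bytes, rcode: int, a_records) -> bytes:
    """Constructed sample reply for offline use: echoes the question section of
    `query`, sets QR|RD|RA plus the given RCODE, and appends one A record per
    address using a compression pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(a_records), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
        for ip in a_records
    )
    return header + question + rrs


def probe(resolver_ip: str = "127.0.0.1", timeout: float = 3.0) -> str:
    """Live check: send a query for a random label and classify the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    qname = os.urandom(8).hex() + "." + PROBE_ZONE
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(txid, data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it once against the local recursive server and once against the ISP's advertised resolver; if the local run reports "rewritten", the interception is happening on port 53 upstream of your own resolver rather than in the resolver itself, which is exactly the situation described above.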
