[dns-operations] On-board resolvers (was Re: NANOG threat on government-ordered DNS poisoning and DNSSEC.)

Marek Vavruša marek.vavrusa at nic.cz
Fri Nov 13 15:47:41 UTC 2015

Note: systemd-resolved is still a stub (but caching at least).

I see this as a good way out of the absolutely egregious ISP-level
recursive DNS service, because an own resolver can:

a) work around 53 interception and captcha portals (by either DNS/HTTP
or tunneling)
b) do DNSSEC + no need to secure last mile, as it runs locally
c) provide good local answers without hacks like client subnet

The a) and somewhat b) can also be done by local encrypting forwarders.
But then again, this presumes the provider lets encrypted DNS requests
through, and the remote recursive infrastructure is trustworthy.
Validating stub can do b) and while it can tell you when the resolver
is lying, it can't find you a correct answer.
So while I'm fighting for privacy, defense against censorship and all
that, it irks me to no end when the Internet stops working because of
poor recursive DNS service, and the validating stub can't do anything
for me.

There are of course difficulties:

a) increased latency when cold (mitigated by intelligent prefetching
and prediction)
b) how to detect interception and use tunneling opportunistically
c) possible privacy intrusion when not doing minimisation and encryption


On 13 November 2015 at 15:32, Frank Sweetser <fs at wpi.edu> wrote:
> On 11/13/2015 09:22 AM, Mark Jeftovic wrote:
>> On 2015-11-13 4:55 AM, Roland Dobbins wrote:
>>> <http://mailman.nanog.org/pipermail/nanog/2015-November/082310.html>
>>> From time to time I wonder why there has not been an impetus toward
>> on-board DNS resolvers: on the device, on the desktop, on the computer,
>> everything running it's own resolver. Especially on devices that move
>> around a lot (like laptops).
>> These could be made to be pretty lightweight. Smaller footprint than,
>> say, Angry Birds.
>> Then you don't need to worry about the ISP (or the hotel's crappy
>> NXDOMAIN redirection, MX-intercepting) resolvers, you run your own
>> on-board and if the ISP/crappy hotel etc is trying to block that you
>> just tunnel it (or use that nifty dns-over-http gateway which was
>> discussed here recently).
>> I have to confess I've been putting some thought into it again lately.
>> - mark
> You're not the only one:
> http://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
> As another bonus, this would also fix the absolutely horrible Linux behavior
> when the first nameserver listed in resolv.conf is down.
> --
> Frank Sweetser fs at wpi.edu    |  For every problem, there is a solution
> that
> Manager of Network Operations   |  is simple, elegant, and wrong.
> Worcester Polytechnic Institute |           - HL Mencken
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list