[dns-operations] On-board resolvers (was Re: NANOG threat on government-ordered DNS poisoning and DNSSEC.)

Ralf Weber dns at fl1ger.de
Fri Nov 13 19:36:14 UTC 2015


So this is not a direct answer to Marek but an answer to lots of points
brought up in this thread.

This thread started because some governments wanted to force ISPs to
use the DNS to block stuff. Now this is pretty common all around the
world for various reasons, and has been for probably at least a decade.
What strikes me is that the known cases usually come up in what I would
consider democratic countries and that most of the people think that
going around that is the way to go. Now, setting aside that this might be
illegal, if just the energy invested in going around it were directed
to the democratic process it would probably be doable to change the law.
But that might just not be that cool....

Now let's talk about the alternatives.

What about putting the resolver in the CPE? Oh sure, that's the most and
best engineered code out there. If I got a penny/cent for every
misbehaving or weirdly behaving CPE I would sit on an island and not write this
mail. A lot of the traffic ISP resolvers have to deal with is crap sent
by the CPEs (sure you have to ask for pool.ntp.org every second), and
in a lot of countries ISPs are not allowed to block or remove these
devices from the network, and the CPE vendors don't care about their
stuff once it is sold (there are notable exceptions here, but still
most ISPs I know have to deal with a lot of crap).

So what about putting the resolver in the end devices? Granted, Apple,
Google, Microsoft and the OS community can write better code than $50
CPE vendors, but I assume if they would push that out tomorrow most of
the authoritative servers in the world would die as they couldn't take
the traffic. Also, with DNS not being encrypted, and even if it was,
the IP relations and packet sizes would tell you a lot. I don't think
that would increase privacy, and the big question then is who do you
call if you can't resolve something. Also the performance would be
worse as you can't take advantage of someone else asking the same
question before and on the local subnet; a lot of the authoritative world
currently is built around the fact that there are large resolvers,
so you might not get an answer at all if you ask from an ISP's DSL
pool if that range was e.g. used in an attack.

Ok so let's do it via some non-ISP public resolver. Well, the first
point there is that you have to trust them. Your ISP usually is in
the same country jurisdiction and usually regulated or under
control of a government entity that you are in and in case of a
democracy have some control over. A public resolver out of another
country or jurisdiction you may have no influence whatsoever on what
they block or what they do with your data. However in order to
provide a good service the resolvers have to be near to you. When
Google rolled out their public resolver they had this tool called
namebench. While it really didn't measure resolvers it was a good
tool to measure network latency, and the server that came out on
top always was the one with the best RTT. So it is likely that your
public DNS provider is running a server in your jurisdiction and
thus would also be subject to the government blocking, so you
would not have gained anything.

So I think in most cases your ISP resolver will be the best you
can do with regards to privacy, as lots of people use it so most
of the time your query can't be tracked back to you. Also you
have a contract with them and they want to serve you. The better
ones also have, besides a privacy policy, an acceptable use policy.
And all of this is enforceable because of the contract.

Your ISP resolver probably will provide you the fastest answer
as network-wise it is nearest to you and probably has the record
you ask for cached anyway. Also, often if ISP resolvers block
something they do it for a good reason, or do you think it is
necessary to download that malware/trojan to your computer and
make it part of a botnet? And in contrast to a lot of the
"alternative solutions" described above they have a hotline you
can call that will help you. And a lot of the alternative
solutions are doable by the skilled people on that list, but
certainly not by the other 9x% that use the Internet.

So while bashing ISPs may be en vogue on some of these lists,
there are a lot of people out there that do work hard at ISPs
to deliver a first class DNS and Internet service.

And full disclosure: I worked most of my professional career at
ISPs providing DNS service and now work for a vendor that provides
software to ISPs to provide DNS service, but I just couldn't
go into the weekend without writing this.

Have a nice weekend and so long
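The post's performance argument against per-device resolvers (nobody else's earlier query helps you, and every miss lands on an authoritative server) can be made concrete with a small cache simulation. The following is an added illustration, not code from the post or from any resolver product: it runs one constructed workload (50 clients behind one ISP, a Zipf-like popularity skew over 1000 names, one "tick" per query, a 300-tick TTL) through one cache per client and through a single shared cache, and counts hits and the queries that would have reached authoritative servers in each model.

```python
import random
from typing import Dict, List, Tuple

# Constructed workload parameters (assumptions, not measured data).
N_CLIENTS = 50           # clients sharing one ISP resolver
QUERIES_PER_CLIENT = 40  # queries each client issues during the run
N_NAMES = 1000           # size of the name space being queried
TTL = 300                # positive-cache lifetime in ticks (one tick per query)


def make_workload(n_clients: int = N_CLIENTS,
                  queries_per_client: int = QUERIES_PER_CLIENT,
                  n_names: int = N_NAMES,
                  seed: int = 7) -> List[Tuple[int, str]]:
    """Return an interleaved list of (client_id, qname) pairs.

    Names are drawn from a Zipf-like distribution (weight 1/rank) so that a
    few popular names are asked by many clients, which is exactly the
    situation in which a shared cache pays off."""
    rng = random.Random(seed)
    names = [f"name{i}.example" for i in range(n_names)]
    weights = [1.0 / (rank + 1) for rank in range(n_names)]
    workload: List[Tuple[int, str]] = []
    for client in range(n_clients):
        for _ in range(queries_per_client):
            workload.append((client, rng.choices(names, weights)[0]))
    rng.shuffle(workload)  # clients' queries interleave in time
    return workload


class TtlCache:
    """Minimal positive cache: qname -> expiry tick."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self.entries: Dict[str, int] = {}

    def lookup(self, name: str, now: int) -> bool:
        """Return True on a hit; on a miss, model the upstream fetch and cache it."""
        expiry = self.entries.get(name)
        if expiry is not None and expiry > now:
            return True
        # Miss: this query goes to an authoritative server, answer cached for TTL.
        self.entries[name] = now + self.ttl
        return False


def simulate(workload: List[Tuple[int, str]], ttl: int = TTL) -> Dict[str, int]:
    """Run the same workload through (a) one cache per client and (b) one shared cache.

    Returns hit counts and the number of queries that reached authoritative
    servers ("upstream") under each model."""
    per_client: Dict[int, TtlCache] = {}
    shared = TtlCache(ttl)
    hits_per_client = 0
    hits_shared = 0
    for now, (client, name) in enumerate(workload):
        cache = per_client.setdefault(client, TtlCache(ttl))
        if cache.lookup(name, now):
            hits_per_client += 1
        if shared.lookup(name, now):
            hits_shared += 1
    total = len(workload)
    return {
        "queries": total,
        "per_client_hits": hits_per_client,
        "per_client_upstream": total - hits_per_client,
        "shared_hits": hits_shared,
        "shared_upstream": total - hits_shared,
    }


if __name__ == "__main__":
    stats = simulate(make_workload())
    for key, value in stats.items():
        print(f"{key:>20}: {value}")
    print(f"per-client cache hit rate: {stats['per_client_hits'] / stats['queries']:.1%}")
    print(f"shared cache hit rate:     {stats['shared_hits'] / stats['queries']:.1%}")
```

Running it shows the shared cache answering far more queries locally and sending correspondingly fewer to authoritative servers; the gap grows with the number of clients, which is the load and latency point the post makes about moving resolution into every end device.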
