[dns-operations] On-board resolvers (was Re: NANOG threat on government-ordered DNS poisoning and DNSSEC.)

Mark Andrews marka at isc.org
Sun Nov 15 23:47:12 UTC 2015

In message <81959A52-7AC0-4D21-8E1C-513870C1848C at fl1ger.de>, "Ralf Weber" writes:
> Moin!
> So this is not a direct answer to Marek but an answer to lots of points
> brought up in this thread.
> This thread started because some governments wanted to force ISPs to
> use the DNS to block stuff. Now this is pretty common all around the
> world for various reasons, and has been for probably at least a decade.
> What strikes me is that the known cases usually come up in what I would
> consider democratic countries and that most of the people think that
> going around that is the way to go. Now take aside that this might be
> illegal, if just the energy invested in going around would be directed
> to the democratic process it would be probably doable to change the law.
> But that might not just be that cool....
> Now let's talk about the alternatives.
> What about putting the resolver in the CPE. Oh sure that's the most and
> best engineered code out there. If I would get a penny/cent for every
> mis or weird behaving CPE I would sit on an island and not write this
> mail. A lot of the traffic ISP resolvers have to deal with is crap sent
> by the CPEs (sure you have to ask for pool.ntp.org every second), and
> in a lot of countries ISPs are not allowed to block or remove these
> devices from the network and the CPE vendors don't care about their
> stuff once it is sold (there are notable exceptions here, but still
> most ISPs I know have to deal with a lot of crap)

Lots of the CPE vendors are picking up OpenWRT, and fixing OpenWRT is
something everyone on this list can contribute to.  Identify what
is wrong and at a minimum log a bug report.

Complain to your local pollie to get minimum standards for electronic
devices improved.  In lots of jurisdictions one should just be
complaining that manufacturers aren't already meeting the minimum

TVs, CPEs and all consumer electronics that connect to the Internet
should be field repairable and should have regular maintenance
releases made available from their vendors.  We have enough evidence
that no one is shipping bug free devices at the current price points.
When you are shipping millions of devices a dollar per device pays
for a lot of future maintenance.

Consumer affairs bodies should be asking "Why hasn't there been a
maintenance release?  Did you get no bug reports about this device?"
and if the answer to that is no then the next question should be
"What is wrong with your bug reporting procedures if you are getting
no bug reports?".

TVs, CPEs and other consumer devices are really no different to
Windows, OS X, Linux, etc.  They all have bugs.  They all require
maintenance releases.

While there is a race to the bottom, one can set what the bottom is.

> So what about putting the resolver in the end devices. Granted Apple,
> Google, Microsoft and the OS community can write better code than $50
> CPE vendors, but I assume if they would push that out tomorrow most of
> the authoritative servers in the world would die as they couldn't take
> the traffic.

You can still use the ISP's recursive servers with DNSSEC.  If you
get a SERVFAIL or validation failure you can switch back to iterative
resolution of that name.

> Also with DNS not being encrypted and even if it was
> the IP relations and packet sizes would tell you a lot. I don't think
> that would increase privacy and the big question then is who do you
> call if you can't resolve something. Also the performance would be
> worse as you can't take advantage of someone else asking the same
> question before and on a local subnet a lot of the authoritative world
> currently is built around the fact that there are large resolvers,
> so you might not get an answer at all if you ask from an ISP's DSL
> pool if that range was e.g. used in an attack.
> Ok so let's do it via some non ISP public resolver. Well the first
> point there is that you have to trust them. Your ISP usually is in
> the same country jurisdiction and usually regulated or under
> control of a government entity that you are in and in case of a
> democracy have some control over. A public resolver out of another
> country or jurisdiction you may have no influence whatsoever what
> they block or what they do with your data. However in order to
> provide a good service the resolvers have to be near to you. When
> Google rolled out their public resolver they had this tool called
> namebench. While it really didn't measure resolvers it was a good
> tool to measure network latency and the server that came out on
> top always was the one with the best RTT. So it is likely that your
> public DNS provider is running a server in your jurisdiction and
> thus would be also subject to the government blocking, so you
> would not have gained anything.
> So I think in most cases your ISP resolver will be the best you
> can do with regards to privacy as lots of people use it so most
> of the time your query can't be tracked back to you. Also you
> have a contract with them and they want to serve you. The better
> ones also have, besides a privacy policy, an acceptable use policy.
> And all of this is enforceable because of the contract.
> Your ISP resolver probably will provide you the fastest answer
> as it network wise is nearest to you and probably has the record
> you ask for cached anyway. Also often if ISP resolvers block
> something they do it for a good reason or do you think it is
> necessary to download that malware/trojan to your computer and
> make it part of a botnet?

And sometimes they do it to monetize NXDOMAIN results or because
it is the competition.

It is also possible to provide both the answer and the intelligence.
We just need to standardise a common method.

* We could tag the answer with the intelligence.
* We could tag the intelligence with the answer.

> And in contrast to a lot of the 
> "alternative solutions" described above they have a hotline you
> can call and will help you. And a lot of the alternative 
> solutions are doable by the skilled people on that list, but
> certainly not by the other 9x% that use the Internet. 
> So while bashing ISPs may be en vogue on some of these lists
> there are a lot of people out there that do work hard at ISPs 
> to deliver a first class DNS and Internet service.

They do a lot of good work but they have also tarnished their
> And full disclosure I worked most of my professional career at
> ISPs providing DNS service and now work for a vendor that provides
> software to ISPs to provide DNS service, but I just couldn't
> go into the weekend without writing this.
> Have a nice weekend and so long
> -Ralf
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
