[dns-operations] Prevalence of nameserver software Was: Re: DNS Operations

Jared Mauch jared at puck.nether.net
Mon Mar 4 17:27:49 UTC 2024

> On Mar 3, 2024, at 12:26 PM, Fred Morris <m3047 at m3047.net> wrote:
> Speaking to the message not the (ChetGPT) "massage"...
> On Sun, 3 Mar 2024, Turritopsis Dohrnii Teo En Ming wrote:
>> [...]
>> I define most popular as the largest number of DNS servers installed throughout the whole world.
> I think this is a valid point. DNS is not synonymous with the Internet; neither is operations.
> Internal DNS servers exist, and with guidance concerning the need for network segmentation there should be a lot more of them. I have had several requests and inquiries over the past few years specifically concerning a desire to log the addresses of clients making requests.
> These requests persistently refuse to accept that DNS is an application level protocol, and that a request (or response) is recast by every nameserver it passes through even if it is merely "forwarding": "there must be a way!" People go to great lengths, there's a lot of language lawyering and playing with EDNS involved in these attempts.
> Invariably my answer (for all but the most technical questions) is install a real DNS server with visibility inside of the NAT horizon (if there is one; there usually is), and that the general-purpose "logging" solution is Dnstap.
> My admittedly cynical response to the question posed here is that the most common server software is probably a lightweight forwarder (e.g. dnsmasq) or something which only coincidentally does DNS (e.g. Active Directory).

I think, based on the surveys that I had done before, there's quite a number of not only forwarders, e.g. dnsmasq, but also iptables rules that perform forwarding as a service, e.g. take all udp/53 hitting the host and forward the packets (only sometimes with the source address rewritten) to the configured DNS server(s).

It's likely much harder to determine this, as you could practically put something behind DoH w/ HTTP basic auth, preventing any queries from occurring without authorization. If there were a stable, standards-based way to deliver the credentials, I could see this being done as part of a captive portal or pay-as-you-go service even.

- Jared
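The iptables-based forwarding Jared describes is invisible to a "what nameserver is running" survey, so an operator auditing a gateway has to read the NAT table instead. The script below is an added example (not from the list thread or any project): it parses `iptables-save -t nat` output, lists the port-53 DNAT rules, and reports whether a SNAT/MASQUERADE rule rewrites the client source address, which is exactly what defeats the "log the requesting client" wish in the quoted message. The `SAMPLE_NAT` ruleset and the 192.0.2.53 forwarder address are constructed.

```shell
#!/bin/sh
# Added example: inventory iptables NAT rules that forward DNS (port 53) off a host.
# Both functions read `iptables-save -t nat` text on stdin.

# dns_forward_rules: print "proto destination" for each PREROUTING DNAT rule on port 53
dns_forward_rules() {
  awk '
    /^-A PREROUTING / {
      proto = ""; dest = ""; is53 = 0; dnat = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i+1)
        if ($i == "--dport" && $(i+1) == "53") is53 = 1
        if ($i == "-j" && $(i+1) == "DNAT") dnat = 1
        if ($i == "--to-destination") dest = $(i+1)
      }
      if (is53 && dnat) print proto, dest
    }'
}

# dns_source_rewritten: exit 0 if a POSTROUTING SNAT/MASQUERADE rule covers port 53,
# i.e. the upstream resolver sees the gateway, not the original client, as the source.
dns_source_rewritten() {
  awk '
    /^-A POSTROUTING / && (/-j MASQUERADE/ || /-j SNAT/) {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport" && $(i+1) == "53") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of `iptables-save -t nat` output from a hypothetical gateway.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53:53
-A PREROUTING -i eth1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.0.2.53:53
-A POSTROUTING -d 192.0.2.53/32 -p udp -m udp --dport 53 -j MASQUERADE
COMMIT'

# Run against the sample; on a real gateway pipe `iptables-save -t nat` in instead.
printf '%s\n' "$SAMPLE_NAT" | dns_forward_rules
if printf '%s\n' "$SAMPLE_NAT" | dns_source_rewritten; then
  echo "client source addresses are rewritten before reaching the forwarder"
fi
```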
