[dns-operations] Prevalence of nameserver software Was: Re: DNS Operations

Lyle Giese lyle at lcrcomputer.net
Mon Mar 4 23:25:37 UTC 2024

Don't forget (aside from DoH or DoHS) that DNS uses UDP AND TCP port 53.

Lyle Giese

On 3/4/24 11:27, Jared Mauch wrote:
>> On Mar 3, 2024, at 12:26 PM, Fred Morris <m3047 at m3047.net> wrote:
>> Speaking to the message not the (ChetGPT) "massage"...
>> On Sun, 3 Mar 2024, Turritopsis Dohrnii Teo En Ming wrote:
>>> [...]
>>> I define most popular as the largest number of DNS server installed throughout the whole world.
>> I think this is a valid point. DNS is not synonymous with the Internet; neither is operations.
>> Internal DNS servers exist, and with guidance concerning the need for network segmentation there should be a lot more of them. I have had several requests and inquiries over the past few years specifically concerning a desire to log the addresses of clients making requests.
>> These requests persistently refuse to accept that DNS is an application level protocol, and that a request (or response) is recast by every nameserver it passes through even if it is merely "forwarding": "there must be a way!" People go to great lengths, there's a lot of language lawyering and playing with EDNS involved in these attempts.
>> Invariably my answer (for all but the most technical questions) is install a real DNS server with visibility inside of the NAT horizon (if there is one; there usually is), and that the general-purpose "logging" solution is Dnstap.
>> My admittedly cynical response to the question posed here is that the most common server software is probably a lightweight forwarder (e.g. dnsmasq) or something which only coincidentally does DNS (e.g. Active Directory).
> I think based on the surveys that I had done before, there’s quite a number of not only forwarders, e.g. dnsmasq, but also iptables rules that perform forwarding as a service, e.g. take all udp/53 hitting the host and forward the packets (only sometimes with source address rewritten) to the configured DNS server(s).
> It’s likely much harder to determine this as you could practically put something behind DoH w/ HTTP basic auth preventing any queries from occurring without authorization.  If there were a stable standards-based way to deliver the credentials, I could see this being done as part of a captive portal or pay-as-you-go service even.
> - Jared
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
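The two points above, that many "resolvers" are really udp/53 iptables forwards and that DNS needs TCP 53 as well, can be checked from a client. The following is an added example, not code from the thread; it hand-builds a DNS query (no dnspython), sends it over UDP and then over TCP with the RFC 1035 length prefix, and reports which transport answered. The server address and the name `example.com` are assumptions.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: 12-byte header (RD=1, QDCOUNT=1) + one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the DNS header: id, QR, TC (truncated), RCODE and record counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed before the full DNS message arrived")
        buf += chunk
    return buf

def query_udp(server, name, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def query_tcp(server, name, timeout=2.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name)))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)

def check_transports(server, name="example.com"):
    """Map transport -> whether a response came back; a udp/53-only forward shows tcp=False."""
    out = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            out[label] = parse_header(fn(server, name))["qr"]
        except OSError:  # timeout, connection refused, or reset by a filtering middlebox
            out[label] = False
    return out
```

Run `check_transports("<resolver address>")` against a resolver you operate; a host that only redirects udp/53 typically answers UDP but not TCP, which is exactly the case where a truncated (TC=1) UDP reply can never be retried.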
