[ILUG] Good DNS in Ireland

Rick Moen rick at linuxmafia.com
Wed Aug 27 18:19:54 IST 2008


Quoting paul at clubi.ie (paul at clubi.ie):

> On Wed, 27 Aug 2008, Pádraig Brady wrote:
> 
> >Perhaps it would be better to explicitly forward to opendns?

If you don't mind breaking the RFCs by eradicating NXDOMAIN, and also
giving some non-profit corporation in California minute information
about your personal affairs, sure.  (They're nice people, but why not
just run a nameserver locally?  It's not difficult, and has significant
performance and other advantages over shipping your queries around the
world.)

> Recursive servers open to clients you don't trust are a huge security 
> risk (they always have been - didn't Eircom or Esat's open NS get 
> poisoned in the 90s? or is my memory dodgy?), especially in the light 
> of the most recent round of spoofing attacks.
> 
> Until DNSSec is widely deployed (ha!), you really ought to run your 
> own recursive nameserver, as closely to the clients as possible (e.g. 
> on them).

I find it interesting to compare which recursive servers on *ix
anticipated the need to randomise source UDP ports long ago, and which 
were late in getting a clue:

Caching recursive resolvers:
o  BIND9:  Wasn't smart, recently patched to compensate
o  MaraDNS:  Author built in a custom RNG from the beginning
o  PowerDNS Recursor:  Retrofitted a custom RNG in March 2008, after
     someone filed a security bug anticipating the Kaminsky issue
o  djbdns/dnscache:  built in a custom RNG from the beginning, _and_
     the author made a point of warning everyone else of the pitfall
o  Unbound:  Author built in a custom RNG from the beginning

Caching forwarders:
o  pdnsd:  Author built in a custom RNG from the beginning
o  dnsmasq:  Wasn't smart, recently patched to compensate

Of the recursive servers, BIND9 and PowerDNS Recursor (often under
package name "pdns-recursor") are dead-easy to install and activate:
You just install it, it runs, and you make sure you have "nameserver
127.0.0.1" in /etc/resolv.conf to point to it.  Oh, and install package
"resolvconf" if you want to make sure that line in /etc/resolv.conf
ceases being overwritten by DHCP clients and other things.  Between the
two, BIND9 grabs RAM shamefully and is slow (completely aside from its
design problems).  pdns-recursor is fast, small, and runs like a dream.

MaraDNS is superb but often needs its mararc file tweaked after package
installation before it works (e.g., on *buntu).

Unbound is so new that many distros are just now starting to package it
(e.g., *buntu in the Intrepid Ibis beta).

Last, DJB's dnscache (from djbdns) is the sort of thing that will be
enjoyed by those who enjoy that sort of thing (as Mr. Lincoln said).
Might suit some folks after suitable source patching.


Bestiary:
http://linuxmafia.com/faq/Network_Other/dns-servers.html
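An added example (mine, not Rick's, and not code from any of the resolvers in his list) for the two practical points above: how to tell from a capture whether a recursive resolver randomises its query source ports, and how to check that the "nameserver 127.0.0.1" line in /etc/resolv.conf survived the DHCP client. The (source port, transaction ID) samples are constructed, standing in for what you would read out of a tcpdump of the resolver's outbound port-53 traffic; the 0.75 distinct-port threshold and the 1024-65535 ephemeral range are assumptions of the example, not anything the post states.

```python
"""Source-port randomisation check and resolv.conf check for a local resolver.

Added example, not from the post or from BIND9/PowerDNS/MaraDNS/dnscache/
Unbound. The query samples are constructed; no network access is needed.
"""
import math
from collections import Counter

TXID_SPACE = 1 << 16             # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = (1024, 65535)  # assumed source-port range of a randomising resolver

# Constructed samples: same TXIDs, different source-port behaviour.
_TXIDS = [0x1A2B, 0x9C4D, 0x0001, 0x7F3E, 0xBEEF, 0x4242, 0xC0DE, 0x1234]
FIXED_PORT_QUERIES = [(53, t) for t in _TXIDS]          # every query from port 53
RANDOM_PORT_QUERIES = list(zip(
    [51234, 60211, 33877, 49102, 58790, 41155, 62044, 37618], _TXIDS))


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_source_ports(queries, distinct_fraction=0.75):
    """Judge from a capture whether the resolver's source ports look randomised.

    `queries` is a list of (source_port, txid).  The threshold is a heuristic
    chosen for this example: a randomising resolver repeats a port only by
    chance, a fixed-port resolver repeats it every time.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct = len(set(ports))
    return {
        "distinct_ports": distinct,
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "randomised": distinct >= distinct_fraction * len(queries),
    }


def spoof_search_space(randomised_ports, port_range=EPHEMERAL_PORTS):
    """Number of (port, txid) combinations a blind spoofer has to cover.

    With a fixed, known source port only the 16-bit TXID protects the cache;
    with randomised ports the forger must also hit the port.  This counts
    combinations only and ignores the attacker's other levers (e.g. forcing
    many queries for the same name at once).
    """
    lo, hi = port_range
    port_choices = (hi - lo + 1) if randomised_ports else 1
    return TXID_SPACE * port_choices


def resolv_conf_points_local(text):
    """True if the first active 'nameserver' line names the loopback address.

    Catches the case the post warns about: a DHCP client rewriting
    /etc/resolv.conf so queries quietly go to the ISP's resolver instead.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            return fields[1] in ("127.0.0.1", "::1")
    return False


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT_QUERIES),
                         ("random ports", RANDOM_PORT_QUERIES)):
        print(f"{name}: {assess_source_ports(sample)}")
    print("fixed-port search space:", spoof_search_space(False))
    print("random-port search space:", spoof_search_space(True))
    try:
        with open("/etc/resolv.conf") as f:
            print("resolv.conf points local:", resolv_conf_points_local(f.read()))
    except OSError as exc:
        print("could not read /etc/resolv.conf:", exc)
```

Run it as-is to see the two constructed samples scored; to score your own resolver, collect the outbound query ports with something like tcpdump on the resolver host and feed the (port, txid) pairs to assess_source_ports.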
