
BLU Discuss list archive



John Abreau wrote:
> You're thinking that the correct thing to do is to use Verizon's
> DNS, and that end users are not supposed to touch the root
> nameservers. The opposite is actually the case.
> To use the Internet the way it was designed, you're supposed to run
> your own local nameservers that talk to the root nameservers
> directly. The ISP's nameservers are there for people who are either
> unable or unwilling to operate their own local network.

I don't think that's correct. It subverts the intent of DNS being a
distributed database.

The logic you describe makes perfect sense at a time when an "end-user"
meant an organization the size of a university.

If you are willing/able to run a DNS server locally, my recommendation
is that you should run a caching proxy, that in turn talks to several
recursive servers, unless you have an organization with hundreds of users.

Specifically I recommend Dnsmasq, which in addition to providing an
optimized caching proxy, includes the ability to serve local names
and has an integrated DHCP server, making management of a small LAN's IPs
and names far easier. It'll also give you protection against DNS
rebinding attacks. This is the DNS proxy/DHCP solution used by all the
3rd party router firmwares. (I don't really get why anyone would bother
with running Bind, unless they were using it in a large enterprise or as
a public authoritative server.)

If it were true that it was hard to find a public recursive server that
was fast, reliable, and didn't monkey with the records, then running
your own recursive resolver would make sense. But that's not the case.

Also, on this topic, GRC recently released a DNS benchmark tool:

It's designed for Windows, but supposedly runs under Wine. (I haven't
tried it. The Python tool previously mentioned on the list does the job
adequately for me. But the GRC tool does have a bunch of additional
features, like testing the servers for redirects on bad names, whether
they filter out rebinding attacks, and DNSSEC compliance.)


Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile:
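The setup Tom describes above (a Dnsmasq caching proxy forwarding to several recursive resolvers, serving local names, handing out DHCP leases, and rejecting DNS rebinding answers) as an added example configuration. This is not from the original post; the interface name, the 192.168.1.0/24 LAN, the "lan" domain, the host entries, and the two upstream resolver addresses (documentation-range placeholders) are all assumptions to be replaced with your own values.

```conf
# Added example /etc/dnsmasq.conf for a small LAN (not from the original post).
# Assumed LAN: 192.168.1.0/24, router/resolver at 192.168.1.1, local domain "lan".

# Listen only on the LAN side, never on the WAN interface.
interface=eth1
bind-interfaces

# Ignore /etc/resolv.conf and forward to these recursive resolvers.
# Addresses are placeholders; substitute the servers you benchmarked.
no-resolv
server=192.0.2.53
server=198.51.100.53
# Race all upstreams and take the first answer; remove this line
# (or use strict-order) if you prefer failover to racing.
all-servers

# Never forward unqualified names or reverse lookups for private space.
domain-needed
bogus-priv

# DNS rebinding protection: discard upstream answers that map a public
# name to a private (RFC1918) or loopback address. rebind-domain-ok
# whitelists zones that legitimately return private addresses.
stop-dns-rebind
rebind-localhost-ok
#rebind-domain-ok=/example.internal/

# Serve the local zone ourselves; never send .lan queries upstream.
local=/lan/
domain=lan
expand-hosts
address=/nas.lan/192.168.1.10

# Integrated DHCP: leases register each client's hostname in DNS.
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-host=aa:bb:cc:dd:ee:ff,printer,192.168.1.20
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
dhcp-authoritative

# Larger cache than the default 150 entries.
cache-size=10000
```

Run `dnsmasq --test` to check the file's syntax before restarting the service. With `stop-dns-rebind` set, a public name whose upstream answer points at 192.168.x.x or 127.0.0.1 is dropped rather than handed to the client, which is the check the GRC tool mentioned above probes for; the `bogus-priv` and `domain-needed` lines also keep lookups for bare hostnames and private reverse zones from leaking to the upstream resolvers.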
