LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Good DNS in Ireland


Rick Moen rick at linuxmafia.com
Wed Aug 27 18:19:54 IST 2008


Quoting paul at clubi.ie (paul at clubi.ie):

> On Wed, 27 Aug 2008, Pádraig Brady wrote:
> 
> >Perhaps it would be better to explicitly forward to opendns?

If you don't mind breaking the RFCs by eradicating NXDOMAIN, and also
giving some non-profit corporation in California minute information
about your personal affairs, sure.  (They're nice people, but why not
just run a nameserver locally?  It's not difficult, and has significant
performance and other advantages over shipping your queries around the
world.)

> Recursive servers open to clients you don't trust are a huge security 
> risk (they always have been - didn't Eircom or Esat's open NS get 
> poisoned in the 90s? or is my memory dodgy?), especially in the light 
> of the most recent round of spoofing attacks.
> 
> Until DNSSec is widely deployed (ha!), you really ought to run your 
> own recursive nameserver, as closely to the clients as possible (e.g. 
> on them).

I find it interesting to compare which recursive servers on *ix
anticipated the need to randomise source UDP ports long ago, and which 
were late in getting a clue:

Caching recursive resolvers:
o  BIND9:  Wasn't smart, recently patched to compensate
o  MaraDNS:  Author built in a custom RNG from the beginning
o  PowerDNS Recursor:  Retrofitted a custom RNG in March 2008, after
     someone filed a security bug anticipating the Kaminsky issue
o  djbdns/dnscache:  built in a custom RNG from the beginning, _and_
     the author made a point of warning everyone else of the pitfall
o  Unbound:  Author built in a custom RNG from the beginning

Caching forwarders:
o  pdnsd:  Author built in a custom RNG from the beginning
o  dnsmasq:  Wasn't smart, recently patched to compensate

Of the recursive servers, BIND9 and PowerDNS Recursor (often under
package name "pdns-recursor") are dead-easy to install and activate:
You just install it, it runs, and you make sure you have "nameserver
127.0.0.1" in /etc/resolv.conf to point to it.  Oh, and install package
"resolvconf" if you want to make sure that line in /etc/resolv.conf
ceases being overwritten by DHCP clients and other things.  Between the
two, BIND9 grabs RAM shamefully and is slow (completely aside from its
design problems).  pdns-recursor is fast, small, and runs like a dream.

MaraDNS is superb but often needs its mararc file tweaked after package
installation before it works (e.g., on *buntu).

Unbound is so new that many distros are just now starting to package it
(e.g., *buntu in the Intrepid Ibis beta).

Last, DJB's dnscache (from djbdns) is the sort of thing that will be
enjoyed by those who enjoy that sort of thing (as Mr. Lincoln said).
Might suit some folks after suitable source patching.


Bestiary:
http://linuxmafia.com/faq/Network_Other/dns-servers.html
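
A defender-side check for the source-port randomisation compared in the message above, added here as an illustration and not part of the original post or of any of the resolvers named: given the UDP source ports of a resolver's outbound queries (read off a packet capture), it classifies the behaviour and estimates how many bits an off-path spoofer would have to guess. The function name, the `NARROW_STDDEV` cut-off and the sample port lists are assumptions made for this example.

```python
import math
import statistics

TXID_BITS = 16        # DNS transaction IDs are 16 bits wide
NARROW_STDDEV = 1000  # assumed cut-off for "too little spread", not a standard

def assess_source_ports(ports):
    """Classify a resolver's outbound UDP source ports, given in capture order.

    Returns (verdict, guess_bits): guess_bits estimates how many bits an
    off-path spoofer must guess (transaction ID plus source port).
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(set(ports)) == 1:
        verdict, port_bits = "fixed", 0.0
    elif steps == {1}:
        verdict, port_bits = "sequential", 0.0   # next port is predictable
    else:
        # Width of the observed range is a rough estimate of the port pool.
        port_bits = math.log2(max(ports) - min(ports) + 1)
        spread = statistics.pstdev(ports)
        verdict = "randomised" if spread >= NARROW_STDDEV else "narrow"
    return verdict, TXID_BITS + port_bits

# Constructed samples (not real captures), one per behaviour.
SAMPLES = {
    "fixed port": [32768] * 8,
    "incrementing": list(range(1025, 1033)),
    "small pool": [40000, 40003, 40001, 40007, 40002, 40005],
    "full range": [51234, 1093, 33871, 60412, 12877, 45009, 7731, 28650],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        verdict, bits = assess_source_ports(ports)
        print(f"{name:13s} {verdict:11s} ~{bits:.1f} bits to guess")
```

A "fixed" or "sequential" verdict leaves only the 16-bit transaction ID as protection, which is the situation the patched resolvers in the list were correcting.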


