Posted on by packetcat

The Path to DNS Independence (Part 1)

In this post I would like to explore the concept of DNS independence by looking at two types of DNS usage that are common in our daily highly connected lives.

The two types of DNS usage:

  • Recursive/Iterative DNS (first part)
  • Authoritative DNS (second part)

Recursive/Iterative DNS

Your internet connected device want to reach something on the internet, as an example – nullrouted.space via HTTP. The first thing your browser does is a DNS lookup which looks something like this:

root@molly:~# dig nullrouted.space

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> nullrouted.space
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39088
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;nullrouted.space.               IN      A

;; ANSWER SECTION:
nullrouted.space.        201     IN      A       23.92.21.10

;; AUTHORITY SECTION:
nullrouted.space.        17159   IN      NS      ns4.hopcount.nl.
nullrouted.space.        17159   IN      NS      ns2.hopcount.nl.
nullrouted.space.        17159   IN      NS      ns3.hopcount.nl.
nullrouted.space.        17159   IN      NS      ns1.hopcount.nl.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri May 30 21:14:05 2014
;; MSG SIZE  rcvd: 132

That is a recursive query. The hierarchy should go like this:

Your host -> Root servers -> .com authoritative servers -> nullrouted.space authoritative servers -> answer.

But for most people it doesn’t, there is an added step in that hierarchy:

Your host -> ISP’s resolver -> .com authoritative servers -> nullrouted.space authoritative servers -> answer.

There is the dependence, instead of talking to the root servers directly which are highly available and redundant you are talking to an intermediary that is never as available and redundant. I propose to remove that dependence by running your own resolvers in your network centrally or even per host!

Advantages:

  • Independence from your ISP’s resolver (no NXDOMAIN hijacking or unnecessary downtime)
  • Control over your own cache.
  • Geek cred. (:P)

Disadvantages:

  • Administrative overhead of running local resolvers.
  • Smaller cache (not sure if this really is a disadvantage)

Software:

Practicing what you preach

At home, I run unbound on my Raspberry Pi which provides recursive DNS service for the LAN.

On my servers I run either unbound or BIND for recursive depending on if the server is serving authoritative queries as well (unbound is recursive only).