In this post I would like to explore the concept of DNS independence by looking at two types of DNS usage that are common in our daily highly connected lives.
The two types of DNS usage:
- Recursive/Iterative DNS (first part)
- Authoritative DNS (second part)
Your internet-connected device wants to reach something on the internet; as an example, nullrouted.space via HTTP. The first thing your browser does is a DNS lookup, which looks something like this:
```
root@molly:~# dig nullrouted.space

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> nullrouted.space
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39088
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;nullrouted.space.              IN      A

;; ANSWER SECTION:
nullrouted.space.       201     IN      A       18.104.22.168

;; AUTHORITY SECTION:
nullrouted.space.       17159   IN      NS      ns4.hopcount.nl.
nullrouted.space.       17159   IN      NS      ns2.hopcount.nl.
nullrouted.space.       17159   IN      NS      ns3.hopcount.nl.
nullrouted.space.       17159   IN      NS      ns1.hopcount.nl.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri May 30 21:14:05 2014
;; MSG SIZE  rcvd: 132
```
That is a recursive query. The hierarchy should go like this:
Your host -> Root servers -> .com authoritative servers -> nullrouted.space authoritative servers -> answer.
But for most people it doesn’t; there is an added step in that hierarchy:
Your host -> ISP’s resolver -> .com authoritative servers -> nullrouted.space authoritative servers -> answer.
There is the dependence: instead of talking directly to the root servers, which are highly available and redundant, you are talking to an intermediary that is never as available or redundant. I propose to remove that dependence by running your own resolvers in your network, centrally or even per host!
Advantages:
- Independence from your ISP’s resolver (no NXDOMAIN hijacking or unnecessary downtime)
- Control over your own cache.
- Geek cred. (:P)

Disadvantages:
- Administrative overhead of running local resolvers.
- Smaller cache (not sure if this really is a disadvantage)
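To make the hierarchy above concrete, here is an added example (my own code, not from the post) of the referral-following loop a recursive resolver performs when it walks from the root: query a root server with recursion desired off, take the NS records and glue from the referral, and repeat until an authoritative answer arrives. It builds and parses real DNS wire-format messages with the standard library, but runs against a constructed in-memory "network" so it works offline. The server addresses (192.0.2.x, from TEST-NET-1) and the TLD server hostname tld.example are constructed placeholders; nullrouted.space, ns1.hopcount.nl and 18.104.22.168 are taken from the dig output in the post. Replacing `send` with a UDP socket would make it query real servers.

```python
"""Iterative DNS resolution from the root over a simulated network (added example)."""
import struct

A, NS = 1, 2


def encode_name(name):
    """Encode 'a.b.c' as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, qtype=A, rd=False, qid=0x1234):
    """Standard query; rd=False is what a resolver sends to authoritative servers."""
    flags = 0x0100 if rd else 0x0000                     # RD = recursion desired
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def rr(name, rtype, rdata, ttl=300):
    """One resource record in wire format (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(x) for x in ip.split("."))


def build_response(query, answers=(), authority=(), additional=(), aa=False):
    """Echo the question, set QR (and AA for authoritative data); RA stays clear."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), len(authority), len(additional))
    return header + query[12:] + b"".join(answers) + b"".join(authority) + b"".join(additional)


def parse_response(data):
    """Parse header flags and the answer/authority/additional sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = decode_name(data, off)
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == A:
                value = ".".join(str(b) for b in data[off:off + 4])
            elif rtype == NS:
                value, _ = decode_name(data, off)
            else:
                value = data[off:off + rdlen]
            records.append((name, rtype, value))
            off += rdlen
        sections[key] = records
    return {"id": qid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), **sections}


ROOT_IP = "192.0.2.1"   # constructed placeholder for a root server address


def make_network():
    """Constructed servers; each answers every query with its fixed referral/answer."""
    def root(q):        # root: delegation of .space to a placeholder TLD server
        return build_response(q, authority=[rr("space", NS, encode_name("tld.example"))],
                              additional=[rr("tld.example", A, a_rdata("192.0.2.2"))])
    def tld(q):         # TLD: delegation of nullrouted.space to ns1.hopcount.nl
        return build_response(q, authority=[rr("nullrouted.space", NS, encode_name("ns1.hopcount.nl"))],
                              additional=[rr("ns1.hopcount.nl", A, a_rdata("192.0.2.3"))])
    def auth(q):        # zone's authoritative server: the A record from the post
        return build_response(q, aa=True, answers=[rr("nullrouted.space", A, a_rdata("18.104.22.168"))])
    return {ROOT_IP: root, "192.0.2.2": tld, "192.0.2.3": auth}


def resolve_iteratively(name, send, start=ROOT_IP, max_hops=8):
    """Follow referrals from `start`; send(ip, query) returns the response bytes."""
    server, path = start, []
    for _ in range(max_hops):
        path.append(server)
        reply = parse_response(send(server, build_query(name, rd=False)))
        addrs = [v for n, t, v in reply["answer"] if t == A and n == name]
        if addrs:
            return addrs, path
        ns_hosts = [v for n, t, v in reply["authority"] if t == NS]
        glue = {n: v for n, t, v in reply["additional"] if t == A}
        candidates = [glue[h] for h in ns_hosts if h in glue]
        if not candidates:
            raise RuntimeError("referral without glue; resolve %s first" % ns_hosts)
        server = candidates[0]
    raise RuntimeError("too many referrals for %s" % name)


if __name__ == "__main__":
    net = make_network()
    print(resolve_iteratively("nullrouted.space", lambda ip, q: net[ip](q)))
```

The returned path is exactly the "root servers -> TLD servers -> zone's authoritative servers" chain: every hop is a referral (empty answer section, NS records in the authority section) until the last server answers with AA set. Note that none of these servers set RA, which is the bit your ISP's resolver sets in the dig output above; a host running its own resolver is the one doing the walking.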
Practicing what you preach
At home, I run unbound on my Raspberry Pi, which provides recursive DNS service for the LAN.
On my servers I run either unbound or BIND for recursion, depending on whether the server serves authoritative queries as well (unbound is recursive only).
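As an added example (my own configuration, not the post's), a minimal unbound.conf for the LAN resolver role described above. It listens only on the LAN, refuses queries from anywhere else so the box cannot be used as an open resolver, resolves from the root hints itself (no forward-zone to the ISP), and validates DNSSEC so forged answers cannot land in the cache. The addresses and file paths are placeholders for your own network and distribution.

```conf
server:
    # listen on localhost and the LAN address of the Pi (placeholder addresses)
    interface: 127.0.0.1
    interface: 192.168.1.2
    port: 53

    # answer recursive queries from the LAN only; everything else is refused
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # walk from the root ourselves instead of forwarding to the ISP's resolver
    # (placeholder path; the file is the root hints from the distribution or IANA)
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation with an auto-updating root trust anchor (placeholder path)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes

    # reveal as little as possible about the resolver itself
    hide-identity: yes
    hide-version: yes

    # keep the small local cache useful: refresh popular records before they expire
    prefetch: yes
```

Run `unbound-checkconf` after editing to catch syntax errors before restarting the daemon, and confirm with `dig` from a LAN host that the answer now arrives from your own address with the `ad` flag set for signed zones.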