Privacy enhanced DNS server

Google's Public DNS at 8.8.8.8 has become the standard answer to DNS problems. Now other companies want to join in; currently 9.9.9.9 is catching the visitor's eye. But this idea creates massive trouble, both legally and technically.

Competition law

First of all, there is a dramatic shortage of easily memorable IP addresses. There are only 220 usable addresses of the form x.x.x.x; the rest fall into reserved or non-routable ranges.

Some companies are already using those IPs for DNS services:

  • 8.8.8.8 PTR google-public-dns-a.google.com.
  • 9.9.9.9 PTR dns.quad9.net.
  • 75.75.75.75 PTR cdns01.comcast.net.
  • 79.79.79.79 PTR public-dns-a.as9105.net.
  • 99.99.99.99 PTR dnsr4.sbcglobal.net.
  • 108.108.108.108 PTR 108-108-108-108.pools.spcsdns.net.
  • 114.114.114.114 PTR public1.114dns.com.

Others use them for their own authoritative name servers:

  • 77.77.77.77 PTR ns3.hiweb.ir.
  • 93.93.93.93 PTR ns.ngenix.net.
  • 199.199.199.199 PTR NS1.Shane.co.
  • 208.208.208.208 PTR ns1648.ztomy.com.

A few have other ideas:

  • 16.16.16.16 PTR ldtools.gre.hp.com.
  • 23.23.23.23 PTR select.zone.
  • 76.76.76.76 PTR lo0-rtc-svw.nco.riseb.net.
  • 145.145.145.145 PTR Multicast-RendezvousPoint.surf.net.
  • 192.192.192.192 PTR medmgmt-192.tajen.edu.tw.

But most of them simply hand these addresses out to ordinary customers. 69 of them have a proper reverse DNS entry.

If one assumes there is a valuable business in DNS services running on such addresses, the extreme shortage of this resource must be dealt with, in order to keep the barrier to entry low for innovative competitors and the doors open.

Of course, the responsible national regulator will say: no chance, this needs to be regulated or auctioned off.
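To make the "220 usable addresses" figure reproducible, here is an added example (my own code, not part of the original post) that enumerates all x.x.x.x addresses and removes those inside the IANA special-purpose ranges. It also classifies the two addresses the post itself uses later, 10.10.10.10 and 100.100.100.100, and checks which resolver addresses a customer's own internal prefixes would swallow. The range table is taken from the IANA IPv4 Special-Purpose Address Registry; the customer prefix in the usage is a hypothetical example.

```python
import ipaddress

# IANA special-purpose IPv4 ranges that cannot host a publicly reachable
# anycast resolver (IANA IPv4 Special-Purpose Address Registry).
SPECIAL_PURPOSE = [
    ("this network (RFC 1122)",                 "0.0.0.0/8"),
    ("private (RFC 1918)",                      "10.0.0.0/8"),
    ("shared address space / CGNAT (RFC 6598)", "100.64.0.0/10"),
    ("loopback (RFC 1122)",                     "127.0.0.0/8"),
    ("link-local (RFC 3927)",                   "169.254.0.0/16"),
    ("private (RFC 1918)",                      "172.16.0.0/12"),
    ("IETF protocol assignments (RFC 6890)",    "192.0.0.0/24"),
    ("documentation TEST-NET-1 (RFC 5737)",     "192.0.2.0/24"),
    ("private (RFC 1918)",                      "192.168.0.0/16"),
    ("benchmarking (RFC 2544)",                 "198.18.0.0/15"),
    ("documentation TEST-NET-2 (RFC 5737)",     "198.51.100.0/24"),
    ("documentation TEST-NET-3 (RFC 5737)",     "203.0.113.0/24"),
    ("multicast (RFC 5771)",                    "224.0.0.0/4"),
    ("reserved (RFC 1112)",                     "240.0.0.0/4"),
]
SPECIAL_NETS = [(label, ipaddress.IPv4Network(n)) for label, n in SPECIAL_PURPOSE]


def classify(addr):
    """Return the special-purpose label for addr, or 'public'."""
    a = ipaddress.IPv4Address(addr)
    for label, net in SPECIAL_NETS:
        if a in net:
            return label
    return "public"


def memorable_candidates():
    """All 256 addresses of the form x.x.x.x."""
    return [f"{x}.{x}.{x}.{x}" for x in range(256)]


def usable_memorable_addresses():
    """The x.x.x.x addresses that are publicly routable at all."""
    return [a for a in memorable_candidates() if classify(a) == "public"]


def unusable_memorable_addresses():
    """The x.x.x.x addresses a public service cannot use, with the reason."""
    return {a: classify(a) for a in memorable_candidates() if classify(a) != "public"}


def shadowed_resolvers(resolvers, customer_prefixes):
    """Resolver addresses that a customer's own internal prefixes capture
    (or blackhole) before a packet ever reaches the ISP."""
    nets = [ipaddress.IPv4Network(p) for p in customer_prefixes]
    return [r for r in resolvers
            if any(ipaddress.IPv4Address(r) in n for n in nets)]


if __name__ == "__main__":
    print(f"{len(usable_memorable_addresses())} usable x.x.x.x addresses")
    for a, why in unusable_memorable_addresses().items():
        print(f"  {a:18} unusable: {why}")
    # Hypothetical customer that numbers its LAN out of 10.0.0.0/8.
    print(shadowed_resolvers(["10.10.10.10", "100.100.100.100"], ["10.0.0.0/8"]))
```

The 36 excluded addresses are 0.0.0.0, 10.10.10.10, 100.100.100.100, 127.127.127.127 and the 32 addresses from 224.224.224.224 upwards, which leaves exactly 220.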

Do it yourself

My immediate reaction to the 9.9.9.9 hype is to push the idea one step further. I assigned the IP address 10.10.10.10 to a DNS anycast service and put it into operation.

$ dig AAAA lutz.donnerhacke.de @10.10.10.10 +dnssec +multiline
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 727
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 1

;; ANSWER SECTION:
lutz.donnerhacke.de.    CNAME   pro.donnerhacke.de.
lutz.donnerhacke.de.    RRSIG   CNAME 5 3 57600 ...
pro.donnerhacke.de.     AAAA    2001:4bd8:1:1:209:6bff:fe49:79ea
pro.donnerhacke.de.     RRSIG   AAAA 5 3 57600 ...

;; AUTHORITY SECTION:
donnerhacke.de.         NS      avalon.iks-jena.de.
donnerhacke.de.         NS      broceliande.iks-jena.de.
donnerhacke.de.         RRSIG   NS 5 2 57600 ...

;; Query time: 11 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Fri Nov 17 21:04:34 CET 2017
;; MSG SIZE  rcvd: 672

The answer carries the AD flag, which indicates that the resolver validated the result with DNSSEC. That settles the security side, with one caveat a stub resolver has to keep in mind: the AD bit is merely asserted by the resolver, so it is only worth something if the path between the customer and the resolver cannot be tampered with.

Because 10.0.0.0/8 is private address space (RFC 1918) that is not routed on the public Internet, the customer's queries cannot end up at a name server far, far away. On the contrary, the query is always answered locally, within the ISP's own IP network. So the customer cannot be hijacked by Internet routing tricks (a BGP hijack of a public resolver's prefix, say). He stays within his contractual relationship, and his ISP can be held liable for problems.
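The check a stub resolver should make on such an answer, as an added example in Python (my own code, not part of the original post): build the same query dig sent above (AAAA, recursion desired, EDNS0 with the DO bit), decode the response header, and accept the answer only if it is a matching, untruncated NOERROR response with AD set. The two sample headers are constructed, not captured; the first copies the flags and section counts of the dig output above. The live query at the bottom targets 10.10.10.10, which only works from inside that ISP's network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: the resolver says it validated the answer
FLAG_CD = 0x0010   # checking disabled

TYPE_AAAA = 28
TYPE_OPT = 41
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's TTL field (RFC 6891)
RCODE_NOERROR = 0


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid, dnssec_ok=True):
    """A recursive query; with dnssec_ok an EDNS0 OPT record carries the DO
    bit, which is what makes the resolver return RRSIGs as in the dig output."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = DO flag
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "rcode": flags & 0x000F,
        "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def validated_answer(msg, expected_id):
    """True only for a complete, matching NOERROR response with AD set.
    AD is an assertion by the resolver, not proof to the client, so the check
    is only meaningful over a path you trust, e.g. the ISP-internal route to
    10.10.10.10 described in the post."""
    h = parse_header(msg)
    return bool(h["qr"] and not h["tc"] and h["id"] == expected_id
                and h["rcode"] == RCODE_NOERROR and h["ad"])


# Constructed sample headers (not captured traffic). The first mirrors the
# dig output above: id 727, flags qr rd ra ad, counts 1/4/3/1.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 727,
                               FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 4, 3, 1)
# The same answer from a resolver that does not validate: no AD bit.
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 727,
                                 FLAG_QR | FLAG_RD | FLAG_RA, 1, 4, 3, 1)

if __name__ == "__main__":
    print(parse_header(SAMPLE_VALIDATED))
    # Live query against the post's resolver; only reachable inside that ISP.
    query = build_query("lutz.donnerhacke.de", TYPE_AAAA, txid=727)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    try:
        sock.sendto(query, ("10.10.10.10", 53))
        data, _ = sock.recvfrom(4096)
        print("validated:", validated_answer(data, 727), parse_header(data))
    except OSError as exc:
        print("no answer from 10.10.10.10:", exc)
    finally:
        sock.close()
```

A production stub would additionally verify that the question section echoes what was asked and that the OPT record in the reply echoes the DO bit; the header check above is the minimum that distinguishes a validating resolver from one that merely forwards.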

Using a local resolver means the operator never has to hand customer information to anyone else. A secondary effect is that the cache is shared: an answer cached for one customer serves every other customer asking the same question. Together with the low round-trip time, DNS responses come back faster.

Local resolvers tend to be pointed at topologically nearby CDN instances, which makes browsing feel much smoother. Reaching regional servers also reduces the load on the ISP's peerings, which means a smoother Internet for the other customers, too.

The remaining problem is to get the hotline to hand out 10.10.10.10 instead of 8.8.8.8 as before. That will take time. In the same way, the field engineers need to learn to debug DNS problems and, if they fail, to fall back to 10.10.10.10.

There may be collisions with customers who already use this private address space internally. They can use 100.100.100.100 instead; I will provide that as well. That address lies in the shared address space 100.64.0.0/10 set aside for carrier-grade NAT (RFC 6598), so it is likewise not globally routable.

Not one of our customers? Yell at your ISP to build the same service! Let's make it Best Current Practice to use these addresses all over the world.

Donnerhacke 23/11/2017 4:32 pm
It says so in the post ... 10.10.10.10 is one of several DNS servers that are handed out. So the fallback is there. 100.100.100.100 will be added soon.
Stefan 21/11/2017 3:45 am
This hack works as long as 10.10.10.10 can be pushed into the CPE as a host route, the CPE is fully managed by the ISP, and the customer cannot fiddle with the routing locally. Because in corporate environments in particular, and at my home as well, the first router the customer has access to gets three blackhole routes for RFC 1918:
10.0.0.0/8 -> null0
172.16.0.0/12 -> null0
192.168.0.0/16 -> null0
This makes sure that unknown RFC 1918 traffic is not forwarded to the ISP.

Besides, I think that with IPv4 one should avoid direct communication between public and RFC 1918 addresses within the provider network anyway. It only leads to unnecessary 'possible' address collisions.
Daniel 'hackbyte' Mitzlaff 18/11/2017 1:56 am
Heh, that's a pretty cool hack, I'd say.

Since I use a 10.x.x.x/24 network myself, the effort to adapt is not that gigantic. But OK, my ISP (o2) has its own stuff.

Anyway, how long has it been since an ISP/POP offered its own resolver by default?

I _REALLY_ have no idea, since from the earliest days (Compaq 486dx30 as ISDN router) I have always had my own isc-dhcpd+bind(9) combination running ..... And yes, of course bind does its own lookups, at least occasionally. ;)

Regards,

hacky
