Privacy enhanced DNS server

Using Google's Public DNS has become the standard way to resolve DNS problems. Now other companies are trying to join in. Currently is catching the visitors' eye. But this idea generates massive trouble, both legally and technically.

Competition law

First of all, there is a dramatic shortage of easily memorable IP addresses. There are only 220 usable addresses matching x.x.x.x.

Some companies are already using those IPs for DNS services:

  • PTR
  • PTR
  • PTR
  • PTR
  • PTR
  • PTR
  • PTR

Others apply them to their own name servers:

  • PTR
  • PTR
  • PTR
  • PTR

A few have other ideas:

  • PTR
  • PTR
  • PTR
  • PTR
  • PTR

But most of them just hand out the addresses to ordinary customers. 69 do provide an appropriate reverse DNS entry.

Assuming there is a valuable business in DNS services running on such addresses, the severe shortage of this resource needs to be addressed in order to keep the barrier to entry for innovative competitors low and the doors open.

Of course, the responsible national agency will say: no chance, this needs to be regulated or auctioned.

Do it yourself

The immediate consequence of the hype is to go along with it. I assigned the IP for DNS anycast and started the service.

$ dig AAAA @ +dnssec +multiline
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 727
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 1

;; ANSWER SECTION:    CNAME    RRSIG   CNAME 5 3 57600 ...     AAAA    2001:4bd8:1:1:209:6bff:fe49:79ea     RRSIG   AAAA 5 3 57600 ...

;; AUTHORITY SECTION:         NS         NS         RRSIG   NS 5 2 57600 ...

;; Query time: 11 msec
;; WHEN: Fri Nov 17 21:04:34 CET 2017
;; MSG SIZE  rcvd: 672

The answer carries the AD flag, which indicates a DNSSEC-validated result. That takes care of security.
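To make the AD check above concrete, here is an added example (not code from the original post) that builds a DNS query with the EDNS0 DO bit set, as `dig +dnssec` does, and decodes the flags of a response header so the AD bit can be tested programmatically. The sample response header is constructed to mirror the dig output above (id 727, flags qr rd ra ad, 1/4/3/1 section counts); the `query()` helper and the name `example.net` are assumptions for illustration.

```python
"""Build a DNSSEC-OK query and decode the AD flag from a DNS response header.

Added example; uses only the Python standard library (RFC 1035 header layout,
RFC 6891 OPT record, RFC 4035 AD/CD bits).
"""
import socket
import struct

# Header flag bits (second 16-bit word of the DNS header)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (validator says: DNSSEC-valid)
FLAG_CD = 0x0010  # checking disabled

EDNS_DO = 0x8000  # DNSSEC OK bit in the 32-bit "TTL" field of the OPT RR


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=28, txid=0x1234, udp_size=4096):
    """Query with RD set plus an OPT RR carrying DO, like `dig +dnssec` (qtype 28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_flags(message):
    """Return the header flags, rcode and answer count of a DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "answer_count": an,
    }


def is_validated(message):
    """True only for a NOERROR response on which the resolver set AD."""
    f = parse_flags(message)
    return f["qr"] and f["rcode"] == 0 and f["ad"]


def query(server, name, qtype=28, timeout=2.0):
    """Send the query over UDP and return the parsed flags (assumed helper; needs network)."""
    msg = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != msg[:2]:
        raise ValueError("transaction id mismatch")
    return parse_flags(data)


# Constructed sample: header of a validated answer, mirroring the dig output
# (id 727, flags "qr rd ra ad", NOERROR, QUERY 1, ANSWER 4, AUTHORITY 3, ADDITIONAL 1)
SAMPLE_RESPONSE = struct.pack(
    "!HHHHHH", 727, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 4, 3, 1)

# Constructed sample: same answer, but the resolver did not (or could not) validate
SAMPLE_UNVALIDATED = struct.pack(
    "!HHHHHH", 727, FLAG_QR | FLAG_RD | FLAG_RA, 1, 4, 3, 1)

if __name__ == "__main__":
    print(parse_flags(SAMPLE_RESPONSE))
    print("validated:", is_validated(SAMPLE_RESPONSE), is_validated(SAMPLE_UNVALIDATED))
```

The AD bit is an assertion by the resolver, not a proof carried in the packet, so it is only worth trusting when the path to the resolver itself cannot be tampered with; that is exactly the property the locally routed, non-public resolver address in this post is meant to provide.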

Because is private IP space, which cannot be accessed publicly, the customer can't reach out to a name server far, far away. On the contrary, the question will always be answered locally, at the local IP level. So the customer can't be hijacked by Internet routing tricks. He acts within contractual limits, and his ISP can be held liable for problems.

Using a local server lets the server operator avoid handing out customer information. A secondary effect is that every cached answer serves every request from any customer. Together with low round-trip times, DNS responses come back faster.

Local servers tend to point to topologically near CDN instances, which gives a much smoother surfing experience. Accessing regional servers decreases the load on ISP peerings, which results in a smoother Internet for other customers, too.

The remaining problem is to tell the hotline to hand out instead of as before. But that will take time. In the same way, the field engineers need to learn to debug DNS problems, and if they fail, to use

There might be a collision with customers who use this private IP space internally. They may use instead; I will grant it.

You are not one of our customers? Yell at your ISP to build the same service! Let's make it Best Current Practice to use those IPs all over the world.

Donnerhacke 23/11/2017 4:32 pm
It says so in the post ... is one of several DNS servers that get handed out. So the fallback is there. Soon will be added as well.
Stefan 21/11/2017 3:45 am
This hack only works as long as you can push as a host route into the CPE, the CPE is fully managed by the ISP, and the customer cannot fiddle with the routing locally. Because especially in a corporate environment, and at my home too, the first router the customer has access to gets three blackhole routes for RFC1918: -> null0 -> null0 -> null0
This ensures that unknown RFC1918 traffic is precisely not forwarded to the ISP.

Especially since I think anyway that with IPv4 one should avoid direct communication between public and RFC1918 addresses within the provider network. It just leads unnecessarily to 'possible' address collisions.
Daniel 'hackbyte' Mitzlaff 18/11/2017 1:56 am
Heh, that's a pretty cool hack, I'd say.

Since I use a 10.x.x.x/24 network myself, the effort to adapt isn't that huge. But ok, my ISP (o2) has its own stuff.

Anyway, how long has it been since an ISP/POP offered its own resolver by default?

I _REALLY_ have no idea, since from the earliest days (Compaq 486dx30 as ISDN router) I've always had my own isc-dhcpd+bind(9) combo running ..... And yes, bind of course does its own lookups, at least occasionally. ;)
