Privacy enhanded DNS server
Google's Public-DNS using 188.8.131.52 became the standard for resolving DNS problems. Now other companies try to join. Currently 184.108.40.206 is catching the visitors eye. But this idea generates massive trouble:lawfully and technically.
First if all, the is a dramatic shortage on easy memorable IP addresses. There are only 220 usable addresses matching x.x.x.x.
Some companies are already using those IPs for DNS services:
- 220.127.116.11 PTR google-public-dns-a.google.com.
- 18.104.22.168 PTR dns.quad9.net.
- 22.214.171.124 PTR cdns01.comcast.net.
- 126.96.36.199 PTR public-dns-a.as9105.net.
- 188.8.131.52 PTR dnsr4.sbcglobal.net.
- 184.108.40.206 PTR 108-108-108-108.pools.spcsdns.net.
- 220.127.116.11 PTR public1.114dns.com.
Others are apply them to their own name servers:
- 18.104.22.168 PTR ns3.hiweb.ir.
- 22.214.171.124 PTR ns.ngenix.net.
- 126.96.36.199 PTR NS1.Shane.co.
- 188.8.131.52 PTR ns1648.ztomy.com.
A few have other ideas:
- 184.108.40.206 PTR ldtools.gre.hp.com.
- 220.127.116.11 PTR select.zone.
- 18.104.22.168 PTR lo0-rtc-svw.nco.riseb.net.
- 22.214.171.124 PTR Multicast-RendezvousPoint.surf.net.
- 126.96.36.199 PTR medmgmt-192.tajen.edu.tw.
But most of them just hand out the addresses to ordinary customers. 69 do provide an approbriate reverse DNS entry.
Assuming a valuable business in DNS services running on such addresses, the incredible shortage of this ressouce needs to be addressed in order to keep the entry level for innovative competitors low and the doors open.
Of course, the responsible national agency will say: No chance, this need to be regulated or auctionated.
Do it youself
The immediate consequence of the 188.8.131.52 hype is to keep going on. I did assign the IP 10.10.10.10 for DNS anycast and started with the service.
$ dig AAAA lutz.donnerhacke.de @10.10.10.10 +dnssec +multiline ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 727 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 1 ;; ANSWER SECTION: lutz.donnerhacke.de. CNAME pro.donnerhacke.de. lutz.donnerhacke.de. RRSIG CNAME 5 3 57600 ... pro.donnerhacke.de. AAAA 2001:4bd8:1:1:209:6bff:fe49:79ea pro.donnerhacke.de. RRSIG AAAA 5 3 57600 ... ;; AUTHORITY SECTION: donnerhacke.de. NS avalon.iks-jena.de. donnerhacke.de. NS broceliande.iks-jena.de. donnerhacke.de. RRSIG NS 5 2 57600 ... ;; Query time: 11 msec ;; SERVER: 10.10.10.10#53(10.10.10.10) ;; WHEN: Fri Nov 17 21:04:34 CET 2017 ;; MSG SIZE rcvd: 672
The answer contains an AD flag, which indicates a DNSSEC validated result. This way Security is completed.
Because 10.0.0.0/8 is private IP space, which can not be publically accessed, the customer can't reach out for an name server far far away. On contrary the question will always be answered locally, at the local IP level. So the customer can't be kidnapped by Internet routing tricks. He does act within contractual limits, and his ISP can be held liable for problems.
Using a local server allows the server operator to skip handing out customer information. A secondary effect is, that every cached answer matches every request for any customer. Together with low round trip times DNS responses come back faster.
Local server tend to point to topological near CDN instances, which cause a much smoother Surf feeling. Accessing regional servers decrease the load of ISP peerings, which results in smoother internet for other customers, too.
The remaining problem is to tell the hotline to hand out 10.10.10.10 instead of 184.108.40.206 as before. But it will take time. In the same way the field engineers need to learn to debug DNS problems, and if they fail, to use 10.10.10.10.
There might be a collision with customers using this private IP space internally. They may use 100.100.100.100 instead, I will grant it.
You are not one of our customers? Yell at your ISP to build the same service! Let's make it Best Current Practice to use those IPs all over the world.
Total 3 comments