Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
louwrentius 4 days ago

If you decide not to use a forwarder, the DNS server will be truly independent.

The DNS server will contact the Root servers for the TLD namesevers of a domain, the TLD nameservers and then the actual authoritative nameserver for the particular domain.

No forwarder needed.

This means you bypass any DNS based filtering any DNS ‘forwarder’ may have in place.

zamadatix 4 days ago | parent | next [-]

I've always felt it makes sense to either use a forwarder you trust or just operate the root zone yourself. Going to the root zone dynamically is certainly the most technically correct, but if your goals involve either "independence" or "retaining some measure of the performance of using forwarders while still resolving things directly yourself" then you can just pull the root zone daily and operate your own root server https://www.iana.org/domains/root/files. Of course, IANA would rather you just use DNS as technically correct as possible because, well, that's what they exist for, but they don't attempt to roadblock operating your own copy of the root.

It's hard to go much deeper than that in practice as the zonefiles for TLDs are massively larger, massively more dynamic (i.e. syncing once a day isn't usually enough), and much harder to get ahold of (if it all, sometimes).

Regardless of how you go about not using a forwarder, if that's the path you choose then I also heavily recommend considering setting up some additional things like cached entry prefetching so recently used expiring entries don't get "hitches" in latency.

JdeBP 4 days ago | parent | next [-]

There's an unofficial list of the ones that one can officially replicate.

* https://news.ycombinator.com/item?id=44318136

There are actually several additional subdomains of arpa. that one can also replicate, not on that list, which are largely invariant.

And really it's not about technical correctness. It has been known how to set up private roots since the 20th century. Some of us have had them for almost that long. Even the IETF has glacially slowly now come around to the view that idea is a good one, with there now being an RFC on the subject.

The underlying problem for most of that time has been that they're difficult to do with BIND, at least a lot more difficult to do than with other content DNS server softwares, if one clings, as exhibited even here in the headlined article, to a single server vainly wearing all of the hats at once.

All of the people commenting here that they use unbound and nsd, or dnscache and tinydns, or PowerDNS and the PowerDNS Recursor, have already overcome the main BIND Think obstacle that makes things difficult.

zamadatix 4 days ago | parent [-]

Fantastic all-in-one resource!

It's technically incorrect in that IANA would like you to have your DNS server use the DNS protocol's built in system of record querying and expiry rather than pull a static file at your own interval (IIRC I don't think root servers support AXFR for performance reasons?) as there is no predefined fixed schedule for root zone updates. Practically, root zone update changes are absolutely glacial and minuscule (the "real" root servers only get 1-2 updates per day anyways) so pulling the file once per day is effectively good enough to never care it's not as DNS would intend you to get the record updates.

Setting this up in bind should be no more difficult than adding a `zone "."` entry pointing to this file, the named.conf need not be more than ~a dozen lines long. It's easy to make bind config complicated though (much like this article), but I'm not sure that was the barrier vs just being comfortable enough about DNS to be aware the endeavour is even something one could seek to do - let alone set out to.

pumplekin 3 days ago | parent [-]

The general root servers generally don't support AXFR, but if you want to AXFR the root, you can do so from lax.xfr.dns.icann.org or iad.xfr.dns.icann.org.

icedchai 3 days ago | parent | prev [-]

Root hints are enough for most use cases. In 30 years of running my own DNS servers, I never once needed to replicate the the root zone. Unless you have a totally crap internet connection you're not going to notice those extra lookups.

craftkiller 4 days ago | parent | prev [-]

I used to do that, but that has the downside of sending all your DNS requests unencrypted over the network. By using a forwarder you have the option to use DoT or DoH.

pumplekin 4 days ago | parent [-]

There is work coming at the IETF to help with this.

- Draft: DELEG (a new way of doing delegations, replacing the NS/DS records).

- A draft to follow: Using the extensible mechanisms of DELEG to allow you to specify alternative transports for those nameservers (eg: DoH/DoT/DoQ).

This would allow a recursive server to make encrypted connections to everything it talks to (that has those DELEG records and supports encrypted transports) as part of resolution.

Of course, traffic analysis still exists. If you are talking to the nameservers of bigtittygothgirls.com, and the only domains served by those name servers are bigtittygothgirls ...