On Thu, Oct 23, 2014 at 1:36 PM, Paul Vixie <[email protected]> wrote:
> i encourage anyone who thinks full resolvers can run inside end hosts
> which currently run stub resolvers, to try it.
>
> BIND9 runs fine on windows and macos laptops. so, without even touching
> the real growth area of the edge (which is mobile devices like smart
> phones), you can get a sense of how rarely you'll be able to perform dns
> lookups, if you just switch to 127.0.0.1 as your name server (override
> this in your dhcp settings) and run a recursive dns server there.
>
> until you have done this and have results to report, you'd be wise not
> to make any claims about this possibility.
>
> (i've done this for over a decade, but, i always have a VPN open, which
> can use TCP/80 as a backup carriage path, and the VPN is absolutely
> necessary in my experience, and, that is a rather high bar for making
> localhost do dns recursion and iteration at scale.)

I was running that for a couple of months. It appeared to work fine, but I dropped it as soon as I discovered that I was still getting Verizon sitefinder ads placed when I got NXDOMAIN. And the same happens on 8.8.8.8.

Bottom line is that if you try to use port 53 for client-recursive, you will find yourself under MITM attack much of the time. And it's not even all malicious. A lot of ISPs MITM the DNS traffic so they don't get one of the big TLDs onto their case for allowing their customers to do DDoS.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
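A way to check a resolver for the NXDOMAIN rewriting described in the reply above, added here as an example and not part of the thread: it queries a random name under the reserved .invalid TLD, which can never exist, and reports whether the reply is a genuine NXDOMAIN or a NOERROR answer carrying a forged A record. `build_response` constructs sample replies so the classifier can be exercised offline; `probe` is the live version and needs network access.

```python
import random, socket, string, struct

def build_query(name, qid=0x1234):
    """Standard recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def build_response(query, rcode, answer_ip=None):
    """Constructed reply to `query`: the given RCODE, or NOERROR plus one forged A record."""
    qid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, ancount, 0, 0)  # QR, RD, RA set
    resp = header + query[12:]                      # echo the question section
    if answer_ip:
        # owner name is a compression pointer to the question name at offset 12
        resp += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return resp

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def classify_response(resp):
    """For a probe of a name that cannot exist: ('nxdomain'|'rewritten'|'other', ip_or_None)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain", None                     # honest answer
    if rcode != 0 or ancount == 0:
        return "other", None                        # SERVFAIL, REFUSED, empty NOERROR, ...
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4             # QTYPE + QCLASS
    off = _skip_name(resp, off)                     # first answer RR
    rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    ip = socket.inet_ntoa(resp[off + 10:off + 14]) if rtype == 1 and rdlen == 4 else None
    return "rewritten", ip                          # NOERROR + answer for a bogus name

def probe(resolver, timeout=2.0):
    """Live check: ask `resolver` (UDP/53) for a random .invalid name and classify the reply."""
    name = "".join(random.choices(string.ascii_lowercase, k=12)) + ".invalid"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify_response(s.recv(512))
```

Running `probe("127.0.0.1")` next to `probe` of the ISP-assigned resolver shows whether the rewriting happens at the resolver or on the path, since a local recursive server should never return NOERROR for a .invalid name on its own.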
