On 6/15/19 12:02 AM, Ronald F. Guilmette via Unbound-users wrote:
In message <[email protected]>,
John Levine <[email protected]> wrote:

In article <[email protected]> you write:
Ronald F. Guilmette via Unbound-users <[email protected]> wrote:
And if that is the case, then will my SOHO router catch fire if and when
I elect to send out through it a set of 65536 or more separate DNS queries,
all in rapid succession? ...


IP addresses) or get a colo box for high volume DNS query traffic.

This sounds like a job for a $5/mo linux VPS at any of a zillion
hosting companies.  It gets its own static public IP address, no
NAT nonsense needed.

I am in agreement.  I had been doing my DNS research from a static IP
associated with an end luser broadband line, but I am re-jiggering
my entire network now and plan to get rid of -that- static IP.  And
that's what prompted my question(s).  Apparently, once I make this
change, I won't be able to just carry along as I had been doing before.
Instead, as it now seems, I'll have to move my DNS research to some
cloudish sort of place.


You may not need a "cloudish sort of place." It really depends on your user count. A residence or small business doesn't generate that many "new" domain queries in 24 hours.

If you configure Unbound cache parameters correctly, it won't need to query much. One trick is setting a minimum TTL of 5-15 minutes to prevent misapplication of TTL for load balancing. Even for a guest-consumer network like a cafe or small hotel, it's google, facebook, instagram, twitter, and (repeat). If you install an adblock/malweb list that causes 'local-domain: bad.example.com static', then you can really cut down on useless DNS. The same excessive video-scripted ads that bog your browser also bog DNS. I package Unbound for OpenWrt and it works okay on single-core MIPS (TP-Link Archer C7) and it works well on dual-core ARM (Linksys WRT3200ACM). In this case, it also works to serve the router as the only DNS provider by announcing it in DHCP and RA, and also firewalling all UDP/TCP 53 trying to cross WAN/LAN. Only allow the router to be a target in the firewall.

The "cloudish" option can also be DNS-over-TLS to cloudflare 1.1.1.1 or quad9 9.9.9.9. Then Unbound merely forwards the full query and these providers do all the heavy lifting. These services appear to have reasonable privacy policies at least worth reading. With TLS, your ISP cannot mingle some "extra information" into your DNS responses.

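Putting the configuration described in that last message into runnable form, as an added example that is not part of the thread or of the OpenWrt Unbound package: the script below parses a hosts-format adblock list into Unbound `local-zone "<name>" static` entries (the unbound.conf directive is spelled local-zone) and renders a server fragment with cache-min-ttl at 5 minutes plus a forward-zone that sends every query over DNS-over-TLS to 1.1.1.1 and 9.9.9.9 on port 853. The sample blocklist, the 192.168.1.0/24 LAN range and the CA bundle path are constructed assumptions for the example.

```python
"""Generate an Unbound config fragment from a hosts-format adblock list.

Added example; not code from the mailing-list thread or the OpenWrt package.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample blocklist in hosts format (not a real published list).
SAMPLE_HOSTS_LIST = """\
# Sample adblock list in hosts format (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
0.0.0.0 Ads.Example.COM
::1 localhost ip6-localhost
0.0.0.0 bad.example.com
"""

# Names every hosts file carries that must never become a static zone.
SKIP_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# At least two labels, LDH characters only, label length 1..63, name <= 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$"
)


def hosts_to_zones(text: str) -> list[str]:
    """Parse hosts-format lines into a sorted, de-duplicated list of domains.

    Comments, blank lines, loopback names and anything that is not a valid
    multi-label hostname are dropped, so a malformed list line cannot end up
    as a broken local-zone statement that makes unbound refuse its config.
    """
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:  # an address with no hostname
            continue
        for name in fields[1:]:  # hosts lines may carry several names
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or not HOSTNAME_RE.match(name):
                continue
            names.add(name)
    return sorted(names)


def render_config(domains: Iterable[str], *, cache_min_ttl: int = 300,
                  forward_tls: bool = True, lan: str = "192.168.1.0/24") -> str:
    """Render an unbound.conf fragment for a LAN-only resolver.

    'static' zones are answered locally (NXDOMAIN for the name and everything
    under it), so blocked ad/tracker names never generate an upstream query.
    """
    lines = [
        "server:",
        "    # Listen for the LAN only; also firewall port 53 crossing WAN/LAN.",
        "    interface: 0.0.0.0",
        f"    access-control: {lan} allow",
        "    access-control: 0.0.0.0/0 refuse",
        f"    cache-min-ttl: {cache_min_ttl}",
        "    # Ad/malware names answered locally, no upstream traffic:",
    ]
    lines += [f'    local-zone: "{d}" static' for d in domains]
    if forward_tls:
        lines += [
            "    # CA bundle path is an assumption; adjust for the target system.",
            "    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt",
            "forward-zone:",
            '    name: "."',
            "    forward-tls-upstream: yes",
            "    forward-addr: 1.1.1.1@853#cloudflare-dns.com",
            "    forward-addr: 9.9.9.9@853#dns.quad9.net",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(hosts_to_zones(SAMPLE_HOSTS_LIST)), end="")
```

The `#hostname` suffix on each forward-addr makes Unbound verify the upstream certificate against that name, which is what turns the TLS hop into a defence against an ISP injecting "extra information"; without a CA bundle the connection is encrypted but not authenticated. A cache-min-ttl floor also overrides what the authoritative server asked for, so keep it in the 5-15 minute range the message suggests rather than hours, or short-TTL failover for the sites you care about will lag behind by that much.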