
I have configured local Unbound to use four different open DNS providers, round-robin, the rationale being each one gets 1/4th of requests. On the other hand, I am sending requests to four providers instead of one, so I have to trust four providers instead of one. What’s better?


You can set up a recursive resolver to query the DNS root servers directly.

https://www.iana.org/domains/root/servers


> What’s better?

4 providers, at the same time, all times.

It is wasteful but you can run the alarms when responses don't match.


But responses will not match for legitimate reasons of dynamic configuration at specific domains.
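As an added example (not code from any commenter), here is one way to raise the alarm proposed above while tolerating the legitimate variation the reply points out: a resolver is only flagged when none of its records is vouched for by enough other upstreams, or when it returned nothing while the others answered. The per-resolver record sets are constructed sample data; collecting them (one query per upstream) is left to whatever DNS client you already use.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample input: A records returned by each upstream for one name.
# The addresses are documentation ranges, not real lookups.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "resolver-a": {"203.0.113.10", "203.0.113.11"},
    "resolver-b": {"203.0.113.11", "203.0.113.12"},
    "resolver-c": {"203.0.113.10"},
    "resolver-d": {"198.51.100.7"},
}


def classify(answers: Dict[str, Set[str]], min_witnesses: int = 2) -> Tuple[str, List[str]]:
    """Compare the record sets returned by several upstream resolvers.

    Returns (verdict, outliers) where verdict is one of:
      'agree'   - every resolver returned exactly the same record set
      'overlap' - sets differ, but each resolver shares at least one record
                  with enough other resolvers (CDN / GeoDNS rotation; no alarm)
      'alarm'   - some resolver returned only records nobody else returned,
                  or returned an empty answer while others had records
    A record counts as "witnessed" by every resolver that returned it, the
    resolver itself included, so min_witnesses=2 means "at least one other
    upstream agrees". Raising it demands more independent agreement.
    """
    sets = {name: set(records) for name, records in answers.items()}
    if len({frozenset(s) for s in sets.values()}) == 1:
        return "agree", []
    # How many upstreams returned each individual record.
    votes = Counter(record for s in sets.values() for record in s)
    outliers = sorted(
        name
        for name, s in sets.items()
        if not s or all(votes[record] < min_witnesses for record in s)
    )
    return ("alarm" if outliers else "overlap"), outliers


if __name__ == "__main__":
    verdict, outliers = classify(SAMPLE_ANSWERS)
    print(verdict, outliers)  # alarm ['resolver-d']
```

Partial overlap between upstreams is treated as normal here, which is exactly the case the reply above describes; only a resolver whose answer shares nothing with its peers trips the alarm.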


This isn't a concrete software recommendation, but the DNS would lend itself exceptionally well to a distributed p2p resolver that would prevent most queries from hitting centralized servers in the first place - it's just a simple distributed database. You'd need some sort of multiparty trust metric to avoid tampering (or DNSSEC), but modulo that peers could just freely pass around records.

There would be a little more complexity these days with large companies changing answers based on the address of the requester, but that doesn't seem too hard to account for or even just ignore. And to reduce traffic even further, you could take some liberties with TTLs, for records that actually don't change often.


What about remote address correlation? DNS is transmitted in plaintext. Transit providers could eavesdrop on your traffic and short circuit your work.


They could sniff but not tamper as long as you are using DNSSEC.


At least you've removed one single point of failure for DNS lookups.



