NO CARRIER

Computers, Science, Technology, Xen Virtualization, Hosting, Photography, The Internet, Geekdom And More

Why I use my own DNS resolvers

Posted on | July 10, 2008 | 6 Comments

If you don’t care what DNS (domain name service) is or why it’s important, you’ll find this post quite boring.

For those of you who do care, but don’t know, DNS is what translates domain names into IP addresses and vice versa. If you type ‘www.google.com’ in your browser, a DNS server (somewhere) is going to need to translate ‘www.google.com’ into an IP address so that a socket connection can be established.

The reverse of that (reverse DNS) translates an IP address into a meaningful name. For instance, ‘echoreply.us’ translates to 216.146.142.235, yet a lookup of the reverse (PTR) entry for that same IP returns ‘s1.echoreply.us’, which is the name of the computer that hosts ‘echoreply.us’.

Whenever you load a page (especially for the first time), a significant amount of the waiting time is due to your browser needing to connect to some DNS server and do a lookup. To get around this, I just run my own DNS server on my desktop and use the OpenNIC root name servers so that I can resolve neat domain names like ‘echoreply.geek’ :)

If you use a Unix-like desktop, here’s how to run your own. Later I will fully explain the benefits of doing so. As an example, I’ll illustrate how I set up my own Tier 2 DNS server with OpenNIC on my Ubuntu GNU/Linux desktop:

Step 1: Get the required programs

Make sure that BIND (version 9 is really preferable) is installed on your computer. Typically this package will be named ‘bind9’ or sometimes ‘bind-9’; check with your OS distributor to find out the exact name and installation method. You will also need the package named ‘dnsutils’, which provides the ‘dig’ program that will be used later. This is optional, but useful.

On my Ubuntu system, the following accomplishes both:

  sudo apt-get install bind9 dnsutils

Step 2: (optional) Configure your DNS server for OpenNIC

By default, your spiffy new DNS server will dig the Internet’s default (IANA) servers to resolve domains. In order to resolve neat domains like .geek, you’re going to want to replace those roots with those that are provided by OpenNIC. Be sure to see the warning at the end of this post regarding the use of untrusted resolvers.

On most systems, the file that contains entries for the root name servers (and ‘primes’ your new DNS server with information on how to resolve domains) is located at /etc/bind/db.root. This file might be in /etc/named, /var/named/, /var/bind or other places depending on your distribution. Check with your distribution to be sure.

Back up and re-populate the db.root file with OpenNIC resolvers, using the ‘dig’ tool to get the information from their primary resolver (ns0.opennic.glue), as such:

  mv db.root db.root.backup
  dig . ns @75.127.96.89 > db.root

We’re using the IP address of ns0.opennic.glue because you won’t be able to resolve .glue until you’ve switched over to using the DNS server that you are now configuring.

At this point, re-start your DNS server (on Ubuntu the init script is named after the package, bind9):

  sudo /etc/init.d/bind9 restart

On some systems, this might be ‘service named restart’ or ‘/etc/rc.d/init.d/named restart’, check with your distribution if you aren’t sure.

Step 3: Put your spiffy new DNS server to work!

Now, we need to tell your computer to use your newly configured DNS server. We’ll first make a backup of the existing configuration and then a simple line will put your server into use:

  mv /etc/resolv.conf /etc/resolv.old
  echo "nameserver 127.0.0.1" > /etc/resolv.conf

Test your installation by accessing echoreply.geek via ping or browser, whichever you prefer. You are now digging the root name servers directly to resolve .com .net .org (and other official TLDs) plus opening up the world of OpenNIC.
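The three steps above can be wrapped in a small script. The one below is an added example, not the post’s own script: it refreshes db.root from OpenNIC the way step 2 does, but installs the new hints only after checking that dig really returned root NS records with glue addresses (a timed-out query would otherwise overwrite a working db.root with comment lines). The resolver address and file path are the post’s; the Ubuntu restart command, the backup naming and the sample dig output are assumptions.

```shell
#!/bin/sh
# Added helper for steps 2 and 3 above (not the post's own script): refresh
# db.root from OpenNIC, but only install the new hints after checking that dig
# really returned root NS records with glue. Paths and the resolver address are
# the post's; the Ubuntu defaults below are assumptions.
DB_ROOT="${DB_ROOT:-/etc/bind/db.root}"
HINT_SERVER="${HINT_SERVER:-75.127.96.89}"   # ns0.opennic.glue, from the post
RESTART_CMD="${RESTART_CMD:-/etc/init.d/bind9 restart}"

# validate_hints FILE: succeed only if FILE has an NS record for "." and an
# A/AAAA record for every listed server. A timed-out dig leaves only ";;"
# comment lines, which is rejected instead of silently becoming db.root.
validate_hints() {
    awk '
        /^;/ || NF < 5 { next }                   # dig comments and blank lines
        $1 == "." && $4 == "NS" { ns[$5] = 1; n++ }
        $4 == "A" || $4 == "AAAA" { glue[$1] = 1 }
        END {
            if (n == 0) { print "no root NS records"; exit 1 }
            for (s in ns) if (!(s in glue)) { print "no glue for " s; exit 1 }
            print n " root servers, all with glue"
        }' "$1"
}

# refresh_hints: step 2 with the check in between, so a failed query leaves
# the working db.root (and its dated backup) untouched. Run as root.
refresh_hints() {
    tmp=$(mktemp) || return 1
    dig . ns "@$HINT_SERVER" > "$tmp" || true   # a failed query is caught below
    if validate_hints "$tmp"; then
        [ -f "$DB_ROOT" ] && cp "$DB_ROOT" "$DB_ROOT.backup.$(date +%Y%m%d)"
        mv "$tmp" "$DB_ROOT" && $RESTART_CMD
    else
        echo "hints rejected, keeping $DB_ROOT" >&2; rm -f "$tmp"; return 1
    fi
}

# Constructed sample in dig's output format (the ns1 address is made up), so
# the check can be exercised without touching the network.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
;; ANSWER SECTION:
.                   518400  IN  NS  ns0.opennic.glue.
.                   518400  IN  NS  ns1.opennic.glue.
;; ADDITIONAL SECTION:
ns0.opennic.glue.   518400  IN  A   75.127.96.89
ns1.opennic.glue.   518400  IN  A   192.0.2.53
EOF
validate_hints "$SAMPLE" && rm -f "$SAMPLE"
```

Calling refresh_hints as root from a monthly cron entry covers the maintenance step at the end of the post as well.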

Benefits of using your own resolver:

There are several very good benefits of using your own resolvers, ranging from speed to thwarting ISP data mining through DNS query logging. You can re-start your server to flush its cache (reducing the time it takes for DNS changes to propagate to you), since you no longer rely on your ISP for DNS resolution.

The flip side of this (for parents) is query logging: it’s very easy to monitor access to things like Myspace without having to configure more elaborate schemes.

Benefits of using OpenNIC:

OpenNIC is an entirely democratic naming system that also provides resolution of common top level domains. OpenNIC domains are free to register, anyone can have one and suggesting new top level domains is pretty much as easy as finding someone willing to manage it.

OpenNIC is entirely volunteer; it’s run by people who (often) maintain commercial DNS networks for a living and enjoy donating their time to a good program.

As an example, the .geek domain is becoming increasingly popular; sites that use it are usually very useful and chock full of valuable information and tutorials. At the time of this writing, ‘.ing’ is soon to go live, which would allow for sleep.ing, programm.ing, walk.ing, talk.ing or anything else that you can think of that ends in .ing. You’ll enjoy being able to resolve that and future domains adopted by OpenNIC.

Potential security risks to consider:

The official IANA root name servers are closely guarded. It is every cracker’s dream to gain illegal access to root name servers so that they could make a domain (for example ‘paypal.com’) resolve to a computer that they control. If you elect to use OpenNIC, pay careful attention to the following warnings.

Recently discussed vulnerabilities in the DNS protocol itself suggest that DNS is not a safe business to begin with, so everyone should employ a bit of common sense (especially when using unofficial roots):

  • Make sure you use SSL when connecting if you’re going to divulge any personal information over the Internet. SSL certificates ensure the site is indeed the real thing. With the exception of very, very clever cross-site scripting attacks, SSL certificates thwart DNS ‘hijacks’ and ‘poisoning’. If an attacker finds a way to get around the certificate, DNS is the least of the problems.
  • Do not use unencrypted terminal sessions, and ensure your SSH client does strict host key checking to avoid man-in-the-middle attacks.
  • If you are not behind a NAT firewall, ensure that you disable recursion in your DNS server for the outside world. Otherwise, the whole world can use your new DNS server (and abuse it), which might lead to a denial of service attack. Check with your operating system distributor to learn how to do this.

I’ve taken a few precautions, such as writing a script that periodically checks that public name servers such as 4.2.2.2 and 4.2.2.3 return the same IP address for ‘paypal.com’ (and other attacker ‘sweet spots’); it alerts me if there is a discrepancy. You probably would not need to be so paranoid if you employ common sense while browsing.
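The check just described, written out as an added example (this is not the post’s own script): each public resolver is asked for the name’s A records and any resolver whose answer differs from the local 127.0.0.1 resolver’s is reported. The resolver addresses and the example name come from the post; the function names and the file format used to test the comparison offline are assumptions.

```shell
#!/bin/sh
# Added example of the discrepancy check described above (not the post's own
# script): ask several public resolvers for a name's A records and report any
# whose answer differs from the local resolver's. Resolver addresses and the
# example name are the post's; the agreement logic is kept separate from the
# lookups so it can be tested offline.

# lookup NAME SERVER: the A records SERVER returns, sorted and space-joined, so
# that round-robin answers in a different order do not count as a discrepancy.
lookup() {
    dig +short A "$1" "@$2" | sort | paste -s -d ' ' -
}

# differing WANT FILE: FILE has one line per resolver, "server ip ip ...";
# prints each server whose list differs from WANT and fails if there are any.
# An empty or timed-out answer is also a difference and is reported.
differing() {
    awk -v want="$1" '
        { srv = $1; $1 = ""; got = substr($0, 2)   # rebuild with single spaces
          if (got != want) { print srv; bad++ } }
        END { if (bad) exit 1 }' "$2"
}

# check_name NAME SERVER...: compare every SERVER against 127.0.0.1 (the
# resolver set up above) and alert on stderr if they disagree.
check_name() {
    name=$1; shift
    want=$(lookup "$name" 127.0.0.1)
    tmp=$(mktemp) || return 1
    for s in "$@"; do
        printf '%s %s\n' "$s" "$(lookup "$name" "$s")"
    done > "$tmp"
    if differing "$want" "$tmp" > "$tmp.diff"; then
        echo "$name: all resolvers agree on [$want]"
    else
        echo "ALERT: $name differs on $(paste -s -d ' ' - < "$tmp.diff"); local=[$want]" >&2
    fi
    rm -f "$tmp" "$tmp.diff"
}

# Run from cron, e.g. hourly, for the names the post calls "sweet spots".
if [ "${1:-}" = "--run" ]; then
    check_name paypal.com 4.2.2.2 4.2.2.3
fi
```

Names served from content-delivery or geo-aware DNS legitimately return different addresses to different resolvers, so an alert from this check is a prompt to look at the answers, not proof of poisoning.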

Maintaining your new DNS server:

Luckily, DNS is pretty hassle free once you get it up and running. I really recommend at least a monthly update of the OpenNIC roots (if you used OpenNIC) by simply re-running the ‘dig’ command illustrated in step 2 and re-starting the service. This ensures you’re kept up to date with the latest and greatest.

Hopefully this was of some use to you, see you on the .geek side!

Comments

6 Responses to “Why I use my own DNS resolvers”

  1. The .ing domain has landed : Echoreply
    July 24th, 2008 @ 11:00 am

    [...] settings so that you can resolve these extended domains. If you are a *nix / *bsd user you can also use your own name server. Share this post Hide [...]

  2. Ashish Shukla
    July 29th, 2008 @ 5:38 am

    A common issue with running your own resolver from a DSL network, is that couple of DNS servers don’t respond to DNS queries from you.

    abbe [~] chateau % for i in `dig +short ns afraid.org`; do print resolving from $i && dig +short afraid.org @$i ; done
    resolving from ns2.afraid.org.
    67.19.72.203
    resolving from ns3.afraid.org.
    67.19.72.203
    resolving from ns4.afraid.org.
    ;; connection timed out; no servers could be reached
    resolving from ns1.afraid.org.
    ;; connection timed out; no servers could be reached

  3. tinkertim
    July 29th, 2008 @ 10:18 am

    I run into that issue but pretty infrequently. I’m soon going to set up a couple of Tier 2 name servers in my data center, I’ll need them anyway when I set up my search engine.

  4. grockwel: Research Notes » Blog Archive » Alternative DNS roots
    November 8th, 2008 @ 4:02 am

    [...] said, Guy pointed me to a blog entry on Why I use my own DNS resolvers that explains why one might want to run your own DNS service (speed) and how you can then use [...]

  5. Quale
    November 12th, 2009 @ 6:47 am

    Not sure how this would speed things up as your local resolver still has to resolve the names via OpenNIC, just as your PC would if you didn’t have a local resolver set up and pointed it directly to OpenNIC. Also, if you clear the cache on your local resolver, it will still re-obtain the same cached data from OpenNIC’s servers, just like your PC would if it was set up to resolve via OpenNIC directly. Nice idea though.

  6. Getting a Slice of the Internet | jarbled
    April 25th, 2014 @ 11:10 am
