Posted on July 10, 2008
If you don’t care what DNS (domain name service) is or why it’s important, you’ll find this post quite boring.
For those of you who do care but don’t know, DNS is what translates domain names into IP addresses and vice versa. If you type ‘www.google.com’ in your browser, a DNS server (somewhere) is going to need to translate ‘www.google.com’ into an IP address so that a socket connection can be established.
The reverse of that (reverse DNS) translates an IP address into a meaningful name. For instance, ‘echoreply.us’ translates to 188.8.131.52, yet a lookup of the reverse (PTR) entry for that same IP returns ‘s1.echoreply.us’, which is the name of the computer that hosts ‘echoreply.us’.
Whenever you load a page (especially for the first time), a significant amount of the waiting time is due to your browser needing to connect to some DNS server and do a lookup. To get around this, I just run my own DNS server on my desktop and use the OpenNIC root name servers so that I can also resolve neat domain names like ‘echoreply.geek’.
If you use a Unix-like desktop, here’s how to run your own. Later I will fully explain the benefits of doing so. As an example, I’ll illustrate how I set up my own Tier 2 DNS server with OpenNIC on my Ubuntu GNU/Linux desktop:
Step 1: Get the required programs
Make sure that BIND (version 9 is really preferable) is installed on your computer. Typically this package will be named ‘bind9’ or sometimes ‘bind-9’; check with your OS distributor to find out the exact name and installation method. You will also need the package named ‘dnsutils’, which provides the ‘dig’ program used later. This is optional, but useful.
On my Ubuntu system, the following accomplishes both:
sudo apt-get install bind9 dnsutils
Step 2: (optional) Configure your DNS server for OpenNIC
By default, your spiffy new DNS server will dig the Internet’s default (IANA) root servers to resolve domains. In order to resolve neat domains like .geek, you’re going to want to replace those roots with the ones provided by OpenNIC. Be sure to see the warning at the end of this post regarding the use of untrusted resolvers.
On most systems, the file that contains entries for the root name servers (and ‘primes’ your new DNS server with information on how to resolve domains) is located at /etc/bind/db.root. This file might be in /etc/named, /var/named/, /var/bind or other places depending on your distribution. Check with your distribution to be sure.
Back up and re-populate the db.root file with the OpenNIC roots, using the ‘dig’ tool to get the information from their primary server (ns0.opennic.glue), as follows:
mv db.root db.root.backup
dig . ns @184.108.40.206 > db.root
We’re using the IP address of ns0.opennic.glue because you won’t be able to resolve .glue until you’ve switched over to using the DNS server that you are now configuring.
At this point, re-start your DNS server:
sudo /etc/init.d/bind9 restart
On some systems this might be ‘service named restart’ or ‘/etc/rc.d/init.d/named restart’; check with your distribution if you aren’t sure.
Step 3: Put your spiffy new DNS server to work!
Now we need to tell your computer to use the newly configured DNS server. We’ll first make a backup of the existing configuration, and then a single line will put your server into use:
mv /etc/resolv.conf /etc/resolv.old
echo "nameserver 127.0.0.1" > /etc/resolv.conf
Test your installation by accessing echoreply.geek via ping or browser, whichever you prefer. You are now digging the root name servers directly to resolve .com, .net, .org (and other official TLDs), plus opening up the world of OpenNIC.
Benefits of using your own resolver:
There are several very good benefits to running your own resolver, ranging from speed to thwarting ISP data mining through DNS query logging. You can re-start your server to flush its cache (reducing the time it takes for DNS changes to propagate to you), since you no longer rely on your ISP for DNS resolution.
The flip side of this (for parents) is query logging: it’s very easy to monitor access to things like Myspace without having to configure more elaborate schemes.
Benefits of using OpenNIC:
OpenNIC is an entirely democratic naming system that also provides resolution of common top level domains. OpenNIC domains are free to register, anyone can have one and suggesting new top level domains is pretty much as easy as finding someone willing to manage it.
OpenNIC is entirely volunteer-based; it’s run by people who (often) maintain commercial DNS networks for a living and enjoy donating their time to a good program.
As an example, the .geek domain is becoming increasingly popular; sites that use it are usually very useful and chock full of valuable information and tutorials. At the time of this writing, ‘.ing’ is soon to go live, which would allow for sleep.ing, programm.ing, walk.ing, talk.ing or anything else you can think of that ends in .ing. You’ll enjoy being able to resolve that and future domains adopted by OpenNIC.
Potential security risks to consider:
The official IANA root name servers are closely guarded. It is every cracker’s dream to gain illegal access to root name servers so that they could make a domain such as ‘paypal.com’ resolve to a computer that they control. If you elect to use OpenNIC, pay careful attention to the following warnings.
Recently discussed vulnerabilities in the DNS protocol itself suggest that DNS is not a safe business to begin with; as such, everyone should employ a bit of common sense (especially when using unofficial roots):
- Make sure you use SSL when connecting if you’re going to divulge any personal information over the Internet. SSL certificates ensure the site is indeed the real thing. With the exception of very, very clever cross-site scripting attacks, SSL certificates thwart DNS ‘hijacks’ and ‘poisoning’. If an attacker finds a way to get around the certificate, DNS is the least of the problems.
- Do not use unencrypted terminal sessions; ensure that your SSH client does strict RSA host key checking to avoid man-in-the-middle attacks.
- If you are not behind a NAT firewall, ensure that you disable recursion in your DNS server for the outside world. Otherwise, the whole world can use (and abuse) your new DNS server, which might lead to a denial of service attack. Check with your operating system distributor to learn how to do this.
I’ve taken a few precautions, such as writing a script that periodically checks that public name servers such as 220.127.116.11 and 18.104.22.168 return the same IP address for ‘paypal.com’ (and other attacker ‘sweet spots’); it alerts me if there is a discrepancy. You probably would not need to be so paranoid if you employ common sense while browsing.
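For BIND 9 the recursion restriction in the last bullet looks like this, as an added example that is not from the original post: the open configuration beside the restricted one. Assumptions: the file is Ubuntu’s /etc/bind/named.conf.options (the path differs on other distributions), the ACL name ‘trusted’ is my own, and the LAN range in the comment is a placeholder; keep only one of the two options blocks.

```conf
// /etc/bind/named.conf.options (Ubuntu path; adjust for your distribution)

// Weak: anyone who can reach port 53 gets recursive answers and your cache.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
};

// Restricted: only this machine (and, if you add it, your LAN) may recurse.
acl "trusted" {
    127.0.0.1;
    ::1;
    // 192.168.1.0/24;   placeholder for a LAN range; uncomment and adjust
};

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };          // a desktop resolver need not listen elsewhere
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion { trusted; };      // recursive lookups for trusted clients only
    allow-query-cache { trusted; };    // no cached answers for strangers
    allow-query { trusted; };
};
```

Run ‘named-checkconf’ after editing and before restarting; without the ACL, every host that can reach the server can use it as an open resolver, which is the abuse the bullet warns about.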
Maintaining your new DNS server:
Luckily, DNS is pretty hassle-free once you get it up and running. I really recommend at least a monthly update of the OpenNIC roots (if you used OpenNIC) by simply re-running the ‘dig’ command illustrated in Step 2 and re-starting the service. This ensures you’re kept up to date with the latest and greatest.
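The following script covers both the dig step in Step 2 and the monthly re-run recommended here; it is an added example, not from the original post. It refuses to replace db.root when dig timed out or returned something that is not a hints file (the bare ‘dig ... > db.root’ leaves an empty file in that case, which breaks resolution). Assumptions: BIND reads its hints from /etc/bind/db.root, the init script is bind9 as on Ubuntu, you supply the IP of ns0.opennic.glue in OPENNIC_NS, and the script is run as root.

```shell
#!/bin/sh
# refresh-hints.sh: fetch the OpenNIC root hints into BIND's db.root, but only
# replace the live file when the dig output actually looks like a hints file.
# Added example, not from the original post. Assumed: BIND reads its hints from
# $HINTS, $OPENNIC_NS holds the IP of ns0.opennic.glue (supplied by you), and
# $RESTART restarts the service; run the whole script as root.
set -eu

HINTS="${HINTS:-/etc/bind/db.root}"
OPENNIC_NS="${OPENNIC_NS:-PUT_IP_OF_ns0.opennic.glue_HERE}"   # placeholder
RESTART="${RESTART:-/etc/init.d/bind9 restart}"

# hints_look_valid FILE: succeed only if FILE holds at least one NS record for
# the root (".") and at least one glue A/AAAA record; dig's ";" lines are skipped.
hints_look_valid() {
    ns=$(awk '!/^;/ && $1 == "." && $3 == "IN" && $4 == "NS" {n++} END {print n+0}' "$1")
    glue=$(awk '!/^;/ && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {n++} END {print n+0}' "$1")
    if [ "$ns" -gt 0 ] && [ "$glue" -gt 0 ]; then return 0; fi
    return 1
}

# refresh_hints: Step 2 of the post, made safe against a failed or truncated dig.
refresh_hints() {
    tmp=$(mktemp)
    if dig . ns "@$OPENNIC_NS" > "$tmp" && hints_look_valid "$tmp"; then
        cp -p "$HINTS" "$HINTS.$(date +%Y%m%d)"   # dated backup, as in Step 2
        install -m 0644 "$tmp" "$HINTS"            # readable by the named user
        rm -f "$tmp"
        $RESTART                                   # word-split on purpose
        echo "root hints refreshed from $OPENNIC_NS"
    else
        rm -f "$tmp"
        echo "refusing to touch $HINTS: output from $OPENNIC_NS is not a hints file" >&2
        return 1
    fi
}

# selfcheck: validate a constructed (not real) two-record dig transcript offline.
selfcheck() {
    s=$(mktemp)
    printf ';; ANSWER SECTION:\n.\t518400\tIN\tNS\tns0.example.\n\n;; ADDITIONAL SECTION:\nns0.example.\t3600\tIN\tA\t192.0.2.1\n' > "$s"
    if hints_look_valid "$s"; then r=0; else r=1; fi
    rm -f "$s"
    return $r
}

case "${1:-}" in run) refresh_hints ;; esac   # only refresh when asked explicitly
```

Invoke it as ‘sh refresh-hints.sh run’ (as root, with OPENNIC_NS exported); without the ‘run’ argument it only defines the functions, so it can be sourced to call selfcheck.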
Hopefully this was of some use to you, see you on the .geek side!