[LinuxBender]

I prefer to use my own server as I can optimize cache hit ratios for the things I request. This makes the internet perceptibly faster for me and others on my network. I can also pull statistics from my server whereas I would have to beg someone at the ISP for that data as a one-off request. This also gives me the option to block domain names used for dark patterns or outright malevolent behavior. I also have control over the upper and lower limits of cache and I can flush to cache if a website is still relying upon DNS failover vs BGP Anycast but I have not run into that for about a decade.

Speaking of stats, I can also see what IoT/Cell devices are requesting to keep an eye on their behavior and look for interesting patterns of DNS requests.

I have honestly never used the ISP DNS servers so I don't know what their performance is like. It's just muscle memory for me to set up my own home Linux router to be a DNS server. I highly doubt they could top the performance of Unbound and cron-jobs that request commonly used records on an hourly basis. I do know that my performance is better than talking to the DoH/DoT servers on the internet. The cached record response time is in microseconds vs 23ms for CF and non cached response time is generally between 50ms and 70ms vs 80ms to 160ms for CF not-cached.

Another nifty option in Unbound is to cache the "Infrastructure" records and to "Keep Probing" multiple nodes. This combines into a nice balance of speed and resilience especially if someones name server is having a moment but their status page is green.

    unbound-control dump_infra|wc -l
    1235

These numbers are thrown off a bit by my cron jobs that are requesting things that I am not visiting all the time and when the authoritative record is sub 3600 seconds. They are requested hourly. Some of the government domains in my cron job seem to be throwing off the curve, I will reach out to them.

    total.num.cachehits=20949
    total.num.cachemiss=8010
    total.num.prefetch=753
    total.recursion.time.median=0.0698958

[lxgr]

Interesting, thank you!

Yeah, local caching is a good point if your operating system(s) doesn't already do it in the DNS client.

> This also gives me the option to block domain names used for dark patterns or outright malevolent behavior.

I wonder how long this will actually remain possible, given that with DoH it now seems entirely feasible for websites to provide their own application-level DNS resolver?

[LinuxBender]

Interesting, thank you!

You're quite welcome!

I wonder how long this will actually remain possible, given that with DoH it now seems entirely feasible for websites to provide their own application-level DNS resolver?

For me, forever. Applications can not bypass my DNS unless they are hard coding IP addresses in the application. Windows Update does have some hard coded IP addresses it can fall back on.

It is often said that DoH can't be blocked because in theory it can be hosted on any generic CDN IP pool but to my knowledge this has never been the case. It's quite the opposite, most DoH/DoT providers try to use vanity IP addresses. I null route them and NXDOMAIN the canary domain use-application-dns.net which is entirely optional but a nice gesture to applications to behave. Some vendor may decide one day to host their own DoH/DoT servers but I suspect I would learn about them. I would likely just avoid buying/using that device/application.

Perhaps some day a DoH provider may be so bold as to use a generic CDN pool and I will have to address that issue when it arises. I suspect this would be more challenging for the provider as the app/device will need a way to discover this pool DNS name, HTTP headers, API calls, etc... unless they hard code IP's. Either way I could dynamically null route them.

[shagie]

Tangentially related: My Chromecast Ultra would not start until I began answering 8.8.8.8 --- https://news.ycombinator.com/item?id=19170671 (2019; 509 comments)

The original post for that is https://mailarchive.ietf.org/arch/msg/dnsop/WCVv57IizUSjNb2R... from Paul Vixie

Also:

An Internet Born In a Threat-Free Environment - https://www.recordedfuture.com/podcast-episode-201 (2021)

Paul Vixie and Peter Lowe on Why DoH is Politically Motivated - https://www.dnsfilter.com/blog/paul-vixie-and-peter-lowe-on-... (also from 2021)

[LinuxBender]

That is a good write-up on Paul's comments. I think he has an account here on HN. I recall discussing similar concerns here on HN when the protocol was first being discussed but I think most of my concerns were largely ignored. People were enamored by the idea of DoH but I see it as exacerbating a few problems.

It does not really address the issue of privacy unless one is only making DNS requests and not doing anything with said DNS results, as encrypted SNI is still not widely adopted. I guess I would call that cart before the horse. It does not prevent an abusive ISP from blocking access to a site as they can just block all the DoH resolvers or just NXDOMAIN the canary domain which also turns it off by default on most browsers. The bigger issue to me is that it doubles the number of organizations that can track behavior. Now my ISP gets this data and so does Cloudflare if I am the type to leave things default as most people are and they know it. CF may not wish to block something but should they receive a court order from any country they do business in then most people will lose access to something. That could be a future phase we have not yet reached due to mass adoption not reaching a set goal at this time. This is also a one-stop-shop for law enforcement to gather browsing data vs. having to issue a court order to each ISP.

Some people mention it protects against rogue nations but they are by far the last people that DoH would be useful for. Rogue / bad / totalitarian nations will just null route anything they suspect to be a DNS servers not in their control and will extract people from their homes to re-educate them. In a way I can see DoH as being a risk to people in such situations. Meaning they could be accused of bypassing some state level control and may not even realize they were.

In my opinion DoH/DoT should have been highly customizable in a GUI before it was ever implemented and default-off, default opt-out settings and instead if the browser or ideally the OS recognizes it is in a shared WiFi then maybe prompt the person to temporarily enable DoH. That's another issue, it's in the browser and not the OS. So the browser gets protection but nothing else does at least for the last few years. That is coming soon to some operating systems. Curious if they make it obvious what DNS partnership is in place.

[lxgr]

> Applications can not bypass my DNS unless they are hard coding IP addresses in the application.

That's what I mean: What if websites and applications just start querying IP addresses for the hostnames they want to connect to over DoH (to api.someapp.com, so you can't distinguish it from a regular API call that you want to allow for the app to work), and then connect to the resolved IP directly?

[kxrm]

I reroute all DNS queries attempting to leave my network to my DNS server. It won't work in scenarios where there is DoH without user consent, however at that point I should reconsider purchasing such hostile devices.

[Bender]

The heavy-handed solution looks like this:

    local-zone: "api.someapp.com." always_nxdomain

Then I reach out to them and say something to the effect of, "Hey, nice application/device you have there! In order for anyone on my network to utilize this app/device the DNS would need to be put back into your DNS servers and removed from the API records." Of course they will laugh at me but that is fine given that 100% of the internet and internet connected devices are entirely optional for me. It is unlikely that a statistically significant number of people would use this heavy handed approach. Or perhaps I am OK with their API method and make use of their API that bypasses DNS. This probably depends on if this is malicious or not. i.e. serving ads or malware

Another heavy-handed option would be to force all traffic through a MITM proxy which I have done in the past. Any device that can't have my CA cert loaded would be a paperweight and thus returned to Amazon with less than 5 stars and a review that details the DNS implementation which most customers would not care about or understand but my fellow cranky network admins may find useful. If it's a website then I would just not use it. Some businesses take this approach. There are both commercial and open source solutions for this. Look for Squid SSL-Bump MITM proxy if one is curious. This requires bypasses for domains still using public key pinning which is an insignificant number of them. Most have moved away from HPKP due to the induced fragility and risks.

There are other methods but they come with security implications such as decompiling applications, shimming something into it or pre-loading libraries to do the same thing but this usually requires rooting a device and potentially compromising security as the vendor signing may be removed. I'm sure some of the mobile developers here have more elegant and secure methods.

I doubt many would do any of this of course, but you asked.

[fsmv]

But your home DNS server has to talk to some other server to get the IPs right? Usually it's like DNSMasq configured to cache and forward requests to 8.8.8.8 or whatever.

Is there some other option where you talk directly to the top level DNS root and the nameservers directly??

Edit: my bad you said you talk to the root servers directly. Not sure how to delete comments

[LinuxBender]

Edit: my bad you said you talk to the root servers directly. Not sure how to delete comments

It's still a valid question. You are right, one has to bootstrap the root servers. There are a few ways to do this. Assuming one had working DNS server at some point in the past they can

    dig @e.root-servers.net +nocookie +tries=4 +retry=4 +time=8 . ns | grep -Ev "^;|^$" > /etc/unbound/named_hints.tmp # sanity check this

and then do sanity checks on the output prior to loading it as hints in Unbound DNS. The 3K or so root servers are Anycast IP addresses and rarely change so this file will not be stagnant for a very long time thus making thumb drives a valid way to store and transfer this file.

[icedchai]

Why not use the root.hints file available for this purpose? https://www.iana.org/domains/root/files

Generally it is already included with most DNS servers, such as BIND.

[LinuxBender]

That is useful for the initial bootstrapping but should be updated or at least validated a few times a year. If package maintainers are updating it a few times a year that works too.

[icedchai]

Root DNS server IP's do change. However, the old ones stay active for years. Updating your root.hints a few times a year is absolutely not necessary.