DNS handling

Björn Persson bjorn at xn--rombobjrn-67a.se
Thu Jun 21 20:31:51 UTC 2012

Paul Wouters wrote:
> Install dnssec-trigger, start the dnssec-trigger panel application and
> please give me feedback! Especially when you experience dns failures at
> hotspots. There are so many different kinds of broken dns out there, I'm
> sure we need to do more inventive things to make it work for everyone.

I installed DNSsec-trigger a few months ago and tried it out in a few 
networks. It seemed to work as advertised in all cases. A hotspot run by a 
nearby shopping center turned out to be a very hostile network where pretty 
much everything except HTTPS was blocked or mangled, and DNSsec-trigger 
correctly detected that it had to mask DNS as HTTPS.

The only problem I found was in how the local DNS cache interacts with 
internal domains on NATed networks. I have a DNS server at home that 
translates names in my own domain to private IPv4 addresses. Some of those 
names are also visible publicly, but then they all point to my one public IPv4 
address. When I moved from my own network to another Unbound still remembered 
the private addresses, which were of course not reachable from the other 
network, and when I moved back to my own network Unbound remembered the public 
address, which is the wrong address to use there. (With IPv6 I don't have this 
problem but IPv6 isn't exactly available in every hotspot...)

I'm not sure there is anything that DNSsec-trigger can do to work around this 
if you want it to be able to work from the cache when even HTTPS is blocked. 
Perhaps dual-view setups like mine should simply use a short TTL to minimize 
the problem.

Björn Persson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20120621/911af86e/attachment.sig>

More information about the devel mailing list