default local DNS caching name server

Chuck Anderson cra at WPI.EDU
Sat Apr 12 14:16:46 UTC 2014


On Sat, Apr 12, 2014 at 04:03:14PM +0200, Reindl Harald wrote:
> 
> 
> Am 12.04.2014 15:31, schrieb Chuck Anderson:
> > On Sat, Apr 12, 2014 at 02:09:19PM +0800, P J P wrote:
> >>> On Saturday, 12 April 2014 11:11 AM, William Brown wrote:
> >>> Say I have freshly installed my fedora system at home. I then boot it up
> >>> and start to use it. My laptop is caching DNS results all the while from
> >>> the "unreliable" ISP.
> >>>
> >>> I then go to work and suddenly things don't work.
> >>>
> >>> Having a DNS cache doesn't fix your unreliable ISP: You need to lodge a
> >>> complaint with your ISP.
> >>
> >>   What, no! That was the case for having a local cache and not forwarding queries to the ISP's name servers at all. Because those are not reliable.
> > 
> > I disagree.  You can still do DNSSEC validation with a local caching
> > resolver and configure that local resolver to forward all queries to
> > the ISP.  That should be tried first, and only bypassed and become a
> > full iterative recursive querier bypassing the ISP resolvers if that
> > fails.  We need to respect the DNS caching infrastructure by default.
> 
> nonsense - there are so many ISP nameservers broken out there
> responding with wildcards and so on that you can not trust them,
> and you will realize that, if not before, after you have started to run
> a production mailserver which relies on NXDOMAIN responses for
> proper operation

I don't disagree that there is lots of broken DNS out there.  But
realistically, we still need to default to using the DHCP-provided DNS
servers as forwarders because there are unfortunately lots of
circumstances where this is required to resolve corporate DNS names or
to allow captive portals to work.  If the local caching resolver is
intelligent enough, it can handle the common use cases (corporate DNS
resolution, VPN into corporate, captive portals) and work around the
common failure modes (automatic cache flushing, switching to iterative
mode to bypass upstream nameservers when necessary, using both the
upstream nameservers AND iterative queries and combining the results)
for us.

What we cannot do is have the default be to bypass the upstream DNS
resolvers without some way to handle the above cases.  If mainstream
operating systems started doing that by default, then corporate
networks, ISPs, captive portals etc. will probably start blocking DNS
to outside servers or redirecting port 53 to their own servers.  In
fact some already do this.  We don't want to escalate the arms race by
encouraging this behavior.
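The "forward to the DHCP-provided resolver first, fall back to iterative resolution only when that fails, keep corporate names working" behaviour described above, written out as an Unbound configuration. This is an added example, not part of the thread and not anything the participants posted; Unbound itself, the resolver addresses (TEST-NET ranges) and the zone name `corp.example` are assumptions, since the post names no software or addresses.

```conf
# Added example (not from the thread): a local validating cache that
# forwards to the DHCP-supplied resolver by default and only bypasses it
# when that resolver fails. Unbound, the addresses and corp.example are
# assumed/constructed values.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Validate DNSSEC locally even though answers arrive via the ISP
    # forwarder, so a forged answer for a signed zone is rejected here.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

    # Corporate zones reachable only over VPN are usually unsigned; mark
    # the (placeholder) zone insecure so a missing chain of trust does not
    # turn every corporate lookup into SERVFAIL.
    domain-insecure: "corp.example"

# Default path: everything goes to the DHCP-provided resolver (constructed
# address).
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    # Weak setting:      forward-first: no  -> a broken upstream means
    #                    SERVFAIL for every name.
    # Corrected setting: forward-first: yes -> on SERVFAIL from the
    #                    forwarder, resolve that query iteratively from the
    #                    root servers instead of giving up.
    forward-first: yes

# Corporate names are only answerable by the corporate resolver (constructed
# address); iterating from the roots would never find them, so there is
# deliberately no forward-first fallback for this zone.
forward-zone:
    name: "corp.example"
    forward-addr: 198.51.100.53
```

Two points a practitioner should keep in mind. First, `forward-first` only kicks in when the forwarder actually fails (SERVFAIL); an upstream that rewrites NXDOMAIN into a wildcard answer is, from the forwarder's point of view, answering successfully, so no fallback happens. For DNSSEC-signed zones the local validator rejects the forged answer, for unsigned zones it does not, which is exactly the mailserver failure mode raised above. Second, the DHCP-provided forwarder changes as the laptop moves between networks, so in practice the `forward-addr` for "." is not static: a network-change hook updates it at runtime (`unbound-control forward <addr>` sets it, `unbound-control forward off` switches to pure iterative mode), which is the "automatic cache flushing / switching to iterative mode" step the post describes.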