default local DNS caching name server

Reindl Harald h.reindl at thelounge.net
Sun Apr 13 06:58:35 UTC 2014 

Am 13.04.2014 08:42, schrieb Simo Sorce:
>>>> * DNS cache should be flushed on route or interface state change.
> 
> I do not see why, the only reason to flush a cache is when there is a
> DNS change (new interface, eg VPN coming up, or going away)

because if i change my routing from ISP to VPN i want to access
the company severs over the VPN - any of them

changing the default root is a common way for such a switch

>> the cache already is running in my LAN for good reasons
> 
> That's a different cache, however if you feel strongly you will be able
> to turn off the local caching dns server on your machines, at your
> option.
> 
>> that DNS cache is pushed with DHCP
> 
> Forwarders are pushed via DHCP, not caches

says who?
you or better the one built the network and services?

the via DHCP pushed DNS servers are caches because they do not forward
anything, they are doing recursion - if youre DNS servers are only
forwarders consider to change that

frankly the main reason i stepped in that thread at all is that
people started to talk about recursion / forwarding without
understand that both terms in case of DNS

>> that DNS cache already does DNSSEC validation
> 
> Which is useless in the *general* case. You may think your physical
> security is perfect, that;s great, but for everybody else, trusting the
> network is not ok, that's why more an more people de[ploy TLS or GSSAPI
> in internal networks too.
> The era of the clear text trusted private network is coming to an end,
> whether you like it or not.
> 
>> if you don't trust the network itself you are lost anyways
> 
> Let me troll a bit, this is why you do all your banking without
> HTTPS ? :-)

that is a completly different story, you enter a HTTPS URL manually
or triggered by HSTS, so you request a encrypted connection from
the very first start

in case of DNS there is nothing encrypted at start resolving
and if i proper manipulate the network you are in i hide any
DNSSEC response from you (deep packet inspection)

> I am strongly in favor of a DNS cache on Fedora, and I would even
> seriously consider any proposal of making it the default on Fedora
> Server too

as long as it is not a hard wired dependency.....
i don't need additional DNS servers on any system

the systems are running BIND are doing that with good reasons
the systems running Unbound as local cache doing that for good reasons (MTA servers)
the systems running dnsmasq are doing it for good reasons (Reverse-proxy with own DNS view)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140413/11db3fcf/attachment.sig>

More information about the devel mailing list