default local DNS caching name server

Björn Persson bjorn at xn--rombobjrn-67a.se
Sun Apr 13 13:50:32 UTC 2014


William Brown wrote:
>> The cache is never fully flushed. It is only flushed for the domain
>> obtained via DHCP or VPN, because those entries can change. They are
>> not changed for anything else. If the upstream ISP could have
>> spoofed them, so be it - the publisher of the domains could have
>> used DNSSEC to prevent that from happening.
>
>No no no!!!! You need to flush *all* entries. Consider what I resolve
>www.google.com to. That changes *per* ISP because google provides
>different DNS endpoints and zones to ISPs to optimise traffic! So when
>I use google at work, I'm now getting a suboptimal route to their
>servers!

You'll still reach Google, but you'll get a suboptimal route for up to
five minutes – provided that you managed to go from home to work and
reconnect your laptop in less than five minutes. Big deal.

I just looked up www.google.com to check, and I got a TTL of 300
seconds on both A and AAAA records.

>> You need caching for DNSSEC validation, so really,
>> every device needs a cache, unless you want to outsource your DNSSEC
>> validation over an insecure transport (LAN). That seems like a very
>> bad idea.
>
>If your lan is insecure, you have other issues. That isn't the problem
>you are trying to solve. 

If admins want to set up firewalls, link-layer encryption, intrusion
detection and stuff in an attempt to keep all adversaries out of their
LAN, and then have the security of servers and workstations depend on
the guarantee that the LAN is secure, then they should have to
explicitly configure each computer to trust everybody on the LAN.
Fedora can *not* assume that it will only ever be connected to secure,
isolated networks.

>A home user is likely to toy with things and set a
>high-ish ttl, say even 10 minutes, and change records on their server.
>Then their records appear broken, because the local cache isn't expired
>yet. 

The kind of user who runs their own DNS at home and tinkers with
settings like that, is the kind of person who will learn from the
experience and will thereafter know what DNS caching is.

>Intermittent network issues for different people on a network? The
>cache is allowing some people to work, but masking the issue to them.
>It's not allowing people to quickly and effectively isolate issues.

You keep repeating this argument, as if it's somehow a bad thing that
people can continue to work even when the DNS servers have a temporary
problem. To me it sounds more like an argument for why the network
admins should disable the cache on their own workstations and leave it
enabled on everybody else's, so that the admins will be the first to
discover a problem – and that translates to an argument for having a
cache by default.

-- 
Björn Persson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140413/158e196b/attachment.sig>


More information about the devel mailing list