Saturday, January 29, 2011

Running a recursive DNS server on localhost

Every so often, people here ask "should I use my ISP DNS or (google/opendns)"?

What I want to know is, why not run a local recursive server yourself on your own computer or local network? Then just use 127.0.0.1 for your DNS server and let that server find out names directly, instead of trusting / relying on the servers run by your ISP (or google/opendns)?

For instance, the recursive server that comes with PowerDNS works quite well, has both Linux and Windows versions, and is free. With Unix, you've got both PowerDNS and dnscache, though dnscache has wacky issues with really long CNAME chains...

What are some reasons for and against running a local recursive server?

  • The DNS system was designed to run more efficiently with regional caching via your ISP.
    Unless you have a security concern, or your ISP's DNS servers are somehow limited, you should use them.

    chris : Many ISP DNS servers respond with incorrect data if you ask for a record that doesn't exist. That breaks all kinds of things and is in violation of the spec, but they do it anyhow. Other ISP DNS servers are poisoned because they're running bind8, or are just flakey.
    From Chris S
  • I prefer to utilize my own recursive server as well, chris. It's one less piece of information that is readily given to a third party. The only service I like utilizing an ISP for is the uplink.

    Chris S makes a good point, however. If every end-user ran a local cache, it would put substantially more DNS load on the Internet.

    Comcast DNS Hijacking

    Daniel Papasian : Perhaps this'll help reduce the amount of casual monitoring of your traffic that might happen, but realize your DNS requests are still trivially logged by your ISP.
    Warner : As will any plaintext request, et cetera. However, it's less easily manipulated for otherwise 'benign' activities such as DNS redirection for analytics and advertising.
    chris : Has anyone done research into how much more load (or less load) would be put on the internet if clients did their own recursive DNS? A decade ago, it made sense to have DNS centralized because the root servers weren't that robust, but these days, does it still make sense? I've seen lots of hand-waving and superstition, but not a whole lot of actual evidence.
    From Warner
  • What Chris S said, and performance. If someone else is worrying about CPU load, you don't sacrifice speed of your own machine.

    From fahadsadah
  • Name servers that recurse may be vulnerable to cache poisoning attacks - if that nameserver is also authoritative for any domains it could make you vulnerable to some nasty hijacking attacks.

    To minimize this threat, if you do choose to operate a recursive server, you should only permit recursion for client IPs under your control.

    chris : This is precisely why I would run a DNS server on 127.0.0.1 of a given machine -- only that machine would be able to make requests against itself, so cache poisoning attacks would be impossible. Similarly, a machine could be configured to allow requests from the local subnet, which would presumably be trustworthy. The configuration issues, at least with pdns and dnscache, are pretty trivial, even including split-horizon DNS and private local namespaces.
  • If your ISP provides you with a recursive DNS server that

    1. Is at least as reliable as your link
    2. Has low latency (presumably it would, since it's probably very close to you network-wise)
    3. Is properly configured and secured

    Then there aren't many significant benefits for recursively resolving your DNS queries.

    You can set up a DNS server to forward recursive queries instead of resolving them itself, and simply have those requests go to your ISP's server. What you gain from doing this is the ability to have a cache hit at your ISP's server, which could save you dozens of milliseconds in many typical setups.

    There are lots of reasons why you might want to use this setup - say, you might be running .local zones for your site (or split-horizon on your site's domain), or you might want to blackhole certain DNS zones.

    chris : But if I run a local recursor, say pdns-recursor or dnscache, wouldn't that have lower latency (for things already looked up) and be properly configured and secured (after all, it only accepts requests on 127.0.0.1, so no cache poisoning)?
    Daniel Papasian : There's no reason to think a local recursing server would be any faster than a local forwarding server, and plenty of reasons to think it'd be slower.
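    As an added example (not from the thread or from the PowerDNS project), here is a pdns-recursor configuration that does what the two answers above describe: it listens on loopback only and answers only local clients, hands a private namespace and a split-horizon copy of the public domain to an internal authoritative server, and shows the forward-everything-to-the-ISP variant as a commented-out alternative. It assumes PowerDNS Recursor 4.x with the old-style recursor.conf; the zone names corp.example and example.com and the addresses 192.168.1.53 and 198.51.100.53 are placeholders.

```ini
# recursor.conf -- PowerDNS Recursor 4.x, old-style config (added example, placeholders below)

# Listen on loopback only, so nothing off-host can even reach the cache.
# To serve a LAN, add the LAN address here and the LAN prefix to allow-from.
local-address=127.0.0.1, ::1
local-port=53

# Second line of defence: answer only these client addresses, even on a
# listening interface. Anything else gets a refusal, not recursion.
allow-from=127.0.0.0/8, ::1/128

# Validate DNSSEC where zones are signed; a forged answer then fails validation
# instead of landing in the cache.
dnssec=validate

# Private namespace and split horizon: send these names (and everything below
# them) to an internal authoritative server instead of resolving from the roots.
# forward-zones targets must be authoritative (queries are sent with RD=0).
# Caveat: if example.com is signed publicly, the internal copy must be signed
# too, or validation will reject the internal answers.
forward-zones=corp.example=192.168.1.53, example.com=192.168.1.53

# Alternative: forward everything (RD=1) to the ISP's resolver and keep its
# cache hits, as the answer above suggests. Leave commented out for full recursion.
# forward-zones-recurse=.=198.51.100.53

# Drop privileges after binding port 53.
setuid=pdns
setgid=pdns
quiet=yes
```

    Blackholing whole zones is not shown: in pdns-recursor that is done with a Lua preresolve script or an RPZ feed rather than a plain config key. After starting the recursor, a query from another host should be refused, and `dig @127.0.0.1 corp.example SOA` should come back from 192.168.1.53 rather than from the public tree.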
  • I think you need to approach this differently:

    What problem are you trying to resolve?

    Is running a local DNS server the best solution to that problem? I've often seen people deploy a local DNS server with really no good justification for doing so. In this case, you've added another service to be maintained, another vector for attack, and another link in your network for which you are responsible.

    I've seen local DNS servers deployed for very good reasons. For example, I've seen cases where the ISP's supplied DNS servers have a lot of latency. We tracked and measured this latency, up to 800ms in some cases. Installing a local caching server fixed this latency.

    I've had mail servers be slowed by the providers public DNS resolvers. By installing a local DNS server, this issue was resolved.

    I've seen the need to resolve some domains differently on the internal network vs. the external network, once again a local DNS server was the answer.

    IT solutions are highly dependent on the environment in which they are deployed.

    chris : I've seen plenty of situations where the DNS server for a local network is the wireless router, which in turn forwards the DNS requests to the ISP server, which responds with their "search" site for nonexistent domains. So, you've got the slowest computer on your network (the nat router) forwarding requests to a broken DNS server. Rather than worry about these sorts of problems, why not just install pdns-recursor on systems in the same way people install anti-spyware software? Is the power-dns recursor not reliable, or is it just a theory that it *may* cause problems?
    jeffatrackaid : Take a look at: https://secunia.com/advisories/product/9556/?task=statistics Once again, this highly depends on your environment and needs. I operate from the standpoint of less is more. The leaner your environment, the less software you have to look after, the smaller your threat surface, and the fewer licenses to manage. I'm not against installing such local resolver tools if they add real value. In the environment you describe, it could be better to get a router with a built-in DNS server. Depends on the needs.
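    The "incorrect data for names that don't exist" behaviour that Chris S's answer and chris's last comment complain about (a resolver answering NXDOMAIN queries with the address of a search page) can be checked mechanically rather than by eye. The following is an added example, not code from the thread: it builds a query for a random label that cannot exist, then classifies the reply as an honest NXDOMAIN, a hijack (RCODE 0 carrying an A/AAAA record), NODATA, or some other error. The demo at the bottom uses constructed packets so it runs offline; pass a resolver address on the command line to probe a live server. The probe label and the address 203.0.113.10 are made up.

```python
"""NXDOMAIN-hijack check: build a query for a name that cannot exist and
classify the resolver's reply. Added example; sample packets are constructed."""
import random
import socket
import struct
import sys


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=0x1234):
    """Minimal DNS query: RD=1, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(query, rcode, a_record=None):
    """Constructed reply to `query`: echoes the question, sets RCODE, and
    optionally adds one A record whose owner is a pointer to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1
    ancount = 1 if a_record else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + question
    if a_record:
        # 0xC00C = compression pointer to offset 12, the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Parse header, skip the question section, collect (type, rdata) answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": answers}


def classify(query, response):
    """A name that cannot exist must come back NXDOMAIN; an address is a hijack."""
    qid = struct.unpack("!H", query[:2])[0]
    r = parse_response(response)
    if r["id"] != qid or not r["qr"]:
        return "not-a-reply"
    if r["rcode"] == 3:
        return "nxdomain"
    if r["rcode"] == 0:
        if any(rtype in (1, 28) for rtype, _ in r["answers"]):  # A or AAAA
            return "hijacked"
        return "nodata"
    return "rcode-%d" % r["rcode"]


def probe_name(tld="com"):
    """Random 20-letter label under a TLD with no wildcard: it should not exist."""
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(20))
    return "%s.%s." % (label, tld)


def probe_resolver(server, qname, timeout=3.0):
    """Send the query over UDP to a live resolver (network required)."""
    q = build_query(qname, random.randrange(65536))
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    finally:
        s.close()
    return classify(q, resp)


if __name__ == "__main__":
    q = build_query("zqxjvkwpyhtnmbdrfsla.com.")  # constructed probe name
    print("honest resolver   :", classify(q, build_response(q, 3)))
    print("hijacking resolver:", classify(q, build_response(q, 0, "203.0.113.10")))
    if len(sys.argv) > 1:
        print(sys.argv[1], ":", probe_resolver(sys.argv[1], probe_name()))
```

    A single probe is a spot check, not proof of honesty: some resolvers only rewrite under certain TLDs or record types, so repeat it with a few labels and with AAAA queries before trusting the result, and compare the answer from 127.0.0.1 (your own recursor) against the one from the ISP's address.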
