You want your DNS resolver to be as close to you as possible, especially if your DNS server does not support EDNS Client Subnet (ECS). You can also use namebench to benchmark different DNS servers. You can find result of benchmarks of public DNS resolvers on. These public global DNS providers are often praised for their speed. The popular global public DNS services all support DNSSEC by default and you can connect to them using encrypted DNS-over-TLS. And your ISP’s DNS servers prevent a single point of failure, a single point of data collection, and a single point of censorship. These might all be reasons in order to not to use your ISP’s DNS servers.īut at least in Europe, ISPs should be restricted by the GDPR to sell DNS data. In less democratic countries local DNS server are abused for censorship. Some (mostly American) ISPs serve redirect pages when you enter an unexisting domain name and they often block hosts with content which is illegal in your country (child pornography, sites helping with copyright infringement, illegal gambling sites,…). (replace dig by kdig if you are using Knot’s DNS utils) To test whether QNAME minimisation is enabled for your current resolver, use this command: $ dig +nodnssec +short TXT There is an online test to check whether your DNS server does DNSSEC validation. Quite often the problem with your ISP’s DNS servers, is that they don’t support DNSSEC and QNAME minmisation. You set up your own DNS recursor which connects itself to authoritative DNS servers.You forward all requests to a public global DNS service, like Cloudlfare’s 1.1.1.1, Quad9 or Google DNS.You forward all requests to your ISP’s DNS servers (which is what is usually done by default).There are basically 3 options for DNS on your client systems: More information about the DNS Privacy project can be found in this Fosdem 2018 talk. Data integrity is proved by DNSSEC and the privacy part is being tackled by the DNS Privacy project, proposing solutions like DNS-over-TLS (all data between resolver and client is encrypted) and QNAME minimisation (not sending the FQDN but only the relevant part to each DNS server when doing recursive resolving).
These days, improvements are being made to fix these problems. However DNS traffic is usually not encrypted and can leak lots of interesting information and originally DNS also did not provide date integrity, making it vulnerable to DNS spoofing. Update 4 August 2020: replace CHAOS class by CH in dig commands so they work with kdig too, Quad9 now does support QNAME minimisation, Quad9 has alternative servers available with ECS support and without QNAME minimisation, Google now also does QNAME minimisation.ĭNS is a crucial part of the Internet.
0 kommentar(er)
