
Fedora and fallback DNS servers

Fedora and fallback DNS servers

Posted Feb 25, 2021 16:27 UTC (Thu) by dskoll (subscriber, #1630)
Parent article: Fedora and fallback DNS servers

Compiled-in fallback DNS servers seem like a terrible idea to me. We all know that Google and Cloudflare are much too big to fail, but what if the unthinkable happens and 8.8.8.8 or 1.1.1.1 end up being owned by someone whose motives might not be the purest, unlike those two companies?

If someone wants fallback DNS servers, it's easy enough to configure them when provisioning a new installation. Or heck, just implement a recursive resolver in systemd. It has the rest of the kitchen, so why not add the sink?


Fedora and fallback DNS servers

Posted Feb 25, 2021 17:13 UTC (Thu) by jafd (subscriber, #129642) [Link] (9 responses)

There's more! What if I tweak my routing ever so slightly so that 8.8.8.8 and 1.1.1.1 are not Google's servers but mine? Knowing there's this transparent fallback in place, I could hit a gold mine. (Granted, Linux users on laptops are rare beasts, but still.)

Fedora and fallback DNS servers

Posted Feb 25, 2021 20:14 UTC (Thu) by zdzichu (subscriber, #17118) [Link] (4 responses)

If you control the network, why not just provide your DNS via DHCP? Then you wouldn't need to rely on fallback.
But frankly, your comment is absurd and brings nothing to the discussion.

Please

Posted Feb 25, 2021 20:26 UTC (Thu) by corbet (editor, #1) [Link] (3 responses)

I would really like it if comment posters would stop attacking each other in this way. If you disagree with the idea (as you evidently do) then explain your disagreement, but you do not need to insult the poster like this.

Thank you.

Please

Posted Feb 26, 2021 4:07 UTC (Fri) by JoeBuck (subscriber, #2330) [Link] (2 responses)

Jon, it has been 20 years. Time to look around for some mechanism to get comments under control. Simply treating comments as a tree in the order that they were submitted as if they are ordinary articles might have been acceptable two decades ago, but it is way too easy for discussion to be derailed, especially if the very first comment is trollish. There are some topics that just can't be discussed because of the problems with the comment system, and your occasional requests for civility just aren't effective.

I like Ars Technica's system, it seems to produce high quality discussions most of the time. There are other good ones.

Please

Posted Feb 26, 2021 23:58 UTC (Fri) by jrn (subscriber, #64214) [Link] (1 responses)

For what it's worth, I appreciate Jon's comments when he intervenes. They are tasteful and help set the tone for everyone else — they make it clear what kind of engagement is expected in *other* threads.

It may be that additional moderation features are also needed (though I've been coping okay with the killfile equivalent) but I don't want to see this other tool for good go away.

Please

Posted Mar 5, 2021 22:40 UTC (Fri) by flussence (guest, #85566) [Link]

I just want to post a “me too” to this. Having a human tell me when I've done something to elicit a reaction - good or bad - carries infinitely more weight than passive-aggressive externalities codified in software. The moderation style on this site, sadly unusual as it is in this day and age, works better than anything else I've seen.

We don't have an endemic unchecked plague of trolls here partly because it doesn't present a UI up front that sets expectations that they're part of the system. I can guarantee the second something with countable numbers were to be added, there'd be crowds trying to gamify it in all directions — it's already bad enough when I see a large user ID or reply count and brace for the worst.

(Here's where I'd apologise for veering so far off topic, but I think arguing over software-political DNS hijacking is a horse that's already been flogged into dust.)

Fedora and fallback DNS servers

Posted Feb 25, 2021 21:16 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

If you control the network, you can reroute all 53/udp traffic to whatever you want, regardless of the IP address in the headers. If the traffic uses DoT or DoH, then you can't reroute it or otherwise tamper with it, again regardless of the IP address in the headers.

My conclusion is that the IP address in the headers is not relevant to the attack vector which you describe (hostile network/router, active MitM attacks, etc.), except perhaps for cases where an attacker can reroute by IP address but not by port. This should be rare, but given how frequently we see ridiculous BGP leaking/hijacking, I wouldn't put it past them...

Fedora and fallback DNS servers

Posted Feb 26, 2021 10:22 UTC (Fri) by smurf (subscriber, #17840) [Link] (2 responses)

If you control the network anyway, you can just redirect all your users' DNS queries to your local resolver no matter which server the user intends to use.

Fedora and fallback DNS servers

Posted Mar 5, 2021 12:09 UTC (Fri) by kpfleming (subscriber, #23250) [Link] (1 responses)

With the advent of DoH, this has gotten very hard to do well. Now you not only have to block UDP and TCP traffic to destination port 53, but you also have to block TCP traffic to port 443 on the well-known DoH servers, and hope that your users won't use a non-well-known server.

Fedora and fallback DNS servers

Posted Mar 5, 2021 12:13 UTC (Fri) by zdzichu (subscriber, #17118) [Link]

You need to intercept all communication, do MITM with TLS traffic and do deep packet inspection. Because users wanting to use DoH will create their own DoH resolvers on the cheapest VPS instances in the cloud. I know, they did that in my company.

Fedora and fallback DNS servers

Posted Feb 25, 2021 22:51 UTC (Thu) by patrakov (subscriber, #97174) [Link] (8 responses)

In many countries, these DNS server addresses (8.8.8.8 and 1.1.1.1) are effectively owned by someone else, due to mandatory internet filtering by ISPs.

Fedora and fallback DNS servers

Posted Feb 26, 2021 7:25 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (7 responses)

1.1.1.1 and 8.8.8.8 and similar aren't "effectively owned by someone else". ISPs (of their own accord or by government mandate) could decide to blackhole these addresses, but they can't impersonate them because the underlying services offer TLS and of course have certificates for their own names.

Apparently everybody in this thread pays a lot of attention to their DNS configuration and so I'm sure everybody here is using TLS right?

The British government's old white paper (before it was repeatedly back-burnered and effectively scrapped) described DNS-based filtering censorship as the practical way forward. I remember reading it at the same time IETF 101 London happened; I remember because of the irony.

At that point what is now "Encrypted Client Hello" was only a napkin sketch, but DPRIV and TLS 1.3 were essentially done. DNS-based filtering was thus a dead man walking. Fast forward three years, it's irrelevant. If your teenager wants to read Oglaf then an ISP filter won't stop them.

Fedora and fallback DNS servers

Posted Feb 26, 2021 13:34 UTC (Fri) by dskoll (subscriber, #1630) [Link] (6 responses)

I'm intrigued as to how you run DNS over UDP port 53 with TLS. Please enlighten...

Sure, there's DNSSec, but it's not widely used at all.

Fedora and fallback DNS servers

Posted Feb 26, 2021 17:00 UTC (Fri) by johannbg (guest, #65743) [Link] (5 responses)

Hmm hardly used at all...

As far as I can tell DNSSEC usage is skyrocketing...

https://stats.dnssec-tools.org/

Fedora and fallback DNS servers

Posted Feb 26, 2021 18:02 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Several large cloud hosting providers started offering DNSSEC last year.

Fedora and fallback DNS servers

Posted Feb 26, 2021 19:14 UTC (Fri) by dskoll (subscriber, #1630) [Link] (3 responses)

What percentage of domains (not TLDs, actual registered domains) use DNSSec? I suspect it's under 5%. A quick check shows no DS records for biggies like google.com, microsoft.com, facebook.com, amazon.com, netflix.com, apple.com or oracle.com. There is one for whitehouse.gov, though, which is good.
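The "quick check" described above, as an added example that is not part of the original thread: it asks a local `dig` for the DS records of each domain (the record a parent zone publishes when a child is DNSSEC-signed) and parses the answer. The sample DS output and the helper names are constructed for illustration.

```python
import shutil
import subprocess
from typing import Callable, Dict, List

# Constructed sample of `dig +short DS <domain>` output: one record per line as
# "key-tag algorithm digest-type digest". The digest is a placeholder, not real data.
SAMPLE_DS_OUTPUT = (
    "12345 8 2 "
    "0123456789ABCDEF0123456789ABCDEF 0123456789ABCDEF0123456789ABCDEF\n"
)


def parse_ds_records(short_output: str) -> List[Dict[str, str]]:
    """Parse `dig +short DS` output into dicts; dig may split a digest over spaces."""
    records = []
    for line in short_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # tolerate blank or malformed lines
        records.append({
            "key_tag": fields[0],
            "algorithm": fields[1],
            "digest_type": fields[2],
            "digest": "".join(fields[3:]).upper(),
        })
    return records


def query_ds(domain: str) -> str:
    """Run `dig +short DS <domain>` and return its stdout ("" if dig is unavailable)."""
    if shutil.which("dig") is None:
        return ""
    proc = subprocess.run(["dig", "+short", "DS", domain],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


def ds_summary(domains: List[str],
               fetch: Callable[[str], str] = query_ds) -> Dict[str, bool]:
    """Map each domain to True when its parent publishes at least one DS record."""
    return {d: bool(parse_ds_records(fetch(d))) for d in domains}


if __name__ == "__main__":
    # The domains named in the comment above; results depend on live DNS.
    for dom, signed in ds_summary(["google.com", "whitehouse.gov"]).items():
        print(f"{dom}: {'DS present' if signed else 'no DS record'}")
```

An empty answer means the parent zone publishes no delegation signer, but an intercepting or validation-stripping resolver would also return nothing, so run the check from a host whose resolver you trust.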

Fedora and fallback DNS servers

Posted Feb 26, 2021 19:56 UTC (Fri) by johannbg (guest, #65743) [Link] (2 responses)

The "biggies" are always the last to change given the complexity of their infrastructure & bureaucracy.

Given how fast this is being adopted, now that cloud providers offer it, I'm pretty sure Microsoft will have completed their adoption, at least for the Office 365 platform, by the end of this year.

NIST provides statistics on IPv6 and DNSSEC adoption within the US government here [1].

1. https://fedv6-deployment.antd.nist.gov/

Fedora and fallback DNS servers

Posted Feb 28, 2021 19:01 UTC (Sun) by dskoll (subscriber, #1630) [Link] (1 responses)

Thanks for the link. As this page shows, DNSSEC adoption is very limited.

Fedora and fallback DNS servers

Posted Feb 28, 2021 19:59 UTC (Sun) by johannbg (guest, #65743) [Link]

Among their sample at least, and as you can see both Debian and FreeBSD are doing a better job than Fedora in that measurement, and Fedora is just slightly better than RH, which is on par with Microsoft...


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds