
Fedora and fallback DNS servers

Posted Feb 25, 2021 17:13 UTC (Thu) by jafd (subscriber, #129642)
In reply to: Fedora and fallback DNS servers by dskoll
Parent article: Fedora and fallback DNS servers

There's more! What if I tweak my routing ever so slightly that 8.8.8.8 and 1.1.1.1 are not Google's servers but mine? Knowing there's this transparent fallback in place, I could hit a gold mine. (Granted, Linux users on laptops are rare beasts, but still)



Fedora and fallback DNS servers

Posted Feb 25, 2021 20:14 UTC (Thu) by zdzichu (subscriber, #17118) [Link] (4 responses)

If you control the network, why not just provide your DNS via DHCP? Then you wouldn't need to rely on fallback.
But frankly, your comment is absurd and brings nothing to the discussion.

Please

Posted Feb 25, 2021 20:26 UTC (Thu) by corbet (editor, #1) [Link] (3 responses)

I would really like it if comment posters would stop attacking each other in this way. If you disagree with the idea (as you evidently do) then explain your disagreement, but you do not need to insult the poster like this.

Thank you.

Please

Posted Feb 26, 2021 4:07 UTC (Fri) by JoeBuck (subscriber, #2330) [Link] (2 responses)

Jon, it has been 20 years. Time to look around for some mechanism to get comments under control. Simply treating comments as a tree in the order that they were submitted as if they are ordinary articles might have been acceptable two decades ago, but it is way too easy for discussion to be derailed, especially if the very first comment is trollish. There are some topics that just can't be discussed because of the problems with the comment system, and your occasional requests for civility just aren't effective.

I like Ars Technica's system, it seems to produce high quality discussions most of the time. There are other good ones.

Please

Posted Feb 26, 2021 23:58 UTC (Fri) by jrn (subscriber, #64214) [Link] (1 responses)

For what it's worth, I appreciate Jon's comments when he intervenes. They are tasteful and help set the tone for everyone else — they make it clear what kind of engagement is expected in *other* threads.

It may be that additional moderation features are also needed (though I've been coping okay with the killfile equivalent) but I don't want to see this other tool for good go away.

Please

Posted Mar 5, 2021 22:40 UTC (Fri) by flussence (guest, #85566) [Link]

I just want to post a “me too” to this. Having a human tell me when I've done something to elicit a reaction - good or bad - carries infinitely more weight than passive-aggressive externalities codified in software. The moderation style on this site, sadly unusual as it is in this day and age, works better than anything else I've seen.

We don't have an endemic unchecked plague of trolls here partly because it doesn't present a UI up front that sets expectations that they're part of the system. I can guarantee the second something with countable numbers were to be added, there'd be crowds trying to gamify it in all directions — it's already bad enough when I see a large user ID or reply count and brace for the worst.

(Here's where I'd apologise for veering so far off topic, but I think arguing over software-political DNS hijacking is a horse that's already been flogged into dust.)

Fedora and fallback DNS servers

Posted Feb 25, 2021 21:16 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

If you control the network, you can reroute all 53/udp traffic to whatever you want, regardless of the IP address in the headers. If the traffic uses DoT or DoH, then you can't reroute it or otherwise tamper with it, again regardless of the IP address in the headers.

My conclusion is that the IP address in the headers is not relevant to the attack vector which you describe (hostile network/router, active MitM attacks, etc.), except perhaps for cases where an attacker can reroute by IP address but not by port. This should be rare, but given how frequently we see ridiculous BGP leaking/hijacking, I wouldn't put it past them...

Fedora and fallback DNS servers

Posted Feb 26, 2021 10:22 UTC (Fri) by smurf (subscriber, #17840) [Link] (2 responses)

If you control the network anyway, you can just redirect all your users' DNS queries to your local resolver no matter which server the user intends to use.

Fedora and fallback DNS servers

Posted Mar 5, 2021 12:09 UTC (Fri) by kpfleming (subscriber, #23250) [Link] (1 responses)

With the advent of DoH, this has gotten very hard to do well. Now you not only have to block UDP and TCP traffic to destination port 53, but you also have to block TCP traffic to port 443 on the well-known DoH servers, and hope that your users won't use a non-well-known server.
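The port-versus-address distinction running through NYKevin's and kpfleming's posts (plain DNS on port 53 can be steered by port no matter which resolver IP the host picked, DoT and DoH can only be blocked, and a DoH resolver on an unknown address is just more HTTPS) is easy to see from the network operator's side. The following is an added example, not code from LWN or from any commenter: it classifies constructed flow records by resolver transport. The DHCP-provided resolver address, the "well-known public resolver" watch list (the two addresses named earlier in the thread) and all flow lines are made up for the example.

```python
"""Classify outbound flows by DNS transport, from a network operator's view.

Added example, not code from the thread. Flow records, the DHCP-provided
resolver address and the watch list of public resolver addresses are all
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed: the resolver address this LAN's DHCP server hands out.
DHCP_RESOLVER = "192.0.2.53"

# Constructed: public resolver addresses the operator has chosen to watch
# (the two addresses named in the thread).
WELL_KNOWN_PUBLIC = {"8.8.8.8", "1.1.1.1"}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """Label a flow by what the network operator can do about it.

    dns-plain-expected : classic DNS to the resolver DHCP handed out
    dns-plain-bypass   : classic DNS to any other address (hardcoded or
                         fallback resolver); steerable by port alone,
                         whatever destination IP the host chose
    dot                : DNS over TLS (tcp/853); blockable by port, but
                         TLS authentication prevents silent redirection
    doh-well-known     : tcp/443 to an address on the watch list;
                         blockable only by destination address
    https-opaque       : tcp/443 to anything else; a private DoH
                         resolver is indistinguishable from ordinary HTTPS
    other              : not resolver traffic by port
    """
    if flow.dport == 53:
        return "dns-plain-expected" if flow.dst == DHCP_RESOLVER else "dns-plain-bypass"
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"
    if flow.proto == "tcp" and flow.dport == 443:
        return "doh-well-known" if flow.dst in WELL_KNOWN_PUBLIC else "https-opaque"
    return "other"


def summarize(lines):
    """Classify every record and count (source host, label) pairs."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        counts[(flow.src, classify(flow))] += 1
    return counts


def bypass_hosts(lines):
    """Hosts whose plain DNS went somewhere other than the DHCP resolver,
    i.e. where a hardcoded or fallback resolver was actually used."""
    return sorted({src for (src, label), _ in summarize(lines).items()
                   if label == "dns-plain-bypass"})


# Constructed flow records (not captured from any real network).
SAMPLE_FLOWS = """
2021-02-25T17:13:01Z 10.0.0.7 192.0.2.53 udp 53
2021-02-25T17:13:02Z 10.0.0.7 8.8.8.8 udp 53
2021-02-25T17:13:03Z 10.0.0.7 1.1.1.1 tcp 853
2021-02-25T17:13:04Z 10.0.0.9 1.1.1.1 tcp 443
2021-02-25T17:13:05Z 10.0.0.9 203.0.113.10 tcp 443
2021-02-25T17:13:06Z 10.0.0.9 203.0.113.10 tcp 22
""".strip().splitlines()


if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{src:<10} {label:<20} {n}")
    print("fallback/hardcoded plain DNS seen from:", bypass_hosts(SAMPLE_FLOWS))
```

The only label the operator can act on without knowing the destination address in advance is the port-53 one, which is exactly the traffic a transparent fallback resolver produces; the `https-opaque` bucket is where a resolver on an arbitrary VPS lands, and nothing short of inspecting the TLS session itself separates it from ordinary web traffic.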

Fedora and fallback DNS servers

Posted Mar 5, 2021 12:13 UTC (Fri) by zdzichu (subscriber, #17118) [Link]

You need to intercept all communication, do MITM with TLS traffic and do deep packet inspection, because users wanting to use DoH will create their own DoH resolvers on the cheapest VPS instances in the cloud. I know, they did that in my company.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds