Fedora and fallback DNS servers

Posted Feb 26, 2021 3:30 UTC (Fri) by wahern (subscriber, #37304)
In reply to: Fedora and fallback DNS servers by pizza
Parent article: Fedora and fallback DNS servers

> Sure, and those laws say "the provider can collect whatever they want and do whatever they want with it". As does the contract, incidentally.

Some jurisdictions do prohibit ISPs from selling user data. And some ISPs are genuinely good netizens. People in these situations (a not insubstantial number, even in the U.S.) accidentally failing over to Google or Cloudflare are objectively in a *worse* situation.

Furthermore, small choices that push the entire Internet ecosystem into reliance on Google, Cloudflare, etc, means it becomes increasingly difficult to significantly improve the situation for everyone. It's not politically difficult (at least not in many jurisdictions outside the U.S.) to justify restrictions on ISPs collecting and leveraging personal data. But try to do that for Google and Cloudflare once a majority of the internet is relying on them to provide "free" DNS service, and then you'll find that you've burned all your bridges (port 53 is blocked everywhere except to Google and Cloudflare) and no longer have any real leverage. They can just take their ball and go home and then your citizens or clients will complain, "what use is privacy if I can't perform the activities I was interested in at all."

Look, it's a difficult problem juggling these competing demands--convenience vs privacy, security, etc. No doubt about it. But there's a difference between taking a path which we're not quite sure where it leads, and taking a path that very clearly leads to an undesirable end, even if it's slightly better than the status quo. Anyhow, the latter path isn't ever going away. Google and Cloudflare want you to use their DNS services because it not only makes them more money, it promises even greater dividends down the road as more people become reliant on them. That's true today and it will remain true for the foreseeable future.

Anyhow, if convenience is your primary objective, the solution is easy: just run a local recursing resolver. NLnet Labs' unbound is one of the most popular local resolvers in FOSS systems (perhaps second only to systemd-resolved). It's reputation is unimpeachable, supports all the latest standards to a much greater degree than systemd-resolved (including DoT and DoH, client- *and* server-side), and it's a first-class recursing, caching resolver. Moreover, it's composed of a collection of well documented APIs, meaning it's relatively easy to stitch together your own local resolver that transparently performs whatever fancy fallback magic you could ever want. OpenBSD does this: they provide unbound in the default install, but also provide their own bespoke "road warrior" resolver built on the unbound libraries. systemd could have decided to use these libraries if they had wanted to; it still can, in fact.

Conflation of the convenience and privacy issues is happening largely because of deficiencies in systemd-resolved itself. Only if you can't reliably perform recursive queries do you need to resort to choosing Google or Cloudflare as the fallback. And even then the options aren't mutually exclusive--you could first try the DHCP-declared server; if that doesn't work try recursing yourself; if that doesn't work fall back to Google over DoT/DoH. And to reiterate, libunbound puts all that within reach with a fraction of the effort that has gone into writing the systemd-resolved stack.[1]

[1] Not that I think the systemd-resolved stack is bad. I had no qualms relying on it to proxy upstream (to the DHCP-declared servers) for our clustering architecture.

to post comments

Fedora and fallback DNS servers

Posted Feb 26, 2021 4:36 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

> Some jurisdictions do prohibit ISPs from selling user data.

Sure, some do. Many more don't.

Meanwhile, Google (and for that matter, Cloudfare) has never "sold user data".

(Now Google sells _advertising_ that uses that data to improve targeting. But so have my last two ISPs)

And your ISP has some pretty detailed user activity data that many jurisdictions mandate be collected and retained, for "law enforcement" purposes. This sort of thing was a prime reason for the https-everywhere push. (Which led to even more intrusive middleboxes, which led browsers to pin certificates to catch data interception, and so forth...)

> Google and Cloudflare want you to use their DNS services because it not only makes them more money, it promises even greater dividends down the road as more people become reliant on them. That's true today and it will remain true for the foreseeable future.

...And also because plenty of middlemen routinely muck with end-users' DNS queries (and anything else that can be intercepted) leading to all manner of shenanigans, from relatively benign (data collection), somewhat skeevy (injecting advertising), to outright hostile (MITM attacks, credential harvesting)

(TBH I'd be quite surprised if Google and/or Cloudfare make any money off of their public DNS resolver, much less enough to offset the cost of providing/maintaining the service..)

> Anyhow, if convenience is your primary objective, the solution is easy: just run a local recursing resolver.

Um, how is installing and appropriately configuring an additional software packages "convenient" or "easy"?

If "convenience" is truly the primary objective, then systemd-resolved's upstream behaviour is ideal, as it will use whatever your ISP/etc hands you and only fall back to well-known public services if what you were handed doesn't work (or is nonexistent) for whatever reason.

(And I say that as someone who has private recursive resolvers set up for all of the networks I'm responsible for. And who has long made sure that "internal" DNS zones are publicly resolvable due to corporate VPN clients overriding local resolver settings..)

Fedora and fallback DNS servers

Posted Feb 26, 2021 10:40 UTC (Fri) by smurf (subscriber, #17840) [Link]

> (TBH I'd be quite surprised if Google and/or Cloudfare make any money off of their public DNS resolver, much less enough to offset the cost of providing/maintaining the service..)

The systems running the public DNS resolvers are there anyway, they provide search / content acceleration. Data gained from them helps identify malicious users (if suddenly 100k random queries for random123.s0me0bscured0ma1n.com show up, something fishy may be going on) which helps both secure and/or run their other services. So I strongly suspect that their effect is net positive.

Fedora and fallback DNS servers

Posted Feb 27, 2021 6:40 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

Both Google and Cloudflare have reasoned that their profitability is inherently tied to the Internet. If they make the Internet work better, they get more profits. Certainly we can trivially analyse the most superficial version of this thinking as correct - if the Internet somehow goes away Google and Cloudflare are ruined.

For now this aligns their interests and mine very well. In principle the Network might some day be transitioning to a successor technology and we could imagine Google and Cloudflare, if they still existed when that happens, fighting this change, like a 1990s telco (profiting from the previous iteration of the Network the global PSTN) trying to stop the Internet rather than going with the flow, but if that happens it would be in the distant future and I expect to be long dead.

Anyway, under this rationale offering public DNS unbreaks the Internet for some non-trivial fraction of users, which in turn drives up your profitability.

For Cloudflare in particular there's an extra bonus, the 1.1.1.1 server gets to choose which of several valid answers to give in response to queries and so it can choose answers for Cloudflare services that reduce RTT between origin and server since it knows where they both are.

Historically there was effort to help other servers do this in DNS, by telling them the first few octets of the asking client's IP address. EDNS Client Subnet. Unfortunately of course as we see in this thread, people consider their IP address private information and don't want it leaked. So Cloudflare does not use EDNS Client Subnet at all.