 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
John Abreau wrote: > ...you're thinking that the correct thing to do is to use Verizon's > DNS, and that end users are not supposed to touch the root > nameservers. The opposite is actually the case. > > To use the Internet the way it was designed, you're supposed to run > your own local nameservers that talk to the root nameservers > directly. The ISP's nameservers are there for people who are either > unable or unwilling to operate their own local network. I don't think that's correct. It subverts the intent of DNS being a distributed database. The logic you describe makes perfect sense at a time when an "end-user" meant an organization the size of a university. If you are willing/able to run a DNS server locally, my recommendation is that you should run a caching proxy, that in turn talks to several recursive servers, unless you have an organization with hundreds of users. Specifically I recommend Dnsmasq, which in additions to providing an optimized caching proxy, and includes the ability to serve local names, and has an integrated DHCP server, making management of a small LAN's IP and names far easter. It'll also give you protection against DNS rebinding attacks. This is the DNS proxy/DHCP solution used by all the 3rd party router firmwares. (I don't really get why anyone with bother with running Bind, unless they were using it in a large enterprise or as a public authoritative server.) If it were true that it was hard to find a public recursive server that was fast, reliable, and didn't monkey with the records, then running your own recursive resolver would make sense. But that's not the case. Also, on this topic, GRC recently released a DNS benchmark tool: http://www.grc.com/dns/benchmark.htm It's designed for Windows, but supposedly runs under Wine. (I haven't tried it. The Python tool previously mentioned on the list does the job adequately for me. But the GRC tool does have a bunch of additional features, like testing the servers for redirects on bad names, whether they filter out rebinding attacks, and DNSSEC compliance.) -Tom -- Tom Metro Venture Logic, Newton, MA, USA "Enterprise solutions through open source." Professional Profile: http://tmetro.venturelogic.com/
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
