
Paul Vixie thinks more people should be running their own DNS servers - indigodaddy
https://www.businessinsider.com/internet-pioneer-paul-vixie-privacy-security-dns-server-2019-3
======
rmdoss
More people should be running their own mail servers, their own web servers,
their own _IRC_ servers, etc.

But I don't think we are ever going back in that direction. The arguments and
benefits for running one locally are not enough to justify the trouble either.

Performance? Due to DNS caching at the resolver level, it is probably faster
to use Google's 8.8.8.8 or CloudFlare's 1.1.1.1, than anything local (where
all dns requests are a MISS).

Privacy? With DNS over TLS/DNS over HTTPS, your ISPs can't see what you are
doing. If you run DNS locally, they can. Yes, they will see all the requests
your resolvers are doing to the auth DNS servers.

Security? Some _good_ resolvers, like Quad9 or CleanBrowsing will block
malicious domains. CleanBrowsing will also help blocking adult content if you
have kids. I don't think maintaining such control is practical for most people
(pi-hole helps, but still hard to keep it updated and find good enough
databases to use).

I would love a de-centralized web, but it is pretty hard to go back.

~~~
hazeii
Single data point, but I've been running a home DNS server (bind) for many
years; it's set to be authoritative for the .local domain and caching for
everything else (except for major tracking and advertising sites, which it
blackholes).

For hits that are in the cache (the usual case) it's obviously faster than
going out to the 'net. The black-holing combined with ad-blockers means
browsing is a _lot_ faster and considerably more peaceful.

In terms of maintenance, it's no real effort other than updating every few
years (being behind NAT the security risks aren't huge) and it means the
entire household sees the benefit (plus access to webservers/wikis etc on the
.local domain).

Obviously the downside is it needs to be on something that runs 24x7 and a
modicum of IT skills are required to set it up. One other catch is that your
ISP might block you for not using their DNS; BT (UK ISP) did this, but it is
possible to turn off this 'security feature' via a rather obfuscated web page
(may have changed since I last did it).
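
The blackholing hazeii describes (and the blocklist upkeep rmdoss mentions for pi-hole) in runnable form. This is an added example, not code from the thread, from BIND or from unbound: it reads hosts-file style blocklist lines, normalises them, drops names already covered by a blocked parent, and emits unbound local-zone rules plus an equivalent BIND RPZ zone body. The sample list and every domain in it are constructed placeholders.

```python
"""Blackhole ad/tracker domains at the resolver.

Added example (not code from the thread, BIND or unbound): reads
hosts-file style blocklist lines, normalises them, drops names already
covered by a blocked parent, and emits unbound 'local-zone' rules and an
equivalent BIND RPZ zone body. The sample list below is constructed;
the domains in it are placeholders.
"""
import ipaddress
import re

SAMPLE_BLOCKLIST = """\
# constructed sample, not a real list
0.0.0.0 tracker.example.net
127.0.0.1   ads.example.com   # inline comment
0.0.0.0 cdn.ads.example.com
pixel.example.org
0.0.0.0 localhost
0.0.0.0 localhost.localdomain
ads.example.com
not a domain!!
"""

# Entries every hosts file carries that must never be blackholed.
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _valid_hostname(name):
    # Require at least two labels: bare words in a broken line are not domains.
    return 0 < len(name) <= 253 and "." in name and all(
        _LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Set of normalised domains (lowercase, no trailing dot) from hosts-file
    lines ('<ip> name [name ...]') or bare 'name' lines; comments ignored."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        tokens = line.split()
        names = tokens[1:] if _is_ip(tokens[0]) else tokens
        for name in names:
            name = name.rstrip(".")
            if name not in _HOSTS_NOISE and _valid_hostname(name):
                domains.add(name)
    return domains


def minimize(domains):
    """Drop names already covered by a blocked ancestor: a zone rule for
    ads.example.com already catches cdn.ads.example.com."""
    keep = set()
    for d in sorted(domains, key=lambda x: x.count(".")):
        if not any(d == p or d.endswith("." + p) for p in keep):
            keep.add(d)
    return keep


def is_blocked(qname, domains):
    """Zone-style match: the name itself or any ancestor is in the set."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def to_unbound(domains):
    """unbound.conf lines for the 'server:' section; always_nxdomain applies
    to the zone apex and every name below it."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in sorted(domains))


def to_rpz(domains, origin="rpz.local"):
    """Body of a BIND response-policy zone: CNAME to '.' means answer NXDOMAIN;
    the wildcard row covers subdomains. Load it with a 'response-policy' stanza."""
    lines = [f"$ORIGIN {origin}.", "$TTL 60",
             "@ SOA localhost. root.localhost. 1 3600 900 604800 60",
             "@ NS localhost."]
    for d in sorted(domains):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = minimize(parse_blocklist(SAMPLE_BLOCKLIST))
    print(to_unbound(blocked), end="")
    print("cdn.ads.example.com blocked:", is_blocked("cdn.ads.example.com", blocked))
```

Two things worth noting: the hosts-file noise entries (localhost and friends) are filtered on purpose, since a raw list pasted into a resolver will otherwise blackhole them; and the match is zone-style, so a rule for ads.example.com also answers NXDOMAIN for anything below it, which is what both unbound's always_nxdomain and the RPZ wildcard row do.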

~~~
7ewis
Did you change DNS using the BT Hub?

Mine forces me to use their DNS, would love to turn it off at a router level.
I know I can buy a new router but I can't justify that right now.

~~~
TabbedFonzo
The work around for this (unfortunately) is to use another device to dish out
DHCP. I have setup my Pi Hole to serve this and my DNS

------
js2
Ironically, the instructions linked to in this article for running your own
DNS server[1] suggest configuring it to forward all non-local queries to your
ISP or Google DNS.

(It’s not clear to me whether Vixie is more bothered by the loss of privacy in
using Google/Cloudflare/OpenDNS/etc and/or it’s the loss of privacy.)

If you’re going to do that, you might as well use dnsmasq or just use your
ISPs servers directly. If your concern is privacy, you need to configure BIND
to operate in recursive mode instead of as a forwarder (dnsmasq is a forwarder
only, but you could use unbound if you don’t like BIND). But note that your ISP
could in theory still snoop your recursive DNS queries. It all depends who you
trust the least.

You could also, per my sibling comment, run dnsmasq locally and then run a
recursive DNS server on a cloud server, using either a VPN or DOH in-between.
That would give you a local cache with your own recursive DNS that your ISP
can’t snoop. But do you trust your cloud provider? (Also make sure if you do
this that you configure edns0 client subnet or your video streaming may
break.)

[1]
[https://www.ionos.com/digitalguide/server/configuration/how-to-make-your-raspberry-pi-into-a-dns-server/](https://www.ionos.com/digitalguide/server/configuration/how-to-make-your-raspberry-pi-into-a-dns-server/)

~~~
reshie
well there is dnscrypt. i use a local cache for fast revisits. ya i'm not sure
everyone having full dns servers would be a good thing or even practical.

~~~
js2
DNSCrypt only provides authentication, not confidentiality, and it’s only
between the client and the recursive server. So it doesn’t address either the
performance or the privacy concern of routing all your DNS through someone
else’s recursive servers.

Edit: apparently it encrypts traffic as well:

[https://dnscrypt.info/faq/](https://dnscrypt.info/faq/)

So it’s comparable to DoH which prevents your ISP from snooping but per my
other comments here doesn’t address the privacy concern of now having to trust
the upstream resolver.

~~~
ryan-c
Are you sure you're not thinking of DNSCurve? It doesn't provide
confidentiality, but AFAICT DNSCrypt does.

~~~
js2
You’re right. I went off the Wikipedia page for it which says:

_DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in
a cryptographic construction in order to detect forgery. Though it doesn't
provide end-to-end security, it protects the local network against
man-in-the-middle attacks._

[https://en.wikipedia.org/wiki/DNSCrypt](https://en.wikipedia.org/wiki/DNSCrypt)

But according to dnscrypt.info it’s encrypted.

~~~
zrm
DNSCrypt and DNSCurve both provide confidentiality (and are very similar to
each other). The thing that doesn't provide confidentiality is DNSSEC.

------
vkaku
I agree with Paul Vixie. The internet, IMO, is not a playground for large
corporations.

What originally made the Internet amazing was the participatory nature of it.
As it started 'standardizing' or 'accruing', autonomy was lost in the pursuit
of efficiency.

Today, 2-3 corporations are just trying to own the internet, and this needs to
stop. I favour participation in the Internet over what it is today.

Okay, so how can we make it happen?

\- Make a decent DNS Server in Go/Rust/<Any-Clean-Coded-Implementation>.

\- Make this embeddable in routers/open stacks, maybe in OpenWRT.

\- Make it easier to define top level zones/domains in a modern, easy data
format (maybe JSON/YAML). Make this an overlay/augment format.

\- Publish bootstrap corpus of data for such independent DNS servers; No, they
do not need to have all the root server content updated as frequently. It
could be easy to sync this periodically with a git pull. This should be an
internet-wide mirrored effort, like Bitcoin.

\- Isolate oneself from people, arguments and organizations who want to use
AWS/Google/<Insert-Popular-Provider-Of-Choice> because they work at scale and
are cheap. One should know that to have an independent internet, the change
starts with the self.

\- Run the DNS server at home, production, *cloud and protect the Internet.

~~~
xorcist
What's wrong with opkg install unbound? It's robust, doesn't require
maintenance, and is already available as an optional install in OpenWRT.

The reason people don't use it is probably just that it isn't default. Some
captive portals mess with DNS resolution and it's probably easier for OpenWRT
to just let them.

~~~
lazyjones
> _What's wrong with opkg install unbound? It's robust, doesn't require
> maintenance,_

Good joke. It's written in C, so in addition to typical protocol/logic flaws,
it'll have its share of security and memory leak problems. No maintenance?
Have a look at
[https://nlnetlabs.nl/svn/unbound/tags/release-1.9.1/doc/Changelog](https://nlnetlabs.nl/svn/unbound/tags/release-1.9.1/doc/Changelog)
and its security advisories... Regular updates are necessary.

~~~
upofadown
Here is a list (and some discussion) of the 4 CVEs that unbound has had
starting in 2011:

* [https://nlnetlabs.nl/projects/unbound/security-advisories/](https://nlnetlabs.nl/projects/unbound/security-advisories/)

Nothing there looks particularly scary to me.

------
jacquesm
Then he should have made it a lot easier to do so. The whole problem with DNS
is the finicky configuration, it is about as tricky to set up properly as a
mail server in spite of the outward simplicity. Mail, DNS and also WWW servers
are the ideal components of federated systems but the degree to which you have
to be a networking guru, security guy and systems administrator to keep all
three up and running without issues over a longer period of time is such that
many people will simply not take the trouble.

~~~
jsiepkes
Isn't that more a problem of the implementations than the DNS standard?

------
neonate
[http://archive.is/sRDJv](http://archive.is/sRDJv)

[https://outline.com/fDZwD7](https://outline.com/fDZwD7)

~~~
slyall
Ironically my ISP is using their DNS servers to block archive.is

~~~
coldacid
Sure sucks to live in New Zealand right now, doesn't it?

~~~
slyall
The block is a minor inconvenience. I'm okay with it as long as it is a
temporary thing.

~~~
mkl
I'm not. It tells me I can't trust my phone company to reliably provide the
internet access I pay them for: who knows what they'll try to block next? I
made a complaint, and got a response that quoted the terms of use which say
they can mess with traffic if they want to. I know that, and my position is
they shouldn't half-assedly try to police content. So, I installed a VPN on my
phone.

------
songzme
I have my own home server on a standard consumer Comcast internet (cheap plan
at 60mbps) running c0d3.com, and the students that are learning how to code on
it never had any issues with stability (except that one time where I had a
power outage at home).

I also have my router configured to use our server as a DNS server and the
speed is incredible. Since I'm hosting my sites at home, when people in my
WiFi network use my sites it feels almost instantaneous (because network
request resolves locally)

3 of my students were inspired to set up their own servers and they love the
experience so far. Finding people who run their own services is so rare, I
hope more people do it.

I am concerned about security implications though. Could people hack into my
home server, then hack into the router, and then launch a man in the middle
attack?

~~~
acct1771
If you're serving your website from your router as a webserver (dumb), this
would be a concern. Serve your website(s) from a webserver running in a
VM/container, and you're doing okay.

------
jeffreyrogers
I ran my own DNS servers in the past (and email servers). It's not too
difficult to setup (email is significantly harder), although you'll probably
have to run at least two DNS servers in order to use it with a domain because
most registrars won't let you change the nameservers unless you have at least
two.

I think it's a worthwhile thing to do since it demystifies how DNS works
(similarly with running your own email servers), but if you're running
everything on cloud infrastructure I don't see much benefit aside from the
educational aspect.

~~~
0x0
There's a nice and free secondary DNS service available at
[https://freedns.afraid.org](https://freedns.afraid.org) \- so if you trust
that service, you can get away with running just one master DNS yourself.

------
cbdumas
I learned recently that my home router runs a forwarding DNS server. I suspect
many people are already doing this and don't know it.

~~~
js2
The article is partly about the performance issue of not having a local server
and partly about the privacy loss of sending all your DNS queries to Google.
Even without a local dns server there’s still a stub resolver on your OS that
provides some degree of caching.

------
HQS
I think we are approaching another tipping point towards decentralization. As
more and more people become aware of the privacy and other abuses from Google
and Facebook there will be a growing migration towards anyone who offers
alternatives and more choices.

I remember the great excitement of those early days when the internet first
started to become a mass public phenomenon. It was going to change everything,
become the great leveler. Those huge entrenched monopolistic corporations
would have trouble competing against small quick startups. And for a while
that happened, entire industries were changed by tiny startups in garages,
like Google. But as it became bigger Google changed for the worse.

I think this is going to be a continuing cycle. But one great thing is that we
will be creating new tools such as blockchain and will have a clearer roadmap
of what to do when somebody amasses so much centralized power that they start
to limit our choices, to enrich themselves.

Another thing, today people are walking around with enough combined computing
power in the phones in their pocket to dwarf the resources of even Google,
Facebook, and even the CIA and NSA and I know we have enough hackers that
would consider it a challenge and even fun to organize all that power to
counteract any serious abuses.

For instance many phones these days have at least 8 processors around 4GHZ and
it now is possible to add a 1 Terabyte SD Card. That is more than enough to
use it as a DNS Server.

Soon we will be seeing more and more peer to peer mesh networks, decreasing
the need to use an ISP. I think more and more local Co-ops will be formed with
people networking together their computer resources. And these Co-ops could
network together themselves. For example they could form an online buyers club
with all purchases going through a specific IP Address and no transaction
being able to be traced to individuals. And a small percentage of the purchase
price can be earmarked to pay people running the DNS or other services or pay
them for any useful specialized software they have developed for these uses.

------
spc476
For an end user, a resolver only DNS server is probably one of the easiest
services to run as there's really nothing to configure. I run my own resolver
only DNS server at home. The configuration is minimal and I haven't had to
touch it in years (about every five years I update the root zone to pick up
new root servers if any).

I also happen to run DNS for my domain (as well as email, web, gopher and
qotd) and that is a bit more involved than just resolving only, but it's by
far easier to manage than an email server.

------
3xblah
I have been serving myself a custom root.zone for almost 20 years now.

I use tinydns for this which I think has always been the ideal choice for
personal use. The author from the beginning recommended users not to use third
party DNS and that advice has proven to be more and more prudent over the
years. tinydns stores records on disk and has never been limited by RAM as
would be something like nsd, for example. Today, I manage to fit all the data
I need on tmpfs anyway.

I am certainly not the only person to serve their own root.

There used to be a project called ORSC that started around 1998 when there
were people actively protesting ICANN management of domain names. ORSC ran
their own root servers, as a service for others, as an alternative to ICANN. I
remember seeing a page -- it may have been associated with ORSC -- showing how
to run an alternative root. The software used was tinydns.

I also remember a former head of ICANN who said he ran his own local
root.zone. Not sure what software he used. This was years before any "expert",
e.g. Cricket Liu, even admitted running a local cache (nevermind a local root)
could be a good idea.

Managing DNS for myself I noticed a few things over the years.

The amount of DNS data I will need for all internet use in the course of a
lifetime -- subtracting all data for ad servers -- is relatively small. With
today's computer equipment it can easily be stored locally.

Within that subset of DNS data the amount that is changing constantly is also
relatively small. The Mockapetris DNS is premised on handling dynamic data but
I manage to meet my own needs with almost all static data. Further, the sampling
I have done kept showing that most data stored in the DNS as a whole was not
very dynamic.

Serving the data I need via authoritative servers like tinydns or nsd reduces
the need for a cache, let alone one shared with others (who could possibly
poison it... thereby reducing need for more complexity to protect against such
poisoning).

As mentioned in the article, Vixie's problem was with _Google hardware_.
Something like not being able to edit /etc/resolv.conf. Several solutions
exist.

What happens when the _ISP_ is redirecting all queries to port 53 to their own
DNS servers? Imagine where the ISP has made its resolvers authoritative for
everything, where it modifies the answers and you cannot access any other
remote DNS server on port 53.

What is the solution? Multiple possibilities. If the needs are only for a
relatively small amount of mainly static DNS data, then one option is to
prefetch the data in bulk via FTP/HTTP. If the user wants a DNS cache, then
another option is to set up own remote cache listening on a port other than 53
then forward queries there. VPN seems like overkill when the only issue is DNS
traffic.

As such, "running their own DNS servers" could involve more than just using a
RPi on the local network.

~~~
JdeBP
I have, also.

* [http://jdebp.uk./Softwares/nosh/guide/services/djbdns.html#Default](http://jdebp.uk./Softwares/nosh/guide/services/djbdns.html#Default)

* [http://cr.yp.to/dnsroot.html](http://cr.yp.to/dnsroot.html)

------
geocrasher
Back when I was on 1.5mbps DSL, one of the biggest performance gains in all
the things I tried wasn't content caching via a proxy. It wasn't ad blocking
(although that helped!) It was running my own DNS. Web pages got _snappy_
again. I'm on a fast internet connection now, but I still contemplate running
my own DNS just to get that snappiness back.

------
Waterluvian
How hard is it to make a personal use raspberry pi dns server that assembles a
local database using the consensus of a bunch of major sources?

~~~
viraptor
That's not really how customer DNS works, so you're talking about a custom
monitoring project. It doesn't seem very hard to monitor the consensus - get a
stream of domains and run "dig" against the known endpoints.

But if you want an actual server doing that, I don't think there's much point.
You'll get differences for various valid reasons. Entries changing, different
anycasts getting different geo responses, etc. It's a bit like "a man with a
watch knows the right time, a man with two watches can never be sure".

So the answer is really - why do you want to do this? Different reasons here
lead to different approaches.

~~~
Waterluvian
Thanks for sharing. I don't understand DNS as well. I wasn't sure they could
disagree for valid reasons for example.

------
raggi
Quick, name a non-niche dns server that is easy to configure and maintain that
hasn't had a major vulnerability in the last six months.

~~~
tomjakubowski
dnsmasq's last CVE was in October 2017 [https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dnsmasq](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dnsmasq)

despite that "safety record", I am probably going to switch to
[https://github.com/bluejekyll/trust-dns](https://github.com/bluejekyll/trust-dns)

~~~
bluejekyll
Thanks for the shoutout to trust-dns.

I would take the fact that there have been no CVEs on the server with a grain
of salt, as I don’t think it’s seeing a lot of use. The embedded resolver is
getting a lot...

Feel free to open any issues for features you’d like to see.

------
rannug
I've been running BIND9 on a raspberry pi powered off of a usb port on my wifi
router. Sure 8.8.8.8 and 1.1.1.1 will know some of my households queries, but
not how much they are being queried. It's actually surprisingly busy with
redundant requests. Requests that Google et al know less about now.

It's also handy to review the DNS logs. I found out my off brand wifi cameras
were phoning home to china every minute. Blocked that domain in a hot minute!
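
The two things rannug got from the logs, the volume of repeat queries and the camera beaconing every minute, as an added example that is not code from the thread or from BIND. It parses query-log lines in the shape BIND 9 writes for the queries category with timestamps enabled (the optional "@0x..." client pointer newer versions print is tolerated), lists the busiest (client, name) pairs, and flags pairs whose queries arrive at a near-constant interval. The log lines, hostnames and addresses are constructed.

```python
"""Find devices that phone home on a schedule, from the resolver's query log.

Added example, not code from the thread or from BIND. It parses query-log
lines in the shape BIND 9 writes for the 'queries' category with timestamps
(a '@0x...' client pointer, as newer versions print, is tolerated), counts
the busiest (client, name) pairs, and flags pairs whose queries arrive at a
near-constant interval. The log lines, hosts and addresses are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\w+) "
)

SAMPLE_LOG = """\
12-Mar-2019 22:00:00.101 client 192.168.1.42#51000 (api.cam-vendor.example): query: api.cam-vendor.example IN A + (192.168.1.1)
12-Mar-2019 22:00:07.540 client 192.168.1.10#51001 (news.example.org): query: news.example.org IN A + (192.168.1.1)
12-Mar-2019 22:01:00.098 client 192.168.1.42#51002 (api.cam-vendor.example): query: api.cam-vendor.example IN A + (192.168.1.1)
12-Mar-2019 22:01:33.201 client 192.168.1.10#51003 (cdn.example.org): query: cdn.example.org IN AAAA + (192.168.1.1)
12-Mar-2019 22:02:00.104 client @0x7f3c1c0a2b10 192.168.1.42#51004 (api.cam-vendor.example): query: api.cam-vendor.example IN A + (192.168.1.1)
12-Mar-2019 22:03:00.099 client 192.168.1.42#51005 (api.cam-vendor.example): query: api.cam-vendor.example IN A + (192.168.1.1)
12-Mar-2019 22:04:00.102 client 192.168.1.42#51006 (api.cam-vendor.example): query: api.cam-vendor.example IN A + (192.168.1.1)
12-Mar-2019 22:05:41.007 client 192.168.1.10#51007 (news.example.org): query: news.example.org IN A + (192.168.1.1)
this line is not a query-log line and is skipped
"""


def parse_log(text):
    """List of (timestamp, client_ip, qname, qtype); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        events.append((ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]))
    return events


def top_pairs(events, n=5):
    """Most-queried (client, name) pairs: the repeat traffic a local cache absorbs."""
    return Counter((ip, qname) for _, ip, qname, _ in events).most_common(n)


def find_beacons(events, min_queries=4, max_jitter=0.2):
    """{(client, name): (count, mean_gap_seconds)} for pairs that query on a
    regular timer: coefficient of variation of the gaps <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, ip, qname, _ in events:
        by_pair[(ip, qname)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = (len(stamps), round(mean, 1))
    return beacons


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for pair, count in top_pairs(ev):
        print(count, *pair)
    for (ip, qname), (count, gap) in find_beacons(ev).items():
        print(f"beacon: {ip} -> {qname} every ~{gap}s ({count} queries)")
```

The jitter threshold is the knob: a camera heartbeat or a C2 check-in lands within a few percent of its period, a human browsing the same site does not. Run it over a day of logs rather than the eight constructed lines here, and raise min_queries so that a few coincidental revisits do not trip it.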

------
Havoc
That seems like a bit much. I think getting people to run a raspberry and pi-
hole is a much more realistic aim in terms of usefulness and creating
awareness.

Plus it's been pretty eye opening. I'm running uBlock Origin and Privacy
badger...and still the pi-hole filters 25% of my traffic. A full fkin quarter
after adblockers...

~~~
elagost
Pi-Hole is great as a caching mechanism and is easy enough for non-techie
friends and family to use (just make sure you have it auto-update for them, or
do it yourself once in a while).

Bind9, a true dns server, doesn't provide the privacy enhancements that pi-
hole does and it is much more opaque for normal users. I think you're right -
it's much easier to look at targets that are a little easier to hit rather
than suggesting a bind9 setup to everyone. I have the know-how to do both, and
I prefer pi-hole anyway!

------
js2
I run dnsmasq at home talking to Google DNS via DoH. I’ve been thinking about
running my own recursive resolver but that theoretically lets my ISP see all
my DNS lookups.

I think as a compromise I’ll run my own recursive DNS on a digital ocean
droplet and point my local dnsmasq instance at that.

~~~
wahern
So you're cool with Google, a company whose primary business is tracking
people, seeing all your DNS, but not your ISP, whose primary business is
delivering network access, notwithstanding their bumbling efforts to branch
out.

Now, Google does claim they don't track DNS requests. But consider why that
is? Once upon a time they didn't scan Gmail content either, but that was
before GMail dominated the webmail space.

What do you think is going to happen once DNS becomes centralized? If it's
taken too far we won't be able to go back. And it can easily go too far.
Chrome and Firefox are ubiquitous enough that if they succeed in removing
local resolvers from the loop it will mean that the entire ecosystem will have
transformed to accommodate them. Software stacks, configuration policies, etc
will have all evolved to disfavor niche use cases and favor Google,
Cloudflare, etc.

ISPs can already see the IP address we're all connecting to, and the
correlation between domains and IPv4 addresses is more than strong enough to
provide the necessary information for commercial profiling. IPv6 will
virtually make it 1:1. (So Encrypted SNI likewise provides little benefit.)

The shift to TLS accounts for 90% of the potential capacity for avoiding ISP
snooping, short of VPNs or TOR. That last 10% comes with a _huge_ price tag.

~~~
throwawaygoog10
Disclaimer: I work for Google, but not on DNS or Gmail.

> Now, Google does claim they don't track DNS requests. But consider why that
> is? Once upon a time they didn't scan Gmail content either, but that was
> before GMail dominated the webmail space.

You seem to assume that it's a singular organization with a unified agenda,
but this really isn't the case. It's the same thing about when folks assume
Google looks at your Drive files to recommend ads to you -- it isn't true,
there's different motives there.

Drive: we want to sell you storage, your data isn't scanned (except for
viruses). Google DNS: speed up DNS, which improves load times, which improves
the overall web experience. Photos: Ditto, we want to sell you storage.

Performance is a feature, and most ISP resolvers are junk. Worse, many of
those resolvers like to inject their own NXDOMAIN pages. :\

You could argue that Google DNS does positively impact Ads, but only in the
respect that faster DNS resolution helps ads load faster too. Overall, I see
it as one of those "long term greedy" (my own words) strategies.

As a privacy-conscious Googler myself, I've taken a look at Google DNS to
convince myself that it's what it says on the tin. As far as I can tell it is,
but I don't expect you to take my word for it. What logging exists is
extremely temporary (short-term debugging.)

Re: Gmail, this isn't true either. Sure, there's still processing of your
emails (we receive your email, scan it for spam), but it isn't used for Gmail
ads. The public perception of this was so bad and the incremental improvement
in ad quality so low, that now ads just use your general ad profile. No email
scanning involved.

> Software stacks, configuration policies, etc will have all evolved to
> disfavor niche use cases and favor Google, Cloudflare, etc.

This is a different matter entirely, but this isn't _always_ a bad thing. I'm
thinking of TCP here, which has almost entirely been ossified by middleboxes.
Same for TLS -- TLS development has been hamstrung by these same kinds of
middleboxes and "protocol accelerators." This kind of incredible technology
position has allowed for the acceleration of HTTP/2 and the development of
QUIC (and therefore HTTP/3). Overall, Google has been incredibly open with the
development of these and worked to include everyone. I'm sure it's not always
that way. Can you bring up some examples where "niche use-cases" have been
locked out by Google-driven software stacks and configuration policies?

~~~
rsync
"Google DNS: speed up DNS, which improves load times, which improves the
overall web experience."

Oh, just stop.

It's even more disappointing to consider that _you believe this to be true_.

~~~
jusssi
As a counter-anecdote to your disbelief, I've enjoyed internet on an ISP whose
DNS servers were very slow. Slow enough for me to spend the effort to find out
what's the holdup between enter key and first paint. DNS responses were about
350ms, compared to 8.8.8.8 sub-20ms.

Edit: I should add that the slowness wasn't a peak hour thing, it was
consistent, all day, for several months.

Switching made my subjective experience better.

------
badrabbit
More protocols should be designed such that random willing individuals can
contribute to the core infrastructure? DNS was made in an era where just
anyone could run a DNS server for the public, hence the design choices.

------
ripdog
I live in NZ, and run my own DNS server. It's just unbound on pfsense, super
simple. The good thing is when my ISP started blocking websites after the
Christchurch attacks, I didn't even notice. (They were simple DNS blocks.)

~~~
maimeowmeow
What's the difference between a personal DNS server vs using Google and
OpenDNS? Aren't you resolving to that?

~~~
est
DNS protocol is largely a single UDP packet. In China the packet can be
sniffed and dropped according to its content.

So even if you switch to 8.8.8.8, your ISP can still tamper with it.
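
What est describes, the single cleartext UDP packet that a box on the path can read and drop by content, together with the EDNS client subnet option js2 says to enable when the recursive resolver is remote, as an added example that is not code from the thread or from any resolver. It builds an RFC 1035 query, optionally appends an EDNS0 OPT record carrying an EDNS Client Subnet option (RFC 7871), decodes the QNAME the way a passive sniffer would, and converts the same packet into the RFC 8484 DoH GET form. The names and addresses are constructed.

```python
"""What a DNS query looks like on the wire, with and without EDNS Client Subnet,
and as a DoH GET.

Added example, not code from the thread or from any resolver. It builds an
RFC 1035 query (header + question), optionally appends an EDNS0 OPT record
carrying an EDNS Client Subnet option (RFC 7871), decodes the QNAME the way
a passive sniffer or DPI box would, and converts the same packet into the
RFC 8484 DoH GET form. Names and addresses below are constructed.
"""
import base64
import ipaddress
import struct

QTYPES = {"A": 1, "AAAA": 28, "TXT": 16}
OPT_RRTYPE = 41
ECS_OPTION_CODE = 8


def encode_name(name):
    """Wire form of a name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt, offset):
    """Inverse of encode_name for an uncompressed name; returns (name, next offset)."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer: not valid in a question")
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length


def ecs_option(client_ip, prefix_len):
    """EDNS Client Subnet option: family, source prefix length, scope 0 and only
    the first prefix_len bits of the address (the rest are never sent)."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    addr = net.network_address.packed[:(prefix_len + 7) // 8]
    data = struct.pack("!HBB", family, prefix_len, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, qtype="A", txid=0x1234, ecs=None, udp_size=1232):
    """Standard query with RD=1. ecs=(client_ip, prefix_len) adds an OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs else 0)
    pkt = header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    if ecs:
        rdata = ecs_option(*ecs)
        # OPT RR: root owner name, type 41, CLASS = sender's UDP payload size,
        # TTL = extended RCODE / version / flags (all zero here), then RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, udp_size, 0, len(rdata)) + rdata
    return pkt


def sniff_question(pkt):
    """What anyone on the path reads from the cleartext UDP payload."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "has_edns": ar > 0}


def doh_get_path(pkt):
    """RFC 8484 GET form: the same wire bytes, base64url without padding, with
    the ID zeroed so identical queries share an HTTP cache entry."""
    enc = base64.urlsafe_b64encode(b"\x00\x00" + pkt[2:]).rstrip(b"=").decode()
    return "/dns-query?dns=" + enc


def doh_path_to_query(path):
    """Server side of the above: recover the wire query from the URL."""
    enc = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


if __name__ == "__main__":
    q = build_query("archive.is")
    print(sniff_question(q))            # QNAME is right there in cleartext
    print(doh_get_path(q))              # same bytes, but carried inside TLS
    q2 = build_query("archive.is", ecs=("203.0.113.77", 24))
    print(sniff_question(q2), len(q2), "bytes with ECS")
```

The three pieces line up with the thread: the question section names the site in cleartext, which is what a port-53 filter matches on; DoH and DoT carry exactly those bytes inside TLS, so the ISP sees only a connection to the resolver; and the ECS option is how a recursive resolver that is not near you (a droplet in another region, per js2) tells an authoritative CDN which network the client is actually on, sending only the /24, never the full address.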

------
fredsted
I run my own dns server (and a bunch of other stuff), but as secondary dns
with a hidden master. It lets me configure records how I want but with the
benefit of using my provider's international dns server network.

------
benj111
Is this the Paul Vixie of Vixie Cron fame?

Edit: To answer my own question. Yes it seems

[https://en.m.wikipedia.org/wiki/Paul_Vixie](https://en.m.wikipedia.org/wiki/Paul_Vixie)

------
merb
well basically running your own dns server, might be better for privacy,
however security might be worse if you are lazy. if you do not keep your stuff
up to date you will be more in trouble and have probably less privacy. (the
same with mail servers, etc..) of course the more tech savvy and time you have
the less of an issue it will be.

------
scarejunba
Did this for over a decade. Kinda easy but also pointless. I'm switching to
Google Cloud DNS.

------
mmaunder
This site is a paywall no matter if I go incognito or use the web link. Am I
missing some ninja magic? Is it ok to be irritated by this?

Haven't been able to read the article but is it referring to this Nov 2018
tweet?

[https://twitter.com/paulvixie/status/1063843157668970496?s=19](https://twitter.com/paulvixie/status/1063843157668970496?s=19)

~~~
spudlyo
It's ok to be irritated by this. I ended up reading it in links[0] initially,
which is usually my go to. After reading your comment I decided to install
Firefox 66 (which I've been meaning to do anyway), where NoScript is
apparently still a thing. No Javascript, no annoying popovers.

[0]:
[https://en.wikipedia.org/wiki/Links_(web_browser)](https://en.wikipedia.org/wiki/Links_\(web_browser\))

------
Thorrez
Isn't there a distinction between a DNS server and a DNS resolver?

------
drudru11
Paul probably has really nice internet access.

Most people in the USA have really poor access for running services. I have
constant problems with Comcast myself.

One day when we have fiber and static ipv6, then we can run mail, IRC, Http,
dns, etc.

------
chunsj
Whatever DNS you have, a Government like the South Korean one will tap, monitor
and censor it as it wants to.

------
decimalplace
The article is behind a paywall for me. Will somebody post the full text?

------
WhatTheHomePod
Isn't there such a thing as a decentralised DNS client?

