
But who runs a DNS server? 99% of users only do DNS resolution and for that you don't need to run a DNS server on your system.


Many people run a DNS server to cache DNS responses locally. And they don’t want to expose the DNS server publicly. systemd-resolved does that, you can’t even expose it accidentally.

But many distros actually install a DNS server by default, usually unbound or BIND9, and while some bind it to localhost, many bind it to all interfaces.

As you said, that’s not necessary for most users, yet, major distros do it.


> cache DNS responses locally

I believe there is a built-in solution in glibc:

http://prefetch.net/blog/index.php/2011/03/27/configuring-ns...


Which distros install a DNS server (and enable it) by default? I've never seen this.


dnsmasq has been installed as a local DNS cache on Ubuntu and other Debian derivatives for many years. /etc/resolv.conf normally points at localhost.


It only listens on localhost though (127.0.1.1 by default), so it's not possible for it to be abused for DNS amplification attacks.


IIRC dnsmasq still listens on all interfaces for some reason


Which is exactly the issue I mentioned.

You get on some distros by default something that makes you subject to DNS amplification attacks.


It is supposed to reject requests from the addresses it does not listen on. I just found it strange that it binds on all interfaces regardless.


I’ve noticed it respond with an error packet – which ended up being used for DNS Amplification nonetheless.


I thought DNS was connectionless? Don't all DNS clients have to bind to UDP port 53 to function correctly?


It's not the port that matters; it's the interface. A caching DNS service for a simple desktop experience should only be listening for queries on the localhost interface (lo).
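An added check, not posted by anyone in this thread: the shell function below parses `ss -lun` style output and reports UDP/53 sockets bound to the wildcard address, which is how the all-interfaces dnsmasq default discussed above shows up on a host; the function name and the embedded sample output are constructed for this example.

```shell
# Added example: find UDP/53 sockets bound to the wildcard address (reachable from every
# interface) in `ss -lun` style output. The function name and sample are constructed.
#
# Live use:  ss -lun | dns_wildcard_listeners
# dnsmasq fix (/etc/dnsmasq.conf): listen-address=127.0.0.1 together with bind-interfaces,
# so the daemon binds only loopback instead of 0.0.0.0/[::] plus per-packet filtering.

# Constructed sample in the default `ss -lun` column layout (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
UNCONN 0      0      [::]:53             [::]:*
UNCONN 0      0      0.0.0.0:68          0.0.0.0:*'

# Reads ss output on stdin; prints one line per wildcard-bound UDP/53 socket and nothing
# when every port-53 socket is tied to a specific address such as loopback.
dns_wildcard_listeners() {
    awk '
        NR == 1 { next }                          # header line
        {
            laddr = $4                             # "Local Address:Port" column
            port = laddr; sub(/.*:/, "", port)     # text after the last ":"
            host = laddr; sub(/:[^:]*$/, "", host) # everything before the last ":"
            if (port != "53") next
            if (host == "0.0.0.0" || host == "[::]" || host == "*")
                print "wildcard bind on UDP/53: " laddr
        }'
}

# Stand-alone demo over the constructed sample: flags 0.0.0.0:53 and [::]:53 only.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | dns_wildcard_listeners
```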


FreeBSD has named. In 9.0 it's BIND. In 10.0 & 11.0 it's Unbound.


You need to explicitly enable it, and it only listens on localhost by default.



