DNS server that compares answers?

Story: Alternative DNS services: pro and contra
Total Replies: 3
phsolide

May 19, 2011
2:42 PM EDT
I'm using DNSMASQ on my home network, just to aggregate DNS queries, and provide a little caching to us.

But dnsmasq only uses one DNS server at a time. Given that DNS servers seem like they're going to fall under the sway of Giant Immoral MegaCorporations, and start to "censor" domain names, how can I use two or more outside DNS servers, and get the local, caching/aggregating server to compare answers?

Do I need to hack on dnsmasq to do this? DNS is not my main area of expertise, so forgive me if this is a dopey question.
cr

May 19, 2011
5:36 PM EDT
According to the dnsmasq manpage, it already accepts a list of upstream nameservers, and iterates through the list until it gets a satisfactory response.

Any kind of voting-triplet system such as you're suggesting would most likely bring your Net access speed to its knees: that's three queries per resolution you're waiting for, all of which have to be in before the majority vote can be returned. If you've got an upstream nameserver that's lying about certain domains, you can now restrict things so that it never gets asked about them, if I've read the manpage correctly, but IMO your first step should be comparing cache-dumps derived from using different upstream nameservers so as to prove or disprove your supposition of guilt.

I've been using dnsmasq for roughly a decade, and I'm amazed at how much capability has been added into it since I first installed it. If you've been using it awhile too, I suggest you grab a fresh copy and see what all you can do with it now.
gus3

May 19, 2011
6:03 PM EDT
@cr, the initial queries after server/proxy startup would suffer from quorum-seeking slowdown, but caching could easily mitigate things over time. Data persistence in /var could help things, too.

(I already hear people saying, "So do it!". Sure, be my guest...)
cr

May 20, 2011
11:07 AM EDT
The way dnsmasq is set up, if someone wants to code up that triplet-voting resolver, it can be built as a stand-alone daemon, maybe on an aliased interface. Then dnsmasq is pointed at the voter, sending its queries to it, and the voter is pointed at those three different upstream nameservers. If you code it, do put in an option for logging all queries, their three responses and their resolve-times. Just saying.

@gus: One reason I keep those extra resolv.conf files on hand is so we can switch from one source to another, dodging lag, when the first one bogs down for whatever reason. In a small network setting (3 or 4 people here at present), my experience says that most DNS queries are going to be unique, so the lag will be in-your-face obvious most of the time. When that happens, so are the user complaints: "Is somebody bricking the Net with a download?"

I honestly think dodging lying nameservers is best done by analyzing what domains they lie about and then arranging the static configuration so as to never send queries about those domains to them. That means taking cache dumps first and processing them to see exactly what's being lied about.

Oh, and do investigate just what those blocked domains really do and thus why they're blocked. I keep a massive hosts file that redirects a bunch of ad-farms, click-trackers and malware sources to localhost, so I'm lying to local DNS queries myself, with good reason.
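The voter daemon cr sketches above, and the "never send that domain to the liar" configuration he recommends, in working form. This is an added example, not code from the thread or from dnsmasq: it fans each query out to every upstream, compares the answer sets (order-insensitive, so a rotated round-robin answer is not a disagreement), returns the strict majority, logs every server's answer and resolve time, and proposes the dnsmasq `server=/domain/ip` lines that route that domain only to the servers that agreed. The upstream addresses and the answers are constructed sample data in the RFC 5737 documentation ranges; the real UDP/53 lookup is an assumption left as a callable, so the block runs offline.

```python
"""Quorum-voting front end for several upstream DNS servers.

Added example: not code from the LXer thread and not part of dnsmasq. It
models the stand-alone "voter" daemon described in the thread: every query
goes to all upstreams, the answer sets are compared, the majority answer is
returned, and any upstream that disagrees is logged together with every
server's resolve time. From that it emits the real dnsmasq
'server=/domain/ip' lines that route later queries for that domain only to
the servers that agreed. The upstream addresses and answers below are
constructed sample data (RFC 5737 documentation ranges); no network is used,
the real lookup is an assumption supplied as a callable.
"""
import time
from collections import Counter
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed upstream list (assumption: three outside resolvers).
UPSTREAMS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]

# Constructed answers. One upstream "lies" about example.org; for example.net
# all three disagree, so no majority exists.
SAMPLE_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "192.0.2.1": ["203.0.113.10"],
        "192.0.2.2": ["203.0.113.10"],
        "192.0.2.3": ["203.0.113.10"],
    },
    "example.org": {
        "192.0.2.1": ["203.0.113.20", "203.0.113.21"],
        "192.0.2.2": ["203.0.113.21", "203.0.113.20"],  # same set, other order
        "192.0.2.3": ["198.51.100.99"],                 # the dissenting answer
    },
    "example.net": {
        "192.0.2.1": ["203.0.113.30"],
        "192.0.2.2": ["203.0.113.31"],
        "192.0.2.3": ["203.0.113.32"],
    },
}

LookupFn = Callable[[str, str], List[str]]
Result = Tuple[str, FrozenSet[str], float]  # (server, answer set, seconds)


def sample_lookup(server: str, name: str) -> List[str]:
    """Stand-in for a real UDP/53 query against 'server'; returns sample data."""
    return SAMPLE_ANSWERS.get(name, {}).get(server, [])


def query_all(name: str, lookup: LookupFn, upstreams: List[str]) -> List[Result]:
    """Ask every upstream, timing each; answers become sets so RR order is ignored."""
    results: List[Result] = []
    for server in upstreams:
        t0 = time.monotonic()
        rrset = frozenset(lookup(server, name))
        results.append((server, rrset, time.monotonic() - t0))
    return results


def vote(results: List[Result]) -> Tuple[Optional[FrozenSet[str]], List[str]]:
    """Majority vote over answer sets.

    Returns (winning set, dissenting servers). With no strict majority the
    winning set is None and every server is listed as dissenting; a real
    daemon should answer SERVFAIL in that case rather than guess.
    """
    tally = Counter(rrset for _, rrset, _ in results)
    winner, votes = tally.most_common(1)[0]
    if votes <= len(results) // 2:
        return None, [s for s, _, _ in results]
    return winner, [s for s, rrset, _ in results if rrset != winner]


def log_line(name: str, results: List[Result], winner: Optional[FrozenSet[str]]) -> str:
    """One log record per query: name, winner, then every server's answer and time."""
    fields = [name, "winner=" + ("NONE" if winner is None else ",".join(sorted(winner)))]
    for server, rrset, secs in results:
        fields.append(f"{server}={','.join(sorted(rrset)) or '-'}@{secs * 1000:.1f}ms")
    return " ".join(fields)


def dnsmasq_exclusion(name: str, dissenters: List[str], upstreams: List[str]) -> List[str]:
    """dnsmasq 'server=/domain/ip' lines sending 'name' only to agreeing upstreams."""
    trusted = [s for s in upstreams if s not in dissenters]
    return [f"server=/{name}/{s}" for s in trusted]


def resolve(name: str, lookup: LookupFn = sample_lookup, upstreams: List[str] = UPSTREAMS) -> dict:
    """Full path for one query: fan out, vote, log, and propose config lines."""
    results = query_all(name, lookup, upstreams)
    winner, dissenters = vote(results)
    print(log_line(name, results, winner))
    config = dnsmasq_exclusion(name, dissenters, upstreams) if winner is not None and dissenters else []
    return {"answer": winner, "dissenters": dissenters, "config": config}


if __name__ == "__main__":
    for qname in SAMPLE_ANSWERS:
        print(resolve(qname))
```

The `server=/domain/ip` lines are dnsmasq's own syntax and go into dnsmasq.conf; the rest of the block is the assumed voter. Two caveats worth knowing before building this: dnsmasq's real `--all-servers` option already forwards each query to every upstream, but it takes the first reply rather than voting, so it helps with lag and not with a lying server; and a name whose upstreams legitimately return different addresses (geo-aware CDNs) will look like a dissent, so treat the log as the starting point for the cache-dump comparison cr describes, not as automatic proof of censorship.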
