[kwlug-disc] CCC talk about DNS(ystem)

Doug Moen doug at moens.org
Thu Apr 9 09:25:48 EDT 2020


I answered my own question by googling it.
Here's the document I found: https://www.m3aawg.org/sites/default/files/m3aawg-dns-crypto-tutorial-2018-09.pdf

14.  What About Users Running Their Own Personal Dedicated Recursive Resolver?

At least some technically inclined users may also choose to run their own dedicated personal recursive resolver service. Doing so in a fully professional way involves a number of considerations:

 • To avoid flaunting routine "no server" terms of service for residential services, most consumer users will need to upgrade their current internet service plan to one allowing the user to operate a server. Alternatively, the user can purchase hosting from a third party Web hosting company for their resolver.
 • The user may also need to purchase a static IP from their ISP at additional cost.
 • The user will need to register a domain and arrange for authoritative name service for the domain or run an authoritative server of their own.
 • The user will need to purchase and correctly configure an SSL/TLS certificate from a commercial service provider, or perhaps, use the free Let's Encrypt certificate service.
 • The user needs to appropriately limit access to their server so that others can use it while also ensuring that it is not vulnerable to abuse by third parties (e.g., prevent the server from being unintentionally "open").

Contrast the above to-do list with the work involved when "I've got to install an app on my phone." The difference in technical effort and knowledge is noteworthy.

There is also the reality that running your own personal dedicated recursive resolver means that you potentially lose the ability to "hide in the crowd." The fact that you are running your own personal dedicated recursive resolver means that the stream of queries seen in conjunction with that resolver will all correlate 1:1 to you and you alone, or to you and whomever else you allow to use your dedicated recursive resolver such as your family members. One potential redeeming factor is that running your own dedicated personal recursive resolver may be so uncommon that few, if any, would even think to look for that traffic and monitor it. It may also be worth noting that if you are using a third party recursive resolver that sends EDNS Client Subnet extension (or uses other EDNS0 options to increase attributability), your ability to "hide in the crowd" may also be limited. See Appendix 3.

On Thu, Apr 9, 2020, at 10:57 AM, Doug Moen wrote:
> The question is: what if I don't rely on somebody else's DNS server, 
> but instead run my own. Let's say I don't rely on my ISP's server, or 
> on Google's 8.8.8.8 server, or on 1.1.1.1, or on CIRA's server, but 
> instead run my own. Let's assume I am sophisticated enough to use the 
> non consumer grade routers advocated by other KWLUG members, and that I 
> am capable of running my own instance of BIND as a recursive DNS server.
> 
> The criticism people make of using someone elses DNS server is that 
> they can see all of your traffic, they might be recording all that 
> information and profiling you, and they might be blocking access to 
> some domains or inserting advertising by redirecting requests. A 
> previous post asked why we should trust CIRA's server. So what if you 
> run your own server? Does anybody here do that for the reasons I just 
> mentioned?
> 
> On Thu, Apr 9, 2020, at 2:09 AM, Chris Irwin wrote:
> > On Thu, Apr 09, 2020 at 12:48:23AM +0000, Doug Moen wrote:
> > 
> > >What are the privacy and security implications of running your own DNS 
> > >server (BIND), as opposed to relying on your ISP's DNS servers?
> > 
> > You may already have a local caching DNS server if you're using a 
> > consumer router (dnsmasq, likely, instead of BIND). By default, it will 
> > just forward requests to your ISP, but you can change that in pretty 
> > much any router. (Whether you can enable/enforce DoT or DoH lookups on 
> > your router really depends on the firmware, and probably isn't common).
> > 
> > DoT would require you to configure your system to use it (applications 
> > have no control over it). That is one of several reasons DoH is gaining 
> > support in browsers, because Firefox can add encrypted DNS lookups into 
> > the software (and get more information about the responses as well) 
> > without "hoping" the system does it (most don't).
> > 
> > -- 
> > Chris Irwin
> > 
> > email:   chris at chrisirwin.ca
> >   xmpp:   chris at chrisirwin.ca
> >    web: https://chrisirwin.ca
> > 
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >
> 
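The last item in the quoted M3AAWG list (limit access so the server is not unintentionally "open") is the one most often got wrong in practice. As an added illustration, not taken from the thread, the M3AAWG document, or any of the posters, here is what that looks like in a BIND 9 `named.conf`, with the open-resolver setting shown commented out beside a restricted one. The `home` ACL name and the 192.0.2.0/24 network are constructed placeholders for whatever LAN or VPN range you actually operate.

```conf
// Added example for BIND 9, not code from the thread or from M3AAWG.
// "home" and 192.0.2.0/24 are constructed placeholders; substitute your own range.

// --- Weak: an open resolver, answers recursive queries from anyone on the internet ---
// options {
//     recursion yes;
//     allow-query     { any; };
//     allow-recursion { any; };
// };

// --- Restricted: recursion only for clients you control ---
acl "home" {
    127.0.0.0/8;        // the host itself
    ::1/128;
    192.0.2.0/24;       // placeholder for your LAN / VPN clients
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query       { home; };   // everyone else gets REFUSED
    allow-recursion   { home; };   // only listed clients may cause upstream lookups
    allow-query-cache { home; };   // cached answers are not handed to outsiders either
    dnssec-validation auto;        // validate answers rather than trusting them blindly
    rate-limit { responses-per-second 10; };  // response rate limiting as a backstop
    minimal-responses yes;         // smaller answers, less useful as amplification
};
```

After reloading, confirm from a host outside the `home` range that a recursive query is refused, and from inside that it is answered; `allow-recursion` alone is not enough, since without `allow-query-cache` an outsider can still read what the cache already holds.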