On Fri, Feb 26, 2016 at 11:04:49AM -0500, Curtis Maurand wrote:
> I run my own resolver from behind my firewall at my home. I don't allow incoming port 53 traffic. I realize there's not a lot of privacy on the net, but I don't like having my DNS queries tracked in order to target advertising at me and for annoying failed queries to end up at some annoying search page.
Likewise, and I don't like getting back forged DNS responses because some already-bloated ISP needs to tuck a few more dollars into their executives' paychecks. I've tested it fairly thoroughly in order to ensure that it can't be conscripted into an attack, and I do so again every time I make a firewall configuration change or a software upgrade. I've also started running local resolvers on portable systems in order to avoid the same set of problems when connecting to random networks. It often occurs to me that if the engineers of those networks invested the time that they spend corrupting DNS into preventing DNS-borne attacks, the entire Internet would be better off.

---rsk