1
I'm thinking about implementing more local stuff for performance, internet usage and also privacy. I like the idea of not having to rely on Google's 8.8.8.8 and 8.8.4.4 for my own DNS services (both for performance and privacy) and I like the idea of having a local mirror for my debian updates for my 40+ machines here instead... Back to the question: Many articles talk about having a Master and Slave server for DNS (BIND9) but I only really want one caching server or forwarding server.
Also trying to figure out my best option, forwarding or caching? Caching seems to make the most sense but they're both so similar...
The setup doesn't seem too difficult, but the choices are a bit confusing. See here and here, they've both left me a bit confused as to whether I need a Master and Slave or simply one independent server. Thanks all.
Tmanok
Posted 2018-02-13T21:04:32.677
Reputation: 78
THANK YOU for actually answering the question, sometimes a rarity about services nobody knows about but claims to know about. Thanks Anaksunaman, you wouldn't happen to know of any security flaws with DNS Caching servers would you? – Tmanok – 2018-02-14T08:22:03.597
1You're welcome and thank you. =) Regarding security, the basic issue with Caching configurations is that the resolution process can be exploited to cause problems by malicious third parties. This most often takes the form of things such as cache poisoning (which can spread to other DNS servers) or DNS amplification attacks (which are a type of distributed denial of service [DDoS] attack). Many of the security issues of a Caching configuration can be negated with proper access control lists (ACLs) to limit recursion (looking up domains) to local clients only and keeping your software updated. – Anaksunaman – 2018-02-14T09:34:55.573
1
That said, there are definitely more topics and more steps to take if you want to be vigilant about your security. If you want an extremely bare-bones overview of some of the security issues involved, you might want to look at this article. It also helps to keep in mind that publicly available servers used for providing DNS services for externally accessible domains (authoritative name servers) probably need a bit more scrutiny than those that perhaps provide only local domain names, regardless of recursion.
– Anaksunaman – 2018-02-14T09:43:02.333Actually funny you mention publicly available DNS servers I was really wondering what using [https://public-dns.info//nameserver/ca.html] one of these would do if anything positive / negative to my network. Evidently I don't see Google going down but I do see them tracking my results and making a small profit and invasion of privacy from that. – Tmanok – 2018-02-15T04:55:17.140
1It would depend entirely on the servers you chose, I'd say. Performance wise, it would most likely come down to geographic location (how close are they to you?), infrastructure (is their equipment actually better than yours?) and cache size (how many requests do they serve?). Cache size is the most likely area I see where there might be an advantage. But if they are servicing a bunch of request that aren't cached (you aren't visiting a lot of sites others are), then that advantage is diminished. Equipment is a real tossup and you can never get geographically closer than where you are now. – Anaksunaman – 2018-02-16T02:22:09.863
1From a privacy point of view, its a matter of trust. I would imagine that many of those providers are not Google -- but that's not guaranteed. You might also consider safety concerns -- you are arguably relying on them to keep their servers safe (or safer than you can keep your own), which may or may not be a reasonable expectation. I am not saying any service on that list is "bad" (and being smaller might even prevent some targeted mischief) but it's probably as much of a gamble as using any other third-party provider. – Anaksunaman – 2018-02-16T02:35:54.650