
Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 13:40 UTC (Thu) by lambda (subscriber, #40735)
Parent article: Fedora mulls providing a local DNSSEC resolver

I like this idea from a security standpoint. But there are going to be a lot of practical problems implementing this for laptop users.

For one, many wifi hotspots rely on DNS hijacking to present you with the login page. This will mean that you never see that login page, and thus are never allowed to log in to stop your packets from being blackholed.

For another, content delivery networks like Akamai use your DNS request to figure out what network you're on, and thus direct you to a topologically close server. They keep a big map of the most common DNS resolvers on the Internet, with metrics for how close each of those networks is to each of their data centers. If you're running your own resolver, you won't be in their database and thus will most likely get a more generic result. There are other techniques used to mitigate this somewhat, but it's still likely that you'll get somewhat worse performance for content hosted on CDNs if you run your own personal resolver rather than using your ISP's.


to post comments

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 20:22 UTC (Thu) by Comet (guest, #11646) [Link]

Hotspot handling is managed by the dnssec-trigger project, related to unbound, and RedHat people can be seen on the mailing-list for that project, providing patches.

dnssec-trigger is a rather nice cross-platform tool. http://www.nlnetlabs.nl/projects/dnssec-trigger/

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 23:03 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

> For one, many wifi hotspots rely on DNS hijacking to present you with the login page.

The ones I've run into resolve DNS to IP addresses correctly. It's just when you try to connect to a website or whatever that the gateway redirects your browser session to their web server.

Or at least that is how they seem to work.

I know this because it's possible to tunnel TCP/IP over DNS...

Fedora mulls providing a local DNSSEC resolver

Posted May 23, 2014 15:25 UTC (Fri) by raven667 (subscriber, #5198) [Link]

I've seen a captive portal that works via DNS hijacking, or at least the DHCP response to clients in the pre-auth network assigns the captive portal box as the DNS server, and the DNS server on the captive portal box responds to everything (except for a few resources allowed to unauthenticated users) with its own IP address. This architecture doesn't require the captive portal to be in-line or in the same layer 2 network as the clients, which helps with scalability.
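An added example, not code from the thread or from dnssec-trigger, of how a client could recognise the resolver behaviour lambda and raven667 describe: a portal box that answers every query with its own (usually private) address, versus the case where a local validating resolver refuses the forged answers and the application simply sees nothing resolve. The sample answers are constructed (RFC 1918 and RFC 5737 documentation addresses), and the "three unrelated names sharing one address" threshold is my assumption, not something the thread specifies.

```python
from collections import Counter
from ipaddress import ip_address

# Unrelated names that should not normally share one address.
PROBE_NAMES = ("www.example.com", "lwn.net", "nlnetlabs.nl", "fedoraproject.org")

# Constructed sample data, not real lookups.
# Pre-auth hotspot resolver of the kind raven667 describes: the portal box
# answers for everything with its own address.
HIJACKED_ANSWERS = {name: ["10.1.0.1"] for name in PROBE_NAMES}
# Ordinary network: unrelated names resolve to unrelated public addresses.
NORMAL_ANSWERS = {
    "www.example.com": ["192.0.2.10"],
    "lwn.net": ["198.51.100.20"],
    "nlnetlabs.nl": ["203.0.113.30"],
    "fedoraproject.org": ["203.0.113.31", "203.0.113.32"],
}
# What an application sees behind a local validating resolver when the portal
# forges answers for signed zones: the validator refuses them, nothing resolves,
# and (as lambda notes) the user never gets to see the login page.
VALIDATOR_REFUSED = {name: [] for name in PROBE_NAMES}


def classify(answers, min_shared=3):
    """Classify a batch of A-record answers keyed by queried name.

    Returns a dict with:
      verdict        'hijacked', 'unresolved' or 'ok'
      shared_address the address most names agreed on when hijacked, else None
      shared_by      how many distinct names returned that address
      private        whether the shared address is RFC 1918 / link-local, which
                     is typical of a portal box sitting on the pre-auth network
    min_shared is an assumed threshold (hypothetical, not from the thread).
    """
    hits = Counter()
    for name, rrset in answers.items():
        for addr in set(rrset):          # count each address once per name
            hits[addr] += 1
    if not hits:
        return {"verdict": "unresolved", "shared_address": None,
                "shared_by": 0, "private": False}
    addr, n = hits.most_common(1)[0]
    hijacked = n >= min_shared
    return {"verdict": "hijacked" if hijacked else "ok",
            "shared_address": addr if hijacked else None,
            "shared_by": n,
            "private": ip_address(addr).is_private if hijacked else False}


if __name__ == "__main__":
    for label, data in [("hotspot pre-auth", HIJACKED_ANSWERS),
                        ("normal network", NORMAL_ANSWERS),
                        ("behind local validator", VALIDATOR_REFUSED)]:
        print(f"{label:24s} -> {classify(data)}")
```

The "unresolved" branch is the interesting one for the Fedora proposal: a validating resolver turns the portal's forged answers into SERVFAIL, so a client-side check like this (or the probing that dnssec-trigger does) is what tells the user "you are behind a portal, go log in" instead of leaving them with a network that silently resolves nothing.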


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds