D'Arcy J.M. Cain wrote:
> On Tue, 6 Nov 2007 11:39:08 +0100
> Martin Husemann <martin duskware.de> wrote:
> > On Mon, Nov 05, 2007 at 05:10:46PM -0500, D'Arcy J.M. Cain wrote:
> > > Let's say that I have a DSL modem that picks up my ISP's nameserver
> > > automatically and I use the modem's DNS server on my NetBSD box behind
> > > the modem.
> >
> > Probably stupid question:
>
> Certainly not stupid.
>
> > isn't it a lot easier to just not use that modem's DNS cache at all and
> > run your own caching dns on the machine where you'd put the /etc/hosts
> > lines in (in your example)?
>
> For you and I, probably. Is that level of expertise our requirement
> for using NetBSD? I would like to think that our system is usable by
> people whose expertise lies elsewhere. I know that it is a small fence
> but it is a fence nonetheless.
>

The level of expertise required here is anything but simple.

To even have a chance at making something like this usable by
non-experts would require:
- hard coding in a domain name to the DHCP client that it knows will fail,
  such as www.verizon-bites-my-ass.netbsd.org (*we* have to have
  ultimate control over the name);
- do a query for said name when dhcp-client receives an answer with
  DNS servers, sending a query to each server;
- verify that NXDOMAIN is returned by each server or;
- have a list of alternative DNS servers hard coded in somewhere to use
  instead.

While we can possibly come up with code to do 1-3, doing 4...how?
How do we choose suitable DNS servers for everyone in the event
that their ISP does this?

Even then there are implied privacy issues with always querying for a
.netbsd.org name (think about it.) Why not use a totally bogus domain
name as the target like www.no-such.domain.exists? That is believably
false and maybe Verizon could be smart about what they do if lots
of people started to use something that was obviously not a real DNS
name as a canary.

But realistically, this isn't a problem for NetBSD to solve.

One might also ask the question of why it must be a different
experience for NetBSD users vs others.

The problem is an anti-social ISP and as anyone who's been on the
Internet for long enough knows, you cannot solve social problems
by using technology - you can only push them around.

Darren
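
The canary check from steps 1-3 of the message above, as an added example that is not part of the original post and not NetBSD or dhclient code. The function names and the `fake_reply` sample builder are hypothetical; the canary name is the one suggested in the message.

```python
import secrets
import socket
import struct

CANARY = "www.no-such.domain.exists"  # bogus name proposed in the message
NXDOMAIN = 3                           # RCODE 3 in RFC 1035

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid):
    """Return 'nxdomain', 'rewritten' or 'inconclusive' for a canary reply."""
    if len(response) < 12:
        return "inconclusive"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID, or not a response at all
        return "inconclusive"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "nxdomain"                  # resolver answered honestly
    if rcode == 0 and ancount > 0:
        return "rewritten"                 # NOERROR plus answers for a bogus name
    return "inconclusive"                  # SERVFAIL, REFUSED, empty NOERROR

def check_resolver(server, name=CANARY, timeout=2.0):
    """Send the canary query to one DHCP-supplied resolver and classify the reply."""
    qid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:                    # timeout or unreachable server
            return "inconclusive"
    return classify(data, qid)

def fake_reply(query, rcode, answers):
    """Constructed sample data: reply header plus echoed question, no records."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, answers, 0, 0) + query[12:]
```

A result of "rewritten" only detects the behaviour; it does not answer step 4, which resolvers to use instead.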