Domain: unbound.net
Stories and comments across the archive that link to unbound.net.
Comments · 30
-
Re:DNS blocking
Check out Unbound. You can run it on your local Windows PC as a service. Or if you want to make it available to your LAN, run it on your OpenWRT router.
It is a bit silly that a correct implementation of a DNS resolver is all you need, but that won't last: They'll learn and improve their censorship infrastructure.
-
Re:is anyone using it?
-
Re:/etc/hosts file paranoia
Unfortunately no, you can't use wildcards in hosts files. You can however set up your own DNS resolver to block entire domains with all their subdomains. It's really quite easy, even on your Windows desktop system, and you get DNSSEC verification on top: Unbound. If you use an OpenWRT router, you can install Unbound there and block domains for all your devices in one go.
-
Re:My opinion
I posted about this before and I will probably have to post this again: Where's this alternative to DNS everyone keeps talking about on Slashdot?
If you don't like what the ICANN is doing, (shameless plug) it's pretty easy to download and install an open-source (BSD licensed) recursive DNS server (even on Windows), then use the program to blacklist ICANN's new domains.
If you don't want to use my program, I am sure other DNS servers, such as Unbound and BIND (which usually comes with Linux) have similar capabilities.
-
Re:This story is ...
DNS is really boring today, but let me tell you, between 1999 and 2001, DNS was a much more interesting topic.
Back then, there were two DNS servers out there:
- BIND, which was horribly insecure and one of the more significant causes of remote root access security holes
- DJBDNS, which was and by and large is secure, but had a weird maybe-not-open license and lots of quirks
LWN has a good article from that era to give people an idea how limited choices were with open-source DNS servers. Since then, we got Unbound and NSD, PowerDNS, and (shameless plug warning) MaraDNS (there are also a lot of DNS server projects which never were finished or were abandoned years ago, such as OakDNS, Dents, Posadis, etc.)
The idea behind DNSSEC is that it is, within a margin of error (I'm already awaiting a somewhat pedantic correction from a neckbeard), the HTTPS of DNS: It makes it impossible (cue neckbeard pedantic correction) to spoof a DNS reply. DNS without DNSSEC is like HTTP without HTTPS: There are security issues where an attacker can make someone go to the wrong web site.
(Yes, I am aware of DNScurve. I'm also aware that, like Esperanto, the best idea doesn't always win--or even get implemented in a mainstream DNS server)
(Slashdot: 2001 called and wants its lack of Unicode support back. Why can't I use smart quotes or real em dashes in my replies?)
-
Re:Yeah, right
Like you would have blinked an eye if I had just given you the HTTP link. The certificate is issued by CACert, a "peer to peer" certificate authority, and the common name is *.nlnetlabs.nl, the domain of the authors of Unbound. If that scares you, perhaps messing with DNS isn't for you anyway.
-
Re:Yeah, right
That's why you should run your own recursive DNS resolver and override entire zones. I recommend Unbound. It runs on Windows too.
*click link*
"The site's security certificate is not trusted! You attempted to reach www.unbound.net, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications."
-
Re:Yeah, right
That's why you should run your own recursive DNS resolver and override entire zones. I recommend Unbound. It runs on Windows too.
-
Re:OK for me on Virgin
I've got Virgin, it _is_ blocked for me at 22:32 GMT. I run my own DNS resolver (unbound).
The piratebay block is ip level not dns level, this appears to be the same. No idea why it works for you guys and not me?
Anyway, time to add it to the foxyproxy list to go via tor.
-
Re:8.8.8.8
feel free to operate your own resolvers
I do. It's easy.
-
BIND alternatives
Since this is about BIND, let me start the inevitable thread about the BIND alternatives.
BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It's also a big binary and sometimes difficult to configure. CVE
Unbound and NSD are a suite of DNS servers from the same people. One (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE Unbound CVE
PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE
MaraDNS. I think it's the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy to configure; tiny binary suitable for embedded systems. CVE
DjbDNS. Great tiny two-program DNS suite. Hasn't been updated since 2001 and yes, it has security problems (I'm already taking bets that a follow-up to this post will pretend DjbDNS is magically perfectly secure). Zinq is a currently maintained unofficial fork.
There are many many other DNS servers, both open source and non-open source. Rick Moen has a great list of the open-source ones
-
Re:10 years ago
Let's not forget Unbound, which may be faster than MaraDNS's 2.0 recursive resolver. Then again, I just got some funding from a sponsor to work on speeding things up. Also, Unbound has DNSSEC -- something MaraDNS doesn't have.
And, of course, there is Power DNS, another excellent DNS server.
Then again, there's something to be said for being able to set things up using only a three-line configuration file and a 64k binary, which works nicely for embedded places like OpenWRT where Unbound and PowerDNS won't fit.
- Sam
-
Re:Does Verizon FiOS do it?
Cox has its own redirection. Easily fixed by putting in 4.4.4.4 and 8.8.8.8 into your DNS servers. However, this seems more invasive and abusive.
Running your own caching resolver is really not difficult. Personally I use Unbound but there is no shortage of choices.
I do need my ISP to provide me with a pipe and an IP address. That's inherent in the arrangement. But everywhere I have a choice in the matter, I see no good reason to depend on them to do the right thing. They obviously have multiple temptations to do otherwise.
-
Missed the easiest
Run your own recursive DNS resolver with DNSSEC validation. I recommend Unbound, because it's easy to set up and it runs on Windows and Linux.
Granted, it is technically still possible to censor your results by intercepting your DNS packets, but if implementations of DNS censorship in other countries are any indication, running your own resolver works nicely.
-
Re:IPv6 day using IPv4 addresses?
You must have a Google-white-listed DNS server. I have an IPv6-enabled workstation and DNS server, however I get no AAAA record back for ipv6.l.google.com.
Your IPv6 is broken, then.
    $ dig AAAA ipv6.l.google.com
    [...]
    ;; ANSWER SECTION:
    ipv6.l.google.com. 300 IN AAAA 2001:4860:8001::69
Running Unbound on Debian, no special configuration.
-
Re:Maybe we should get some software support?
Here's what I do on Windows XP: Use Unbound as a local recursive, caching and validating resolver that returns an error when a signature doesn't validate. The DNS in my network connections points to 127.0.0.1.
-
Re:No surprises here
I use a recursive resolver on my computer (Unbound) and have this in its config file:
local-zone: "facebook.com." static
local-zone: "googlesyndication.com." static
local-zone: "google-analytics.com." static
local-zone: "doubleclick.net." static
and quite a few more. These entries create zones which are empty and override the real zones. As far as my computer is concerned, facebook.com does not exist and none of its subdomains either.
-
Re:For the rest of us...
That is not generally true. Clients should not configure root servers as one of their recursive resolvers. There's nothing wrong with using root servers as non-recursive resolvers though.
I recommend running Unbound locally. Unbound is a small recursive resolver which validates records with DNSSEC. You can run it as a service on your Windows machine and point your "DNS" to 127.0.0.1. This way your computer does all the cryptographic checking. It will talk to the root servers directly, but only infrequently (thanks to caching) and only for a few records (the name servers of the top level domains).
-
Re:Why?
Unfortunately DNS is still mostly unauthenticated. It's a connectionless protocol, so it's easily redirected. There are quite a few networks where packets to port 53 will always end up at the ISP's DNS server. Should you decide to use a different port, there's certainly a deep packet inspection rule waiting to be activated to catch that too. It's time for DNSSec and opportunistic encryption with DNS-supplied keys. (I should note that SSL keys in DNS are a real killer application for DNSSec, so ISPs won't be able to just disable DNSSec.)
That said, for now most people who care about this kind of stuff can work around meddling ISPs by using a public DNS server (not OpenDNS, they redirect www.google.com) or running a DNS server locally (here's one for Windows: Unbound).
-
But what about the bloat?
-
Re:NLnet Labs software
Let's just compare the performance, reliability, scalability, and security between Nominum's products and NSD and Unbound. For the moment, have a look specifically at Wouter's presentation from RIPE a year and a half ago for a beta version of Unbound, which shows it handling double the number of queries per second of PowerDNS and Bind9 (start at page 11). We're now at version 1.3.3, and I've got an entry-level 1u Xeon server that will handle about 10kqps before slowing down with an Unbound config that took me all of an hour to learn, configure, and tune for optimum performance.
BTW, credit where credit is due, I've got to say thanks to Nominum for open-sourcing their DNS performance testing tools, which was what I used to test my Unbound setup. I think this marketing campaign is a result of the right hand not knowing what the left hand is doing, as PowerDNS et al. were not created in a vacuum and certainly rely on open-source libraries for various things.
This is a troll? The cluefulness ratio here has gone down so far...
-
Roll your own, it's easy.
Instead of migrating from one punk who pulls this stunt to the next, quit using someone else's recursive resolver and run your own: Unbound - a validating, recursive, and caching DNS resolver. Available for Unix and Windows.
-
Re:There is a curious lack of small DNSSEC resolve
Windows 7 and Windows Server 2008 R2 have one built in, and Unbound is a smaller DNSSEC aware resolver for Unix like OSs.
-
sensationalist nonsense - use 0x20 now!
Stupid sensationalism.
You can right now use draft-vixie-dnsex-dns0x20 to protect against the kaminsky bug. This option is already available in the unbound nameserver.
Talking about totally talking out of context. Fools!
If IETF does something to mitigate, the unbelievers scream "see we don't need dnssec"
If IETF does not do something, the unbelievers scream "you're blackmailing us into dnssec"
Stop whining and put your foot where your mouth is.
-
More sites need to implement DNSSEC,
Especially the TLDs. Very few TLDs have DNSSEC which would make this attack practically impossible. IPv6 would allow for more source addresses as well, which is discussed in the link below. If you run a recursive resolver I highly advise using Unbound. It is the most secure resolver I know of and has an incredible amount of thought put into it (without BIND's bloat). It has many provisions for DNSSEC-less zones. See: http://www.unbound.net/documentation/patch_announce102.html
-
IE6
Their page does not render correctly on IE7. The main paragraphs are partially hidden by the right hand pane.
If they cannot even code their web pages to work with the main web browser out there then I cannot trust their claims of their implementation of DNS being so secure.
-
It's not...
...a DNS-Server.
Taken from here: Unbound is a validating, recursive, and caching DNS resolver. Huh, frontpage-information is always quite hard to get.