Boffins supercharge the 'hosts' file to save users plagued by DNS outages

The venerable Domain Name System (DNS) is becoming known for fragility, and keeping track of your own favourite sites' IP addresses is a pain. So a group of researchers want to automate the upkeep of hosts to give users an emergency backup if their provider blacks out. The idea is that DNS records could be double-checked …

  1. Anonymous Coward

    Missing the obvious solution?

    Erm, why not simply use one of many DNS services out there, for the secondary DNS value in case of failure of the primary one? Even consider replacing the primary DNS this way too if you get many issues.

    1. Hugh McIntyre

      Re: Missing the obvious solution?

      My first thought was also "why not just use a caching resolver, if the primary is not available?". If the default TTL is 1 day, small outages for common domains should be survivable.

      But this proposal seems to be solving a different, non-outage problem, i.e. ignoring malicious changes for common domains if you think it's more likely the domain owner didn't change its IP addresses. For example, people redirecting nytimes.com to a malicious IP address.

      The problem remains how to distinguish intentional changes by domain owners from malicious ones. It does seem that signing DNS replies by the owner (with DNSSEC) would be a cleaner solution.

      1. Sir Runcible Spoon

        Re: Missing the obvious solution?

        It would be nice to have a local backup of DNS resolutions and a lightweight application that can check if your current (live) resolution matches that of the recorded one.

        If it discovers a mismatch, it flags the discrepancy, leaving you to go and discover if it's a deliberate change, or a hijacking.

        I could live with that (mind you, when I used to run Vista I never turned off that 'are you sure' button that came up every time you tried to run something - for some reason I actually preferred having to click 'yes' than having some toe-rag hijack my system :))

    2. tentimes

      Re: Missing the obvious solution?

      What usually happens though is that Primary and Secondary DNS are provided by the ISP automatically to the modem/router. I would say this is the case in well over 90% of DNSs set.

      If there was a simple system that backed up DNS records this would help.

      Yes, maybe I am being silly and should go off now and set my DNSs manually?

      1. Peter2 Silver badge

        Re: Missing the obvious solution?

        "What usually happens though is that Primary and Secondary DNS are provided by the ISP automatically to the modem/router. I would say this is the case in well over 90% of DNSs set.

        Yes, maybe I am being silly and should go off now and set my DNSs manually?"

        Yes. Set a dozen DNS servers on your modem or firewall and then forget about it. If you've not got those options because you're a home user then go to the screen in Windows where you can enter your DNS details, press the Advanced button and select the DNS tab. You can stuff as many servers in there as you want.

    3. Naselus

      Re: Missing the obvious solution?

      In case of a cascading poisoned DNS from the root servers? The idea appears to be an outside-system backup, after all, and so would really only apply in case of a catastrophic DNS failure that kills the whole system, from the 13 root servers on down.

      An analogy would be the difference between Business Continuity systems and Disaster Recovery methods. Adding secondary DNS is a BC measure - it makes the system as a whole more resilient by offering a redundant part that offers identical functionality, but is still part of the system in question. The system being suggested is more like an off-site DR backup - it is entirely independent of the live system and so shouldn't be impacted by a catastrophic failure.

      So yeah, I don't think this is so much an idea for saving us if individual servers go down, it's about if the whole DNS infrastructure blows up (as unlikely as that is, since DNS was literally designed to survive nuclear warfare).

      1. Anonymous Coward

        Re: Missing the obvious solution?

        That's exactly the scenario being addressed here. It's also less than theoretical as the US government has expressed an interest in an Internet off-switch and, personally, I've investigated exactly how one would execute various attacks on the Internet infrastructure every few years since the mid-90's.

        [My mind is, quite often, a very dark place.]

        1. Sir Runcible Spoon

          Re: Missing the obvious solution?

          "I've investigated exactly how one would execute various attacks on the Internet infrastructure every few years since the mid-90's."

          Whenever I do that I always come back to two answers:

          1. DNS

          2. BGP

    4. Anonymous Coward

      Re: Missing the obvious solution?

      ... but also missing the obvious problem that, in China, DNS requests are captured and resolved by the local DNS servers, regardless of what you've set in your device or router. You might ask for Google and still get 163.com.

  2. lafnlab

    China?

    So, does this strengthen or weaken the Great Firewall of China?

  3. hmv

    Well if you have a single DNS server on your domestic router that has a last generation embedded processor running an outdated version of BIND and a config file set up by a trainee, then it's hardly surprising that DNS looks a little fragile.

    To those of us who know what we're doing, it's as solid as a rock.

  4. Arthur the cat Silver badge

    the system's fingerprinting breaks on sites that use HTTPS

    Given that there's a push towards https everywhere, and the combination of Let's Encrypt's freebie, low-fuss certificates and Google down-rating non-https sites, this is a solution which probably won't last long even if it is adopted. I suppose it might do until DNSSEC is rolled out more widely, but I'm generally suspicious of sticking-plaster solutions.

    1. Anonymous Coward

      Re: the system's fingerprinting breaks on sites that use HTTPS

      Not only that, but the system as described only works on the host you're using, or you have to integrate it with your router, then route all your traffic through it for the full effect. Much better solutions are listed in the comments above; like just use alternate or more DNS servers in your router config. I guess if you're extra paranoid you can run something like this, but do it all yourself with a few scripts to siphon off the DNS hits, then populate, or use it to verify, your own caching DNS. I can see feeding a /etc/hosts file directly for a Mac, Linux, or even Windows to support this, but you must also provide for your mobes, so traffic capturing and local DNS would be a must. YMMV.
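      Added example (not code from the article, the researchers or any commenter): a small Python sketch of the "local backup of DNS resolutions" that Sir Runcible Spoon describes above and the "feed an /etc/hosts file, then use it to verify" approach in the comment just before this. It snapshots resolutions in hosts-file format, later compares live answers against the snapshot and flags every mismatch for a human to judge; the names and addresses in the test are constructed (RFC 5737 documentation ranges), and the default resolver is just the system's `getaddrinfo`.

```python
"""Hosts-file snapshot of DNS answers plus a checker that flags live answers
which differ from the snapshot.  A mismatch is only a discrepancy to look at;
the code cannot tell a legitimate IP move from a hijack by itself."""
import ipaddress
import socket

def to_hosts_format(resolutions):
    """Serialise {name: {ip, ...}} as hosts-file lines, one line per address."""
    lines = []
    for name in sorted(resolutions):
        for ip in sorted(resolutions[name], key=ipaddress.ip_address):
            lines.append(f"{ip} {name}")
    return "\n".join(lines) + "\n"

def parse_hosts(text):
    """Parse hosts-file text into {name: {ip, ...}}; comments and blanks are skipped."""
    recorded = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            recorded.setdefault(name.lower(), set()).add(ip)
    return recorded

def live_lookup(name):
    """Default resolver: every IPv4 address the system resolver returns for name."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}

def check(recorded, resolve=live_lookup):
    """Compare live answers with the snapshot.  Returns {name: (status, live_ips)}.
    'ok'         every live address was already recorded
    'changed'    at least one live address was never recorded: investigate
    'unresolved' the live lookup failed, so the snapshot is the fallback"""
    report = {}
    for name, known in recorded.items():
        try:
            live = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            report[name] = ("unresolved", set())
            continue
        status = "ok" if live <= known else "changed"
        report[name] = (status, live)
    return report
```

      Pass a different `resolve` callable to `check` to compare against a specific upstream server, and treat a 'changed' entry as a prompt to investigate rather than as proof of hijacking.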

  5. Crazy Operations Guy

    I've set up my own DNS servers

    I grabbed a pair of old Pentium-4 boxes loaded with OpenBSD and a cron job to wget the root.zone file from internic.org, place it into nsd's zone directory, then kill -HUP nsd. I get my own root server and only a failure of an entire TLD's DNS server would cut me off.

    I get unpoisoned DNS (unless someone can poison the root TLD servers...), much quicker responses, better uptime, and no futzing about something as ridiculously unnecessary as this new research.

    1. Sir Runcible Spoon

      Re: I've set up my own DNS servers

      Does that setup counteract DNS interception at your provider?

  6. JimC

    Pre DNS concept?

    The principle resembles some setups I used to see in the days when people used to find DNS too hard and created scripts and goodness knows what to replicate zone files between their hosts and even clients. Hard to believe now, but I had a considerable struggle to get all of my organisation, which was highly devolved at the time, to accept that DNS was the way to go.

    'Course we now have the problem that DNS, like so many of the early protocols, is a bit too keen to assume good faith on the part of every administrator on the internetwork.
