[Dnsmasq-discuss] Improve privacy by randomly selecting DNS server from a whitelist
Sam Kuper
sam.kuper at uclmail.net
Mon Oct 10 14:53:44 BST 2016
On 10/10/2016, Sam Kuper <sam.kuper at uclmail.net> wrote:
> Dear Dnsmasq folk [...]
Apologies, some of the formatting went awry in my previous message.
Let me try that again.
Dear Dnsmasq folk,
This is my first foray onto the mailing list, and I am not very
experienced with Dnsmasq or indeed DNS, so please be gentle.
I was setting up an OpenWRT router recently, and wanted to be able to
improve the privacy of DNS requests made from that router and from the
PCs on the LAN.
By handing off all the requests to *one* DNS provider, whether that
provider is the ISP, or Google, or someone else, privacy is obviously
compromised: that provider can very easily record *all* the DNS
requests sent via that router (except, perhaps, in cases where the
client is configured to not to seek a DNS forwarder on the LAN).
Unfortunately, there are no public DNS providers who I trust not to
record this sort of information for longer than necessary, nor any
whom I trust never to abuse that sort of information. (Perhaps you
think my feelings about this are wrong, but please bear with me.)
Fortunately, there are numerous public DNS servers that I trust, more
or less, to return accurate results to DNS queries. I'll call this the
"semi-trusted set".
Therefore, it occurred to me that a better option than simply relying
on *one* provider, would be to supply the router with a list of IP
addresses for the servers in the semi-trusted set, and then, for each
DNS query the router cannot answer from its own DNS cache, have the
router send the query to a randomly selected DNS server from that
list. That way, the clients would (I hope) receive trustworthy
replies, and none of the providers would be able to record more than a
random subset of the requests. This might come at the cost of slightly
slower average response times for DNS queries, but for my use case,
this would be perfectly acceptable.
While searching for a way to do this, I learned that Dnsmasq is
included by default in OpenWRT. Learning, in turn, about Dnsmasq, made
me optimistic that it might be possible to configure or extend Dnsmasq
to achieve the desired functionality described above.
I would be grateful to know:
- whether, and if so, why, the desiderata I described are a Bad Idea.
(I hope not, but it's always good to have a sanity check.)
- whether anyone on this list knows of a way to achieve the desired
functionality by configuring existing software available within
OpenWRT, and if so, how. (Maybe there's a package, or a setting, that
does exactly what I'm after, and I've just never heard of it.) Please
reply to me off-list if the answer is not relevant to Dnsmasq.
- whether, if the desired functionality is not currently readily
available within OpenWRT, but could be made available by extending
Dnsmasq, any of you on the list would be keen to implement that
functionality (Simon Kelley, maybe?), or to donate funds towards such
an effort.
Many thanks.
More information about the Dnsmasq-discuss
mailing list