[Dnsmasq-discuss] Can I set up dnsmasq to act as a local caching recursive DNS server?

/dev/rob0 rob0 at gmx.co.uk
Mon Jun 24 03:01:46 BST 2013


On Mon, Jun 24, 2013 at 07:21:58AM +1000, Robert S wrote:
> >> I've been advised that my URIBL query traffic may be
> >> aggregated with many others and that I need to use a
> >> local caching recursive DNS server.
> >>
> > This isn't a problem for me, because my mail server is
> > also an authoritative NS server, and it runs BIND named.
> > I only run dnsmasq in SOHO settings.
>
(But then about how I use BIND named as upstream server for 
dnsmasq...)
>
> This looks like a simple solution.  I've looked at unbound,
> which seems to be easy to set up the same way.

Probably. I just use BIND because I know it.

> I've found a simpler solution which seems to work - I've used the 
> OpenDNS nameserver addresses in my resolv.conf.  Their website 
> state "OpenDNS is the largest and most reliable _recursive_ DNS 
> service ...".  It appears that the previous problems with typo 
> correction etc have been sorted out.  I no longer get error
> messages about URIBL queries.
> 
> Would this be suitable for a SOHO network?  I'd be interested to 
> hear comments.

With OpenDNS you have the same issue with any DNSBL service that 
limits the number of queries per client. That "client" is you and 
every other OpenDNS user who is querying any given DNSBL, maybe 
divided by the total number of OpenDNS outbound recursors.

A secondary issue is that you again rely on a cache you don't 
control. You likewise don't control the upstream cache's DNSSEC 
policy, which is likely to mean that you're not having signatures 
validated at all.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



More information about the Dnsmasq-discuss mailing list