nanog mailing list archives

Re: Are public DNS a good thing? (was: Re: 1.1.1.1)


From: Jay Acuna via NANOG <nanog () lists nanog org>
Date: Thu, 17 Jul 2025 11:58:49 -0500

On Thu, Jul 17, 2025 at 9:40 AM Marc Binderberger via NANOG
<nanog () lists nanog org> wrote:
> This raises my question: are public DNS like 1.1.1.1 or Google's 8.8.8.8
> actually a good thing?

Overall I would say the services' existence is mostly a good thing,
and you could mitigate most redundancy issues on the client by setting a
different public DNS provider as a secondary or tertiary resolver.

But there are definitely some disadvantages, and outages are
not the only risk created by global centralization in one provider.

For example: by centralizing in a few public rDNS providers,
you are creating a single entity who can be easily served by governmental
entities or large conglomerates with blanket censorship or blocking orders
due to sites hosting content related to sensitive social issues or
legal disputes, plus subpoenas or warrants exposing user data.

By running your own recursive resolver you are guaranteeing that the interests
of the person hosting your resolver servers are aligned with your interests,
and they aren't going to block your access to resources some company
doesn't want you to see.

> Personally I tend to run "unbound" for recursive resolving and close it
> against outside use. But I may miss an important point - any reasoning that

In its simplest config: You lose out on a privacy benefit by running
your own recursive nameserver.

When using 1.1.1.1 with your browser: requests and responses can be
exchanged using DNS over HTTPS, which means that a passive eavesdropper,
such as your own Internet service provider with their DNS monetization
program, cannot capture and log your queries for resale to data brokers.
You are reducing the number of parties you have to entrust with the
privacy of DNS queries you make and their answers.

However, authoritative nameservers have no equivalent encrypted transport,
so you cannot obtain that privacy when you are running your own
recursive resolution. You may perform DNSSEC validation, but TCP port 53
or UDP DNS traffic is still unencrypted, and authoritative nameservers
rarely or never offer an encrypted transport to secure your recursive
resolver against passive spying.

> points to the one or the other solution as being better?
> (my setups/domains are for private use only these days, nothing big, nothing

I think the best solution may be to have your own DNSSEC-validating resolver,
but operate it in a query forwarding mode towards multiple different
DNS resolver providers for redundancy using DoH (DNS over HTTPS) or
DNS over TLS.

--
-JA
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QA2ENGWXEBFMKC3GOHI2OXI22NNUQTVX/
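Added example (not part of the post): an Unbound configuration for the setup the reply ends on, a local DNSSEC-validating resolver that forwards every query over DNS over TLS to two different public providers instead of iterating to authoritative servers over unencrypted port 53. The file paths, the loopback-only listener and the providers' secondary addresses and certificate names are assumptions for illustration; 1.1.1.1 and 8.8.8.8 are the two providers named in the thread.

```conf
# /etc/unbound/unbound.conf (illustrative; paths are assumptions)
server:
    # Listen only on loopback and refuse everyone else, i.e. "close it
    # against outside use" as in the quoted setup.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Validate DNSSEC locally, so a forwarder (or anyone between us and
    # it) cannot alter signed answers unnoticed: bogus data is returned
    # as SERVFAIL. The root trust anchor is maintained by unbound-anchor(8).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no

    # CA bundle used to authenticate the forwarders' TLS certificates
    # (Debian/Ubuntu path; adjust for your distribution).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    hide-identity: yes
    hide-version: yes

# Forward everything (zone ".") over DNS over TLS (port 853) to more
# than one provider for redundancy. The "#name" suffix is the hostname
# Unbound requires in the server certificate, so an interceptor
# presenting a different certificate is rejected rather than trusted.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Do not fall back to plain iterative resolution over port 53 if all
    # forwarders fail; better an outage than silently losing encryption.
    forward-first: no
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Run `unbound-checkconf` before reloading; once the resolver is up, `dig @127.0.0.1 dnssec-failed.org` (a deliberately mis-signed test zone) should return SERVFAIL, which confirms validation is happening locally and not merely being trusted from the forwarder.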
