Dholdrums

So it took a few months, but I finally got around to converting my DNS slave. It took about an hour to play around with NSD and figure out how to make it read from a bind master. And the actual cutover was less than five minutes.

Probably the part I like best is how clean the config file is. Take a look at this:

server:
        ip-address: 0.0.0.0
        do-ip4: yes
        do-ip6: no
        logfile: "/var/log/nsd.log"

remote-control:
        control-enable: yes

key:
        name: MYKEY
        algorithm: hmac-md5
        secret: "my+secret+in+base64="

zone:
        name: example.org
        zonefile: /var/db/nsd/example.org
        request-xfr: 1.2.3.4 MYKEY

It's insane how easy this was. Sometime soon I will update my master and then I'll be done with bind for good.

In the What's New page for the upcoming FreeBSD 10, I see that the venerable (infamous?) bind is being replaced with LDNS and unbound, I found the related project NSD, also created by Stichting NLnet Labs.

This is good news. I've always been looking for a bind replacement because it is so large and unwieldy.

Late last year I started researching NSD to replace my bind server, and I've more or less decided I would switch over to it in 2014. But interestingly NSD doesn't have the thing I wanted the most: a clean zone file format. The config files are all sane now, but NSD more or less keeps BIND's zone file format. This page has some examples. Contrast this with DJB's tinydns which has an excellent zone file format, really short and succinct and hard to type in wrong.

Nonetheless, a couple of the primary ROOT servers are run using NSD, so that's very good to hear.

Will report back on my NSD adventures after I switch over.

If you're like me, you use some local ISP for your primary, non-work, Internet connection. Since I'm in NYC, I use Verizon's FIOS service. Although it is pricey, the speeds I get are decent (by American standards).

However, Verizon does one thing that they do that I absolutely hate: THEY HIJACK YOUR DNS.

What is DNS hijacking? Wikipedia has a fairly good entry on the subject.

Basically, if you make an invalid DNS request, instead of returning an error (NXDOMAIN) to your browser as required by the Internet standards, they instead route the page to one of their own pages, usually to display advertising. This breaks all sorts of things, these are described in gory detail in the article above—but such a blatant violation of an Internet RFCs is enough to justify an outcry.

Presuming you use some sort of Unix box, there's a couple of solutions for this:

• You can change the permissions flags on /etc/resolv.conf to be immutable (chflags on FreeBSD, chattr on Linux), although I consider this to be a bit heavy handed.
• You can tell your DHCP client to not update resolv.conf (via dhclient.conf)
• But I think the easiest is way to solve this problem is to override the settings on your wireless router to send hardcoded DNS settings to DHCP clients instead of accepting the ones sent by the ISP. The added advantage here is that it works for all operating systems and clients in your subnet.

Which DNS servers to use instead? Google offers a service called Public DNS that won't hijack your DNS:

• 8.8.8.8
• 8.8.4.4

Although you should keep in mind that Google can and will use your name lookup data for advertising purposes.

Lastly, this article assumes this is for a home or personal network. If you are running a business or other organization, you really should be using your own DNS servers.