Home    All Articles    About    carlos@bueno.org    RSS

Install a DNS resolver on your laptop

26 February 2009
Updates:
  1. I have since been lectured sternly (and correctly) that running your own resolver is a rude thing to do. If you want an alternative, try using 4.2.2.1-4.2.2.6 as your DNS servers instead.
  2. a Meraki employee pointed out that they are at the mercy of whatever resolvers the ISPs of their volunteers use. I remain unconvinced as they seem to add an extra layer of indirection. Also, they run their own hardware and software. There is no reason why they couldn't use alternate DNS servers or even run their own.

Free hotspot internet providers (eg Meraki) can have pretty good bandwidth but still feel slow because their DNS resolvers suck and they don't know it. You'll have great response from an SSH session or webmail but clicking a link to a new site will pause or fail.

Even large ISPs get this wrong. I tried for several years to convince BellSouth that one of their DNS resolvers was down:

"No, my internet is not down. The DNS server is down. I can ping. DNS. Dee Enn Ess. Pee Eye Enn Gee. Do you understand I'm trying to tell you about a bad problem with your system? One of your DNS servers is down. It's been down since 2003 but it's still in rotation. Yes, I restarted my router. Yes, my connection is now working but that's not the poi--". Click. Good times.

Solution: install your own damned resolver. I recommend Dr Berstein's excellent dnscache, part of daemontools djbdns (which itself runs under daemontools). Incidentally, this is also a good idea for your servers if you do any crawling, image fetching, etc. You'd be surprised how much it can help.

Excellent installation instructions here:

http://matt.simerson.net/computing/dns/djbdns-macosx.shtml

http://matt.simerson.net/computing/dns/djbdns-freebsd.shtml

Credit to tlack, who taught me this trick back when I was still figuring out bash.

Comments:
I had a similar problem with my charter internet. (For no apparent reason they would resolve everything except youtube at one point)

I just started using OpenDNS (https://www.opendns.com/start/)

No offense intended, but it seems like a simpler solution to just set your DNS server than to install/configure a DNS resolver.
# posted by Blogger Mr. Muffin : February 27, 2009 8:45 AM
 
I use both: dnsmasq AND OpenDSN.

dnsmasq is fast and easy to setup, in Ubuntu at least:

https://help.ubuntu.com/community/Dnsmasq

OpenDNS protects you from typos in the urls, phishing and sites that install badware.
# posted by Anonymous falava : February 27, 2009 9:52 AM
 
Yep, I configure my routers to use OpenDNS (initially to block pr0n) and have seen a pretty good improvement in lookup speeds. Have been very pleased with their other services (keyword mapping, misspelling catcher, reporting) too. Ended up installing at a couple organizations I help with and haven't had to think twice since then.

I certainly understanding wanting to manage the whole thing yourself, and do so locally as much as possible. But OpenDNS is a good solution for a less technical crowd.
# posted by Blogger intheory : February 27, 2009 10:19 AM
 
4.2.2.1
# posted by Anonymous extantproject : February 27, 2009 11:02 AM
 
I've been running my own DNS cache for years. Almost always it works better than the ISP-supplied resolvers.

I used to run DJB's software before, but now there's no point in doing that. Bind has cleaned up their act and it's usable nowadays.
# posted by Anonymous Florin Andrei : February 27, 2009 11:17 AM
 
...(by the way dnscache is part of djbdns, not daemontools)...
# posted by Anonymous Anonymous : February 27, 2009 11:27 AM
 
Hi,

running a good local smart resolver is a good idea if you have a little DNS knowlegde to troubleshoot it if you need to.

Don't forget to change your OS resolver configuration so that you make use of the local smart resolver (/etc/resolv.conf or TCP/IP Settings).

I can recommend "unbound", which is a very fast and secure resolving/caching only DNS Server (a smart resolver, not an authoritative DNS Server like BIND).

It is fast as BIND in most instances, has a more modern design as djbdns and is from the feature set probably the most secure resolving DNS Server today (supports DNSSEC). Give it a try!
# posted by Anonymous Carsten Strotmann : February 28, 2009 3:15 AM
 
Forget the link: Unbound can be found at http://unbound.net

"Unbound is a validating, recursive, and caching DNS resolver.

The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.

The source code is under a BSD License."
# posted by Anonymous Carsten Strotmann : February 28, 2009 3:16 AM
 
"You'll have great response from an SSH session"
If that's the case already, just forward everything over a dynamic SOCKS proxy on your SSH connection and use remote DNS. Much safer, too. (Provided you own/trust the remote SSH.)
# posted by Anonymous Jan! : February 28, 2009 9:11 AM
 

Home    All Articles    About This Site    carlos@bueno.org    RSS