Don't forget (aside from DoH or DoHS) that DNS uses UDP AND TCP port 53.

Lyle Giese

On 3/4/24 11:27, Jared Mauch wrote:

On Mar 3, 2024, at 12:26 PM, Fred Morris <[email protected]> wrote:

Speaking to the message not the (ChetGPT) "massage"...

On Sun, 3 Mar 2024, Turritopsis Dohrnii Teo En Ming wrote:
[...]
I define most popular as the largest number of DNS servers installed throughout 
the whole world.

I think this is a valid point. DNS is not synonymous with the Internet; neither 
is operations.

Internal DNS servers exist, and with guidance concerning the need for network 
segmentation there should be a lot more of them. I have had several requests 
and inquiries over the past few years specifically concerning a desire to log 
the addresses of clients making requests.

These requests persistently refuse to accept that DNS is an application level protocol, and that a 
request (or response) is recast by every nameserver it passes through even if it is merely 
"forwarding": "there must be a way!" People go to great lengths, there's a lot 
of language lawyering and playing with EDNS involved in these attempts.

Invariably my answer (for all but the most technical questions) is to install a real DNS 
server with visibility inside of the NAT horizon (if there is one; there usually is), and 
that the general-purpose "logging" solution is Dnstap.

My admittedly cynical response to the question posed here is that the most 
common server software is probably a lightweight forwarder (e.g. dnsmasq) or 
something which only coincidentally does DNS (e.g. Active Directory).

I think based on the surveys that I had done before, there's quite a number of 
not only forwarders, e.g. dnsmasq, but also iptables rules that perform 
forwarding as a service, e.g. take all udp/53 hitting the host and forward the 
packets (only sometimes with source address rewritten) to the configured DNS 
server(s).

It’s likely much harder to determine this as you could practically put 
something behind DoH w/ HTTP basic auth preventing any queries from occurring 
without authorization.  If there were a stable standards based way to deliver 
the credentials, I could see this being done as part of a captive portal or 
pay-as-you-go service even.

- Jared
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
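The two points above (Fred's: an application-level forwarder recasts every query, so the client address is gone unless something like an EDNS option carries it; Jared's: an iptables udp/53 DNAT rule passes the client's own datagram through, and the source address survives only if no SNAT rewrites it) as an added, self-contained model. This is example code written for this page, not code from any poster or from dnsmasq, BIND or Dnstap. It assumes constructed RFC 5737 documentation addresses, a toy forwarder, a query parser that handles only uncompressed names, and the EDNS Client Subnet option (RFC 7871, code 8) as the EDNS mechanism; nothing here touches the network.

```python
"""Added example (not from the thread): what an upstream resolver's query log
can record about a client behind (a) an application-level forwarder and
(b) a packet-level udp/53 DNAT rule. Addresses are constructed."""
import ipaddress
import random
import struct

FORWARDER_ADDR = "192.0.2.53"   # constructed: the host clients actually talk to
UPSTREAM_ADDR = "203.0.113.1"   # constructed: the "real" resolver upstream


def build_query(qname, qtype=1, txid=None, ecs=None):
    """Wire-format DNS query (RFC 1035). If `ecs` is an IPv4 prefix string,
    append an OPT RR carrying EDNS Client Subnet (RFC 7871, option code 8)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs else 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)
    if ecs:
        net = ipaddress.ip_network(ecs, strict=False)
        addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
        opt = struct.pack("!HBB", 1, net.prefixlen, 0) + addr  # family, src, scope
        rdata = struct.pack("!HH", 8, len(opt)) + opt
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext flags
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return msg


def parse_query(msg):
    """Return (txid, qname, ecs-or-None) from a query built by build_query.
    Only uncompressed names are handled (an assumption of this toy)."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 5                       # root label + qtype + qclass
    ecs = None
    for _ in range(ar):            # additional section: OPT RR(s) with root name
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        rdata, pos = msg[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        if rtype != 41:
            continue
        o = 0
        while o < len(rdata):
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            if code == 8:
                _fam, src, _scope = struct.unpack("!HBB", body[:4])
                raw = body[4:].ljust(4, b"\x00")   # prefix bytes, zero-padded
                ecs = f"{ipaddress.IPv4Address(raw)}/{src}"
            o += 4 + olen
    return txid, ".".join(labels), ecs


def app_forward(client_addr, msg, add_ecs=False):
    """Application-level forwarder (dnsmasq-style): parses the client's query
    and sends a *new* query of its own upstream, from its own socket with a
    fresh transaction ID. The client's address survives only if the forwarder
    deliberately adds an EDNS option carrying it."""
    _txid, qname, _ = parse_query(msg)
    ecs = None
    if add_ecs:
        ecs = str(ipaddress.ip_network(client_addr + "/24", strict=False))
    return FORWARDER_ADDR, build_query(qname, ecs=ecs)


def packet_dnat(client_addr, msg, rewrite_source):
    """Packet-level forwarding (a udp/53 DNAT rule): the client's datagram is
    passed through unchanged, same ID and all; the source address survives
    unless a SNAT/masquerade rule rewrites it too."""
    return (FORWARDER_ADDR if rewrite_source else client_addr), msg


def tcp_frame(msg):
    """DNS over TCP port 53 carries the same message behind a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def upstream_log_line(src_addr, msg):
    """The fields a query log on the upstream resolver can actually record."""
    txid, qname, ecs = parse_query(msg)
    return f"client={src_addr} id={txid} q={qname} ecs={ecs}"


if __name__ == "__main__":
    client = "198.51.100.77"       # constructed: a client behind the forwarder
    q = build_query("example.com", txid=0x1234)
    for label, (src, fwd) in [
        ("app forwarder       ", app_forward(client, q)),
        ("app forwarder + ECS ", app_forward(client, q, add_ecs=True)),
        ("DNAT, no SNAT       ", packet_dnat(client, q, rewrite_source=False)),
        ("DNAT + masquerade   ", packet_dnat(client, q, rewrite_source=True)),
    ]:
        print(label, upstream_log_line(src, fwd))
```

Run as-is, the four log lines show the same query arriving with three different "client" values and, for the plain application forwarder, a transaction ID the client never chose, which is why a log taken upstream of a forwarder cannot answer "which client asked?" and why the practical answer is a logging hook (Dnstap) on a server that sits inside the NAT horizon.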