in what way is the solution for bind being overkill to write a new, insecure dns resolver that uses a non-standard api? how is that problem not solved by replacing bind with a caching dns resolver like unbound that uses the existing api? or an even simpler dns proxy that leverages your standard home router for the actual resolution? again, through the existing api
this is only a problem for distros that choose to install bind by default instead of the simpler software that already existed to solve this problem
and the new systemd api is not better for this situation, it's just frustratingly different for the sake of difference. and one that's explicitly designed to be anti-non-linux (fuck bsd, etc., according to lennart)
i find it's best not to talk about systemd as a more secure solution for anything when the article we are discussing has fairly accurately demonstrated the systemic insecurity of systemd and the team's bad dev practice
Unbound solves this problem by having your own recursive resolver running on your computer. Plus it can do DNSSEC validation. The only way to counter it would be to intercept any and all DNS traffic (not just toward a few servers).
I've been using it for years; the only problem I've run into is captive portals in some hotels - unbound will complain about an active attack (which is in fact what a captive portal does). You need to disable validation for a while then.
I'll put a link here for people who haven't tried unbound.
Most common Linux distros have the unbound recursive validating resolver in their repositories; usually all it takes is to install it and then point /etc/resolv.conf (or NetworkManager or whatever) to it.
It's also available for other OSes.
I run it on every computer I own, including the home AP router.
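A small shell helper for the setup described in the post above, added here as an example; it is not the commenter's configuration and not code from the unbound project. It prints a minimal unbound.conf for a local validating recursive resolver, and a second variant with the validator module dropped, which is one way to "disable validation for a while" behind a captive portal. The file paths (Debian's /var/lib/unbound/root.key for the trust anchor) and the use of unbound-checkconf and unbound-control for the reload are assumptions; adjust them for your distro.

```shell
#!/bin/sh
# Added example (not the commenter's config, not from the unbound project):
# print a minimal unbound.conf for a local validating recursive resolver.
# The trust-anchor path is an assumption following Debian's layout.
ROOT_KEY="${ROOT_KEY:-/var/lib/unbound/root.key}"

# unbound_conf validate|novalidate  -> config on stdout
#   validate   : validator + iterator modules plus the root trust anchor, so
#                answers from signed zones carry the AD flag and forged ones
#                (the hotel captive-portal case) come back as SERVFAIL.
#   novalidate : iterator only. Only for "disable validation for a while";
#                switch back as soon as you are off the captive portal.
unbound_conf() {
  case "$1" in
    validate)   modules="validator iterator" ;;
    novalidate) modules="iterator" ;;
    *) echo "usage: unbound_conf validate|novalidate" >&2; return 1 ;;
  esac
  cat <<EOF
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # No forward-zone: unbound walks down from the root servers itself, so
    # the ISP resolver is never asked and cannot rewrite answers.
    module-config: "$modules"
    harden-glue: yes
    harden-dnssec-stripped: yes
EOF
  if [ "$1" = validate ]; then
    cat <<EOF
    # Root trust anchor, kept current by unbound via RFC 5011.
    # Bootstrap it once with: unbound-anchor -a "$ROOT_KEY"
    auto-trust-anchor-file: "$ROOT_KEY"
EOF
  fi
}

# resolv_conf -> what /etc/resolv.conf (or the NetworkManager equivalent)
# needs so the system actually talks to the local resolver.
resolv_conf() {
  printf 'nameserver 127.0.0.1\noptions edns0\n'
}

# apply MODE FILE -> write the config, syntax-check it and reload a running
# unbound; the last two steps are skipped when those tools are not installed.
apply() {
  unbound_conf "$1" > "$2" || return 1
  command -v unbound-checkconf >/dev/null && unbound-checkconf "$2"
  command -v unbound-control   >/dev/null && unbound-control reload
  return 0
}

# Stand-alone: print the validating config (or "novalidate" if asked).
unbound_conf "${1:-validate}"
```

Switching to the novalidate variant removes the trust anchor as well as the validator module, so nothing in the config claims to validate while it does not; re-run with validate once the portal has been passed.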
Try installing a local recursive DNS resolver on your machine and setting your DNS server to 127.0.0.1. That should avoid the issue entirely, since DNS resolution will no longer depend on your ISP's DNS server, which is clearly breaking DNS (unless they're really evil and are intercepting and rewriting outbound DNS queries, but I doubt that). That also neatly sidesteps the alternative - using stuff like Google's public DNS or OpenDNS - which degrades your experience because it breaks the geolocation assumptions of the CDNs used for video delivery etc.
I recommend Unbound - been using it for over 2 years without any problems whatsoever. You can find Windows builds (as well as the source code) here.
Don't forget to reconfigure your system so that it actually uses the local resolver, of course.
Looks like you're using an "old" list for what servers to block. Only four domains (or maybe even two) have to be blocked:
The first two are update download servers for the Wii and Wii U, and the last two are used to check network availability (there is an error if those can't be reached, and no update gets triggered).
Also, note that you may want to redirect to something other than 127.0.0.1 (like a local server of yours) depending on what you want. For most people, 127.0.0.1 will be fine.
Unbound works for both Linux and Windows (this is what I have set up on both my Pi and PC). You can use both dnsmasq and unbound on the same device, for example dnsmasq for DHCP and unbound for validating, recursive, caching DNS (though if you forward your DNS queries to Google DNS, for example, it won't have all these properties, and you might as well use only dnsmasq if you're on Linux); put "port=0" in your dnsmasq.conf so that port 53 is left to unbound. To block domains with unbound, have the main unbound config file contain a line
    include: "path_to_blocking_file.conf"
and this file should have lines like
    local-zone: "nus.c.shop.nintendowifi.net" redirect
    local-data: "nus.c.shop.nintendowifi.net A 127.0.0.1"
And remember, if you want to have eShop access, use the homebrew NNU Patcher, which patches the NeedsNetworkUpdate function. That function is normally called and would fail with the standard blocks; with the patch it is not called and doesn't fail (illusion of success), so you can wander around the eShop.
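A generator for the blocking file described in the post above, added here as an example (it is not the commenter's script and not part of unbound or dnsmasq). It reads domains from stdin, emits the local-zone/local-data pair per domain, and can read the names back out of an existing file so an "old" list can be compared with a new one. The domain list is constructed for the example: only nus.c.shop.nintendowifi.net comes from the post; update.example.net is a placeholder, not a real Nintendo host.

```shell
#!/bin/sh
# Added example: build an unbound "redirect" blocklist of the shape shown in
# the post above. Domains arrive on stdin, one per line; "#" comments and
# blank lines are skipped. The redirect target is an argument so it can point
# at a local server instead of 127.0.0.1.

# make_blocklist [TARGET]  -> local-zone/local-data lines on stdout
make_blocklist() {
  target="${1:-127.0.0.1}"
  while IFS= read -r dom || [ -n "$dom" ]; do
    dom="${dom%%#*}"                              # drop trailing comment
    dom=$(printf '%s' "$dom" | tr -d '[:space:]') # and any whitespace
    [ -z "$dom" ] && continue
    # "redirect" answers the name *and every name below it* with the
    # local-data record, so subdomains of the blocked host are covered too.
    printf 'local-zone: "%s" redirect\n' "$dom"
    printf 'local-data: "%s A %s"\n' "$dom" "$target"
  done
}

# blocked_domains FILE -> the domain names a blocklist file already covers
# (handy to diff an "old" list against a new one).
blocked_domains() {
  sed -n 's/^local-zone: "\([^"]*\)" redirect$/\1/p' "$1"
}

# Constructed sample input; only the first host is from the post above.
SAMPLE_DOMAINS='# constructed sample list
nus.c.shop.nintendowifi.net
update.example.net   # placeholder, not a real Nintendo host
'

# Stand-alone: print the blocklist for the sample, redirecting to $1 or
# 127.0.0.1. Point the include: line in unbound.conf at the saved output,
# run unbound-checkconf, then unbound-control reload.
printf '%s' "$SAMPLE_DOMAINS" | make_blocklist "${1:-127.0.0.1}"
```

If dnsmasq runs on the same host for DHCP, its dnsmasq.conf needs port=0 as the post says, otherwise the two daemons fight over port 53 and the blocklist in unbound never sees the queries.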
Solution: don't remove the server from the remote office. If it's serving a useful function, why get rid of it? Maybe your boss is wrong.
If you think slow DNS lookups are bad, wait until file services, LDAP lookups, and Group Policy are all flowing over the wire between your two sites. http://i.imgur.com/RNiGEF6.jpg
But if you're really caught between a rock and a hard place, then look into setting up a recursive caching DNS resolver like Unbound. That will help with the DNS latency.
Two notes:
googlednstest.com supports DNSSEC, so you can use it to verify that the response was not spoofed (but you need a DNSSEC-aware resolver, either run by your ISP or locally, e.g. unbound):
dig +dnssec 405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googlednstest.com TXT
for popular services, cert fingerprints appear quickly, not so much for obscure sites
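The check the post above relies on is the AD (authenticated data) flag in the dig output: +dnssec only asks for the RRSIG records, while AD is set by the resolver that validated them. The helper below, added as an example and not the commenter's code, classifies a dig +dnssec response header into secure / insecure / bogus, which serves both this post's spoofing check and the captive-portal case from the earlier unbound post, where a validating resolver answers SERVFAIL for a rewritten name. The three header samples are constructed to match dig's output format; the live_check function assumes unbound listening on 127.0.0.1.

```shell
#!/bin/sh
# Added example: classify a dig +dnssec response. "secure" requires the AD
# flag, which only a validating resolver sets, so this also shows whether the
# local unbound really validates. SERVFAIL on a signed name from a validating
# resolver is the "bogus" case (e.g. an answer rewritten by a captive portal).

# dnssec_state  -> reads dig output on stdin, prints one word
dnssec_state() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR|NXDOMAIN)
      case " $flags " in
        *" ad "*) echo secure ;;     # validated chain from the root
        *)        echo insecure ;;   # unsigned zone, or resolver not validating
      esac ;;
    SERVFAIL) echo bogus ;;          # validation failed (or upstream broken)
    '')       echo unparsed ;;       # not a dig header at all
    *)        echo "rcode:$status" ;;
  esac
}

# live_check NAME [TYPE] -> query the local resolver and classify the answer.
# Assumes unbound on 127.0.0.1; use the googlednstest.com name from the
# post with TYPE=TXT.
live_check() {
  dig +dnssec @127.0.0.1 "$1" "${2:-A}" | dnssec_state
}

# Constructed samples in dig's header format (not captured from any host).
SECURE_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
INSECURE_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Stand-alone: classify the samples, or run a live check if a name is given.
if [ $# -gt 0 ]; then
  live_check "$1" "${2:-A}"
else
  for s in "$SECURE_SAMPLE" "$INSECURE_SAMPLE" "$BOGUS_SAMPLE"; do
    printf '%s\n' "$s" | dnssec_state
  done
fi
```

An "insecure" result for a name you know is signed means the resolver you are asking does not validate (a plain ISP forwarder, or unbound with the validator disabled), so the fingerprint in the TXT record proves nothing in that case.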
> can't access unbound trust anchor
> TrustAnchorFile (string) Specifies a file from which trust anchor data should be read when doing DNS queries and applying the DNSSEC protocol. This is currently ignored unless the underlying library is compiled to use Unbound; see the documentation at http://unbound.net for the expected format of this file.
?