Power outages as soon as I head to bed, nice

This is fine

the good part about power outages is it told me that my NUC's re-done network configuration was actually broken and didn't work correctly on reboot (missing v4 connectivity)

for some reason it was adding the statically configured IPv4 address to the eno1 interface instead of the bridge interface even though it was under the br0 interface

DHCP works fine though so 🤷🏾‍♂️

the correct config:

auto br0
iface br0 inet dhcp
bridge_ports eno1

iface br0 inet6 auto

It is important that my NUC's network connectivity works correctly after it comes back from a power outage since it's the primary DNS resolver handed out by DHCP in my LAN.

I have my router's forwarder as the secondary but I'd rather not have the home network be in a degraded state.


my home LAN's resolver situation is as follows:

Primary - unbound recursor running on my NUC

Secondary - forwarder running on my router, forwarding to my ISP's PPPoE provided resolvers

I don't really like using the common public resolvers like Google Public DNS/OpenDNS/Cloudflare as a secondary especially when my ISP's resolvers don't NXDOMAIN hijack.


I have said it before but I consider NXDOMAIN hijacking a violation of the trust between an ISP and its customers.

These ISPs are taking advantage of their customer base to make a few more bucks from them.

A customer base where the majority doesn't know how to run their own recursor or how to change to a different DNS provider, and I argue they don't have to, that's what they are paying you for.


Let me explain NXDOMAIN hijacking:

Say, for example, you mistype a domain in your browser's URL bar. Normally it would give you a 'name not found' or similar error message, or, depending on how smart your browser is, redirect to a user-configured search engine.

With NXDOMAIN hijacking, that typo would result in you landing on a search page provided by your ISP with ads on it which they make money from.

on a technical level it means that instead of the DNS query returning an NXDOMAIN like it should, your ISP's resolver software modifies it to return a server run by the ISP.
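As an added example (not part of staticsafe's thread), here is a small Python script that checks a resolver for the behaviour described above: it asks for a random label that cannot exist under example.com and reports whether the resolver answers with RCODE 3 (NXDOMAIN, honest) or with a fabricated A record (hijacked). It uses only the standard library. The `build_response` helper and the 198.51.100.x addresses are constructed test data, and the default resolver address 127.0.0.1 and UDP port 53 are assumptions.

```python
import os
import socket
import struct
import sys

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (RD set, one question) + QNAME + A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name, return new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> dict:
    """Return the response code and any A records in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    a_records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            a_records.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": rcode, "a_records": a_records}

def classify(parsed: dict) -> str:
    """A name that cannot exist must come back as NXDOMAIN (RCODE 3)."""
    if parsed["rcode"] == 3:
        return "honest-nxdomain"
    if parsed["rcode"] == 0 and parsed["a_records"]:
        return "hijacked"              # NOERROR plus an address = rewritten answer
    return "unexpected"                # e.g. SERVFAIL, or NOERROR with no A data

def build_response(query: bytes, rcode: int, a_records) -> bytes:
    """Constructed test data: fake a resolver reply to the given query."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode             # QR, RD, RA bits plus the rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    answers = b""
    for ip in a_records:
        # name is a pointer to the question (offset 12), TTL 60, 4-byte rdata
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answers

def check_resolver(server: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Send a live probe to `server` (assumed UDP/53) and classify its answer."""
    token = os.urandom(8).hex()        # random label: guaranteed not to exist
    query = build_query(f"{token}.example.com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return "no-response"
    parsed = parse_response(data)
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        return "unexpected"            # reply does not match our query id
    return classify(parsed)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {check_resolver(target)}")
```

Run it against the resolver your DHCP lease handed out (`python3 nxcheck.py 192.0.2.53`, address assumed) and compare with a run against your own unbound on 127.0.0.1; "honest-nxdomain" is the result you want from both.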

okay I'm gonna go out to get some lunch but when I come back, I'm going to offer some solutions if you are in a network with resolvers that hijack NXDOMAINs

okay so while Zelda downloads let's talk about getting around your ISP's NXDOMAIN hijacking

there are two basic ways:

1) using a public resolver service that does not NXDOMAIN hijack (example - Google Public DNS)

2) running your own recursor (example - unbound on your own machine or serving your network if you control the network)

using a public resolver service is the easier choice but comes with the cost of giving your DNS queries to a third party (Google/OpenDNS/Cloudflare)

decide for yourself if this is something you are okay with

How to change DNS settings on Windows 10:

windowscentral.com/how-change-

macOS:

support.apple.com/kb/PH25577?l

if you control the router and the network, look up your router's documentation on how to change it there

setting up your own recursor is slightly more involved, I recommend unbound:

unbound.net/documentation/howt

(ignore the part about compiling it)

you can get unbound in your Linux distro's repositories, so if you have a Raspberry Pi, you can install it there and use DHCP to have your whole LAN use it

if you only need it on a single machine, it can be as simple as

apt install unbound resolvconf

unbound listens and recurses for localhost by default

if you are on Windows, Unbound has an installer that you can use that comes with a Windows service so you can easily stop/start it:

unbound.net/downloads/unbound_

Install it, make sure the service is started, change your resolver to 127.0.0.1 and you should be good to go

that's pretty much it, this thread is long enough already and I should probably put it in a blog post

@staticsafe So many ISPs do this...

It makes me hate them immediately and irreparably.

@staticsafe Even a good "optional" DNS like Norton does this. It's one of the few that uses DNSSEC, and I refuse to use Google's DNS anymore, so I'm stuck with the NXDOMAIN hijacking. Honestly just thinking about forgetting about the DNSSEC so I can get back to a normal "name not found" result.

@staticsafe How much trouble is running your own recursor? I do have an always-online unix machine and it does seem more clean than relying on Google

@elomatreb @staticsafe really easy, especially with Unbound. I used to use dnsmasq but now I use Unbound.

@staticsafe that would be cool. Definitely interested in more of this.

@staticsafe I'm a fan of PowerDNS. Would be interesting to do a compare and contrast.

@nivex I've never actually used pdns' recursor functionality, it's worth a look I guess

@staticsafe fun fact!!!! my ISP does this, but there are times where the DNS of their own site doesn't resolve.
it forms a loop until you get an http request too long error and the URL is thousands of characters long

Zombocom

staticsafe's personal Mastodon instance.