Author: Adam Borowski Date: To: dng Subject: Re: [Dng] nameservers
On Sun, Mar 29, 2015 at 08:27:01PM -0400, Hendrik Boom wrote:
> What I've never understood is why it's not the default for a Debian
> installation to have its own nameserver.
>
> Is there a reason to trust anyone else's nameserver?

Without DNSSEC, it's a fair tradeoff (no caching, but you have one less
daemon to run) -- and anyone on the path can feed you bogus data anyway.

But if we're trying to be secure, running the last mile over an untrusted
network means you could as well not bother with DNSSEC. And outside of
controlled setups, the only trusted network is localhost.

So even with the most benevolent DNS server operator, you should run one
locally. But in this case, we're talking of a company whose income relies
on gathering tracking data. By defaulting to 8.8.8.8, resolvd effectively
feeds metadata on almost any TCP/IP connection you make to Google.

In other words, the bug that's being wontfixed here is a massive
security/privacy hole.

--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.