Author: marc Date: To: dng@lists.dyne.org Subject: Re: [DNG] how to clear DNS cache
Simon Hobson wrote:
> The current version of the system resolver has a hard coded fall-back - if you don't specify any resolvers then it will automatically use Google's (silently) !
> Short version - a bug was raised, DD responded that it's important to protect people from having no DNS and rejected all criticisms. Security and privacy issues were rejected with "got any evidence". Can't remember what excuse was given as to why someone shouldn't be allowed to specify no resolvers.
> Basically, it came down to - some people find themselves on a broken network (DHCP doesn't give resolvers) so we need to fix this for them. So the bug is "won't fix, it's not broken" :-/
It turns out that if one goes to netpatterns.blogspot.com one can
see Brad Hein providing evidence that "free" infrastructure is
already being deployed to harvest IPv6 addresses to be port scanned.
Using such "bait" infrastructure during installation seems
particularly dangerous, as that is the time when the system
might not be buttoned down as well, and thus most likely
to be broken into.
What is even more puzzling is that *if* people would really
care about having a successful install in the face of
flaky DNS, then it would seem more productive to write the
IPs of the mirrors directly into /etc/hosts. I don't think
that would be advisable without many loud warnings, but
it would achieve the stated goal more directly.
All this makes one appreciate the work of the Devuan
contributors even more - at least we have a chance of
escaping some of the insanity. Thanks.
And Rick's idea of having a local recursive nameserver
sounds excellent.
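As an added example (not part of the thread), a small POSIX sh audit for the condition the quoted bug describes: a resolv.conf with no nameserver directives, which is exactly when a resolver with a built-in fallback would silently pick its own upstream. The function name and the sample files are constructed for illustration; the file path is a parameter so it can be checked against a copy rather than the live system.

```sh
#!/bin/sh
# Audit a resolv.conf for configured resolvers.
# Prints the nameserver addresses one per line and returns 0;
# returns 1 when none are configured (the silent-fallback case);
# returns 2 when the file cannot be read.
list_nameservers() {
    rc_file="${1:-/etc/resolv.conf}"
    if [ ! -r "$rc_file" ]; then
        echo "cannot read $rc_file" >&2
        return 2
    fi
    # Strip '#' and ';' comments first, then keep only "nameserver <addr>".
    rc_servers=$(sed -e 's/[#;].*$//' "$rc_file" |
        awk '$1 == "nameserver" && NF >= 2 { print $2 }')
    if [ -z "$rc_servers" ]; then
        echo "WARNING: $rc_file names no resolver; a resolver with a" \
             "hard-coded fallback would choose its own upstream" >&2
        return 1
    fi
    printf '%s\n' "$rc_servers"
}

# Constructed sample (not a real file from the thread) showing that
# commented-out entries do not count as configured resolvers.
sample_rc=$(mktemp)
printf 'search example.test\n# nameserver 192.0.2.53\n' > "$sample_rc"
if list_nameservers "$sample_rc" >/dev/null 2>&1; then
    echo "sample: resolvers configured"
else
    echo "sample: no resolvers configured (fallback would apply)"
fi
rm -f "$sample_rc"

# Live check; the if-guard keeps a missing or empty file from aborting
# the script when run under "set -e".
if live_servers=$(list_nameservers /etc/resolv.conf 2>/dev/null); then
    echo "configured resolvers:"
    echo "$live_servers"
else
    echo "no explicit resolvers configured on this host"
fi
```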