BIND9 Feature Request: 'forwarders' priority & round-robin pools

Reindl Harald h.reindl at thelounge.net
Mon Aug 24 18:23:04 UTC 2015


On 24.08.2015 at 20:19, nrgd at eml.cc wrote:
> On Mon, Aug 24, 2015, at 11:10 AM, Darcy Kevin (FCA) wrote:
>> Forwarders are selected based on an RTT (round-trip-time)-based algorithm  ....
>
> There's an invalid presumption there -- that 'fastest' == 'most desired / highest priority'.  Regardless of any specific case, the requested feature allows the user to say, simply, what goes where and when -- rather than having to deal with auto-assumptions.
>
>> Have you considered the option of not forwarding *at*all*?
>
> No. And ...
>
>> talking directly to the authoritative nameservers should allay the privacy concerns associated with talking through a third party....
>
> Not entirely accurate IIUC.
>
> The goal is to NOT allow any DNS traffic to traverse over my ISP connection in unencrypted form -- unless it's the absolutely lowest priority (as I defined it) fallback case.
>
> For example in my current case,
>
> class (1) traffic is over my VPN 'past' my ISP to my hosted resolver, then out directly to the authoritative NSs
>
> class (2) traffic is forwarded to/through a dnscrypt-proxy on my bind-instance machine out to dnscrypt'd servers
>
> class (3) traffic is the fallback case.

and you gain what?

one of your forwarding resolvers needs to do recursion and guess what 
it's unencrypted - and even if you prefer 1) for whatever reasons 
(instead change to an ISP you trust) why not just make that VPN 
connection reliable and fault tolerant instead of abusing named?
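The RTT-versus-priority disagreement in this thread, as an added example that is not part of the original posts or of BIND's code: a simplified model with constructed forwarders shows that an RTT-based chooser routes most queries to whichever path answers fastest (here the unencrypted ISP resolver), while an operator-defined priority pool uses that path only when the preferred ones are down. The SRTT update rule, forwarder names and RTT figures are assumptions, not named's real bookkeeping.

```python
"""Added example (not from the post or from BIND): RTT-based forwarder
choice versus an operator-defined priority pool with fallback. The SRTT
rule is a simplified stand-in for named's; names and RTTs are constructed."""
from dataclasses import dataclass

@dataclass
class Forwarder:
    name: str
    encrypted: bool    # query path is encrypted up to the resolver
    priority: int      # 1 = most preferred, as the operator defines it
    rtt_ms: float      # constructed measured round-trip time
    up: bool = True
    srtt: float = 0.0  # smoothed RTT kept by the RTT-based chooser

# Constructed pool mirroring the three classes in the request.
POOL = [
    Forwarder("vpn-resolver", encrypted=True, priority=1, rtt_ms=80.0),
    Forwarder("dnscrypt-proxy", encrypted=True, priority=2, rtt_ms=40.0),
    Forwarder("isp-resolver", encrypted=False, priority=3, rtt_ms=10.0),
]

def choose_by_rtt(pool):
    """Lowest smoothed RTT wins; its SRTT moves toward the measurement,
    the others decay so they are retried now and then (simplified)."""
    live = [f for f in pool if f.up]
    best = min(live, key=lambda f: f.srtt)
    for f in live:
        f.srtt = 0.7 * f.srtt + 0.3 * f.rtt_ms if f is best else f.srtt * 0.98
    return best

def choose_by_priority(pool):
    """Strict priority: lowest priority number among live forwarders."""
    return min((f for f in pool if f.up), key=lambda f: f.priority)

def plaintext_queries(chooser, pool, queries):
    """Count queries the chooser sent over an unencrypted path."""
    for f in pool:
        f.srtt = 0.0
    return sum(not chooser(pool).encrypted for _ in range(queries))

def failover_target(pool, down):
    """Priority pool's pick when the named forwarders are down."""
    for f in pool:
        f.up = f.name not in down
    try:
        return choose_by_priority(pool).name
    finally:
        for f in pool:
            f.up = True
```

Running `plaintext_queries(choose_by_rtt, POOL, 200)` against `plaintext_queries(choose_by_priority, POOL, 200)` shows the difference the requester is after: the RTT chooser sends the large majority of queries over the unencrypted path, the priority pool sends none unless both encrypted forwarders are down.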
