Public recursive resolver for Handshake
Tieshun Roquerre
Right now NextDNS.io is the only major DNS resolver that supports Handshake, but you need to sign up for an account to use them. This is more difficult to use than, say, Cloudflare's 1.1.1.1 and Google's 8.8.8.8 DNS resolvers, where you just need to enter a single IP address. It would be very useful if the community had a public recursive resolver at a single IP address that people could point to.
Scott
Added this to the "directing efforts" board before I saw this here.
Matthew Zipkin
Be careful with this!
I run a public HNS recursive resolver, but I had to firewall it and only whitelist access for specific clients. So if you pursue this project, maybe add a website with a signup page so the server can whitelist your home IP.
Scott
Matthew Zipkin: Have you tried running the service under fail2ban with a filter on DNS usage?
Matthew Zipkin
Scott: I actually have configured the firewall to DROP packets on port 53 with the DNS "recursion requested" bit set. That has stopped all the amplification attacks so far on my authoritative nameservers. For the public recursive resolver, the whitelist works fine and is easy enough. The problem with the amplification attacks is that they spoof the source IP, so you can't ban them, because you don't really know where the packet came from. Cloudflare has enough infrastructure to actually analyze packet origin and effectively filter spam.
Scott
Matthew Zipkin: thanks for taking the time to explain that. How are you managing the whitelist - is it directly in named.conf, or are you doing it at the network layer?
Matthew Zipkin
Scott: UFW (firewall) and iptables -- you've got to thwart these attackers at as low a level as possible. If named is already dealing with them, it's too late.
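The two filtering policies Matthew describes (drop port-53 packets with the "recursion desired" bit set on an authoritative server; allowlist client IPs on the public recursive resolver) modelled as a decision function, as an added example that is not code from the thread's participants. The DNS header layout is from RFC 1035; the allowlist network, the query names and the source IPs are constructed sample values, and the firewall rule mentioned in the comment is an assumed form, not one posted here.

```python
import ipaddress
import struct

# RD ("recursion desired") is bit 8 of the 16-bit flags word that follows the
# 16-bit ID at the start of every DNS message (RFC 1035 section 4.1.1).
RD_FLAG = 0x0100
DNS_HEADER_LEN = 12

# Constructed allowlist: the clients permitted to use the public recursive resolver.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def recursion_desired(dns_payload: bytes) -> bool:
    """Return True if the DNS message carried in a UDP payload has RD set."""
    if len(dns_payload) < DNS_HEADER_LEN:
        return False  # too short to be a DNS message; not our concern here
    _msg_id, flags = struct.unpack("!HH", dns_payload[:4])
    return bool(flags & RD_FLAG)


def build_query(name: str, rd: bool) -> bytes:
    """Constructed sample packet: a minimal A/IN query for `name`, RD on or off."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def port53_decision(role: str, src_ip: str, dns_payload: bytes) -> str:
    """Decide ACCEPT/DROP for an inbound UDP/53 packet under the thread's policy.

    This only models the decision; the real enforcement belongs in the firewall
    (an assumed equivalent is an iptables rule with a u32 match on the flags
    word), so that named never has to process the packet at all.
    """
    src = ipaddress.ip_address(src_ip)
    if role == "recursive":
        # Public recursive resolver: only allowlisted clients get through, so a
        # spoofed-source amplification query is dropped regardless of content.
        return "ACCEPT" if any(src in net for net in ALLOWLIST) else "DROP"
    if role == "authoritative":
        # Authoritative server: legitimate queries do not ask for recursion, so
        # RD=1 is a cheap signal of reflection traffic and is dropped outright.
        return "DROP" if recursion_desired(dns_payload) else "ACCEPT"
    raise ValueError(f"unknown role: {role}")
```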