I'm curious. I keep reading about how our ISPs and internet middle men record and keep track of all DNS requests basically leaving a trail of breadcrumbs in many logs, and also allowing DNS hijacking for advertising purposes(I'm looking at you Cox Communications!).
Regardless of other methods for privacy/security, I'd specifically like to know if it's possible to run a DNS server on your own local network, _that actually has the zone information of the root DNS servers(for .com,.net,.org) domains.
I know you can setup DNS that basically just maps machines in your domain, but is it possible to basically request a copy/transfer of the root DNS information to be stored on your own DNS server so you can bypass going out to the internet for DNS information at all for web browsing?
I hope I'm being clear. I do not want to my DNS server to only have information about my internal network — I want it to have duplicate information that the big internet DNS servers have, but I'd like that information locally on my DNS server.
Is there something like BGP Zone transfers but for DNS?
Update: Are there any products/OSS software that could basically "scrape" this information from the external DNS chain into the local cache in large quantities so they're ready when you need them, versus caching them when you explicitly request the domain records?
Best Answer
DNS by design does not enable having an authoritative copy of all zones, as it utilizes a hierarchical naming system.
The root servers are authoritative for identifying the server responsible for the Top Level Domain (TLD) in question. For example, resolving
www.example.netwill first query a root server to identify the authoritative nameserver for.net. The.netnameserver will identify the authoritative nameserver forexample.net, which will then return the record forwww.example.net.You cannot download a copy of all zones. However, you can run a local caching nameserver. The caching nameserver will provide a local copy of all records resolved, which expire using the Time To Live (TTL) specified for the record. Please keep in mind that my explanation is a simplistic description of the DNS protocol, which can be explored in detail by reading definitions in the Request For Comments.
While NXDOMAIN hijacking can be avoided by running a local cache, keep in mind that all DNS resolution traffic will still be transmitted via your Internet connection unencrypted. Your ISP could potentially monitor that traffic and still see the communication. The contracts you have with your ISP as well as your local laws are going to be your definitive means for establishing how your communications are treated. Your ISP's contracts will include the Terms of Service, Privacy Policies and any additional contracts that you may have with your ISP.
Using encrypted protocols is one of the best methods for insuring your data against eavesdropping during transit. However, even that has no guarantee of anonymity. There are additional protocols out there such as Tor and Freenet, which attempt to introduce anonymity to the Internet, as it was never designed to be truly anonymous.