Thank you, Comcast.

Rich Kulawiec rsk at
Fri Feb 26 17:21:27 UTC 2016

On Fri, Feb 26, 2016 at 11:04:49AM -0500, Curtis Maurand wrote:
> I run my own resolver from behind my firewall at my home.  I don't
> allow incoming port 53 traffic.  I realize there's not a lot of
> privacy on the net, but I don't like having my dns queries tracked
> in order to target advertising at me and for annoying failed queries
> to end up at some annoying search page.

Likewise, and I don't like getting back forged DNS responses because
some already-bloated ISP needs to tuck a few more dollars into their
executives' paychecks.  I've tested it fairly thoroughly in order to
ensure that it can't be conscripted into an attack and do so again every
time I make a firewall configuration change or a software upgrade.

I've also started running local resolvers on portable systems in order
to avoid the same set of problems when connecting to random networks.
It often occurs to me that if the engineers of those networks invested the
time that they spend corrupting DNS into preventing DNS-borne attacks
that the entire Internet would be better off.


More information about the NANOG mailing list