Polizeiposaune 19 hours ago

What's surprising to me is that this sort of query traffic from Google to the root nameservers would imply that Google isn't running with its own copy of the DNS root - something which I would think would be trivial for them to do. The root zone file is around 2.5MB in portable text format and 1.75MB in BIND 9's "raw" form, is entirely public, and is available by DNS zone transfer from a subset of the root name servers.

BTW, if you run your own local DNS resolver and want to do this, see RFC8806 (https://datatracker.ietf.org/doc/html/rfc8806). I use the setup operated by localroot.isi.edu (register with them and they send you a TSIG-protected DNS NOTIFY when the root zone changes).

  • acuozzo 18 hours ago

    > BTW, if you run your own local DNS resolver

    Can you share some more information on this? I've been thinking of doing so with my OpenBSD server, but my DNS knowledge is limited to the client side.

    • quesera 18 hours ago

      Running a local resolver is very simple.

      If you know the steps -- install software, download root hints file, glance at default config (probably no changes needed), set packet filter rules, start daemon, update DHCP config -- you can be up and running in less than 10 minutes.

      If it's your first time, but all of those steps are conceptually clear, I'd allot an hour or so.

      I'd recommend Unbound[0] or Knot Resolver[1]. Either will give you fast local caching and private DNS history, with zero maintenance requirements. I literally have not touched my (Unbound) config in ten years.

      Though, now that I think about it, there have probably been root hints[2] updates that I should download. (30 sec later: Done!)

      0: https://www.nlnetlabs.nl/projects/unbound/about/

      1: https://www.knot-resolver.cz/

      2: https://www.internic.net/domain/named.root

      • moscoe 8 hours ago

        I’ve also been running unbound for a few years now without issue.

    • nubinetwork 17 hours ago

      Install BIND, make your zone files, start it, and change your DHCP to give your computers the new DNS server address... shouldn't take longer than a half hour to set it all up.

      An additional bit of setup can also integrate the equivalent of Pi-hole using RPZ.
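As an added example (not code from any comment in this thread), the following script builds the "Pi-hole equivalent using RPZ" mentioned above for an Unbound resolver: it turns a plain list of domains into a Response Policy Zone that answers NXDOMAIN for each listed name and everything under it, and emits the Unbound stanza that loads it. The zone name, file paths and the sample block list are constructed assumptions; the RPZ format (RFC draft "dns-rpz") and Unbound's `rpz:` section (Unbound 1.10 or newer, which needs the `respip` module) are real.

```shell
#!/bin/sh
# Added example, not from the thread: Pi-hole-style blocking via RPZ in Unbound.
# Zone name, paths and the sample list below are assumptions.
set -eu

# make_rpz_zone SERIAL < domains-one-per-line > zonefile
# Each listed domain and every name below it is answered NXDOMAIN, which RPZ
# spells as "CNAME .". Blank lines and '#' comments are skipped, names are
# lower-cased, and anything that is not a plausible hostname is dropped, so a
# sloppy downloaded list cannot smuggle arbitrary records into the zone.
make_rpz_zone() {
    serial=$1
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. hostmaster.localhost. ( %s 3600 900 604800 300 )\n' "$serial"
    printf '@ IN NS localhost.\n'
    tr 'A-Z' 'a-z' | awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comment or blank line
        { sub(/[ \t]*#.*$/, ""); sub(/\.$/, "") }      # trailing comment, trailing dot
        $1 ~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ {
            printf "%s CNAME .\n*.%s CNAME .\n", $1, $1
        }'
}

# unbound_rpz_conf ZONE_NAME ZONEFILE > unbound snippet
# The respip module must be in module-config for RPZ to take effect.
unbound_rpz_conf() {
    cat <<EOF
server:
    module-config: "respip validator iterator"
rpz:
    name: "$1"
    zonefile: "$2"
    rpz-log: yes
    rpz-log-name: "blocklist"
EOF
}

# Constructed sample list; real lists are usually downloaded and refreshed.
workdir=$(mktemp -d)
cat > "$workdir/blocklist.txt" <<'EOF'
# sample block list (constructed)
Ads.Example.Test
telemetry.example.test   # trailing comment is stripped
bad_chars.example.test
EOF
make_rpz_zone 2024010101 < "$workdir/blocklist.txt" > "$workdir/block.rpz"
unbound_rpz_conf block.rpz.local "$workdir/block.rpz" > "$workdir/rpz.conf"
cat "$workdir/block.rpz"
```

Bump the SOA serial whenever the list changes and reload Unbound (`unbound-control reload`), otherwise the cached zone is kept; `rpz-log: yes` writes one log line per blocked query, which is the easiest way to see what the list is actually catching.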

    • 3np 15 hours ago

      I've tried most of the popular ones on Linux, these are the ones I've got working all right with little enough hassle to recommend checking out:

      unbound

      knot-resolver

      Technitium

      Yadifa

      (I find BIND tiresome and would only recommend CoreDNS if you know why you want it)

      unbound would be my go-to.

      ---

      General advice: Keep your resolver(s) for public DNS dedicated and as isolated as reasonable. Don't point your clients directly to it or configure any custom zones on it. Instead, have your existing (I assume, otherwise spin up dnsmasq) DNS servers forward and cache all your actual lookups.

    • formerly_proven 18 hours ago

      knot-resolver

      • 77pt77 18 hours ago

        Can vouch.

        It just works and has low resource utilization.
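The setup the subthread above converges on, as an added example that is not code from any commenter: a recursive Unbound instance with root hints (quesera's steps) that also keeps its own copy of the root zone per RFC 8806 (Polizeiposaune's point) and answers only a forwarding resolver in front of it, which holds the custom zones and caches for clients (3np's isolation advice). The script writes both configs into a directory and returns their paths. Directory, addresses and the 10.0.0.0/24 LAN are assumptions; the transfer addresses for the root zone are the ones listed in RFC 8806 Appendix B and should be checked against the current RFC before deployment. Older Unbound releases spell `primary:` as `master:`.

```shell
#!/bin/sh
# Added example, not from the thread: Unbound configs for an isolated
# RFC 8806 recursive resolver plus a forwarding front end.
# Paths, addresses and networks below are assumptions.
set -eu

# write_recursive_conf DIR FORWARDER_CIDR -> path of the recursive resolver config
write_recursive_conf() {
    cat > "$1/unbound-recursive.conf" <<EOF
server:
    interface: 0.0.0.0
    interface: ::0
    # Only the forwarding resolver may query this instance (3np's advice)
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: $2 allow
    root-hints: "$1/named.root"            # https://www.internic.net/domain/named.root
    auto-trust-anchor-file: "$1/root.key"  # DNSSEC trust anchor, set up with unbound-anchor
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    hide-identity: yes
    hide-version: yes

# RFC 8806: hold a full copy of the root zone, refreshed by zone transfer, and
# use it for upstream resolution; fall back to the root servers if it is stale.
auth-zone:
    name: "."
    primary: 199.9.14.201        # b.root-servers.net  (RFC 8806 Appendix B)
    primary: 192.33.4.12         # c.root-servers.net
    primary: 199.7.91.13         # d.root-servers.net
    primary: 192.5.5.241         # f.root-servers.net
    primary: 192.112.36.4        # g.root-servers.net
    primary: 193.0.14.129        # k.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "$1/root.zone"
EOF
    echo "$1/unbound-recursive.conf"
}

# write_forwarder_conf DIR RECURSIVE_IP -> path of the client-facing config
# Clients talk to this one; it caches, serves local names, forwards the rest.
write_forwarder_conf() {
    cat > "$1/unbound-forwarder.conf" <<EOF
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/24 allow      # assumed client LAN
    access-control: 0.0.0.0/0 refuse
    local-zone: "home.arpa." static        # custom names live here, not upstream
    local-data: "printer.home.arpa. A 10.0.0.20"
forward-zone:
    name: "."
    forward-addr: $2
EOF
    echo "$1/unbound-forwarder.conf"
}

# conf_has FILE 'setting' -> success if the setting line is present
conf_has() { grep -q "^[[:space:]]*$2" "$1"; }

dir=$(mktemp -d)
write_recursive_conf "$dir" 10.0.0.53/32
write_forwarder_conf "$dir" 10.0.0.54
# With Unbound installed, validate before starting:
#   unbound-checkconf "$dir/unbound-recursive.conf"
```

Point DHCP at the forwarder only; the recursive instance should not be reachable from clients at all. If the root zone transfer stops working, `fallback-enabled: yes` keeps resolution going via the root servers, so the failure shows up in Unbound's log rather than as an outage.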

Lammy 19 hours ago

I wonder if this is related to the massive increase (quadrupling) in DNS traffic just to my own domains as of January 2020 that has become the new normal ever since. Figure 2 in the article lines up with mine exactly: https://i.imgur.com/5yuQ6rY.png

Mildly annoying because I was only paying my DNS host for 1 million queries-per-month and had to increase my plan. I only get aggregate statistics so I am unable to investigate blame.

486sx33 15 hours ago

Google up to something evil