Free DNS Resolver

Would you like to try our free name resolution service?

What is it?

Internet access providers operating in Italy must honour at least three different blacklists (implemented at the DNS level) in order to comply with current legislation.

This means that Italian users, when using the resolvers provided by ISPs operating in Italy, must not be able to reach certain domain names.

The lists are mainly of three kinds:

  • CNCPO (child pornography sites);
  • AAMS (illegal online betting sites);
  • MANUAL (domain names blocked by order of the authorities).

The service we would like to test together with other Italian public administrations is based on the Unbound DNS resolver, which redirects to a block page for every domain name present in the three lists.

Since privacy and security matter a great deal to us at AS59715, our system implements the most recent standards available for DNS. Here is a non-exhaustive list of the features we have available (the descriptions are Unbound's own):

Very small EDNS buffer sizes from queries are ignored. Default is off, since it is legal protocol-wise to send these, and Unbound tries to give very small answers to these queries where possible.

Very large queries are ignored. Default is off, since it is legal protocol-wise to send these, and they could be necessary for operation if the TSIG or EDNS payload is very large.

Will trust glue only if it is within the servers authority.

Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received (or the DNSKEY data fails to validate), then the zone is made insecure, this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone.

From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty non-terminals, hence this is possible. Very old software might return nxdomain for empty non-terminals (which usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this, only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. Currently, draft-ietf-dnsop-nxdomain-cut promotes this technique.

Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure.

Send the minimum amount of information to upstream servers to enhance privacy. Only send the minimum required labels of the QNAME and set QTYPE to A when possible. Best-effort approach; the full QNAME and original QTYPE will be sent when the upstream replies with an RCODE other than NOERROR, except when receiving NXDOMAIN from a DNSSEC-signed zone.

Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAIN answers. Default is no. It helps to reduce the query rate towards targets that get a very high nonexistent-name lookup rate.

Use 0x20-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns-0x20.

If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly and may avoid TCP fallback for some responses, which may cause a slight speedup. The default is yes, even though the DNS protocol RFCs mandate these sections and the additional content could be of use and save round trips for clients: in practice those sections are not used, the round trips are more easily saved with prefetch, and this option is faster.

Root key trust anchor sentinel.

Instruct the validator to remove data from the additional section of secure messages that are not signed properly. Messages that are insecure, bogus, indeterminate or unchecked are not affected. Default is yes. Use this setting to protect the users that rely on this validator for authentication from potentially bad data in the additional section.

If enabled, the server provides TLS service on its TCP sockets. The clients have to use tls-upstream: yes. The file given is the private key for the TLS session; the public certificate is in the tls-service-pem file. Default is "", turned off. Requires a restart (a reload is not enough) if changed, because the private key is read while root permissions are held and before chroot (if any). Normal DNS TCP service is not provided and gives errors, so this service is best run on a different port: use the port: config or the @port suffix in the interface config.

Enable ratelimiting of queries sent to nameservers for performing recursion. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. Further queries are turned away with an error (servfail). This stops recursive floods, e.g. random query names, but not spoofed reflection floods. Cached responses are not rate-limited by this setting. The zone of the query is determined by examining the nameservers for it, and the zone name is used to keep track of the rate. For example, 1000 may be a suitable value to stop the server from being overloaded with random names, and keeps Unbound from sending traffic to the nameservers for those zones.

Enable global ratelimiting of queries accepted per ip address. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. IP ratelimiting happens before looking in the cache. This may be useful for mitigating amplification attacks.

And, of course, we have also implemented DNS over HTTPS.
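As an added illustration (not the AS59715 operator's configuration), the following Python audit parses an unbound.conf fragment and flags every option from the list above that is not set to its hardening value, including the two rate limits, which are disabled at 0. The configuration text is constructed; the option names (harden-glue, qname-minimisation, use-caps-for-id, val-clean-additional, ratelimit, ip-ratelimit, and so on) are Unbound's own, and the local-zone redirect line shows the block-page mechanism the service relies on.

```python
import re

# Constructed sample unbound.conf (not the AS59715 operator's real file).
SAMPLE_CONF = """
server:
    harden-short-bufsize: yes       # ignore tiny EDNS buffer sizes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: no       # weak: lets the weakest DS algorithm validate
    qname-minimisation: yes
    aggressive-nsec: yes
    use-caps-for-id: yes            # 0x20 case randomisation
    minimal-responses: yes
    root-key-sentinel: yes
    val-clean-additional: yes
    ratelimit: 1000                 # queries/s per zone toward upstream servers
    ip-ratelimit: 0                 # weak: per-client limit disabled
    local-zone: "blocked.example" redirect
    local-data: "blocked.example A 192.0.2.1"
"""

# Option -> value that gives the protection the descriptions above promise.
# Unset options are reported too, so the audit does not depend on version defaults.
WANTED = {
    "harden-short-bufsize": "yes", "harden-large-queries": "yes",
    "harden-glue": "yes", "harden-dnssec-stripped": "yes",
    "harden-below-nxdomain": "yes", "harden-algo-downgrade": "yes",
    "qname-minimisation": "yes", "aggressive-nsec": "yes",
    "use-caps-for-id": "yes", "minimal-responses": "yes",
    "root-key-sentinel": "yes", "val-clean-additional": "yes",
}

def parse_options(text):
    """Return {option: value} from 'option: value' lines, comments stripped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"([\w-]+):\s*(.+)$", line.split("#", 1)[0].strip())
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def audit(text):
    """Return [(option, value)] for each option not at its hardened value."""
    opts = parse_options(text)
    findings = [(o, opts.get(o, "<unset>")) for o, w in WANTED.items()
                if opts.get(o) != w]
    for o in ("ratelimit", "ip-ratelimit"):   # 0 means disabled (see above)
        if int(opts.get(o, "0")) == 0:
            findings.append((o, opts.get(o, "<unset>")))
    return findings
```

Running `audit(SAMPLE_CONF)` on the constructed file reports the two weak settings, harden-algo-downgrade and ip-ratelimit.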

If you would like to try this service (still in beta) with us, send us the form below. We will reply as soon as possible with all the details.