exocet_cm
In memory of dadkins
Premium
join:2003-03-23
New Orleans, LA
clubs:   | If You Block A Root DNS Server
Can you still do a DNS lookup? If so, what are the two DNS servers owned by Verisign? I'm gonna block em on my firewall and hosts file. |
|
slashman
Don't do it . ..
Premium
join:2003-10-01
Batavia, IL | Can't block em. They are root servers. |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL | reply to exocet_cm
You can still do lookups, as long as you have not blocked all of the root servers.
If you don't run your own DNS server, but use those from your ISP, then you can block all DNS servers other than those of your ISP. |
|
gatorkram
Spelling and Grammer impared
Premium
join:2002-07-22
Winterville, NC
clubs: | reply to exocet_cm
Unless you are running your own dns server, you shouldn't be talking to root servers anyway.
--
Give me bandwidth or give me death!
»/testhistory/661871/4f240 |
|
swhx7
Premium
join:2006-07-23
Elbonia
 ·RoadRunner Cable
| reply to exocet_cm
DNS queries are recursive. If the query can't be answered at the first DNS server contacted - normally a close one, your own or your ISP's - it goes up the hierarchy. Generally the DNS server of the domain itself is authoritative, but large numbers of queries go to the root servers all the time when other sources don't have the info.
This is not like advertising where you can just black-hole servers of unwanted junk. DNS needs to work in this tree model. But it's not a privacy issue; they're not going to detect that Joe Schmoe is looking up weasel fetish sites or whatever. |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| You are correct that lookups are recursive. However, the recursion is typically done by your ISP's DNS servers and not by the end-user system. It doesn't affect you unless you are running your own DNS server, or are manually doing recursion (via a command line lookup, such as using the "+trace" flag in "dig". |
|
swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable
| Right, thanks for making that clear. My point for the OP was that there's no way to opt out of this data-collection. You would normally never hit the root servers directly, and nothing you could do locally could prevent the servers you send queries to from consulting them when needed. |
|
Network Guy
join:2000-08-25
New York | reply to slashman
They are two of the available thirteen root servers.
If you run a local caching DNS server, yes you can. Just remove their IPs and host names from the list. If you forward all your queries to an external DNS server, you're shit out of luck. |
|
Network Guy
join:2000-08-25
New York | reply to nwrickert
This accomplishes nothing. The ISP still directs forward lookups to a root server, which may or may not be Verisign's. |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL | This accomplishes nothing. Agreed. But the question was not whether it accomplishes anything. |
|
zed260
join:2007-09-30
Cleveland, TN | no just use there dns servers instead waste more of there bandwith |
|
