Whence one obtains proxy DNS service

You've come to this page because you've asked a question similar to the following:

From whence can I obtain proxy DNS service ? What publically available proxy DNS servers exist ?

or because you've provided the wrong answer to such questions by saying something similar to the following:

Just look up the IP addresses of an ISP's/university's DNS servers with the relevant "NS" and "A" queries, and configure your DNS Client to send its queries to those addresses.

This is the Frequently Given Answer to those questions and such statements.

There are basically two places that one goes in order to obtain proxy DNS service (either for one's DNS clients or for the back-ends of one's forwarding proxy DNS servers):

Provision of proxy DNS service is something that happens by private arrangement. Anyone who intends to provide you with proxy DNS service will have told you directly what IP address(es) to employ to obtain it.

Local proxy DNS servers

The best source of proxy DNS service is, of course, a proxy DNS server that one (or one's organization) owns, and runs onesself. It provides one with full control over the server, its security, the machine(s) that it runs on, and the view of the DNS namespace that it provides. It's simple with most operating systems to do this. Many, including Unices and Linux, come bundled with DNS server softwares, and even have alternative softwares such as djbdns available. OS/2 has the Internet Utilities for OS/2 and ports of BIND. Microsoft Windows has Microsoft's DNS server (bundled with the "Server" flavours of Windows) and ports of BIND.

A proxy DNS server run locally in accordance with best practice listens on site-local IP addresses that the rest of the world cannot reach. And those IP addresses are the addresses that one uses for proxy DNS service.

If you are part of a large organization, there is a good chance that the network administrators run a local proxy DNS server for the organization, on machines internal to the organization's network. And that is what you use. If you run your network yourself, then simply set up such a proxy DNS server somewhere on that network.

Proxy DNS servers provided by ISPs

ISPs often provide proxy DNS service to their paying customers, as part of the private service arrangements between the ISP and the customers. If you are a customer of such an ISP, you will have been told about the IP addresses of its proxy DNS servers in one of several ways:

If your ISP does not provide you with proxy DNS service, or if the proxy DNS service that it provides is unsatisfactory (for example, because it is not secure against cache poisoning, because it provides the wrong view of the DNS namespace, or because it can leak information about your DNS lookups to other customers) then one option that you have is to run your own resolving proxy DNS server, of course.

Mis-use of content DNS servers

One does not look to content DNS servers for proxy DNS service.

A few organizations have content DNS servers, listed in the public DNS database, that also just happen to provide proxy DNS service. Some people think that one can go to content DNS servers for proxy DNS service as well, just by picking the IP addresses of content DNS servers out of the DNS database. One cannot do this and assume that it will work, because it usually will not nowadays.

This is because more and more organizations, over the years, have adopted what has long been known to be best practice for DNS service: not providing promiscuous proxy DNS service to the world, tightening up one's listed DNS services to provide only content DNS service. This best practice is recommended by most DNS software authors (such as Dan Bernstein here, for example), most good books on DNS, and many experts in the field. More and more organizations have gradually come to realize that it isn't in their interests to provide free proxy DNS service to complete strangers. The number of content DNS servers that also double as proxy DNS servers has dwindled, and should eventually, should everyone adopt best practice, reach zero.

(Hitting an organisation's listed content DNS server for proxy DNS service is a good way to draw a DNS administrator's attention, via the increased cost and resource usage, to the fact that xe is unwisely providing promiscuous proxy DNS service and should stop doing so.)

The listings in the public DNS database indicate where to find an organization's content DNS servers, not where to find its proxy DNS servers. Indeed, if an organization is employing best practice, its proxy DNS server won't actually be listening on an IP address that you can reach.

Public proxy providers

There are several organizations that explicitly provide promiscuous proxy DNS service for use by the public at large. They list the IP address(es) of their public proxy DNS servers on a WWW page or some such, and give instructions on how to reconfigure the DNS clients on one's machines to use their resolving proxy DNS servers instead.

It is fair to observe that there are a few organizations that do this out of genuinely altruistic motivations. Organizations such as the Pacific Root, for example, provide promiscuous proxy DNS servers for the benefits of those (few) people who cannot run their own proxy DNS servers, and whose ISPs' proxy DNS servers provide only the diminutive root. But such organizations are (lamentably, but not unexpectedly) outnumbered by those that provide proxy DNS service for other reasons, less beneficial to the service users.

Always bear in mind this maxim: Using someone else's proxy DNS service hands over full control of what one's view of the DNS namespace is to that person. This is why it is important that if one entrusts proxy DNS service to someone else, it be someone with whom one has a contractual relationship for service, such as an Internet Service Provider. Without the contractual relationship, there's no redress and no incentive for providing an aboveboard service.

Case study: Comodo hi-jacking domain names that it doesn't own

One example of a promiscuous proxy DNS service provider with ulterior motives is Comodo, who, as of March 2010, is providing promiscuous proxy DNS service for free, advertising it in its sales blurb on the grounds of its security. Aside from the fact that running one's own resolving proxy DNS server locally, as long as one does so in accordance with best practice (as aforementioned), will yield just as secure a server that additionally isn't as far away across Internet as Comodo's servers are and whose outages one can fix onesself, briefly mentioned in the blurb is the fact that Comodo's servers will make up fake answers for mis-spelled non-existent domain names.

Here's an example of this in action, first querying an ordinary, secure, local proxy DNS server, then querying the Comodo promiscuous proxy DNS server, and finally looking up the non-mis-spelled name.

[H:\]dnsgeta www.micrsfoot.com.
IUZ0036: DNS lookups failed to find a server for the domain name. "www.micrsfoot.com."
[H:\]dnsgeta /serverip www.micrsfoot.com.
[H:\]dnsgeta www.microsoft.com.

Notice that Comodo's promiscuous proxy DNS servers map the mis-spelled name to an IP address that isn't Microsoft's. Mis-spell Microsoft's name, and Comodo won't, contrary to the sales blurb, "automatically detect and forward" lookups for non-existent mis-spelled domain names to the right place. It detects them all right, but it directs them to IP addresses controlled by Comodo itself. Mis-spell Microsoft's name, and you'll end up talking to Comodo's WWW/mail/file/time servers, not Microsoft's as you might think from the sales blurb.

Similarly, according to Comodo there's a Hogwart's University in the U.S., and a U.S. Government Department of Silly Walks:

[H:\]dnsgeta /serverip hogwarts.edu.
[H:\]dnsgeta /serverip silly-walks.gov.

Touted as a feature, this is in fact a simple recurrence of the same sort of Internet coup that Verisign tried in 2003 with SiteFinder. The problems with such an idea are many, and can be found detailed in the aforelinked Frequently Given Answer as well as in technical reports from ICANN and the IAB. Suffice it to say that this is a bad idea that the world has learned better than to do.

The alternative root services aren't motivated by domain name hi-jacking. They will still delegate control of (for examples) the entirety of com. and net. to Verisign. They extend the root, providing top-level domains that the diminutive roots have been, historically, glacially slow to provide. Organizations like Comodo, in contrast, are hi-jacking non-existent domain names within all of the top-level domains, and mapping them to their own IP addresses.

And there is, of course, nothing stopping Comodo deciding do this with domain names that actually exist, as well. In (almost) the words of the well-known slogan: Where do you think www.microsoft.com. will go, today?

© Copyright 2003,2010 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.