Is it possible to create your own root DNS server?

security domain-name-system privacy

Solution 1:

DNS by design does not enable having an authoritative copy of all zones, as it utilizes a hierarchical naming system.

The root servers are authoritative for identifying the server responsible for the Top Level Domain (TLD) in question. For example, resolving www.example.net will first query a root server to identify the authoritative nameserver for .net. The .net nameserver will identify the authoritative nameserver for example.net, which will then return the record for www.example.net.

You cannot download a copy of all zones. However, you can run a local caching nameserver. The caching nameserver will provide a local copy of all records resolved, which expire using the Time To Live (TTL) specified for the record. Please keep in mind that my explanation is a simplistic description of the DNS protocol, which can be explored in detail by reading definitions in the Request For Comments.

While NXDOMAIN hijacking can be avoided by running a local cache, keep in mind that all DNS resolution traffic will still be transmitted via your Internet connection unencrypted. Your ISP could potentially monitor that traffic and still see the communication. The contracts you have with your ISP as well as your local laws are going to be your definitive means for establishing how your communications are treated. Your ISP's contracts will include the Terms of Service, Privacy Policies and any additional contracts that you may have with your ISP.

Using encrypted protocols is one of the best methods for insuring your data against eavesdropping during transit. However, even that has no guarantee of anonymity. There are additional protocols out there such as Tor and Freenet, which attempt to introduce anonymity to the Internet, as it was never designed to be truly anonymous.

Solution 2:

A few things:

If you configure your server to use the root hints instead of using forwarders then you don't have to worry about MITM issues (at least from ISP's and DNS hijackers). For all external DNS resolution your server would query the root hints, which would refer you to the gTLD servers for the top level domain in question (.com, etc.), which would then refer you to the NS servers for the domain in question.

If you really want to create your own root server you certainly can, although I don't see how it would do you much good. Here's how you do it on a Windows DNS server:

Download the DNS root zone file and save it as root.dns in the %systemroot%\system32\dns directory on your Windows DNS server, use the DNS zone creation wizard to create a new primary forward lookup zone named "." (without the quotes), deselect the option to create an AD integrated zone, type "." for the zone name (without the quotes), select the option to use an existing file and the zone file name field will automatically be populated with the name root.dns (if it isn't type it in), leave the option to not allow dynamic updates as is, click the finish button after you've cycled through each step of the wizard. You now have a root server with zones and zone records for all of the gTLD servers.

Note that this will disable the forwarding and root hints options on the server (since your server is now a root server) and also note that if the gTLD information changes, there's no way for your server to get notice of those changes.

Solution 3:

For closely related servers there are zone transfers. These function much like BGP announcements. For security reasons, these are usually blocked for other servers.

If you run a caching name server it will copy the root server list, and very soon have the roots for .com, .net, etc. There is a very good reason that DNS is distributed. Otherwise everyone would be working with obsolete data. The size of the database would be quite large, and the majority of the data of no interest to you.

There are options to decrease the risk of DNS poisoning and good software deals with the problems as they become known. There are organization which work at providing sanitized data which can be used as upstream providers. These will filter out some poisoning attempts. Look at using OpenDNS or google as upstream providers.

The root DNS zones are now signed, and I am increasingly seeing my mail server reporting that the DNS data was signed. The signing of DNS has been reported as a requirement for IPV6. Signed DNS makes cache poisoning very difficult, but adds to the difficulty of managing DNS.

Solution 4:

You can certainly set up your own server and make it authoritive for the root, but I don't know of any way you can prefill it with the root-servers' zonefiles. You cannot simply request a zonetransfer, so I guess you'll have to fill it by keeping your caches.

Modify the root.hints on your other nameservers to point them to your private root server, and let the testing begin.

But keep in mind that the root servers only know which servers are authoritive for the TLD's, nothing else. You'll essentially need to recreate the entire hierarchy of servers, which seems like an impossible task.

Related

Why does Windows command prompt stalls until a key is pressed when executing long batch files or programs
Multi-site high availability
How does one point a domain to a load balancer that doesn't have a stable IP?
Difference between an Azure AD "directory" and an Azure AD "tenant"?
Resources for the accidental DBA [closed]
Network Printers Offline (but not really)
Managing iptables rules in Linux
Supervisor always quit process with 'exit status 0; not expected'
Long-term storage of Business Critical data
Why can't I cd into a directory?
vsFTPd default uploaded file permissions on Ubuntu not working
Deploying VM from vmdk / vmx file