[dns-operations] Best Practices in DNS security

Matt Ghali matt at snark.net
Fri Mar 17 19:07:56 UTC 2006

On Fri, 17 Mar 2006, Geo. wrote:

> Because there are an awful lot of Windows servers out there running MSdns
> and you can't run 2 instances of it on one machine. Not everyone runs bind.
> If you are going to come up with a workable solution then it pretty much
> needs to work for just about everyone. You can't have half the internet
> saying no it doesn't work.

I apologize for not coming up with a workable solution for people 
who insist on using unworkable operating systems.

Peter was recommending djbdns in lieu of BIND; I'd hazard a guess 
that the platforms they both work on are a remarkably similar set, 
and that they both probably include MS Windows. Where was the 
problem here?

> I've been trying to find a good solution for this for us but this whole
> "lock down your recursive servers" thing is just a nightmare for most
> smaller ISPs. There are problems other than just the number of dns servers
> ISPs run.

I keep hoping you will enumerate why this is a nightmare for you, 
but I am still in suspense. I've worked at several ISPs of varying 
size, ranging from the first dialup ISP in Hawaii to AS1, whatever 
it was called at the time. What was the problem here?

> For example we have our own IP block but we also have a leased nationwide
> dialup service so customers can travel. So when a customer travels and the
> local dns server (which I don't control) for that national node can't
> resolve just one domain I fix that by setting them to use our recursive
> servers since I do control them. (I can't flush the cache on someone else's dns
> server even though it affects my customer)

Ah, this is where you are going. OK.

Out of curiosity, how often are you flushing your nameservers' 
caches, and what impact do you believe that has on your customers' 
user experience?

Assuming that your dialup customers travel, have you considered 
whether they really need to use _your_ nameservers when they are 
topologically distant? Do you believe that this practice is 
worth the increased latency for every query which they are forced 
to tolerate?

I may have only worked at atypical ISPs, but I never recall users 
calling to ask me to flush my nameserver's cache.

> Not having that capability will cause a tremendous headache as will dealing
> with all the customers who aren't using dynamic assignment of their dns
> servers. But nobody working on the fix ever considers how much of a headache
> this stuff is going to cause because well it's the solution for their
> problems...

Or perhaps no other operators are getting headaches?

> Heck, just look at the problems blocking outbound smtp has caused and is
> STILL causing today. Now we're going to open up another can of worms like
> that for dns?

I've lost track, are you advocating tinyDNS, Windows, open recursive 
nameservers, open SMTP relays, or some other horrible idea?
--matt at snark.net------------------------------------------<darwin><
               The only thing necessary for the triumph
               of evil is for good men to do nothing. - Edmund Burke
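The "lock down your recursive servers" step the thread argues about, shown as two BIND 9 named.conf fragments. This is an added example, not configuration posted by either participant; the address blocks are documentation-range placeholders standing in for the ISP's own prefixes, and the ACL name is made up here.

```conf
// Added example (not from the thread). Prefixes below are placeholders
// from the documentation ranges, not any real ISP's allocation.

// Weak: an "open recursive" server. Every host on the Internet can use
// the cache, which makes it usable for reflection/amplification and
// cache-poisoning attempts against your own customers.
options {
    directory "/var/named";
    recursion yes;
    // No allow-recursion statement: BIND 9 releases of this era
    // defaulted to answering recursive queries from anywhere.
};

// Hardened: recursion only for the ISP's own address space. Authoritative
// data (allow-query any) is still served to everyone; only the cache is
// fenced off.
acl "our-customers" {          // placeholder ACL name
    localhost;
    192.0.2.0/24;              // placeholder: the ISP's own IPv4 block
    2001:db8::/32;             // placeholder: the ISP's own IPv6 block
};

options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { "our-customers"; };
};
```

The ACL is exactly where Geo.'s roaming-customer case bites: a dialup user on a leased nationwide pool arrives from an address outside `our-customers` and gets REFUSED for recursive lookups, so that pool either has to be enumerated in the ACL or those customers have to rely on the pool operator's resolver. After reloading, confirm the behaviour from both sides of the boundary, e.g. `dig +norecurse`/`dig` for a name you are not authoritative for from an inside and an outside address, and expect REFUSED from outside; on BIND 9.4 and later, `allow-query-cache` can be set to the same ACL so cached answers are not leaked to outsiders either.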
