[dns-operations] Best Practices in DNS security

Geo. geoincidents at nls.net
Fri Mar 17 19:43:39 UTC 2006


> Peter was recommending djbdns in lieu of BIND; I'd hazard a guess
> that the platforms they both work on are a remarkably similar set-
> and that they both probably include MS Windows. Where was the
> problem here?

The problem is that you have half the internet using something where this
"oh just run 2 dns servers on the same physical machine with 2 IP addresses"
solution doesn't wash. Those people aren't going to change dns servers just
because you think they should. How many Exchange open relays were there on
the net before MS finally made exchange install with relay disabled? I mean
lets face the reality.

> Out of curiosity, how often are you flushing your nameservers'
> caches, and what impact do you believe that has on your customers'
> user experience?

rndc flush, why does it exist if it's not needed? Plenty of people who
manage their own dns don't understand TTL, they move something and you need
to flush cache or the rest of their company can't get to work. What do you
tell customers, "sorry sir but you'll have to wait 7 days because you were
too stupid to set a reasonable TTL"?

> Assuming that your dialup customers travel, have you considered
> whether they really need to use _your_ nameservers when they are
> in topologically distant?

Ok maybe this will help you. You have a customer who can't resolve some
domain, you discover he's using someone elses dns server dynamically
assigned by the dialup node. What do you suggest in order to cure his
problem? Do you tell him to use your dns server or do you just say sorry but
you can't get there from here? The goal is a happy customer isn't it?

> Do you believe that this practice is
> worth the increased latency for every query which they are forced
> to tolerate?

Oh I don't know, would I rather wait for 30ms or would I rather never get to
the site? Hmmm difficult choice.

> I may have only worked at atypical ISPs, but I never recall users
> calling to ask me to flush my nameserver's cache.

Well there could be other reasons for that, I've only talked to you once and
already I don't want to call you for support. <grin> But really, the
question is one of control, if I have customers using dns servers that I
don't control then I can't fix problems being caused by those servers. I
can't help you isn't an option so what else would you suggest?

Geo.




More information about the dns-operations mailing list