[dns-operations] Getting rid of ISP's recursive DNS servers? (Was: Eircom "DNS Attacks" ?)

Stefan Schmidt stefan.schmidt at freenet.ag
Sun Jul 19 21:52:19 UTC 2009

On Sun, Jul 19, 2009 at 11:19:27PM +0200, Stefan Schmidt wrote:
> > An interesting point of view (Paul Jakma is a known BGP guru):
> > 
> > http://pjakma.wordpress.com/2009/07/15/sharing-dns-caches-considered-harmful/
> > 
> > I wonder what the root name server operators think about his
> > suggestion?
> While not a root-server operator I still would like to give an opinion
> on operating large DNS caches.
> First things first: operating shared caches surely isn't harmful when
> they are a) fast and b) not spoofable.

Sorry, I was not quite finished but accidentally hit the send key.

So to explicate a bit, quite frequently I give advice to our server
operators to install and make use of local DNS caches that run on the
same machine as, say, a web service.
Those services usually have a small yet frequently used working set in
DNS, so running a local cache usually speeds up lookups and thus helps
the service despite the additional CPU usage for the recursive DNS.

On the other hand, broadband users often browse new sites and services,
and a larger set of users is likely to use the same quite large working
set on an ISP's recursive name service, so for those, actually using a
single cache might actually provide a faster browsing [1] experience.

Sadly, in the past many broadband ISPs failed to provide scalable,
redundant and consistent recursive DNS, but I still think it is easier to
educate system administrators on how to run a proper recursive DNS than
millions of - sorry - clueless broadband users worldwide.

The blog entry says OpenDNS is unhygienic, but I don't think they have
been successfully spoofed yet, so I fail to see how their providing a
consistent view of the DNS tree should be bad.

Executive summary: make your DNS more secure, not slower, please.


[1] Yeah, let's face it, the web is the biggest user of DNS.
Robot : Why did the robot cross the road? Because he was carbon bonded to the
- Lost In Space
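To put numbers on the two cases the post contrasts (one service host with a small, hot working set versus many broadband users spread over a large name space), here is an added simulation of a TTL-aware cache in local-per-host and shared modes; it is not part of the post or of any real resolver, and the query streams, TTL and population sizes are constructed assumptions.

```python
import random


class TtlCache:
    """Minimal resolver cache: name -> expiry round. A lookup is a hit only while
    the record is unexpired; a miss (re)fetches and stores it with the full TTL."""

    def __init__(self, ttl):
        self.ttl, self.expiry = ttl, {}

    def lookup(self, name, now):
        if self.expiry.get(name, -1) > now:
            return True
        self.expiry[name] = now + self.ttl
        return False


def make_streams(n_clients, universe, set_size, rounds, seed):
    """Constructed query streams: each client draws a working set of set_size names
    from a universe of `universe` names, then issues one uniform query per round."""
    rng = random.Random(seed)
    streams = []
    for _ in range(n_clients):
        ws = [f"host{rng.randrange(universe)}.example" for _ in range(set_size)]
        streams.append([rng.choice(ws) for _ in range(rounds)])
    return streams


def hit_ratio(streams, ttl, shared):
    """Replay the streams round by round against one shared cache (the same object
    for every client) or one private cache per client; return hits / queries."""
    caches = [TtlCache(ttl)] * len(streams) if shared else [TtlCache(ttl) for _ in streams]
    hits = total = 0
    for rnd in range(len(streams[0])):
        for cache, stream in zip(caches, streams):
            hits += cache.lookup(stream[rnd], rnd)
            total += 1
    return hits / total


def compare(n_clients, universe, set_size, rounds, ttl=300, seed=1):
    streams = make_streams(n_clients, universe, set_size, rounds, seed)
    return {"local": hit_ratio(streams, ttl, shared=False),
            "shared": hit_ratio(streams, ttl, shared=True)}


# Assumed populations: one web service host hammering a few names for a long time,
# versus 200 broadband users each browsing a different slice of 2000 names briefly.
SERVICE = compare(n_clients=1, universe=20, set_size=20, rounds=2000)
BROADBAND = compare(n_clients=200, universe=2000, set_size=30, rounds=50)

if __name__ == "__main__":
    for label, r in (("service", SERVICE), ("broadband", BROADBAND)):
        print(f"{label:10s} local={r['local']:.2f} shared={r['shared']:.2f}")
```

The service host gets a high hit ratio from its own cache alone, while the broadband population only reaches a comparable ratio when the users share one cache, which is the trade-off the post describes.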
