[dns-operations] Questions about DNS resolver servers best practices

Stephen L Johnson stephen.johnson at arkansas.gov
Wed Dec 8 16:29:41 UTC 2010

Even as long as I've been doing DNS, at times I still feel like a DNS
newbie. I'm about to build up a new resolver DNS infrastructure, and I
have some questions on best practices concerning a resolver-only setup.

First some background. I maintain a DNS infrastructure of 5 public-facing
DNS servers which are authoritative servers for the DNS domains I manage,
and they are also public recursive resolvers. These servers are spread out
across VLANs and geographically on the state network. I have 5 other servers
which are resolver-only DNS servers within our data center. It's been
this way for years and is virtually unchangeable due to the sheer
magnitude of dealing with RFC 2321 Layer 5 in trying to change

A new Network Security Policy is being implemented that says all DNS
resolver traffic traveling on the state network has to go through state
provided resolvers. I can finally split my authoritative and recursive
DNS servers. So my plan is to introduce a new dedicated set of recursive
resolvers, and we'll publish those IPs for our clients to use.

I had considered using Anycast DNS, but we are planning a total network
revamp in the near future. I don't want to have to implement and then
reimplement an Anycast setup. So I've settled on using 2 or 3
discrete public IPs on some load-balanced server clusters. And I'll be
placing those servers inside of our DMZ for added security.

Now my question is: what best practices should I consider in my
infrastructure design?

Thanks in advance. I do learn a lot from the collective wisdom of this

Stephen L Johnson  <stephen.johnson at arkansas.gov>
Unix Systems Administrator / DNS Hostmaster
Department of Information Systems
State of Arkansas
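The split the post describes, authoritative servers that refuse recursion and dedicated resolvers that only recurse for the state network, is the core of the BIND 9 configuration below. This is an added example for illustration, not configuration from Stephen's post or from the State of Arkansas; the ACL names and the network ranges (10.0.0.0/8 standing in for the state network, 192.0.2.0/24 for the DMZ) are constructed placeholders.

```conf
// ---- Authoritative-only server (public-facing) -------------------------
// Answers only for zones it hosts; never recurses, so it cannot be used as
// an open resolver or cache-poisoning target for third parties.
options {
    directory "/var/named";
    recursion no;                 // authoritative servers do not recurse
    allow-query { any; };         // public zones must be answerable by anyone
    allow-query-cache { none; };  // nothing to serve from a cache anyway
    allow-transfer { none; };     // grant AXFR per-zone to secondaries only
    minimal-responses yes;        // smaller answers, less amplification value
    version "not disclosed";      // do not advertise software version
};

zone "example.gov" {              // placeholder zone name
    type master;
    file "zones/example.gov.db";
    allow-transfer { 192.0.2.53; };   // constructed secondary address
    also-notify { 192.0.2.53; };
};

// ---- Resolver-only server (in the DMZ, behind the load balancer) --------
// Recursion is restricted to the state network; outside clients get
// REFUSED instead of an answer, which keeps the resolver closed.
acl "state-net" { 10.0.0.0/8; };          // placeholder: state network ranges
acl "dmz-net"   { 192.0.2.0/24; };        // placeholder: DMZ hosts, LB health checks

options {
    directory "/var/named";
    listen-on { 192.0.2.10; };           // the load-balanced service IP, constructed
    recursion yes;
    allow-query       { state-net; dmz-net; localhost; };
    allow-recursion   { state-net; dmz-net; localhost; };
    allow-query-cache { state-net; dmz-net; localhost; };
    allow-transfer { none; };            // a resolver has no zones to transfer
    dnssec-validation auto;              // validate answers; uses the built-in root key
    minimal-responses yes;
    version "not disclosed";
};
```

A quick check from a host outside the `state-net` ACL: `dig @192.0.2.10 www.example.com` should come back with `status: REFUSED`, while the same query from inside the ACL resolves normally. Running that check from both sides after every config change, and keeping the authoritative and resolver `named.conf` files in separate version-controlled repositories, catches the most common regression in this design: a resolver option accidentally copied onto the authoritative boxes.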
