[dns-operations] Should medium-sized companies run their own recursive resolver?
Lawrence K. Chen, P.Eng.
lkchen at ksu.edu
Tue Nov 19 23:29:41 UTC 2013
On 2013-10-14 11:21, Marco Davids (SIDN) wrote:
> On 10/14/13 7:18 PM, Carlos M. martinez wrote:
>> I run my own recursive server for my four machine network. So I guess
>> the answer is just, 'of course'.
> Especially if the ISP doesn't support DNSSEC validation ;-)
> (and you better run two, for redundancy)
I missed all of this thread due to email problems, which still haven't been
fully resolved....but hasn't stopped the flow of other problems :(
I was thinking back that I first started running my own recursive server (on
the Linux server that I was doing NAT to share my connection) less than a
year after I got home broadband service. Which on more than one occasion
left me oblivious to my co-workers complaining of broadband
outages... that didn't affect me. Yup, the ISP's recursive servers were
Having my own local DNS makes it a lot easier to have names for everything on
my home network, now that it is getting harder to find an octet that isn't
already in use that is meaningful to what I'm adding to my network.
I.e.: I had two laptops, a 12.1" and a 14.1".... x.x.x.121 and x.x.x.141 were
their IPs, respectively. Then an 11.6" -- x.x.x.116.
Though I was growing to 7 ReplayTVs...the x.x.x.11 -> x.x.x.17, and, then I
jumped to TiVos, x.x.x.10, x.x.x.20 ... x.x.x.50. And, then I got a 50"
TV...oops, already had something at x.x.x.50.
Later I grew to running two servers at home. Don't recall if that was before
or after I started having two broadband connections into my home network.
But, I didn't get to setting up dhcp failover until much later. I know I had
some bad home outages due to my server dying. Until recently, they had
always been off-lease desktops...
The only thing that has bit me once in a while...is that my home recursive
servers require DNSSEC validation. Made it tricky getting into work, when
the person updating our registrar selected type 7 instead of 8 for key type.
Didn't occur to me that I should just bypass my own resolvers.
So, now that I'm working for a much larger organization....I have 16
recursive servers....and there aren't supposed to be any others, but others
have insisted on trying to set up their own on campus....many of which end up
being discovered as open resolvers... others run into problems due to our
split DNS and not knowing where the internal authorities are.
Of the 16, 6 are for general campus use, 2 are for our datacenter. And, the
others are email-related, and have extra stuff related to Spamhaus.
Our servers require DNSSEC validation....and it seems I hear less and less
about .gov DNSSEC problems because the people that have those problems have
found that using public recursive resolvers fixes the problem.
There's some discussion of reducing all the datacenter and campus resolvers
to a single appliance. Should be interesting to see how that goes. There
were pitchforks and such when I said that in the near future one of the old
recursive resolvers would be going away. It didn't go away until 2.5 years
later, and the replacements had been up for almost 2 years (though nobody
seems to want to change to it.) But, it was our datacenter DNS server
located in an open (outside the firewall) subnet. Our authority servers also
used to be in this range, and were also open resolvers.
It had stopped being our datacenter DNS server after it got DoS'd by servers
on campus. At that time there were 3 general campus resolvers.
It was more about two locations on campus where the hardware was physically
located..another time there had been discussion of going to 3 locations,
possibly even 4 locations.
And, that's just for main campus. There had been a server at our Salina
campus, but local IT had blocked its users from it and were trying to get
their own working (but couldn't resolve hosts inside the split...which they
got around by passing post-its of the IP addresses.) One for our Olathe
campus had been discussed, but nothing yet.
Also interesting was that they were looking at utilizing some content
filtering feed with the appliance....probably similar to Spamhaus DBL RPZ
(wonder if there's a way to process my rblsync'd files to make an
RPZ...). But, how useful would it be, if users can just make their computers
point to Google or OpenDNS instead?
Or perhaps, they were talking about a different appliance to do this.
I had wondered if they had looked at having all our authoritative DNS servers
in the cloud....that way when they got DDoS'd, it wouldn't have the kind of
impact that we had earlier this year. I know I thought about it. ;)
Though would probably have to find somewhere in the cloud that isn't
>> On 10/14/13 2:08 PM, Paul Hoffman wrote:
>>> A fictitious 100-person company has an IT staff of 2 who have average IT
>>> talents. They run some local servers, and they have adequate connectivity
>>> for the company's offices through an average large ISP.
>>> Should that company run its own recursive resolver for its employees, or
>>> should it continue to rely on its ISP?
>>> --Paul Hoffman
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
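The post wonders whether a locally synced blocklist (rbldnsd-style files) could be turned into an RPZ. The script below is an added example, not code from the post or from rbldnsd/rblsync; it assumes the common rbldnsd "dnset" line shape (leading "." means the name and all subdomains, leading "!" means exclude, an optional ":value:text" suffix, "#" comments) and emits a standard RPZ zone where CNAME . returns NXDOMAIN and CNAME rpz-passthru. lets an excluded name through. The zone name, SOA and NS values are placeholders, and the feed is constructed.

```python
"""Turn an rbldnsd-style 'dnset' domain list into an RPZ zone file.

Added example, not from the post or any rbldnsd/rblsync tool. Assumed input
shape: '#' starts a comment; 'example.com' lists that exact name;
'.example.com' lists the name and every subdomain; '!name' excludes a name;
an optional ':value:text' suffix is ignored.
"""
import re
from typing import List, Tuple

# Zone apex and SOA/NS placeholders are assumptions; use your own names.
RPZ_ZONE = "dbl.rpz.local"
NAME_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*$")

# Constructed sample feed; not a real DBL dump.
SAMPLE_FEED = """\
# constructed dnset sample
bad.example:127.0.1.2:spam source
.phish.example:127.0.1.4:phishing
!ok.phish.example
Mixed.Case.EXAMPLE.
not a domain!
"""


def parse_dnset(text: str) -> Tuple[List[Tuple[str, bool]], List[str]]:
    """Return ([(name, include_subdomains)], [excluded names])."""
    blocked: List[Tuple[str, bool]] = []
    excluded: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split(":", 1)[0].strip()  # drop ':value:text'
        exclude = name.startswith("!")
        if exclude:
            name = name[1:]
        subdomains = name.startswith(".")
        name = name.strip(".").lower()
        if not NAME_RE.match(name):
            continue  # skip junk instead of emitting an unloadable zone
        if exclude:
            excluded.append(name)
        else:
            blocked.append((name, subdomains))
    return blocked, excluded


def rpz_records(blocked: List[Tuple[str, bool]], excluded: List[str]) -> List[str]:
    """Policy RRs relative to the zone apex. 'CNAME .' means NXDOMAIN;
    'CNAME rpz-passthru.' lets the real answer through. An exact owner name
    beats a wildcard under normal DNS matching, so exclusions inside a
    blocked subtree work; a name that is both listed and excluded is let
    through."""
    excl = set(excluded)
    rrs = set()
    for name, subdomains in blocked:
        if name in excl:
            continue
        rrs.add(f"{name} CNAME .")
        if subdomains:
            rrs.add(f"*.{name} CNAME .")
    for name in excl:
        rrs.add(f"{name} CNAME rpz-passthru.")
    return sorted(rrs)


def build_zone(text: str, zone: str = RPZ_ZONE, serial: int = 1) -> str:
    """Complete zone text ready for a resolver's response-policy zone."""
    blocked, excluded = parse_dnset(text)
    head = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.localhost. ({serial} 3600 600 604800 300)",
        "@ NS localhost.",
    ]
    return "\n".join(head + rpz_records(blocked, excluded)) + "\n"


if __name__ == "__main__":
    print(build_zone(SAMPLE_FEED, serial=2013111901))
```

Bump the SOA serial on every regeneration so secondaries and the resolver notice the change, and keep the passthru exclusions: the only thing worse than a blocklist users route around is one that blocks the name they actually need.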
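The "type 7 instead of 8" lockout in the post is a DS record whose algorithm field disagrees with the DNSKEY it digests; a validating resolver will not use such a DS, so the zone goes bogus for everyone validating. The check below is an added example, not from the post: it builds a DS from a DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) and lists every reason a validator would reject a published DS for that key. The owner name and the DNSKEY bytes are constructed filler, not a real key.

```python
"""Check a published DS record against the DNSKEY it is meant to describe.

Added example, not from the post. Key tag: RFC 4034 Appendix B (all
algorithms except obsolete RSA/MD5). Digest: RFC 4509 SHA-256 over the
owner name in wire format followed by the DNSKEY RDATA. RFC 4035 section
5.2 requires the DS algorithm, key tag and digest to all match the DNSKEY.
The public key bytes below are constructed filler, not a real RSA key.
"""
import base64
import hashlib
import struct
from typing import List, Tuple

DS_SHA256 = 2          # DS digest type
FLAG_ZONE_KEY = 0x0100  # RFC 4034 section 2.1.1, bit 7

DS = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, hex digest)


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> DS:
    """The DS a registrar form should end up publishing for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, DS_SHA256, digest


def ds_problems(ds: DS, owner: str, flags: int, protocol: int,
                algorithm: int, pubkey_b64: str) -> List[str]:
    """Every reason a validator would refuse to use 'ds' for this DNSKEY;
    an empty list means the DS authenticates the key."""
    tag, alg, dtype, digest = ds
    want_tag, _, _, want_digest = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    problems = []
    if not flags & FLAG_ZONE_KEY:
        problems.append("DNSKEY zone-key flag not set")
    if alg != algorithm:
        problems.append(f"DS algorithm {alg} != DNSKEY algorithm {algorithm}")
    if tag != want_tag:
        problems.append(f"DS key tag {tag} != DNSKEY key tag {want_tag}")
    if dtype != DS_SHA256:
        problems.append(f"digest type {dtype} not handled here (only SHA-256)")
    elif digest.upper() != want_digest:
        problems.append("digest does not match DNSKEY")
    return problems


# Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 8 (RSASHA256),
# filler key bytes. Owner name is a placeholder.
OWNER = "example.test."
KSK = (257, 3, 8, base64.b64encode(bytes(range(1, 33))).decode("ascii"))

if __name__ == "__main__":
    good = make_ds(OWNER, *KSK)
    # the registrar-form mistake from the post: algorithm 7 picked for an
    # algorithm 8 key, digest otherwise correct
    wrong_alg = (good[0], 7, good[2], good[3])
    print("correct DS :", ds_problems(good, OWNER, *KSK) or "OK")
    print("algorithm 7:", ds_problems(wrong_alg, OWNER, *KSK))
```

Run it against the DS your registrar shows and the DNSKEY your signer actually serves before the DS goes live; the digest alone matching is not enough, as the algorithm-7 case shows.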