[dns-operations] Should medium-sized companies run their own recursive resolver?

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Tue Nov 19 23:29:41 UTC 2013

On 2013-10-14 11:21, Marco Davids (SIDN) wrote:
> On 10/14/13 7:18 PM, Carlos M. martinez wrote:
>> I run my own recursive server for my four machine network. So I guess
>> the answer is just, 'of course'.
> Especially if the ISP doesn't support DNSSEC validation ;-)
> (and you better run two, for redundancy)
> --
> Marco

I missed all of this thread due to email problems, which still haven't been 
fully resolved....but that hasn't stopped the flow of other problems :(

I was thinking back that I first started running my own recursive server (on 
the Linux server that I was doing NAT on to share my connection) less than a 
year after I got home broadband service.  Which on more than one occasion 
left me oblivious to the fact that my co-workers were complaining of broadband 
outages... that didn't affect me.  Yup, the ISP's recursive servers were 

Having my own local DNS makes it a lot easier to have names for everything on 
my home network, now that it is getting harder to find an octet that isn't 
already in use that is meaningful to what I'm adding to my network.

I.e.: I had two laptops, a 12.1" and a 14.1".... x.x.x.121 and x.x.x.141 are 
their IPs respectively.  Then an 11.6" -- x.x.x.116.

Though I was growing to 7 ReplayTVs...the x.x.x.11 -> x.x.x.17, and then I 
jumped to TiVos, x.x.x.10, x.x.x.20 ... x.x.x.50.  And then I got a 50" 
TV...oops, already have something at x.x.x.50.

Later I grew to running two servers at home.  Don't recall if that was before 
or after I started having two broadband connections into my home network.  
But, I didn't get to setting up dhcp failover until much later.  I know I had 
some bad home outages due to my server dying.  Until recently, they had 
always been off-lease desktops...

The only thing that has bit me once in a while...is that my home recursive 
servers require DNSSEC validation.  Made it tricky getting into work, when 
the person updating our registrar selected type 7 instead of 8 for key type.  
Didn't occur to me that I should just bypass my own resolvers.

So, now that I'm working for a much larger organization....I have 16 
recursive servers....and there aren't supposed to be any others, but others 
have insisted on trying to set up their own on campus....many of which end up 
being discovered as open resolvers... others run into problems due to our 
split DNS and not knowing where the internal authorities are.

Of the 16, 6 are for general campus use, 2 are for our datacenter.  And, the 
others are email related, and have extra stuff related to spamhaus.

Our servers require DNSSEC validation....and it seems I hear less and less 
about .gov DNSSEC problems because the people that have those problems have 
found that using public recursive resolvers fixes the problem.

There's some discussion of reducing all the datacenter and campus resolvers 
to a single appliance.  Should be interesting to see how that goes.  There 
were pitchforks and such when I said that in the near future one of the old 
recursive resolvers would be going away.  It didn't go away until 2.5 years 
later, and the replacements had been up for almost 2 years (though nobody 
seems to want to change to it.)  But, it was our datacenter DNS server 
located in an open (outside the firewall) subnet.  Our authority servers also 
used to be in this range, and were also open resolvers.

It had stopped being our datacenter DNS server after it got DoS'd by servers 
on campus.  At that time there were 3 general campus resolvers.

It was more about two locations on campus where the hardware was physically 
located.  Another time there had been discussion of going to 3 locations, 
possibly even 4 locations.

And, that's just for main campus.  There had been a server at our Salina 
campus, but local IT had blocked its users from it and were trying to get 
their own working (but couldn't resolve hosts inside the split...which they 
got around by passing post-its of the IP addresses.)  One for our Olathe 
campus had been discussed, but nothing yet.

Also interesting was that they were looking at utilizing some content 
filtering feed with the appliance....probably similar to Spamhaus DBL RPZ 
(wonder if there's a way to process my rblsync'd files to make an 
RPZ...).  But, how useful would it be, if users can just make their computers 
point to Google or OpenDNS instead?

Or perhaps, they were talking about a different appliance to do this.

I had wondered if they had looked at having all our authoritative DNS servers 
in the cloud....that way when they got DDoS'd, it wouldn't have the kind of 
impact that we had earlier this year.  I know I thought about it. ;)

Though would probably have to find somewhere in the cloud that isn't 

>> On 10/14/13 2:08 PM, Paul Hoffman wrote:
>>> A fictitious 100-person company has an IT staff of 2 who have average IT 
>>> talents. They run some local servers, and they have adequate connectivity 
>>> for the company's offices through an average large ISP.
>>> Should that company run its own recursive resolver for its employees, or 
>>> should it continue to rely on its ISP?
>>> --Paul Hoffman

Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
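The registrar mix-up described in the post (DS entered with algorithm 7 where the zone signs with 8) is exactly what a validating resolver catches when it compares the parent's DS against the child's DNSKEY. The following is an added example, not code from the post or the list: it derives the DS from a constructed KSK for the assumed zone example.test (the key bytes are filler, not a real RSA key) and reports which DS fields a mistyped registrar entry disagrees on.

```python
# Added example: compare a registrar-entered DS with the DS derived from the
# zone's KSK, as a validator does. Zone name and key material are constructed.
import base64
import hashlib

def owner_to_wire(name):
    # Canonical wire form: lowercase labels, each length-prefixed, root label last.
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    # DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    # RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5).
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    # DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA.
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": digest}

def ds_problems(parent_ds, child_ds):
    # Fields where the registrar-entered DS disagrees with the DS derived from
    # the zone's real KSK. An empty list means a validator would accept it.
    fields = ("key_tag", "algorithm", "digest_type", "digest")
    return [f for f in fields if parent_ds[f] != child_ds[f]]

# Constructed KSK for example.test: flags 257 (ZONE+SEP), protocol 3, algorithm 8.
EXAMPLE_KSK = ("example.test.", 257, 3, 8,
               base64.b64encode(bytes(range(1, 65))).decode())
CORRECT_DS = ds_from_dnskey(*EXAMPLE_KSK)
# The registrar form as submitted: tag and digest copied correctly, algorithm 7.
MISTYPED_DS = dict(CORRECT_DS, algorithm=7)

if __name__ == "__main__":
    for label, ds in (("correct", CORRECT_DS), ("mistyped", MISTYPED_DS)):
        problems = ds_problems(ds, CORRECT_DS)
        print(label, "OK" if not problems else "mismatch: " + ", ".join(problems))
```

Run against a real zone by substituting the DNSKEY fields from `dig DNSKEY` at the child and the DS fields from `dig DS` at the parent; any non-empty list is a zone that validating resolvers will fail.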
