[dns-operations] Should medium-sized companies run their own recursive resolver?

[Paul Vixie]

Paul Hoffman wrote:
> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP.
>
> Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

every campus even a single-lan household should have its own local
recursive name server. apps have always assumed that an answer,
especially a negative answer, was only a few milliseconds away. no
matter how many anycasted mirrors google or opendns makes of their
global rdns, they will not be close enough to the average app.

for the health of the internet ecosystem, it's also necessary to push
innovations such as dnssec validation and dns firewalling (for example,
with RPZ) and dnssec lookaside validatoin (for example, with ISC DLV) as
close to the end-users as possible.

so, yes, unqualified. and i realize that during my long decades at ISC i
neglected to publish commodity packages for windows, macos, and android
that would have let every laptop and smart phone provide their own rdns.
i'm not at ISC any more but they would probably be responsive to
restricted grants along these lines.

vixie