[dns-operations] Should medium-sized companies run their own recursive resolver?

Dobbins, Roland rdobbins at arbor.net
Mon Oct 14 17:12:04 UTC 2013

On Oct 15, 2013, at 12:05 AM, "Paul Ferguson" <fergdawgster at mykolab.com> wrote:

> Or leaving the recursive resolvers open to the entire Internet for abuse.

They generally must have internal recursive resolvers for their internal resources (split-horizon).  Hopefully, they've another set of external resolvers they use for external recursive lookups - and aren't running them open.

In practice, a lot of enterprise organizations, especially smaller ones, conflate at least some of their recursive DNS servers with their authoritative ones (which they lack the expertise to run in the first place), and all too many of those are also open recursors.

Then they place the whole mess behind a stateful firewall and can't figure out why their DNS servers keep going down, while their transit bills keep going up.


Roland Dobbins <rdobbins at arbor.net>

More information about the dns-operations mailing list