[dns-operations] Should medium-sized companies run their own recursive resolver?

Doug Barton dougb at dougbarton.us
Mon Oct 14 18:46:05 UTC 2013

On 10/14/2013 11:03 AM, Warren Kumari wrote:
> On Oct 14, 2013, at 7:08 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP.
>> Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?
> Depends. Seeing as you said "average IT talents" I'm saying "No". These days "average IT talents" for a 100-person company probably means "sorta kinda knows how to make Windows not fall over and also do some Exchange stuff".
> My wife does some consulting for a number of companies of this sort of size (and I give her a hand every now and then), and unless the IT folk are actively interested (and most are not) I think running recursive is simply a mistake for them.
> And auth doubly so….

My experience is the same as Warren's, and thus my answer is the same as 
well. In theory I agree with Paul about what they *should* do, but in 
practice (IME) the skills are not there, and they would end up doing 
more harm than good to themselves, and likely the net in general.

We of the DNS literati tend to forget just how difficult this stuff 
really is, and how hard it is for companies to prioritize spending money 
on things that usually "just work." I can't count the number of times I 
got "emergency" calls when I was consulting about how some enterprise 
needed my help right away because "the Internet is down" ... only to get 
a call 30 minutes later letting me know I wasn't needed because someone 
accidentally rebooted the right thing and now "the Internet" is working 
again. They don't care, and they don't *want* to care. They just want it 
to work.


PS, 2 IT folk for a 100-person company is extraordinarily generous.
