[dns-operations] Should medium-sized companies run their own recursive resolver?

Mark Andrews marka at isc.org
Tue Oct 15 01:06:59 UTC 2013


In message <alpine.DEB.2.00.1310151322200.27885 at green.darkmere.gen.nz>, Simon Lyall writes:
> On Mon, 14 Oct 2013, Doug Barton wrote:
> > We of the DNS literati tend to forget just how difficult this stuff really
> > is, and how hard it is for companies to prioritize spending money on things
> > that usually "just work."
> 
> I'm a little concerned at the answers here. Surely a recursive resolver is 
> one of the simplest services in the world to configure? You basically 
> enable it, make sure recursion is on[1] and update DHCP or whatever to use 
> it. Add another server for luck and put a "Turning this off breaks 
> Internet" sticker on it if you want it robust.
> 
> I'm not entirely sold on using Google DNS or OpenDNS. In my case they 
> are/were several thousand km and a few countries away, so they didn't 
> produce the best performance; they also introduce a dependence on upstream 
> services several hops away.
> 
> [1] If it is inside the firewall, ignore the ACLs. Also ignore the logs 
> because nobody will read them anyway. That leaves about a 6-line bind 
> config.

"named -c /dev/null" works well as a recursive server for a single
directly connected subnet.

"named -c /dev/null" works well as a recursive server for multiple
subnets when it is running on the router that is connecting all the
subnets together.

DNS gets more complicated when you add authoritative zones, DNSSEC,
views, etc., but it still isn't rocket science and lots of people
run their own nameservers.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
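What the "6 line bind config" and "named -c /dev/null" look like in practice, as an added example that is not part of either post: a minimal BIND 9 named.conf for an internal recursive resolver. The commented-out lines are the effective "ignore the ACLs" setting, which is only safe while the firewall guarantees port 53 is unreachable from outside; the active lines add the recursion ACL as defense in depth, since a reachable open recursive resolver is usable as a reflector/amplifier. The subnets, interface addresses and log path are assumptions (RFC 5737 documentation ranges), not values from the thread.

```conf
// Added example, not code from the posts above. Minimal BIND 9 named.conf
// for a recursive resolver serving two assumed internal subnets from the
// router that joins them. All addresses below are placeholders.

acl "internal" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;        // assumed office LAN
    198.51.100.0/24;     // assumed second subnet on the same router
};

options {
    directory "/var/cache/bind";

    // Roughly what "named -c /dev/null" gives you: recursion for anyone
    // who can reach the socket. Acceptable on a single directly
    // connected subnet; an open resolver if the host is reachable from
    // the Internet.
    //
    // allow-recursion { any; };
    // allow-query     { any; };

    // Corrected form: recursion only for the internal ACL, so a packet
    // from outside (spoofed or otherwise) cannot use this box as an
    // amplifier even if a firewall rule is later mistyped.
    recursion yes;
    allow-recursion   { internal; };
    allow-query       { internal; };
    allow-query-cache { internal; };

    // Bind only to the addresses facing those subnets (assumed values).
    listen-on    { 127.0.0.1; 192.0.2.1; 198.51.100.1; };
    listen-on-v6 { ::1; };

    // Validate DNSSEC with the built-in root trust anchor.
    dnssec-validation auto;
};

// Root hints are compiled into BIND 9, so no hint zone is needed.

// Query log: rotated, so "nobody reads it" at least costs no disk.
// Defining the "queries" category is what switches query logging on.
logging {
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 20m;
        print-time yes;
    };
    category queries { queries_file; };
};
```

Check the file with `named-checkconf /etc/named.conf` before reloading; it catches the missing-semicolon class of error that otherwise shows up only when the resolver fails to start and earns the server its "Turning this off breaks Internet" sticker.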