[dns-operations] Should medium-sized companies run their own recursive resolver?

David Conrad drc at virtualized.org
Tue Oct 15 05:56:20 UTC 2013


On Oct 14, 2013, at 7:08 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP.
> 
> Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

Given the information provided (and interpolating): they should run their own recursive servers.

Running a recursive server is (should be) far easier than running the vast majority of other "local servers".  If it isn't, they're using the wrong recursive server.  With the exception of root key rollover, running a recursive server is a fire-and-forget type service (modulo some initial configuration to avoid being an open resolver).

Given the role DNS has, if they do not run their own resolver they are investing a vast amount of trust both in the resolver operator and the wire (air, in the case of wireless) between their stubs and their resolver.  That trust is constantly being violated through crap like redirection. Further, in a DNSSEC environment, validation is pointless if the channel between the resolver and the stub is subject to attack.  Until that channel can be protected, it is far safer to run local resolvers if you are interested in security.

Regards,
-drc
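An added example, not part of this message or the list thread: a minimal Unbound `unbound.conf` covering the two points raised above, the "initial configuration to avoid being an open resolver" and DNSSEC validation with automatic tracking of the root key rollover (RFC 5011). Unbound itself, the listen addresses, the `/var/lib/unbound/root.key` path and the 10.0.0.0/8 and 192.168.0.0/16 office prefixes are assumptions chosen for illustration.

```conf
# Added example (not from the original post): Unbound recursive resolver
# for an office network. Addresses, prefixes and paths are assumed.
server:
    # Listen only on internal addresses (assumed values), never on a
    # public interface.
    interface: 10.0.0.53
    interface: 127.0.0.1

    # Weak setting that turns this into an open resolver (do NOT use):
    #   access-control: 0.0.0.0/0 allow
    # Corrected: recurse only for the office prefixes, refuse all others.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation. auto-trust-anchor-file lets Unbound follow the
    # root key rollover (RFC 5011) on its own; create the file once with
    # `unbound-anchor -a /var/lib/unbound/root.key` before first start.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Refuse answers whose DNSSEC records were stripped on the wire.
    harden-dnssec-stripped: yes
    # Validation failures become SERVFAIL instead of being passed through.
    val-permissive-mode: no

    # Reveal less about the resolver to whoever queries it.
    hide-identity: yes
    hide-version: yes
```

Run `unbound-checkconf` on the file before starting the service. Note that validation happens inside the resolver: the AD flag it sets on answers still travels unprotected between resolver and stub, which is exactly why the message above argues for keeping that path on the local network.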
 

