[dns-operations] Should medium-sized companies run their own recursive resolver?

Dan York york at isoc.org
Tue Oct 15 20:27:33 UTC 2013

On 10/14/13 4:24 PM, "Paul Hoffman" <paul.hoffman at vpnc.org> wrote:

>On Oct 14, 2013, at 12:43 PM, Suzanne Woolf <woolf at isc.org> wrote:
>> I've really enjoyed reading the responses to this,

+1. The variety of responses have been both interesting and useful.

>> and admit my own answer is (yet another flavor of) "It depends."
>That seems to be the median so far.

As is mine (an "it depends" variation)... from an ideal perspective and
being an advocate of DNSSEC, I'd like a DNSSEC-validating recursive
resolver to be deployed as close as possible to the end user so that the
potential for attackers to be in the path is as minimal as can be. In my
truly ideal world I'd like that DNSSEC validation to be occurring within
the operating system running on the user's computer or perhaps even in the
application they are using.  So on a macro level I definitely agree with
comments here by Paul Vixie and others.

That said, the answer really depends upon the quality of the IT staff and
what you consider "average IT talents".  I've seen any small organizations
such as that described where the 2 IT people run all the servers, run the
network infrastructure and provide great service to the users - and they
should definitely run their own recursive resolvers.  I've also seen other
organizations where the 2 IT people are so buried in firefighting all
their daily issues that they don't necessarily have the time, energy or
knowledge to do more than keep up with virus issues, password resets or
whatever other fires they are fighting. In those cases, even as simple as
a recursive resolver would be to operate the cases where there are
problems would be more than the IT staff couple truly handle - and they
would look to outsource that to the ISPs resolver (or Google or OpenDNS).
And in all honestly the users might be safer with that outsourced DNS

On a strategic level, I don't like this second answer...  but I understand
*why* it might be appropriate for some small organizations.

>> I'm wondering what motivated the question, particularly in such a
>>generic form.
>In various discussions on different DNS-related topics, some people have
>said that "obviously" everyone should have a resolver at X, where X had
>wildly different values. I thought it would be useful to create a
>"typical" use case and see if X converged in a community such as this.
>It didn't. That's a useful data point for people creating other protocols
>who have to listen to commenters who say where resolvers need to be.

Thanks for stimulating the discussion.


Dan York
Senior Content Strategist, Internet Society
york at isoc.org <mailto:york at isoc.org>   +1-802-735-1624
Jabber: york at jabber.isoc.org <mailto:york at jabber.isoc.org>
Skype: danyork   http://twitter.com/danyork


More information about the dns-operations mailing list