[dns-operations] Should medium-sized companies run their own recursive resolver?

Jared Mauch jared at puck.nether.net
Tue Oct 15 22:10:26 UTC 2013

On Oct 15, 2013, at 4:58 PM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

> On Oct 15, 2013, at 1:36 PM, Jared Mauch <jared at puck.nether.net> wrote:
>> On Oct 15, 2013, at 2:12 AM, Peter Koch <pk at DENIC.DE> wrote:
>>> sure. Yet another instance of "the DNS people have said ...". Come on.
>> This is akin to asking the founding member of the local mercedes car club what sort of car you should get. :)
>> <sarcasm>Is there something wrong with this?</sarcasm>
> It could have been, but the responses were a few on one pole, a few on the other, and a lot of "it depends". Some of the "it depends" responses leaned in one direction, but some leaned in the other. And I don't think anyone said "Mercedes"...

Have you ever driven one?  They are mighty nice :)

Back in the 90's I would agree everyone should run a DNS server as the network wasn't as robust as it is today.

Some folks may need local elements (e.g. MS DNS/AD), but these should not be exposed to the internet.  They lack the ability to scope responses based on the query source to prevent them being global open resolvers.  They are just fine for behind a firewall/NAT to take stub queries and meet the internal IT needs.

Everyone else should just use either their ISP (with NXDOMAIN rewriting turned off) or someone like OpenDNS that can help enforce some security policies and practices with a few knobs being turned at most.

Folks like Comcast have large validating resolvers.  Their customers should use them.  Folks here are surely going to do the right thing the majority of the time.  The vast majority of others are going to set things up once and it *will* be left to rot.  This isn't intentional, but it naturally happens.

- Jared
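The "scope responses based on the query source" knob Jared refers to, shown as an added example that is not part of the original message: two alternative BIND 9 named.conf fragments, the open-resolver setting beside the scoped one. BIND is assumed here because the message says MS DNS lacks this control; the internal prefixes and listen address are placeholders for your own site.

```conf
// Added example, not from the original post. Alternative 1: the weak setting.
// Recursion is offered to every source, so a server reachable from the
// internet becomes a global open resolver (amplification/abuse target).
options {
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
};

// Alternative 2: the corrected setting. Recursion and cache access are scoped
// to an ACL of internal prefixes; everyone else is refused.
// 10.0.0.0/8 and 192.168.0.0/16 are assumed internal ranges; adjust to your site.
acl internal {
    127.0.0.0/8;
    ::1/128;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    recursion yes;
    allow-recursion { internal; };    // only internal clients may recurse
    allow-query-cache { internal; };  // and only they may read cached answers
    allow-query { internal; };        // refuse everything else outright
    listen-on { 127.0.0.1; 10.0.0.53; };  // assumed internal interface only
};
```

To check the scoped configuration after a reload, a query sent from an address outside the ACL should come back REFUSED with the ra flag clear, while a query from inside still resolves.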
