[dns-operations] Should medium-sized companies run their own recursive resolver?

Vernon Schryver vjs at rhyolite.com
Tue Oct 15 23:28:06 UTC 2013

> From: Jared Mauch <jared at puck.nether.net>

> >  ... "Mercedes"...
> Have you ever driven one?  They are mighty nice :)
> Back in the 90's I would agree everyone should run a DNS server as
> the network wasn't as robust as it is today.

On the contrary, in the relevant sense, the network today is less
"robust" than it has ever been.  You don't want a commodity luxury
sedan while driving across Syria, Iraq, Afghanistan, or the Gobi Desert
despite the fact that many roads in Europe and N.America are more
"robust" than they've ever been.  Where roads are bad or non-existent
or where there are significantly security hazards, you need something
with more armor, ground clearance, spare fuel, water, emergency supplies,
or even guns than are economical or safest elsewhere.

> Some folks may need local elements (e.g.: MS DNS/AD, but these should not be exposed to the internet...
> Everyone else should just use either their ISP (with NXDOMAIN rewriting turned off) or someone like OpenDNS that can help enforce some security policies and practices with a few knobs being turned at most.
> Folks like Comcast have large validating resolvers.  Their customers should use them.  Folks here are surely going to do the right thing the majority of the time.  The vast majority of others are going to set things up once and it *will* be left to rot.  This isn't intentional, but it naturally happens.

The question had nothing to do about J. Sixpack with 37 televisions,
phones, and other devices behind a NAT router owned by and remotely
maintained by Comcast.  Instead the question concerned a business with
2 IT professionals.  Relying on distant DNS servers is negligent and
grossly incompetent for a professionally run network.  When the DNS
servers in question are to known lie, it should be as much a crime as
failing to wash your cantaloupes in Clorox.
The same applies when there are Great or small firewalls between the
DNS client and distant validating recursive resolvers.

Even Joe and Joan Sixpack should, if they can, think carefully about
relying on distant DNS servers.  If you wouldn't give your ISP your
bank passwords, then you shouldn't rely on your ISP to validate your
RRs.  Those who control your RRs can get your passwords, albeit with
varying effort.

Should Joe and Joan rely on government approved DNS servers while they
are in China, Iran, or Syria?

Never mind that if the U.S. NSA, FBI, CIA, etc. are competent, they've
used DNS creatively such as to install software on the computers of
their targets or deploy MX RRs to monitor email.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list