[dns-operations] Should medium-sized companies run their own recursive resolver?

Warren Kumari warren at kumari.net
Wed Oct 16 07:24:06 UTC 2013


On Oct 16, 2013, at 9:41 AM, David Conrad <drc at virtualized.org> wrote:

> Florian,
> 
> On Oct 15, 2013, at 10:24 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
>> There's a tendency to selectively block DNS traffic, which can be a
>> pain to debug.  
> 
> True. Hate that. A lot.
> 
>> Various network issues might only affect DNS recursor traffic.
> 
> Given the information provided in the scenario, I feel it safe to assume a company of 100 with 2 full-time IT staff would have a clear channel for Internet traffic.  

And I wouldn't -- a company of 100 with 2 full-time IT folk probably have installed a heap-o-random "protection" devices that get in the way (some sort of "web firewall" type thing SonicWall / Websense, a Barracuda, etc), have configured their router[0] with some ACLs (because, you know, DNS only uses UDP 53, apart from some transfer thingie which we don't use, etc.). There is a whole set of these sorts of appliances, and they are sold as an easy way to add "security" to your network. They have (usually) web GUIs and folk like to click all the "protections".


Companies *seem*[1] to follow the trajectory of:
1: We have 1-10 employees, we'll just use whatever Netgear / Linksys someone had lying around / the DSL we ordered came with. This is largely a home network.

2: We now have 10-50 employees, let's get a consultant to give us a hand. Wheee, now we have a Windows <something> "server" and a (consumer) NAS.

3: Now we have 50-200 employees and 2 IT type folk. We are a "real" company and so have a slew of "servers", and probably some AD goodness. We are concerned about all of the time that our employees are spending on Facebook and doing their banking and such, so we need to monitor (and curtail) their usage of this sort of stuff. The IT group has a budget, and a large number of companies are willing to provide appliances that will undoubtedly make this problem (and that of viruses and "insecurity" and cyber-attacks and similar scary things) go away. One of the IT chappies does some network stuff, and so has configured the firewall to be secure -- there were some checkboxes for this. He also configured some ACLs on the router. This consisted (largely) of blocking everything and then allowing bits when folk complained. There is some monitoring now -- but the alerts are annoying, and so go to a mailbox that no-one looks at.

4: We now have 200-400 employees. We realized that our IT stuff was costing way more money than expected, and we had many issues. We "promoted" the current Director of IT out of the way and hired someone new. He spent much time finding many kludges and cruft. Things got very squirrely for a while, but are now looking much better. We removed all of the user behavior modifying stuff, and, bizarrely enough, productivity improved…

5: 400- more. This is very similar to #4, but with a few departments and specialization and such…

I suspect that the majority of folk on this list have a fairly different experience -- but, I suspect that this is because most folk on this list are involved in more technical organizations…

W
[0]: Well, the random consultant / friend of someone / guy who read a networking book once did.
[1]: This is from chatting with a large number of my wife's customers, helping some friends who do consulting for companies of this sort of size, etc.

> If not, I would agree with your caveat (and question the company's sanity).

It's not their sanity, it is just that they are in the moving business or are a construction company, or manufacture reflectors for LED lights or run cabs to the airport or fix your heating system when it explodes at 3AM on a Sunday.

This is just not something that they are familiar with….

W

> 
> Regards,
> -drc
> 
> 

--
My memory is failing, so I changed my password to "incorrect".
That way, when I login with the wrong password the computer tells me… "Your password is incorrect".


