[dns-operations] Should medium-sized companies run their own recursive resolver?
Daniel Kalchev
daniel at digsys.bg
Wed Oct 16 10:04:38 UTC 2013
On 14.10.13 19:08, Paul Hoffman wrote:
> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP.
>
> Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?
>
As always, it depends.
Ideally everyone should run a validating caching resolver, preferably
on each device. Considering we are far from this reality...
- if they intend to run the resolver on any kind of Windows, forget it.
For many reasons. But let's say we have seen enough resolver-modifying
malware.
- if their ISP is competent enough, which .. sadly few are, then using
the ISP servers is an option. Especially if the company in question
does not have good resources to host/maintain "servers".
- public resolvers, such as Google or OpenDNS are an option too,
although --- do we want to encourage the entire Internet to depend on a
single point of failure (even if we ignore all other Google considerations);
- recursive resolvers do not need much resources. I am actually curious
why there is not a large market for appliances of this kind. Perhaps
because due to the low resource requirements, these are often installed
in shared environments. A managed on-premises DNS resolver/cache
appliance is the best option.
By the way, these days "average IT people" are crazy about
virtualization "in the cloud". Running "your own" DNS resolver in the
cloud makes little to no sense.
Daniel