[dns-operations] Should medium-sized companies run their own recursive resolver?

Bob Harold rharolde at umich.edu
Wed Oct 16 12:13:25 UTC 2013

I think the problem with a "DNS appliance" is that it  becomes an open DNS
resolver, unless it is configured to know the subnet(s) used internally,
and updated every time that changes.  I don't think the firewall could
reasonably be asked to block only recursive DNS traffic, although perhaps
it could block all inbound DNS requests, except to an internal
authoritative DNS if you had one.  I cannot think of any other simple
workaround.  Users are likely to find some way to "turn off" the recursion
limiting anyway, like setting the internal subnet to, which
"solves" their problem of updating it when subnets change, but leaves it
open to the world.

Bob Harold
DNS and DHCP, University of Michigan
(disclaimer: not an official spokesman)

Date: Wed, 16 Oct 2013 13:14:06 +0300
> From: Daniel Kalchev <daniel at digsys.bg>
> To: dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] Should medium-sized companies run their
>         own recursive resolver?
> Message-ID: <525E66EE.9050001 at digsys.bg>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> On 14.10.13 21:46, Doug Barton wrote:
> >
> >
> > We of the DNS literati tend to forget just how difficult this stuff
> > really is, and how hard it is for companies to prioritize spending
> > money on things that usually "just work." I can't count the number of
> > times I got "emergency" calls when I was consulting about how some
> > enterprise needed my help right away because "the Internet is down"
> > ... only to get a call 30 minutes later letting me know I wasn't
> > needed because someone accidentally rebooted the right thing and now
> > "the Internet" is working again. They don't care, and they don't
> > *want* to care. They just want it to work.
> >
> >
> Very true.
> The solution is to turn DNS resolves to appliances, with clear labels
> "DNS resolver". Then we can leave the task of restarting the appliance
> to whoever needs Internet there. Just as they will do with any other
> device which has power switch or cord.
> Adding a label "no user serviceable parts inside, in case of malfunction
> call ... " will help further.
> For those who do not pretend to be ignorant, setting up and
> "maintaining" recursive DNS resolver is trivial.
> By the way, 10% is ok. ;-)
> Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131016/9810170a/attachment.html>

More information about the dns-operations mailing list