[dns-operations] Should medium-sized companies run their own recursive resolver?

Vernon Schryver vjs at rhyolite.com
Wed Oct 16 14:37:22 UTC 2013

> From: Jared Mauch <jared at puck.nether.net>

> > phones, and other devices behind a NAT router owned by and remotely
> > maintained by Comcast.  Instead the question concerned a business with
> > 2 IT professionals.  Relying on distant DNS servers is negligent and
> > grossly incompetent for a professionally run network. 
> As with many things we will have to disagree.
> Not everyone has the same skill set as those on this list, and that curve goes down rather quickly.

I can't help noticing that Jared Mauch noticed and disagreed with my
conclusion about relying on distant DNS servers but overlooked or
ignored the security reasons compelling the conclusion.  He evidently
also overlooked the contradiction or irony in his previous note:

] Everyone else should just use either their ISP (with NXDOMAIN
] rewriting turned off) ...

] Folks like Comcast have large validating resolvers.  Their customers
] should use them.  

despite https://www.google.com/search?q=COMCAST+dns+hijacking

If you check the pages found by that URL, you'll see
  - older reports that Comcast was phasing out DNS hijacking
  - more recent reports of redirection or hijacking of 58/UDP
     packets--not just falsified results from those big Comcast DNS
     servers but packet hijacking
  - far more complication, confusion, and mystification than is
     realistic to expect a two person IT department to resolve.

It's clear that a simple, secure business DNS configuration does
*not* involve a consumer grade ISP.  (I don't mean to criticise any
particular consumer grade ISP.  They are all similar.  I'm not even
sure that DNS result or packet hijacking is a bad thing for consumer

However, not just tolerating but encouraging people without basic
network and computer competence to run Internet businesses is like aviation
before the FAA.  In the first years enthusiasts bought, built, or
borrowed airplanes and went into the barnstorming or airmail businesses.
Then the air industry got government licenses and regulations.  From
Kitty Hawk to the 1926 Air Commerce Act licensing pilots was 23 years.

Whether you mark the start of public interest in the Internet with the
1972 CACM articles about the ARPANET (my DOC lab employer read those
papers, got an appropriation, and linked our computers soon after),
CSNET &co in the early 1980s when many commercial outfits got
Internet connections, or a date between, it is more than 23 years later.

I don't like the idea of government Internet licenses, but a two person
IT shop using distant DNS servers, not to mention a consumer grade
ISP, is as culpable as buying an old potato washer to clean your
cantaloupe crop for market.  I'm uncomfortable with the criminal charges
against the Jensen brothers, but if that's what it takes to get people
to learn enough and do it right ...

Vernon Schryver    vjs at rhyolite.com
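The two resolver behaviours the post points at, NXDOMAIN rewriting (a name that cannot exist comes back with A records instead of NXDOMAIN) and transparent interception of 53/UDP (a query sent to an address that cannot answer gets a reply anyway), can both be probed from the business's own network. The script below is an added example written for this page, not code from the original post or from its author, and uses only the Python standard library. Its assumptions: 192.0.2.1 (TEST-NET-1, RFC 5737) is used as the bogus resolver, since nothing on a sane path should answer from it; a random label under example.com is used as the name that must be NXDOMAIN; the resolver under test is passed on the command line. The script name dns_probe.py is likewise a placeholder.

```python
"""Probe an upstream resolver for NXDOMAIN rewriting and 53/UDP interception.

Added example for the dns-operations thread above; standard library only.
"""
import os
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
BOGUS_RESOLVER = "192.0.2.1"   # assumption: TEST-NET-1 (RFC 5737), never answers on a sane path
PROBE_ZONE = "example.com"     # assumption: any random label under it must be NXDOMAIN


def build_query(name, qtype=1, txid=None):
    """Return (txid, wire bytes) for a recursive query of name/qtype (1 = A, IN class)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)


def _skip_name(data, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Return (rcode name, answer count, list of A-record addresses) from a raw response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        off = _skip_name(data, off) + 4
    a_records = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return RCODE_NAMES.get(rcode, str(rcode)), an, a_records


def classify_nxdomain_probe(rcode, a_records):
    """A name that cannot exist must come back NXDOMAIN; A records instead mean rewriting."""
    if rcode == "NXDOMAIN":
        return "clean"
    if rcode == "NOERROR" and a_records:
        return "nxdomain-rewriting"
    return "inconclusive"


def udp_query(server, query, timeout=2.0):
    """Send one query over 53/UDP; return the raw reply or None on timeout/unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
        return data
    except OSError:          # socket.timeout is a subclass of OSError
        return None
    finally:
        sock.close()


def probe_rewriting(resolver):
    """Ask the resolver for a random label under PROBE_ZONE and classify the reply."""
    name = os.urandom(8).hex() + "." + PROBE_ZONE
    txid, query = build_query(name)
    data = udp_query(resolver, query)
    if data is None:
        return "inconclusive"
    rcode, _an, a_records = parse_response(data, txid)
    return classify_nxdomain_probe(rcode, a_records)


def probe_interception(bogus=BOGUS_RESOLVER):
    """Query an address that cannot answer; any well-formed reply means 53/UDP is intercepted."""
    txid, query = build_query("example.com")
    data = udp_query(bogus, query)
    if data is None:
        return "no-interception-detected"
    parse_response(data, txid)       # raises if the reply is not even a DNS response
    return "port-53-intercepted"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dns_probe.py <resolver-ip>")
    print("NXDOMAIN rewriting:", probe_rewriting(sys.argv[1]))
    print("53/UDP interception:", probe_interception())
```

Run it as "python dns_probe.py <resolver-ip>" from inside the network in question. A "clean" result from the first probe and "no-interception-detected" from the second is what a resolver you can rely on looks like; "nxdomain-rewriting" is the behaviour the post objects to, and "port-53-intercepted" means the query never reached the address you sent it to, so no amount of choosing a better distant resolver would help until the interception is removed. A validating resolver does not change the expected answers here: a random label under a signed zone still yields NXDOMAIN.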
