[dns-operations] Should medium-sized companies run their own recursive resolver?

Vernon Schryver vjs at rhyolite.com
Wed Oct 16 15:03:56 UTC 2013


> From: Bob Harold <rharolde at umich.edu>

> I think the problem with a "DNS appliance" is that it becomes an open DNS
> resolver, unless it is configured to know the subnet(s) used internally,
> and updated every time that changes. I don't think the firewall could
> reasonably be asked to block only recursive DNS traffic, although perhaps
> it could block all inbound DNS requests, except to an internal
> authoritative DNS if you had one. I cannot think of any other simple
> workaround. Users are likely to find some way to "turn off" the recursion
> limiting anyway, like setting the internal subnet to 0.0.0.0/0, which
> "solves" their problem of updating it when subnets change, but leaves it
> open to the world.

There is a trivial and easy way to keep a recursive DNS server intended
for an organization with a 2 person IT department from being open to
the entire Internet.  Set the IP TTL on responses, both TCP and UDP, to
a small number such as 3 or 5.

There are business reasons to keep a small DNS appliance intended for
a small business with a 2 person IT department from being used by a
big outfit.  You might limit the number of DNS responses per second,
hour, or day, but it might be better instead or also to limit the
number of client IP addresses.  It would be trivial and easy for a DNS
appliance to require ACLs permitting no more than X IPv4 addresses and
Y IPv6 /64's.  Ship it configured with 10.0.0.0/8 and have it refuse
to accept non-RFC 1918 ACLs with too big a total.

A little monitoring of requests from unexpected IP addresses and some
GUI sugar would make it easier for users to maintain their ACLs than
what I've seen in the DNS, AD, WINS, etc. settings of a Windows box.


Vernon Schryver    vjs at rhyolite.com
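One way to enforce the ACL-size rule from the second paragraph, as an added example that is not code from the post or from any DNS appliance: RFC 1918 space is always accepted (the suggested 10.0.0.0/8 default included), anything else is counted toward a cap on IPv4 addresses and IPv6 /64s, and an entry such as the 0.0.0.0/0 "fix" from the quoted message is refused. The caps of 256 IPv4 addresses and 16 IPv6 /64s, and treating IPv6 ULA (fc00::/7) as the IPv6 analogue of RFC 1918, are assumptions chosen for illustration.

```python
import ipaddress

# Constructed example: private prefixes are always allowed; public prefixes
# count toward the X (IPv4 addresses) and Y (IPv6 /64s) caps from the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")  # assumed IPv6 analogue of RFC 1918

DEFAULT_ACL = ["10.0.0.0/8"]  # the shipping default the post suggests


def is_private(net):
    """True if the prefix lies entirely inside RFC 1918 (v4) or ULA (v6)."""
    if net.version == 4:
        return any(net.subnet_of(p) for p in RFC1918)
    return net.subnet_of(ULA)


def public_weight(net):
    """Return (ipv4_addresses, ipv6_slash64s) consumed by a non-private prefix."""
    if net.version == 4:
        return net.num_addresses, 0
    # A prefix longer than /64 still sits inside one /64; shorter ones span many.
    return 0, (1 << (64 - net.prefixlen)) if net.prefixlen <= 64 else 1


def check_acl(entries, max_v4=256, max_v6_64s=16):
    """Validate an allow-list of CIDR strings.

    Returns (ok, public_ipv4_addresses, public_ipv6_slash64s, unparsable).
    ok is False when any entry is malformed or either cap is exceeded, so
    0.0.0.0/0 or ::/0 can never be accepted as a workaround.
    """
    v4 = v6 = 0
    bad = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
            continue
        if is_private(net):
            continue
        a, b = public_weight(net)
        v4 += a
        v6 += b
    ok = not bad and v4 <= max_v4 and v6 <= max_v6_64s
    return ok, v4, v6, bad
```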
