[dns-operations] Should medium-sized companies run their own recursive resolver?
vjs at rhyolite.com
Wed Oct 16 22:39:37 UTC 2013
> From: Jared Mauch <jared at puck.nether.net>
> Understanding how this works is not networking or DNS 101. Limiting
> the scope with TTL isn't that easy.
> Can you point someone at docs for how to do that in a point and click fashion?
Can you address the issues instead of dragging in irrelevancies?
The operating system on that hypothetical, as yet non-existent "DNS
appliance" that could use the TTL to keep it from being an open resolver
might need a new setsockopt or socket ioctl to set a per socket TTL.
You have my opinion as someone who has done such things professionally
that in at least the BSD stack, such a change, if necessary, would be
trivial. I strongly suspect that would also be trivial in the Linux
code. That assumes that your DNS server code does not use other,
existing but less application-programmer friendly mechanisms.
GUI pointing and clicking to maintain a suitable stanza into a DNS
server text configuration file would be almost as trivial.
} From: Jared Mauch <jared at puck.nether.net>
} Comcast doesn't give me broken name servers to use, there is no cognitive dissonance here :-)
That statement asserts facts not in evidence.
} You are a DNS expert. Most end users when DNS fails think everything has failed, including the network.
} I type URLs into my browser. Do you know how many people type google into the google search box? Or the yahoo box?
Yes, and as I wrote, it is unrealistic, unnecessary, and wrong to
expect users such as the IT professionals in that 2-person department
to determine whether an ISP DNS servers is broken. It should be
realistic and should be required that one of them to be able to determine
whether BIND or NSD on a whitebox is working. The intentional breakage
of ISP DNS servers is too subtle. It's not merely NXDOMAIN rewriting
but other craziness like AAAA filtering for IPv4 clients. (Again, in
the context of consumer households, that crazy breakage might be good
and even necessary.)
} You seem disconnected from the average user and average user tech support.
Why do you always descend to ad hominem? I have some experience with
"average user tech support," thank you very much. Your mail was to
me delayed while I wrestled with CenturyLink's Asian (he refused to
be more specific, but I heard Hindi when he got confused with his mute
button and in the background when his squelch hiccuped) "average user
tech support" that wanted me to "reboot the modem" and tell him the
version of Windows on "the" computer. (After the third time I blew
up, he started listening and called someone who helped him, so that
we ended the call with my DSL carrier restored and the ticket closed.)
Why do you insist on talking about irrelevant scenarios involving end
users? Neither of the people in that 2 persion IT department would
admit being average end users. Of course they would not know as much
about DNS as they might, but they could understand that hypothetical
DNS appliance at least as well as their LDAP, AD, HTTP, and SQL servers.
More important, why do you ignore my point about required minimum
competence? Long ago, you could buy an airplane and go into business
with it without getting permission. Not so long ago, you could buy
or lease 5 acres and grow olives, melons, or corn with no worries about
licenses or going to jail if an animal happens to defecate upstream.
Neither is possible today. (In at least Calif you need state health
inspections and licenses to sell your own olive oil.) You don't need
a degree in aeronautical engineering to be a pilot or in communicable
diseases to farm, but you must demonstrate minimal competence. It
should also not be possible to get a job in the 2 person IT department
at issue without understanding enough about DNS to install and maintain
a white box run a simple BIND, NSD, or other recursive DNS server.
} Even small networks (I have a friend with a ~100 user wisp) shouldn't run their own caches. The economics of it don't support this.
"Economics" in this century have nothing to do with where and when
local DNS caches are good or bad, necessary or useless.
I am offended on behalf of those hypothetical IT professionals by your
persistent infantilizing them. Attitudes like yours in ISPs are why
there there is so little BCP38 compliance and so many open resolvers.
If ISPs would refuse to route packets to customers that can't comply
with BCP38 or that run unnecessary open resolvers or open resolvers
unprotected by rate limiting, then a lot of problems would go away.
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations