[dns-operations] Best practices for Linux/UNIX stub resolver

Joe Greco jgreco at ns.sol.net
Wed Apr 30 09:28:03 UTC 2014


> On 30 Apr 2014 at 12:47, Klaus Darilion wrote:
> > I agree with the bad behavior of the stub resolver.
> > 
> > On 22.04.2014 21:04, Chuck Anderson wrote:
> >> 2. Use a local DNS daemon on every server with forwarders configured
> >>    to the network's nameservers, and fix resolv.conf to 127.0.0.1.
> > 
> > The problem here is that you add another single point of failure - your local resolver. If it crashes and is not automatically restarted (which is the case for default Unbound and Bind installations) your DNS is broken too.
> 
> If your local resolver crashes, you might have more concerns to think about than your local DNS service (memory exhaustion on your server for instance).
> Stable versions of unbound and bind run quite well for months or years without problems.

The local resolver is the most comprehensive solution.  However, we
all know it isn't completely reliable.  So since the '90s we've
been putting a forwarding+resolving nameserver on each host which 
attempts to use the sitewide resolvers (forwarders configuration)
but will fall back to visiting the roots if needed to resolve a 
name.  Then we wire in localhost and the sitewide resolvers into
resolv.conf.

The result is that things continue to work, albeit in a degraded 
mode, while the klaxons sound and someone comes to ascertain what
went wrong with whatever nameserver broke.

Back in the day, we used to have a wrapper script on the local named
process because of the relative likelihood of failure, but for some
reason we stopped doing that a while back and I can say that it's
better these days, as I cannot recall the last time we actually had
to restart a host's named.

If you want to compare that to Windows, please note that it's not
too horribly difficult to break its nameservice, which may be more
fragile than the typical Unbound or BIND installation.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
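
The layout described in this message, written out as an added example; it is not part of the original post and not the poster's own configuration. It assumes BIND 9 as the local daemon, uses constructed 192.0.2.x addresses in place of the sitewide resolvers, and the `options` line in resolv.conf is an assumption.

```conf
# --- /etc/named.conf (fragment, BIND 9) -----------------------------
options {
    // Serve only this host.
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query  { localhost; };

    recursion yes;

    // Sitewide resolvers (constructed placeholder addresses).
    forwarders { 192.0.2.53; 192.0.2.54; };

    // "first": ask the forwarders, and if they do not answer, resolve
    // from the roots using BIND's built-in root hints.
    // "forward only" would remove that fallback.
    forward first;
};

# --- /etc/resolv.conf -----------------------------------------------
# Local daemon first, then the sitewide resolvers directly, so lookups
# still succeed if the local named is down.
# glibc uses at most three nameserver lines.
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.54
# Assumption, not from the post: shorter per-server wait than the
# glibc defaults (timeout:5 attempts:2) so failover is quicker.
options timeout:1 attempts:2
```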


