Alexander Neilson alexander at neilson.net.nz
Wed Dec 31 13:05:35 UTC 2014

I am a relatively new operator of DNS servers and have inherited a rather messy existing system.

In the past year I have been learning more about the operation of DNS servers and some of the aspects that hadn't been addressed before in our system.

Some of the changes implemented in the last year:
* Recursive resolvers now verify DNSSEC
* Improved ACL configuration to protect from attacks
* IPv6 access to resolving and authoritative servers
* Resolved fragmentation issues to allow full 4096-byte EDNS resolution

We operate several DNS servers; new ones are either recursive or authoritative. However, we also have an older server deployment that does both at once. We are working on splitting these roles apart by migrating the authoritative zones off to the new authoritative group.

What I am looking for is people's advice as to where I can next study up to understand the deeper aspects of DNS. I am particularly looking at performance tuning and resilient architecture; however, I would welcome any good resources that provide a good understanding of the deeper details of the operation of DNS.

To give an idea of the current top questions I have (though I am not limiting myself to learning about these):

* Prioritisation of root servers (my analysis of my server queries shows a high proportion of queries to a.root-servers.net; however, I have identified that this is one of the lowest-performing root servers in terms of response time from where I am located). I would like to prefer the 6 root servers with the best response time (I have found 6 with an RTT of less than 5ms, while the rest show an RTT of ~180-200ms).

* Design considerations / advantages of preloading the root zone (obviously I have root hints; however, what are the benefits of preloading the root zone statically versus just relying on resolving via the hints?)

* Architecture advantages / disadvantages for building resilient systems (i.e. are there advantages to building a system with a "hidden" master with the public authoritative servers as slaves to this master? Are DNS views recommended for resolving "internal" DNS results, or are they just at risk of fat-finger errors providing internal addresses to management teams?)

We use BIND as our server at the moment; however, I prefer to have a deep understanding of both the protocol and the process defined in the RFCs (and real-world practice / interpretation), plus how individual implementations handle it.

Please feel free to let me know if this is too far off topic for this list; I apologise if so. I believe it would fall under operational, as a better understanding of the real-world impacts of decisions, however I may be drawing a bit of a long bow. If people feel it's off topic, please feel free to provide any of this feedback to me directly off list so I don't clog up people's inboxes.
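To illustrate the "hidden master" layout and the view split asked about in the post above, the following is an added BIND 9 configuration example; it is not part of the original message and not the poster's own configuration. Every address is an RFC 5737 / RFC 3849 documentation address, the zone names, key name and TSIG secret are placeholders, and the file paths are assumptions; substitute your own. It shows three pieces: the hidden master (never named in the NS set, answers only its secondaries, transfers only with TSIG), a public secondary, and a resolver with an internal/external view pair.

```conf
// Added example, not from the original post. Hidden-master layout plus a
// resolver view split. Addresses, names, key and paths are all placeholders.

// ======== named.conf on the hidden master (198.51.100.5) ========
// The master is NOT in the zone's NS records; only the secondaries are public.
key "xfer-key" {
    algorithm hmac-sha256;
    // Placeholder. Generate with: tsig-keygen xfer-key
    // (or on older BIND: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key)
    secret "REPLACE_WITH_BASE64_SECRET";
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; 2001:db8:1::10; };

options {
    directory "/var/named";
    recursion no;                        // authoritative only, never recursive
    listen-on { 198.51.100.5; };
    allow-query { secondaries; };        // hidden: nobody else can even query it
    allow-transfer { key "xfer-key"; };  // AXFR/IXFR only with the TSIG key
    notify explicit;                     // NOTIFY the listed hosts, not the NS set
    also-notify { 192.0.2.10; 192.0.2.11; 2001:db8:1::10; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};

// ======== named.conf on each public secondary (e.g. 192.0.2.10) ========
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // same placeholder secret as the master
};

server 198.51.100.5 { keys { "xfer-key"; }; };  // sign SOA/XFR queries to the master

options {
    directory "/var/named";
    recursion no;
    allow-query { any; };             // this is the face the Internet sees
    allow-transfer { none; };         // never offer zone dumps to the world
    allow-notify { 198.51.100.5; };   // only the hidden master may NOTIFY us
};

zone "example.com" {
    type slave;
    masters { 198.51.100.5 key "xfer-key"; };
    file "slave/example.com.zone";
};

// ======== named.conf on a recursive resolver with views ========
// Once any view exists, every zone statement must live inside a view.
// Views are matched in order, so the internal view comes first.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

acl "internal-nets" { 10.0.0.0/8; 2001:db8:2::/48; };

view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    dnssec-validation auto;
    // Internal-only zone, pulled from the same hidden master over TSIG.
    zone "corp.example.com" {
        type slave;
        masters { 198.51.100.5 key "xfer-key"; };
        file "slave/corp.example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;          // outsiders get REFUSED, and corp.example.com is not here
};
```

A practical check for the "fat finger" worry: after every reload, query the resolver for a name in the internal zone from an address outside `internal-nets` (for example `dig @<resolver> host.corp.example.com A`) and confirm the answer is REFUSED rather than an internal address; do the same against each public secondary with `dig AXFR example.com` and confirm the transfer is refused without the key. On the hidden master, `named-checkconf` and `rndc status` will tell you whether the configuration parsed and the zones loaded before any NOTIFY goes out.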


