[dns-operations] resolvers considered harmful

Florian Weimer fw at deneb.enyo.de
Thu Oct 23 19:22:55 UTC 2014

* Paul Vixie:

> BIND9 runs fine on windows and macos laptops. so, without even touching
> the real growth area of the edge (which is mobile devices like smart
> phones), you can get a sense of how rarely you'll be able to perform dns
> lookups, if you just switch to as your name server (override
> this in your dhcp settings) and run a recursive dns server there.

I have run recursive resolvers on more-or-less consumer-grade Internet
connectivity for more than a decade.  It works reasonably well,
although adjusting the EDNS buffer size might be necessary, and some
resolver hardening options result in so many UDP flows that NAT
devices give up.

But the only time I ran into persistent problems running my own
resolver was when I still used a host in a data center for VPN
termination, and the data center operator blocked 53/UDP to the
ISC.ORG name servers.
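A small probe for the two failure modes this reply mentions (a reply that does not fit the advertised EDNS UDP buffer, and a path on which 53/UDP towards an authoritative server is filtered), added here as an example; it is not code from the thread, from BIND, or from any other resolver. It builds a raw DNS query with an EDNS0 OPT record advertising a chosen payload size, parses whatever comes back, and classifies the result as an answer, a truncated (TC) reply, a non-zero RCODE, or a timeout. The sample responses, the 192.0.2.1 answer address and the function names (`build_query`, `parse_response`, `classify`, `probe_udp`) are constructed for this example.

```python
import random
import socket
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41          # RFC 6891 pseudo-RR carrying the EDNS UDP payload size

FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200           # set by the server when the reply was cut to fit the buffer
FLAG_RD = 0x0100


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=DNS_TYPE_A, edns_size=None, txid=0x1234, rd=False, do=True):
    """Build a query; with edns_size set, append an OPT RR advertising that UDP buffer."""
    flags = FLAG_RD if rd else 0
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_size is not None:
        ttl = 0x80000000 if do else 0      # DO bit is the top bit of the OPT TTL field
        # OPT: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_size, ttl, 0)
    return msg


def skip_name(data, off):
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(data):
    """Extract the header bits we care about plus the server's own EDNS buffer size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4     # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            edns_size = rclass             # CLASS field doubles as payload size in OPT
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an, "edns_size": edns_size}


def classify(resp, txid):
    """Map a parsed reply to the outcome a resolver operator would look at."""
    if resp["id"] != txid or not resp["qr"]:
        return "bogus"                     # wrong transaction ID or not a response at all
    if resp["tc"]:
        return "truncated"                 # reply exceeded the buffer; retry over TCP or raise it
    if resp["rcode"] != 0:
        return "rcode %d" % resp["rcode"]
    return "answer"


def probe_udp(server, qname, edns_size, timeout=2.0, port=53):
    """Send one query on 53/UDP; a timeout means filtering or a lost fragmented reply."""
    txid = random.getrandbits(16)          # unpredictable ID, as any real client must use
    query = build_query(qname, edns_size=edns_size, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return "timeout"
    return classify(parse_response(data), txid)


def build_sample_response(txid, qname, tc=False, edns_size=None, answer_ip=None):
    """Constructed reply for offline use; not captured from any real name server."""
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if tc else 0)
    ancount = 1 if answer_ip else 0
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", DNS_TYPE_A, 1)
    if answer_ip:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, 1, 300, 4) + socket.inet_aton(answer_ip)
    if edns_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_size, 0, 0)
    return msg


if __name__ == "__main__":
    import sys
    server, qname = sys.argv[1], sys.argv[2]
    for size in (None, 512, 1232, 4096):
        print("edns=%s -> %s" % (size, probe_udp(server, qname, size)))
```

Run it as `python probe.py <authoritative-server-ip> <name>`: a run of "timeout" for every buffer size points at 53/UDP being filtered on the path, while "answer" at 512 or 1232 but "timeout" at 4096 points at fragmented replies being dropped, which is the case where lowering the resolver's advertised EDNS buffer size helps.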

