Seconding pretty much everything Dennis just said. One additional thing to
consider:

Having access to debug-level log files for every DNS query can be one quick
and highly effective method of identifying an individual customer/CPE that
has something virus/worm/trojan compromised on their home network. Not
saying you should blackhole DNS stuff but rather use the logs as one of a
set of diagnostic tools when you see suspicious traffic from a less than
technically clueful customer.
On Mon, Feb 12, 2018 at 2:35 PM, Dennis Burgess <dmburg...@linktechs.net>
wrote:

> I would not state that 8.8.8.8 or any of the public DNS servers out there
> that state that you can use their DNS servers are bad. However, think of
> these two issues:
>
> 1. What happens when that DNS server returns answers (still
> responds), just it takes 6000 ms to do so? Who do you contact?
>
> 2. If you are not paying for it, then what kind of influence can
> you have on it? I look at Google. Is Google within your circle of
> influence? No? You can’t pick up the phone and call them, you can barely
> find an e-mail to email them. And even if you could call them, you are
> not paying them anything, why do they care what is occurring? They don’t!
>
> DNS is a required function to work on-line, simple as that. If it’s slow,
> etc., then it’s your service that’s slow, not the DNS servers, hence why
> you need a fast responding DNS server.
>
> In this case, using your upstream and caching at the MT is most likely
> fine, and if you wish to put on a full-blown DNS server, then you can do so
> at minimal cost, but don’t use something that you can’t influence. I can
> tell people how many times I have found issues with DNS that they don’t own
> or control, and have little to say about how it operates. It’s wayyy too
> often.
>
> Dennis Burgess
>
> www.linktechs.net – 314-735-0270 x103 – dmburg...@linktechs.net
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Sterling Jacobson
> *Sent:* Monday, February 12, 2018 3:10 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] ISP in a box
>
> I think that was me you asked about those three items.
>
> AND we still use 8.8.8.8 DNS resolvers.
>
> I know, it’s bad, but one of my upstreams is directly on Google CDN so it
> ‘applies’.
>
> I do like redundancy though.
>
> So if you use one CCR, get two of them for your project; they are
> relatively cheap.
>
> With fiber you really don’t need the extra servers for bandwidth shaping;
> I just shape at the CPE or switch port.
>
> So in one cabinet you put say a 144-count panel and splice on, then get an
> SFP switch and two CCR routers.
>
> I have used the 1036 CCR in some areas to start, and a pair of those
> running VRRP between them works great.
>
> Plug both into 10Gbps SFP+ ports on the switch/switches and you have
> ‘standard’ redundancy.
>
> Meaning you can bring in two 10Gbps links, one to each of the CCR units,
> and have redundant SFP+ links to the switch bank as well.
>
> They have more than enough horsepower to run DHCP, NAT, DNS etc. between
> them to fill the duties for the cabinet/site.
>
> Get a UPS (I use Alpha), and four batteries on it should work well.
>
> Cabinet can be 20 amp and run plenty of switches on that.
>
> I also buy an AC unit and attach it to the side of the cabinet.
>
> I put some monitoring in there on a separate managed network to keep track
> of power and heat/temp and track the switches/CPEs etc.
>
> That’s about it.
>
> Rinse, repeat.
>
> *From:* Af [mailto:af-boun...@afmug.com] *On
> Behalf Of *Chuck McCown
> *Sent:* Monday, February 12, 2018 1:02 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] ISP in a box
>
> Guess I don’t need DNS. 8.8.8.8 seems cheap and easy...
>
> *From:* Chuck McCown
>
> *Sent:* Monday, February 12, 2018 12:59 PM
>
> *To:* af@afmug.com
>
> *Subject:* [AFMUG] ISP in a box
>
> Had a subdivision developer contact me, wanting service for their hundred
> or so homes.
>
> I can get DIA close to the area at a reasonable area. It will require
> some build, but that is OK; that is something in which I feel some level of
> expertise.
>
> Considering a minimal NOC build.
>
> I asked this question of someone once before and I cannot find their
> answer. Not sure if asked on the list or not. But the answer went
> something like this:
>
>    1. Buy a big CCR.
>    2. Hire Linktechs to configure it.
>    3. Put in a big switch for the AE SFPs and rock and roll.
>
> I am sure I would need at least one server. DHCP, NAT, DNS?
>
> But can all of that be provided by the CCR?
>
> What is the smallest NOC configuration that could be created?
>
> Batts, rectifier, cooling.
>
> I really could put all this in a cabinet on the corner of the street.

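As an added example (not from any poster in this thread) of the DNS query-log triage suggested in the top reply, the Python below aggregates per-client statistics over constructed, simplified BIND-style query-log lines and flags the customer address that resolves known-bad names or a run of random-looking hostnames. The log line format, sample client addresses, hostnames, the known-bad list and the thresholds are all assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in a simplified BIND-style query-log format (assumption).
# 10.20.0.42 stands in for one customer CPE showing DGA-like lookups plus a known-bad name.
SAMPLE_LOG = """\
client 10.20.0.11#53412: query: www.example.com IN A +
client 10.20.0.11#53413: query: mail.example.net IN MX +
client 10.20.0.42#40001: query: x7qkz9vbt2.example.org IN A +
client 10.20.0.42#40002: query: p0m3lwq8ya.example.org IN A +
client 10.20.0.42#40003: query: zz91kqwmvb.example.org IN A +
client 10.20.0.42#40004: query: badhost.example.invalid IN A +
client 10.20.0.42#40005: query: q2m8xzlk0p.example.org IN A +
client 10.20.0.7#61000: query: updates.example.com IN A +
"""

# Constructed list of names the operator already treats as malicious (assumption).
KNOWN_BAD = {"badhost.example.invalid"}

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def is_random_label(name: str) -> bool:
    """Heuristic for DGA-style hostnames: a long leftmost label mixing letters and digits."""
    label = name.split(".")[0]
    return len(label) >= 8 and any(c.isdigit() for c in label) and shannon_entropy(label) > 3.0


def triage(log_text: str, known_bad=KNOWN_BAD, max_random: int = 3):
    """Return (per-client stats, set of client IPs worth a closer look)."""
    stats = defaultdict(lambda: {"queries": 0, "random": 0, "bad": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        s = stats[m["ip"]]
        s["queries"] += 1
        if m["name"] in known_bad:
            s["bad"] += 1
        elif is_random_label(m["name"]):
            s["random"] += 1
    # One known-bad lookup, or a burst of random-looking names, is enough to flag a CPE.
    flagged = {ip for ip, s in stats.items() if s["bad"] or s["random"] >= max_random}
    return dict(stats), flagged
```

The flagged address is a starting point for contacting that customer, not grounds for blackholing traffic; tune `max_random` against your own log volume before relying on it.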