Hi folks,

This has been a really timely discussion for us as we are wrestling with the 
same kinds of questions as Adam mentions.   With enough time (resources) and 
money, we would put a very robust DNS at each Direct Internet Access drain 
point.   However, we have been aggressively moving to reduce our footprint at 
DIAs so that we can have more of them and they require less intervention and 
maintenance.   Putting any kind of server there (Linux or otherwise) seems to 
complicate a pretty clean set up that is currently MikroTik and Powercode BMUs. 
  In fact, that is one of the biggest concerns we have if we were to move to 
Sonar is the need to start putting Linux devices in DIAs and towers (a topic 
for another day).   We do not provide authoritative DNS for customers and don’t 
need it for ourselves, so this is only a performance/cleanliness discussion.   
We see three main options:

  1.  Find an appliance-based device/server that is easy as heck to maintain 
and doesn’t require site visits.  Something like the MikroTik CCRs.  Put them 
at every DIA.
  2.  Run a regionally centralized DNS server in a data center and have the 
closest DIAs point to their respective data center DNS server.    This would 
reduce the number of servers and keep them in a data center environment
  3.  Rely on 3rd Party (google or otherwise).   We don’t believe our servers 
will be more reliable than the combination of multiple 3rd party options, so 
this is a performance decision.

I think the best decision would be a very simple appliance to sit in our DIAs, 
but we haven’t looked into it enough to see what exists.   By simple, we would 
be looking for something that we could do regular firmware updates only, and 
monitor with SNMP just like all our other network devices.

Regards,

David Coudron

From: Af <[email protected]> On Behalf Of Adam Moffett
Sent: Tuesday, April 3, 2018 9:04 AM
To: [email protected]
Subject: Re: [AFMUG] new DNS

It's clearly not hard.  It's obviously not expensive. I'm already doing it and 
have been for years.  But it's more than $0.

I've seen the geolocation issue in the past.  More recently I tried to 
demonstrate it to someone and it turned out that Google DNS and our own DNS 
gave us Netflix content from the same source.

If I used someone else's DNS and that 3rd party went away, then there are 
apparently 10 other "3rd parties" to choose from.  I recognize the point that 
it's a 3rd party and we don't want to rely on 3rd parties: But can we honestly 
say that our DNS servers are more reliable than Google or Cloudflare?

I'm not shutting down the DNS servers today, I'm just trying to look inward and 
analyze what we're doing and why.  Are we doing it because it actually makes 
sense or are we doing it because we've always done it and we can't imagine 
another way?



------ Original Message ------
From: "Justin Wilson" <[email protected]>
To: [email protected]
Sent: 4/3/2018 8:48:33 AM
Subject: Re: [AFMUG] new DNS

You have your own DNS for one huge reason. GeoLocation for when it comes to 
Content Networks such as Netflix.  One of the mechanisms they employ is using 
DNS Geolocation to serve you the closest content.  Not only do they do a 
GeoLocate on your IP, but some also do a check to make sure your DNS servers are 
coming from the same place as your customers. This is especially true if you or 
one of your upstreams is peered with Netflix or someone on an exchange. 
Otherwise, if you are using Google or other DNS you may be in Kansas, and you 
might be getting content from Netflix out of California, when you could be 
getting it literally next door.  Makes the customer experience much better. 
There are RFCs that address this, but if they are implemented is a crapshoot.

Secondly, relying on a 3rd party for such a critical service such as DNS can be 
troublesome.  Would you rely on someone else to provide the wireless signal to 
your customers blindly? If so, then offloading DNS is okay for you.  I want 
more control for such a critical service.

I hear folks worry about the bandwidth DNS takes up.  It’s not a concern either 
way.  If your network can’t support the bandwidth of DNS queries then you have 
deeper issues.

It’s hard.  No it’s not.  Tons of tutorials on BIND for every flavor of Linux.  
Just about any old machine lying around can run DNS.

If anyone wants to know how easy, and how cheap it is to spin up DNS (both 
recursive and authoritative) hit me up.  I will gladly talk with you about some 
strategy.

Justin Wilson
[email protected]

www.mtin.net
www.midwest-ix.com
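Justin says the tutorials for BIND are plentiful; the configuration below is an added example (not Justin's, and not anything posted in this thread) of the minimum a customer-facing recursive resolver should carry, with the one setting that most often goes wrong shown beside its fix. The customer prefixes, listen addresses and directory are placeholders taken from the documentation ranges.

```conf
// named.conf for a customer-facing recursive resolver.
// Added example; every address and prefix here is an assumed placeholder.

acl "customers" {
    203.0.113.0/24;      // assumed customer IPv4 block
    2001:db8::/32;       // assumed customer IPv6 block
    127.0.0.1;
    ::1;
};

options {
    directory "/var/cache/bind";
    listen-on { 203.0.113.53; };         // assumed resolver addresses
    listen-on-v6 { 2001:db8::53; };

    recursion yes;

    // Weak:      allow-recursion { any; };
    // That makes an open resolver, which anyone on the Internet can use for
    // DNS reflection/amplification against third parties.
    // Corrected: recursion and cache access only for the customer prefixes.
    allow-recursion   { customers; };
    allow-query-cache { customers; };
    allow-query       { customers; };

    // No zones are served from this box, so nobody should get a transfer.
    allow-transfer { none; };

    dnssec-validation auto;                    // validate with the built-in root trust anchor
    rate-limit { responses-per-second 20; };   // dampens reflection even from inside the ACL
    minimal-responses yes;                     // smaller answers, smaller amplification factor
    version "not disclosed";
};
```

A quick check after deploying: query the resolver from an address outside the ACL (a phone on LTE will do) for any external name; it should return REFUSED rather than an answer. The authoritative and recursive roles belong on separate servers, as Paul describes further down the thread, so this file deliberately has no zone statements.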


On Apr 3, 2018, at 6:34 AM, Paul Stewart 
<[email protected]> wrote:

I know there are often debates on here about running any servers, some servers, 
or doing everything in-house (mail, web, DNS etc).  Even if you outsource 
everything I would still run recursive caching DNS …. Performance and 
reliability the main reasons.  Some CDNs and other services determine the path 
to send you content based on where the DNS look up occurs and in our case 
that’s a significant factor …

We operate our own anycasted DNS …actually two of them.  One set of servers for 
recursive caching and another set for authoritative DNS.

Paul
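Justin's remark above that "there are RFCs that address this" and Paul's note that some CDNs pick a path based on where the DNS lookup occurs both point at the same mechanism, EDNS Client Subnet (RFC 7871): the resolver forwards a truncated prefix of the customer's address inside an EDNS0 option, so the CDN's authoritative server can geolocate on the customer's subnet rather than on the resolver's address. The following is an added example, not code from anyone in this thread. It builds a query carrying an ECS option the way a resolver does, then decodes it the way an authoritative server does, rejecting an option whose bits beyond the stated prefix are not zero. The hostname and addresses are constructed from the documentation ranges.

```python
"""EDNS Client Subnet (RFC 7871) on the wire: build and decode the option.

Added example, not code from the AFMUG thread. Hostname and addresses are
constructed placeholders from the documentation ranges.
"""
import ipaddress
import struct
from typing import Optional

OPT_ECS = 8        # EDNS option code for Client Subnet (RFC 7871 section 6)
TYPE_OPT = 41      # pseudo-RR type that carries EDNS0 options
FAMILY_IPV4 = 1    # IANA address family numbers used by ECS
FAMILY_IPV6 = 2


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """ECS option payload: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH
    (0 in a query), then only as many address bytes as the prefix needs."""
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix_len <= addr.max_prefixlen:
        raise ValueError("prefix length out of range for this family")
    # Zero the host bits: the resolver is meant to reveal a prefix, not the
    # customer's full address (/24 and /56 are the RFC's suggested defaults).
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    nbytes = (source_prefix_len + 7) // 8
    return (struct.pack("!HBB", family, source_prefix_len, 0)
            + net.network_address.packed[:nbytes])


def build_query(qname: str, client_ip: str, source_prefix_len: int,
                txid: int = 0x1234) -> bytes:
    """A complete A query: header, one question, one OPT RR carrying ECS."""
    # flags 0x0100 = RD; counts QD=1, AN=0, NS=0, AR=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    ecs = build_ecs_option(client_ip, source_prefix_len)
    rdata = struct.pack("!HH", OPT_ECS, len(ecs)) + ecs   # OPTION-CODE, OPTION-LENGTH
    # OPT RR: root NAME, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = extended RCODE/version/flags (all zero), RDLENGTH, RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(packet: bytes, off: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_ecs(packet: bytes) -> Optional[dict]:
    """Locate the OPT RR and decode its ECS option, as an authoritative server
    would. Returns None when no ECS option is present; raises ValueError for an
    option that violates the RFC 7871 encoding rules."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):               # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != OPT_ECS:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            if family == FAMILY_IPV4:
                total = 4
            elif family == FAMILY_IPV6:
                total = 16
            else:
                raise ValueError("unknown ECS address family")
            addr_bytes = body[4:]
            # RFC 7871: exactly ceil(source/8) address bytes, and every bit past
            # the prefix must be zero; anything else is a malformed option.
            if len(addr_bytes) != (source + 7) // 8 or len(addr_bytes) > total:
                raise ValueError("ECS address length does not match prefix")
            addr = ipaddress.ip_address(addr_bytes + b"\x00" * (total - len(addr_bytes)))
            net = ipaddress.ip_network(f"{addr}/{source}")   # strict: host bits set -> ValueError
            return {"family": family, "source": source, "scope": scope,
                    "subnet": str(net)}
    return None


def ecs_option_is_valid(packet: bytes) -> bool:
    """True only when the packet carries a well-formed ECS option."""
    try:
        return parse_ecs(packet) is not None
    except (ValueError, struct.error, IndexError):
        return False
```

Two caveats follow from the format. First, whether the CDN uses the prefix at all is up to the authoritative side, which is the "crapshoot" Justin mentions; most resolvers also only send ECS to authoritatives on an allow list. Second, the prefix the resolver chooses to reveal is a privacy decision about the customers, which is why the option carries a truncated network and the decoder refuses one that leaks host bits.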


From: Af <[email protected]> on behalf of 
"Forrest Christian (List Account)" 
<[email protected]>
Reply-To: <[email protected]>
Date: Tuesday, April 3, 2018 at 4:33 AM
To: af <[email protected]>
Subject: Re: [AFMUG] new DNS

Because it's good for your customers, and it should take very little time to 
set one up.

The main reason for this is so that websites serve data from the closest server 
due to the way that DNS anycast works.

And, the biggest one - to have control over a critical piece of infrastructure 
for your customers.  What happens if one of these public DNS services goes down 
and you have hundreds of customers pointing at it?

On Mon, Apr 2, 2018 at 11:33 PM, Adam Moffett 
<[email protected]> wrote:
Someone remind me again why I have my own recursive DNS.


------ Original Message ------
From: "Josh Reynolds" <[email protected]>
To: [email protected]
Sent: 4/2/2018 3:22:57 PM
Subject: Re: [AFMUG] new DNS

Yes, bunch of discussions over the past few days on NANOG and some of the 
vendor mailing lists.

On Mon, Apr 2, 2018, 2:21 PM Travis Johnson <[email protected]> 
wrote:
https://gizmodo.com/how-to-speed-up-your-internet-and-protect-your-privacy-1824256587

Faster and more private than Google or others. :)

Travis



--
Forrest Christian CEO, PacketFlux Technologies, Inc.
Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602
[email protected] | 
http://www.packetflux.com

