Use nameservers that support DNS COOKIE (RFC 7873) and enable it if it is not already on by default.  If the nameserver vendor that you are currently using doesn’t support DNS COOKIE, find a better nameserver.  DNS COOKIE provides cheap protection against off-path DNS spoofing, but it only provides protection if both server and client support it.

It’s been 9 years since RFC 7873 was published and in that time just about all of the servers with broken EDNS implementations that failed to ignore unknown EDNS options, as per RFC 6981, have been replaced with ones that are RFC compliant.  If you previously disabled sending DNS COOKIE requests in the past it is time to re-enable it.

Mark

> On 8 Aug 2025, at 10:44, DurgaPrasad - DatasoftComnet via NANOG 
> <[email protected]> wrote:
> 
> Hello all,
> Do you have any recommendations for recursive DNS servers for a medium sized (20-30k users) ISP.
> We have used powerdns and unbound but sometimes find the caching times a bit on upper side. Any suggestions between these two or anything new?
> Also need points on how much we tune the settings, pros and cons if any.
> 
> Thank you /DP
> _______________________________________________
> NANOG mailing list 
> https://lists.nanog.org/archives/list/[email protected]/message/SUTKDISSISPWQY3YGF25FBQNN2JD5HDP/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/[email protected]/message/OQ3H56AJA6LRKV3KRIDI7OMFCMV55PGI/
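A way to verify what Mark recommends, added here as an example that is not part of the thread and not ISC's code: it builds a query carrying an 8-byte client cookie, walks the reply's OPT pseudo-RR for the COOKIE option (code 10), and classifies the reply as supporting cookies, echoing a cookie that is not ours (discard it), or ignoring the option. The helper names, the 1232-byte UDP size and the constructed reply are assumptions of this example, not taken from the page.

```python
import struct

COOKIE_OPT, OPT_TYPE = 10, 41   # EDNS COOKIE option code (RFC 7873); OPT pseudo-RR type

def _skip_name(msg, off):
    """Offset just past a wire-format name, handling a compression pointer."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def _opt_rr(options):   # root name, type 41, 1232-byte UDP size (assumed), no extended flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options)) + options

def build_cookie_query(qname, client_cookie, msg_id=0x1234):
    """A/IN query for qname carrying only the 8-byte client cookie (what a resolver sends)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    return header + question + _opt_rr(struct.pack("!HH", COOKIE_OPT, 8) + client_cookie)

def extract_cookie(msg):
    """(client_cookie, server_cookie) from the COOKIE option, or None if no such option."""
    (qd, an, ns, ar), off = struct.unpack("!HHHH", msg[4:12]), 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):                           # walk every RR, look for OPT
        off = _skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H", msg[off:off + 2])[0], struct.unpack("!H", msg[off + 8:off + 10])[0]
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                        # iterate EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == COOKIE_OPT and 8 <= olen <= 40:
                return body[:8], body[8:]                   # server part is empty if not supplied
    return None

def check_reply(reply, client_cookie):
    """'ok' = our cookie echoed plus an 8..32-byte server cookie; 'mismatch' = not ours or no server cookie (discard); 'unsupported' = no COOKIE option."""
    found = extract_cookie(reply)
    if found is None:
        return "unsupported"
    client, server = found
    return "ok" if client == client_cookie and 8 <= len(server) <= 32 else "mismatch"

def constructed_reply(query, server_cookie):
    """Constructed reply for offline testing: our own query with QR/RA set and a server cookie appended."""
    head, opt = query[:-23], query[-23:]                    # our OPT RR is the last 11 + 4 + 8 bytes
    option = struct.pack("!HH", COOKIE_OPT, 8 + len(server_cookie)) + opt[-8:] + server_cookie
    return head[:2] + b"\x81\x80" + head[4:] + _opt_rr(option)
```

Against a live resolver, generate the client cookie with `secrets.token_bytes(8)`, send the query over UDP port 53 and pass the datagram to `check_reply`; a server that ignores the option returns "unsupported".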
