Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 2013-10-14 11:21, Marco Davids (SIDN) wrote:
> On 10/14/13 7:18 PM, Carlos M. Martinez wrote:
>> I run my own recursive server for my four machine network. So I guess the answer is just, 'of course'.
> Especially if the ISP doesn't support DNSSEC validation ;-) (and you better run two, for redundancy)
> -- Marco

I missed all of this thread due to email problems, which still haven't been fully resolved... but that hasn't stopped the flow of other problems :(

I was thinking back that I first started running my own recursive server (on the Linux server that I was doing NAT on to share my connection) less than a year after I got home broadband service. Which on more than one occasion left me oblivious to my co-workers complaining of broadband outages... that didn't affect me. Yup, the ISP's recursive servers were down.

Having my own local DNS makes it a lot easier to have names for everything on my home network, now that it is getting harder to find an octet that isn't already in use that is meaningful to what I'm adding to my network. I.e.: I had two laptops, a 12.1 and a 14.1; x.x.x.121 and x.x.x.141 were their IPs respectively. Then an 11.6: x.x.x.116. Though I was growing to 7 ReplayTVs... the x.x.x.11 - x.x.x.17, and then I jumped to TiVos, x.x.x.10, x.x.x.20 ... x.x.x.50. And then I got a 50" TV... oops, already have something at x.x.x.50.

Later I grew to running two servers at home. Don't recall if that was before or after I started having two broadband connections into my home network. But I didn't get to setting up DHCP failover until much later. I know I had some bad home outages due to my server dying. Until recently, they had always been off-lease desktops...

The only thing that has bit me once in a while... is that my home recursive servers require DNSSEC validation. Made it tricky getting into work, when the person updating our registrar selected type 7 instead of 8 for key type. Didn't occur to me that I should just bypass my own resolvers.
So, now that I'm working for a much larger organization, I have 16 recursive servers, and there aren't supposed to be any others, but others have insisted on trying to set up their own on campus, many of which end up being discovered as open resolvers... others run into problems due to our split DNS and not knowing where the internal authorities are. Of the 16, 6 are for general campus use, 2 are for our datacenter. And the others are email related, and have extra stuff related to Spamhaus. Our servers require DNSSEC validation, and it seems I hear less and less about .gov DNSSEC problems because the people that have those problems have found that using public recursive resolvers fixes the problem.

There's some discussion of reducing all the datacenter and campus resolvers to a single appliance. Should be interesting to see how that goes. There were pitchforks and such when I said that in the near future one of the old recursive resolvers would be going away. It didn't go away until 2.5 years later, and the replacements had been up for almost 2 years (though nobody seems to want to change to it). But it was our datacenter DNS server located in an open (outside the firewall) subnet. Our authority servers also used to be in this range, and were also open resolvers. It had stopped being our datacenter DNS server after it got DoS'd by servers on campus.

At that time there were 3 general campus resolvers. It was more about two locations on campus where the hardware was physically located... another time there had been discussion of going to 3 locations, possibly even 4 locations. And that's just for main campus. There had been a server at our Salina campus, but local IT had blocked its users from it and were trying to get their own working (but couldn't resolve hosts inside the split... which they got around by passing post-its of the IP addresses). One for our Olathe campus had been discussed, but nothing yet.
Also interesting was that they were looking at utilizing some content filtering feed with the appliance, probably similar to the Spamhaus DBL RPZ (wonder if there's a way to process my rblsync'd files to make an RPZ...). But how useful would it be, if users can just make their computers point to Google or OpenDNS instead? Or perhaps they were talking about a different appliance to do this.

I had wondered if they had looked at having all our authoritative DNS servers in the cloud; that way when they got DDoS'd, it wouldn't have the kind of impact that we had earlier this year. I know I thought about it. ;) Though would probably have to find somewhere in the cloud that isn't metered.

On 10/14/13 2:08 PM, Paul Hoffman wrote:
> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 17.10.13 00:12, Jared Mauch wrote:
> Even small networks (I have a friend with a ~100 user wisp) shouldn't run their own caches. The economics of it don't support this.

Care to elaborate on this economic problem?

Just a reference point: Most of today's smartphones already have more resources than the DNS resolvers many small ISPs already use, and those ISPs don't suffer from any kind of trouble because of that. And these smartphones are considered disposable tech.

Daniel

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 17, 2013, at 4:09 AM, Daniel Kalchev dan...@digsys.bg wrote:
> On 17.10.13 00:12, Jared Mauch wrote:
>> Even small networks (I have a friend with a ~100 user wisp) shouldn't run their own caches. The economics of it don't support this.
> Care to elaborate on this economic problem?
> Just a reference point: Most of today's smartphones already have more resources than the DNS resolvers many small ISPs already use, and those ISPs don't suffer from any kind of trouble because of that. And these smartphones are considered disposable tech.

He's power/space constrained in some locations. It's also not cheap to get equipment that will run in a shed at the base of a tower that's not climate controlled. There is some hardware that could be used for this, but the cost of pointing at his upstream or someone else is much lower and reduces any possible OPEX on his side for it. There's also the need for monitoring, care and feeding, etc.

100 subscribers and not a lot of profit means lack of capital to invest. Easier to just outsource to upstream/3rd party.

Also, customer CPE equipment is poor and doesn't scale well for the current rate of DNS queries needed to load a webpage and the volume of devices now in the home. Many pages will require 100+ elements or DNS queries to transact the basics. This means tech support calls for "network is down" or "intermittent" that require hard-coding to work around the busted CPE gear (e.g.: use these resolvers instead of those I just got from DHCP). He's small so ends up making house calls to fix things for those that are unable to do it themselves.

- Jared
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
From: Jared Mauch ja...@puck.nether.net

> I think the difference is this is an -operations list, so I'm looking at/around things that can be done to operate the equipment.

Then object to the hypothetical DNS appliances proposed by others on the grounds that Amazon doesn't sell them today instead of nonsense about technical impossibilities and pointing-and-clicking IP TTLs.

>> GUI pointing and clicking to maintain a suitable stanza in a DNS server text configuration file would be almost as trivial.
> This certainly can be true, but the average operator isn't going to understand that IP TTL != DNS TTL, and may not even be aware of that part of the packet.

That's irrelevant, because the user interface would not talk about IP TTL any more than it now talks about IP fragmentation, wire format decompression, or other arcana. The UI might ask about the number of routers or address blocks in the organization. Better would be to not ask the user at all, but sell the box for use in organizations of at most 100 users and 5 IP address blocks. The 2 IT professionals in the scenario at issue would know their number of IP address blocks and routers and so a good upper bound on TTLs even if they can't spell IGP, because they'd be paying the ISP bill.

> The average user is going to use a document like this to configure their DNS: https://support.google.com/a/answer/48090

Yes, and so what? Knowing how many IP address blocks you've rented from Comcast is less obscure than messing with the MX and CNAME RRs that document talks about. To foreclose yet another nonsense objection, if you have 5 blocks, then a TTL of 6 or 10 would close your resolver. That a smaller TTL that depends on topology would also work is irrelevant.

> Most of these advanced DNS things like RRL, RPZ and others aren't for the faint of heart. Most people don't watch/monitor logs like those here.

RPZ is easier to use in common cases than a classic DNSBL, and RRL is even easier.
Operators have trouble only because they insist on fiddling with knobs that they don't and don't need to understand. Instead of copying the 4 line configuration from the RRL web page, they read all of the documentation and set all of the knobs to crazy values because they understand less than they realize. When the glamour of RRL and RPZ has worn off, users will treat them as boring black boxes like DNSBLs in SpamAssassin, and most of the complaints will stop.

> I can't even get my vendors to fix their software bugs after months of saying "it breaks when I do X, and I pay you $X mm/year to service these, including the software updates." Even for those advanced in the space, these things are difficult, unclear and fragile at best.

From my perspective with decades on the vendor side, most of the problems are caused by users who insist on changing and controlling things that they haven't had and never will have time or inclination to really understand. Much of that lack of understanding comes from hard to understand documentation such as mine for RRL and RPZ, but the operational problems are caused by administrators who are incapable of saying or even thinking "I don't know (and so should keep my mitts off)", and so can't imagine or admit that `named -c/dev/null` might work fine.

Talk about pointing-and-clicking IP TTLs to close resolvers is an example. The low level documentation and controls would necessarily talk about IP TTL, but the high level interface would be "on" and "off", perhaps with "off" disabled or hidden. The troubles would come from users who don't understand, and think "Some is good, more is better", and so set the TTL to 1, or "too small is bad", to set the TTL to 200. (I'll scream if I have to argue with another user ignoring the suggested RRL limit in favor of 10X or 100X.) Your talk about pointing and clicking TTLs exemplifies that problem of harmful obsessive knob fiddling.
I didn't mention 3 or 5 at random, but because a TTL between 3 and 10 would fit more than 80% of installations and safely close the resolver.

More important, why do you ignore my point about required minimum competence?

>> Long ago, you could buy an airplane and go into business
> I think the challenge here is that there is no true certifying authority for the industry. You speak of state or possible federal (or transnational licenses) regimes of inspection, licensing, authorities, etc. They don't exist here.

It is a political problem, and political problems are addressed when enough of the punters demand solutions.

>> Economics in this century have nothing to do with where and when local DNS caches are good or bad, necessary or useless.
> I think that's the point of the discussion though, "Should medium-sized companies run their own recursive resolver." 100 subscribers, with possibly 500+ devices behind it (n*iPhone+n*iPad+n*Android+n*TV+n*Appliance) are common these days. You can easily assume that each person has at least *one* device, with average household
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
From: Carlos M. Martinez carlosm3...@gmail.com

>> Also, customer CPE equipment is poor and ...
> Agreed. CPEs cannot be trusted.

That fact is a poor argument for trusting the recursive resolvers of the organizations responsible for that worse than junk CPE. Most of that worse than trash CPE is specified, tested, provisioned, and maintained by the same outfits.

Vernon Schryver v...@rhyolite.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Thu, 17 Oct 2013, Jared Mauch wrote:
> Most of these advanced DNS things like RRL, RPZ and others aren't for the faint of heart. Most people don't watch/monitor logs like those here.

+1

I assumed in my "it depends" answer that whatever DNS service the company was presently using might have such advanced services /which they were happy with/. Some people say ISPs are lying with rewriting and so forth, but let's assume, since it wasn't stated otherwise, that the company in question is happy with the service they receive. There are many reasons for this. They might even be using a third-party (off-prem) DNS/firewall solution.

I don't like the implicit notion that "well, they're not big enough to need/deserve advanced features/toys like we get to have."

To summarize my previous answer: I would expect the 2 IT bods would continue to argue for outsourcing; however there might be others within the organization with other concerns or objectives arguing otherwise. Let me add that rationally speaking IT is not likely to be a core competency in an organization where the IT resourcing is at a 1:50 ratio: this is not a software or internet services shop.

--
Fred Morris
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Thank you Paul!

> if we had spent the man hours which have been used up by this thread, collaborating to build an ISO image in kvm, vmware, and xen formats, that did nothing but boot up and offer recursive dns to the local LAN, with auto-update of dnssec keys, default limits for rate limiting, and a subscription to an RPZ that was hosted say by DNS-OARC, then we'd be done by now. it could have a slightly custom kernel that allowed the server to specify IP.TTL=3 in sendmsg().

+1

> that is, we could be done by now, shipping it, arguing about how to document it and support it and publicize its existence. we could be making the rounds of our respective friends and families to find all the openwrt forks and get each of them to offer identical functionality. somebody could write a BCP about it. done by now. out the door. boat in water.

+1

Maybe some links for reasonable annual $upport next to the ISO links would be good too.

-Rick
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Fred Morris wrote:
> ...
> Well Paul: I bought all of ISC's t-shirts in one go; when are they coming out with a new one? When is someone coming out with one for this project?

i'm no longer affiliated with isc, and for all i know nlnetlabs, or dns-oarc, or cz.nic, will do it first. i'd say the race is on.
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Florian,

On Oct 15, 2013, at 10:24 PM, Florian Weimer f...@deneb.enyo.de wrote:
> There's a tendency to selectively block DNS traffic, which can be a pain to debug.

True. Hate that. A lot.

> Various network issues might only affect DNS recursor traffic.

Given the information provided in the scenario, I feel it safe to assume a company of 100 with 2 full-time IT staff would have a clear channel for Internet traffic. If not, I would agree with your caveat (and question the company's sanity).

Regards,
-drc
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 16, 2013, at 10:59 AM, Jared Mauch ja...@puck.nether.net wrote:
> On Oct 15, 2013, at 7:28 PM, Vernon Schryver v...@rhyolite.com wrote:
>>> Folks like Comcast have large validating resolvers. Their customers should use them. Folks here are surely going to do the right thing the majority of the time. The vast majority of others are going to set things up once and it *will* be left to rot. This isn't intentional, but it naturally happens.
>> The question had nothing to do with J. Sixpack with 37 televisions, phones, and other devices behind a NAT router owned by and remotely maintained by Comcast. Instead the question concerned a business with 2 IT professionals. Relying on distant DNS servers is negligent and grossly incompetent for a professionally run network.
> As with many things we will have to disagree. Not everyone has the same skill set as those on this list, and that curve goes down rather quickly.

Yup, but this *has* been an interesting thread -- it was sufficiently open-ended that everyone got to interpret it in whatever way they wanted, and wander off in random but fascinating ways…

W

> - Jared

--
Hope is not a strategy.
-- Ben Treynor, Google
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 14.10.13 19:08, Paul Hoffman wrote:
> A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

As always, it depends.

Ideally everyone should run a validating caching resolver, preferably on each device. Considering we are far from this reality...

- if they intend to run the resolver on any kind of Windows, forget it. For many reasons. But let's say we have seen enough resolver-modifying malware.
- if their ISP is competent enough, which... sadly few are, then using the ISP servers is an option. Especially if the company in question does not have good resources to host/maintain servers.
- public resolvers, such as Google or OpenDNS, are an option too, although... do we want to encourage the entire Internet to depend on a single point of failure (even if we ignore all other Google considerations);
- recursive resolvers do not need much resources. I am actually curious why there is no large market for appliances of this kind. Perhaps because, due to the low resource requirements, these are often installed in shared environments. A managed on-premises DNS resolver/cache appliance is the best option.

By the way, these days average IT people are crazy about virtualization in the cloud. Running your own DNS resolver in the cloud makes little to no sense.

Daniel
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
I think the problem with a DNS appliance is that it becomes an open DNS resolver, unless it is configured to know the subnet(s) used internally, and updated every time that changes. I don't think the firewall could reasonably be asked to block only recursive DNS traffic, although perhaps it could block all inbound DNS requests, except to an internal authoritative DNS if you had one. I cannot think of any other simple workaround. Users are likely to find some way to turn off the recursion limiting anyway, like setting the internal subnet to 0.0.0.0/0, which solves their problem of updating it when subnets change, but leaves it open to the world.

--
Bob Harold
DNS and DHCP, University of Michigan
(disclaimer: not an official spokesman)

> Date: Wed, 16 Oct 2013 13:14:06 +0300
> From: Daniel Kalchev dan...@digsys.bg
> To: dns-operati...@mail.dns-oarc.net
> Subject: Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
> Message-ID: 525e66ee.9050...@digsys.bg
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 14.10.13 21:46, Doug Barton wrote:
>> We of the DNS literati tend to forget just how difficult this stuff really is, and how hard it is for companies to prioritize spending money on things that usually "just work." I can't count the number of times I got emergency calls when I was consulting about how some enterprise needed my help right away because "the Internet is down" ... only to get a call 30 minutes later letting me know I wasn't needed because someone accidentally rebooted the right thing and now "the Internet is working again." They don't care, and they don't *want* to care. They just want it to work.
>
> Very true. The solution is to turn DNS resolvers into appliances, with clear labels "DNS resolver". Then we can leave the task of restarting the appliance to whoever needs Internet there. Just as they will do with any other device which has a power switch or cord.
>
> Adding a label "no user serviceable parts inside, in case of malfunction call ..." will help further.
>
> For those who do not pretend to be ignorant, setting up and maintaining a recursive DNS resolver is trivial.
>
> By the way, 10% is ok. ;-)
>
> Daniel
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 16, 2013, at 2:24 AM, Warren Kumari wrote:
> Companies *seem*[1] to follow the trajectory of:
> 1: We have 1-10 employees, we'll just use whatever Netgear / Linksys someone had lying around / the DSL we ordered came with. This is largely a home network.
> 2: We now have 10-50 employees, let's get a consultant to give us a hand. Wheee, now we have a Windows something server and a (consumer) NAS.

As a former provider of IT outsourcing services for companies in the 1 and 2 categories, I'd absolutely agree with your characterizations, and add that these types of organizations are extremely averse to IT spending.

One simple tweak that I liked to do on the local Windows server domain name server was to configure the local ISP resolvers as forwarders so that lookups for CDN cached content would get to the right place. People usually commented "the Internet is much faster now."

--Chris
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
-Original Message-
From: Chris Boyd cb...@gizmopartners.com
Date: Wednesday, October 16, 2013 10:06 AM
To: dns-operati...@mail.dns-oarc.net Operations dns-operati...@mail.dns-oarc.net
Subject: Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

> On Oct 16, 2013, at 2:24 AM, Warren Kumari wrote:
>> Companies *seem*[1] to follow the trajectory of:
>> 1: We have 1-10 employees, we'll just use whatever Netgear / Linksys someone had lying around / the DSL we ordered came with. This is largely a home network.
>> 2: We now have 10-50 employees, let's get a consultant to give us a hand. Wheee, now we have a Windows something server and a (consumer) NAS.
>
> As a former provider of IT outsourcing services for companies in the 1 and 2 categories, I'd absolutely agree with your characterizations, and add that these types of organizations are extremely averse to IT spending.
>
> One simple tweak that I liked to do on the local Windows server domain name server was to configure the local ISP resolvers as forwarders so that lookups for CDN cached content would get to the right place. People usually commented "the Internet is much faster now."

It's been a while, but I've been here as well. While large corporations certainly have plenty of secrets, I always found it somewhat ironic that smaller companies are often startups whose lifeblood depends on their intellectual property... but they routinely spend the least on protecting what's keeping them in business. DNS is certainly a part of this, but it's really the larger trend you raised of being averse to almost any IT spending. At 1-10 employees this might make sense, but at 10-50 you really can't justify not having at least one knowledgeable IT person in house. As a smaller company you certainly have to be more mindful of budget impact, but anything you save up front will be lost in productivity, security and consultant fees... and might ultimately put you out of business.
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
From: Jared Mauch ja...@puck.nether.net

>> phones, and other devices behind a NAT router owned by and remotely maintained by Comcast. Instead the question concerned a business with 2 IT professionals. Relying on distant DNS servers is negligent and grossly incompetent for a professionally run network.
> As with many things we will have to disagree. Not everyone has the same skill set as those on this list, and that curve goes down rather quickly.

I can't help noticing that Jared Mauch noticed and disagreed with my conclusion about relying on distant DNS servers but overlooked or ignored the security reasons compelling the conclusion.

He evidently also overlooked the contradiction or irony in his previous note:

] Everyone else should just use either their ISP (with NXDOMAIN
] rewriting turned off) ...
] Folks like Comcast have large validating resolvers. Their customers
] should use them.

despite https://www.google.com/search?q=COMCAST+dns+hijacking

If you check the pages found by that URL, you'll see
- older reports that Comcast was phasing out DNS hijacking
- more recent reports of redirection or hijacking of 58/UDP packets--not just falsified results from those big Comcast DNS servers but packet hijacking
- far more complication, confusion, and mystification than is realistic to expect a two person IT department to resolve.

It's clear that a simple, secure business DNS configuration does *not* involve a consumer grade ISP. (I don't mean to criticise any particular consumer grade ISP. They are all similar. I'm not even sure that DNS result or packet hijacking is a bad thing for consumer households.)

However, not just tolerating but encouraging people without basic network and computer competence to run Internet businesses is like aviation before the FAA. In the first years enthusiasts bought, built, or borrowed airplanes and went into the barnstorming or airmail businesses. Then the air industry got government licenses and regulations.

From Kitty Hawk to the 1926 Air Commerce Act licensing pilots was 23 years. http://www.faa.gov/about/history/brief_history/

Whether you mark the start of public interest in the Internet with the 1972 CACM articles about the ARPANET (my DOC lab employer read those papers, got an appropriation, and linked our computers soon after), CSNET in the early 1980s when many commercial outfits got Internet connections, or a date between, it is more than 23 years later.

I don't like the idea of government Internet licenses, but a two person IT shop using distant DNS servers, not to mention a consumer grade ISP, is as culpable as buying an old potato washer to clean your cantaloupe crop for market. I'm uncomfortable with the criminal charges against the Jensen brothers, but if that's what it takes to get people to learn enough and do it right ... https://www.google.com/search?q=Jensen+cantaloupe

Vernon Schryver v...@rhyolite.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
From: Bob Harold rharo...@umich.edu

> I think the problem with a DNS appliance is that it becomes an open DNS resolver, unless it is configured to know the subnet(s) used internally, and updated every time that changes. I don't think the firewall could reasonably be asked to block only recursive DNS traffic, although perhaps it could block all inbound DNS requests, except to an internal authoritative DNS if you had one. I cannot think of any other simple workaround. Users are likely to find some way to turn off the recursion limiting anyway, like setting the internal subnet to 0.0.0.0/0, which solves their problem of updating it when subnets change, but leaves it open to the world.

There is a trivial and easy way to keep a recursive DNS server intended for an organization with a 2 person IT department from being open to the entire Internet. Set the IP TTL on responses, both TCP and UDP, to a small number such as 3 or 5.

There are business reasons to keep a small DNS appliance intended for a small business with a 2 person IT department from being used by a big outfit. You might limit the number of DNS responses per second, hour, or day, but it might be better instead or also to limit the number of client IP addresses. It would be trivial and easy for a DNS appliance to require ACLs permitting no more than X IPv4 addresses and Y IPv6 /64's. Ship it configured with 10.0.0.0/8 and have it refuse to accept non-RFC 1918 ACLs with too big a total. A little monitoring of requests from unexpected IP addresses and some GUI sugar would make it easier for users to maintain their ACLs than what I've seen in the DNS, AD, WINS, etc. settings of a Windows box.

Vernon Schryver v...@rhyolite.com
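Vernon's two appliance safeguards (a small IP TTL on responses, and ACLs capped at X IPv4 addresses and Y IPv6 /64s that refuse the 0.0.0.0/0 shortcut Bob describes), as an added Python example that is not code from anyone in this thread; X=1024, Y=16, the exemption for unique-local IPv6 and all function names are my assumptions.

```python
import ipaddress
import socket

# Assumed appliance policy; the numbers are illustrative, not taken from the thread.
MAX_PUBLIC_IPV4_ADDRESSES = 1024   # Vernon's "X IPv4 addresses"
MAX_PUBLIC_IPV6_SLASH64S = 16      # Vernon's "Y IPv6 /64's"
RESPONSE_IP_TTL = 3                # small IP TTL so replies expire a few hops out
DEFAULT_ACL = ["10.0.0.0/8"]       # how the box would ship

# RFC 1918 (and, assumed here, RFC 4193 unique-local) space is exempt from the
# size cap: it is not routable from the Internet, so listing all of it cannot
# turn the box into an open resolver.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _is_private(net):
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def _slash64_count(net6):
    """Number of /64s covered by an IPv6 network (anything longer than /64 counts as one)."""
    return 1 if net6.prefixlen >= 64 else 2 ** (64 - net6.prefixlen)


def validate_acl(entries):
    """Parse the user's ACL. Returns the accepted networks or raises ValueError.

    Refuses a default route (Bob's 0.0.0.0/0 shortcut) outright and refuses
    non-private space once its running total exceeds the appliance's caps.
    """
    accepted, public_v4, public_v6 = [], 0, 0
    for text in entries:
        net = ipaddress.ip_network(text.strip(), strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{text}: a default route would make this an open resolver")
        if not _is_private(net):
            if net.version == 4:
                public_v4 += net.num_addresses
                if public_v4 > MAX_PUBLIC_IPV4_ADDRESSES:
                    raise ValueError(f"{text}: more than {MAX_PUBLIC_IPV4_ADDRESSES} "
                                     "public IPv4 addresses; refused")
            else:
                public_v6 += _slash64_count(net)
                if public_v6 > MAX_PUBLIC_IPV6_SLASH64S:
                    raise ValueError(f"{text}: more than {MAX_PUBLIC_IPV6_SLASH64S} "
                                     "public IPv6 /64s; refused")
        accepted.append(net)
    return accepted


def acl_refusal(entries):
    """Convenience wrapper: None if the ACL is accepted, else the refusal reason."""
    try:
        validate_acl(entries)
    except ValueError as exc:
        return str(exc)
    return None


def client_allowed(acl, client_ip):
    """Would a query from client_ip be answered under an accepted ACL?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def response_socket(family=socket.AF_INET, ttl=RESPONSE_IP_TTL):
    """UDP socket for sending answers whose packets carry a small hop limit.

    A reply with IP TTL 3 is dropped by the third router it crosses, so a
    host on the far side of the Internet never receives it, while every
    host within a couple of hops of the appliance does.
    """
    sock = socket.socket(family, socket.SOCK_DGRAM)
    if family == socket.AF_INET:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    else:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS, ttl)
    return sock


def response_ttl(sock):
    """Read back the hop limit actually set on a response socket."""
    if sock.family == socket.AF_INET:
        return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)
    return sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_UNICAST_HOPS)


if __name__ == "__main__":
    # Constructed sample ACLs: what ships, the tempting shortcut, a modest public block, a large one.
    for acl in (DEFAULT_ACL, ["0.0.0.0/0"], ["192.168.1.0/24", "203.0.113.0/24"], ["203.0.113.0/20"]):
        print(acl, "->", acl_refusal(acl) or "accepted")
    s = response_socket()
    print("response IP TTL:", response_ttl(s))
    s.close()
```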
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
PH == Paul Hoffman paul.hoff...@vpnc.org writes:
PH> Should that company run its own recursive resolver for its
PH> employees, or should it continue to rely on its ISP?

*Every* site should run its own (preferably verifying) resolver.

-JimC
--
James Cloos cl...@jhcloos.com OpenPGP: 1024D/ED7DAEA6
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 10/16/2013 1:44 PM, James Cloos wrote:

PH == Paul Hoffman paul.hoff...@vpnc.org writes:

PH Should that company run its own recursive resolver for its PH employees, or should it continue to rely on its ISP?

*Every* site should run its own (preferably verifying) resolver.

I have no problem with that as long as they are not open resolvers -- we already have somewhere in the neighborhood of 28-30 million of them that pose a direct threat to the health and wellbeing of the Internet at-large because they can be used to facilitate DNS amplification attacks.

$.02,

- ferg

-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID -- Connect and Collaborate -- www.internetidentity.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Comcast doesn't give me broken name servers to use, there is no cognitive dissonance here :-)

You are a DNS expert. Most end users, when DNS fails, think everything has failed, including the network. I type URLs into my browser. Do you know how many people type google into the google search box? Or the yahoo box? You seem disconnected from the average user and average user tech support.

Even small networks (I have a friend with a ~100 user wisp) shouldn't run their own caches. The economics of it don't support this.

- Jared

On Oct 16, 2013, at 10:37 AM, Vernon Schryver v...@rhyolite.com wrote:

Folks like Comcast have large validating resolvers. Their customers should use them.

despite https://www.google.com/search?q=COMCAST+dns+hijacking

If you check the pages found by that URL, you'll see
- older reports that Comcast was phasing out DNS hijacking
- more recent reports of redirection or hijacking of 58/UDP packets--not just falsified results from those big Comcast DNS servers but packet hijacking
- far more complication, confusion, and mystification than is realistic to expect a two person IT department to resolve.
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Mon, Oct 14, 2013 at 01:24:27PM -0700, Paul Hoffman wrote:

It didn't. That's a useful data point for people creating other protocols who have to listen to commenters who say where resolvers need to be.

sure. Yet another instance of "the DNS people have said". Come on.

-Peter
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 10/14/13 4:24 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

On Oct 14, 2013, at 12:43 PM, Suzanne Woolf wo...@isc.org wrote:

I've really enjoyed reading the responses to this,

+1

+1. The variety of responses have been both interesting and useful.

and admit my own answer is (yet another flavor of) "It depends."

That seems to be the median so far.

As is mine (an "it depends" variation)... from an ideal perspective and being an advocate of DNSSEC, I'd like a DNSSEC-validating recursive resolver to be deployed as close as possible to the end user so that the potential for attackers to be in the path is as minimal as can be. In my truly ideal world I'd like that DNSSEC validation to be occurring within the operating system running on the user's computer or perhaps even in the application they are using. So on a macro level I definitely agree with comments here by Paul Vixie and others.

That said, the answer really depends upon the quality of the IT staff and what you consider "average IT talents". I've seen many small organizations such as that described where the 2 IT people run all the servers, run the network infrastructure and provide great service to the users - and they should definitely run their own recursive resolvers. I've also seen other organizations where the 2 IT people are so buried in firefighting all their daily issues that they don't necessarily have the time, energy or knowledge to do more than keep up with virus issues, password resets or whatever other fires they are fighting. In those cases, even as simple as a recursive resolver would be to operate, the cases where there are problems would be more than the IT staff could truly handle - and they would look to outsource that to the ISP's resolver (or Google or OpenDNS). And in all honesty the users might be safer with that outsourced DNS resolver.

On a strategic level, I don't like this second answer... but I understand *why* it might be appropriate for some small organizations.

I'm wondering what motivated the question, particularly in such a generic form.

In various discussions on different DNS-related topics, some people have said that obviously everyone should have a resolver at X, where X had wildly different values. I thought it would be useful to create a typical use case and see if X converged in a community such as this. It didn't. That's a useful data point for people creating other protocols who have to listen to commenters who say where resolvers need to be.

Thanks for stimulating the discussion.

Dan

-- Dan York Senior Content Strategist, Internet Society y...@isoc.org +1-802-735-1624 Jabber: y...@jabber.isoc.org Skype: danyork http://twitter.com/danyork http://www.internetsociety.org/deploy360/
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 15, 2013, at 2:12 AM, Peter Koch p...@denic.de wrote:

sure. Yet another instance of "the DNS people have said". Come on.

This is akin to asking the founding member of the local Mercedes car club what sort of car you should get. :)

<sarcasm>Is there something wrong with this?</sarcasm>

- Jared
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 15, 2013, at 1:36 PM, Jared Mauch ja...@puck.nether.net wrote:

On Oct 15, 2013, at 2:12 AM, Peter Koch p...@denic.de wrote:

sure. Yet another instance of "the DNS people have said". Come on.

This is akin to asking the founding member of the local Mercedes car club what sort of car you should get. :)

<sarcasm>Is there something wrong with this?</sarcasm>

It could have been, but the responses were a few on one pole, a few on the other, and a lot of "it depends". Some of the "it depends" responses leaned in one direction, but some leaned in the other. And I don't think anyone said Mercedes...

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
I think it is a meaningful question, if I want to buy a car I would like to hear what folks experienced with the car have to say. I may not agree entirely and may add other input to the discussion, but I still want to hear how the Mercedes dealer defends the idea that his car is better.

The answer to nearly everything in life "depends" (with the exception of mathematics and a few moral questions), particularly technology decisions - it is helpful to hear from both poles (as Paul puts it) and then take an informed decision.

-- Glen Wiley KK4SFV Sr. Engineer The Hive, Verisign, Inc.

On 10/15/13 4:58 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

On Oct 15, 2013, at 1:36 PM, Jared Mauch ja...@puck.nether.net wrote:

On Oct 15, 2013, at 2:12 AM, Peter Koch p...@denic.de wrote:

sure. Yet another instance of "the DNS people have said". Come on.

This is akin to asking the founding member of the local Mercedes car club what sort of car you should get. :)

<sarcasm>Is there something wrong with this?</sarcasm>

It could have been, but the responses were a few on one pole, a few on the other, and a lot of "it depends". Some of the "it depends" responses leaned in one direction, but some leaned in the other. And I don't think anyone said Mercedes...

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 15, 2013, at 4:58 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

On Oct 15, 2013, at 1:36 PM, Jared Mauch ja...@puck.nether.net wrote:

On Oct 15, 2013, at 2:12 AM, Peter Koch p...@denic.de wrote:

sure. Yet another instance of "the DNS people have said". Come on.

This is akin to asking the founding member of the local Mercedes car club what sort of car you should get. :)

<sarcasm>Is there something wrong with this?</sarcasm>

It could have been, but the responses were a few on one pole, a few on the other, and a lot of "it depends". Some of the "it depends" responses leaned in one direction, but some leaned in the other. And I don't think anyone said Mercedes...

Have you ever driven one? They are mighty nice :)

Back in the 90's I would agree everyone should run a DNS server as the network wasn't as robust as it is today. Some folks may need local elements (e.g.: MS DNS/AD), but these should not be exposed to the internet. They lack the ability to scope responses based on the query source to prevent them being global open resolvers. They are just fine for behind a firewall/NAT to take stub queries and meet the internal IT needs.

Everyone else should just use either their ISP (with NXDOMAIN rewriting turned off) or someone like OpenDNS that can help enforce some security policies and practices with a few knobs being turned at most. Folks like Comcast have large validating resolvers. Their customers should use them.

Folks here are surely going to do the right thing the majority of the time. The vast majority of others are going to set things up once and it *will* be left to rot. This isn't intentional, but it naturally happens.

- Jared
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
From: Jared Mauch ja...@puck.nether.net

... Mercedes...

Have you ever driven one? They are mighty nice :)

Back in the 90's I would agree everyone should run a DNS server as the network wasn't as robust as it is today.

On the contrary, in the relevant sense, the network today is less robust than it has ever been. You don't want a commodity luxury sedan while driving across Syria, Iraq, Afghanistan, or the Gobi Desert despite the fact that many roads in Europe and N.America are more robust than they've ever been. Where roads are bad or non-existent or where there are significant security hazards, you need something with more armor, ground clearance, spare fuel, water, emergency supplies, or even guns than are economical or safest elsewhere.

Some folks may need local elements (e.g.: MS DNS/AD), but these should not be exposed to the internet... Everyone else should just use either their ISP (with NXDOMAIN rewriting turned off) or someone like OpenDNS that can help enforce some security policies and practices with a few knobs being turned at most. Folks like Comcast have large validating resolvers. Their customers should use them.

Folks here are surely going to do the right thing the majority of the time. The vast majority of others are going to set things up once and it *will* be left to rot. This isn't intentional, but it naturally happens.

The question had nothing to do about J. Sixpack with 37 televisions, phones, and other devices behind a NAT router owned by and remotely maintained by Comcast. Instead the question concerned a business with 2 IT professionals. Relying on distant DNS servers is negligent and grossly incompetent for a professionally run network. When the DNS servers in question are known to lie, it should be as much a crime as failing to wash your cantaloupes in Clorox.

https://www.google.com/search?q=COMCAST+dns+hijacking
https://www.google.com/search?q=jensen+farms+criminal

The same applies when there are Great or small firewalls between the DNS client and distant validating recursive resolvers.

Even Joe and Joan Sixpack should, if they can, think carefully about relying on distant DNS servers. If you wouldn't give your ISP your bank passwords, then you shouldn't rely on your ISP to validate your RRs. Those who control your RRs can get your passwords, albeit with varying effort. Should Joe and Joan rely on government approved DNS servers while they are in China, Iran, or Syria? Never mind that if the U.S. NSA, FBI, CIA, etc. are competent, they've used DNS creatively such as to install software on the computers of their targets or deploy MX RRs to monitor email.

Vernon Schryver v...@rhyolite.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 10/14/13 7:18 PM, Carlos M. martinez wrote:

I run my own recursive server for my four machine network. So I guess the answer is just, 'of course'.

Especially if the ISP doesn't support DNSSEC validation ;-)

(and you better run two, for redundancy)

-- Marco

On 10/14/13 2:08 PM, Paul Hoffman wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
I don't have enough information to answer this question. I don't know what "average IT talents" means. Do these 2 imaginary staff members know enough about caching resolvers to be able to figure out that the authoritative servers for exampledomain.tld have NS records that don't match their glue records and the NS records don't have matching A records, and that's why exampledomain.tld works fine for a day, but then goes dark for the next 24 hours, then repeats?

Does this company have a reason for doing their own caching? ISP does NXDOMAIN redirection, they want to do DNSSEC validation, want to use RPZ, etc. Do they have a local mail server that would benefit from a closer cache?

I default to yes as well, but if they only have the one local resolver, and don't have any kind of backup (Google/OpenDNS, etc as secondary/tertiary via DHCP or whatever means they use for workstation network configuration), these two imaginary IT staff members could be setting themselves up for an embarrassing outage.

-Rich

On Oct 14, 2013, at 11:08 AM, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
I'll say no. They don't have resources to deal with 98 angry users when DNS fails. Using OpenDNS or the ISP is likely the best choice. Most large ISP dns servers are good.

Jared Mauch

On Oct 14, 2013, at 7:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 10/14/2013 9:42 AM, Rich Goodson wrote:

I default to yes as well, but if they only have the one local resolver, and don't have any kind of backup (Google/OpenDNS, etc as secondary/tertiary via DHCP or whatever means they use for workstation network configuration), these two imaginary IT staff members could be setting themselves up for an embarrassing outage.

Or leaving the recursive resolvers open to the entire Internet for abuse.

- ferg

-- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID -- Connect and Collaborate -- www.internetidentity.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 15, 2013, at 12:05 AM, Paul Ferguson fergdawgs...@mykolab.com wrote:

Or leaving the recursive resolvers open to the entire Internet for abuse.

They generally must have internal recursive resolvers for their internal resources (split-horizon). Hopefully, they've another set of external resolvers they use for external recursive lookups - and aren't running them open.

In practice, a lot of enterprise organizations, especially smaller ones, conflate at least some of their recursive DNS servers with their authoritative ones (which they lack the expertise to run in the first place), and all too many of those are also open recursors. Then they place the whole mess behind a stateful firewall and can't figure out why their DNS servers keep going down, while their transit bills keep going up.

- Roland Dobbins rdobb...@arbor.net
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Unless the company's line of business makes running a recursive server a core competency: +1, see http://en.wikipedia.org/wiki/Comparative_advantage for a basis for my reasoning.

Did the company build their offices, manufacture their furniture, pave and reseal their parking lot? (I ask rhetorically/sarcastically.)

On Oct 14, 2013, at 19:54, Jared Mauch wrote:

I'll say no. They don't have resources to deal with 98 angry users when DNS fails. Using OpenDNS or the ISP is likely the best choice. Most large ISP dns servers are good.

Jared Mauch

On Oct 14, 2013, at 7:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis, NeuStar. You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 14/10/2013, at 13:08:00, Paul Hoffman wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

Every answer to this question will be qualified with IMHO I guess, but IMHO the company should run a single recursive server and offer both its own server and another server of its choosing to its users. Most platforms these days will take two servers and ask both of them for that information, so agility can be achieved by a fast internal recursive server, and if that server goes down, the slower external server will still be answering requests.

The choice of external server may prove somewhat tricky; they might want to restrict to servers that perform DNSSEC validation like 8.8.8.8 if their own server is doing validation. https://code.google.com/p/namebench/ is a very straightforward tool to evaluate recursive DNS choices, and I'm not afraid to recommend it to average or below average IT personnel. If one of the committers in this project is reading this, my only feature request would be to also test for DNSSEC (https://code.google.com/p/namebench/issues/detail?id=124).

Rubens
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Mon, 14 Oct 2013, Paul Hoffman wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

I'd say it depends. If they have a staff of only 2, it is unlikely they have specific requirements or concerns with regard to DNS... and wouldn't know how to troubleshoot any issues (or have the work cycles to do so). If I was one of the 2 IT bods, I'd be telling my employer to keep outsourcing. Depending on the line of work though, somebody else in the organization could very well be lobbying for the opposite, with specific concerns in mind.

-- Fred Morris
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
If google concerns are irrelevant I'd say just use 8.8.8.8 (like many corps already do). Safety in numbers, deep pockets and lawyers ;-)

Sent from my iPhone

On Oct 14, 2013, at 9:09, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Naturally I am assuming a relatively low tech corp for a 2 to 100 IT person ratio (and trading my DNSSEC hat for a pointy haired boss hat).

Sent from my iPhone

On Oct 14, 2013, at 10:42, Richard Lamb richard.l...@icann.org wrote:

If google concerns are irrelevant I'd say just use 8.8.8.8 (like many corps already do). Safety in numbers, deep pockets and lawyers ;-)

Sent from my iPhone

On Oct 14, 2013, at 9:09, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
The problem that I see is that if you don't run your local DNS, then if your link with the outside world goes down, you're essentially toasted even for your own, locally hosted, services. This may not be a concern if you live in the more developed parts of the world, but down south here, trust me, it is. Granted, you can teach your users to access your printers and local file servers by IP, but that hardly seems a sane approach in the long run.

Here in the true 'deep south', people run 30-40 people SOHOs behind dynamic-IP ADSL lines, which change addresses every 12 hours. Some of them even do clever tricks to load-balance cheap DSL lines.

So, yes, I think running your own DNS is something important to do, not only for recursion but for resolving local resources as well.

Cheers!

~Carlos

On 10/14/13 3:41 PM, Richard Lamb wrote:

If google concerns are irrelevant I'd say just use 8.8.8.8 (like many corps already do). Safety in numbers, deep pockets and lawyers ;-)

Sent from my iPhone

On Oct 14, 2013, at 9:09, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
While the concern about the link to the outside world is an issue, the same concern holds for whatever provides your connectivity. As a matter of practice, when designing for availability you want to focus on the least reliable layers in a stack before focusing on other layers, otherwise your availability improvements are potentially nil. If you can run a more reliable recursive server than your provider (or google or whoever) then by all means, however there are probably more meaningful places to spend your resources if you have a small company.

On the other hand, if there is a functional reason for running your own recursive server that is entirely different, for example filtering via DNS, split view zones etc.

-- Glen Wiley KK4SFV Sr. Engineer The Hive, Verisign, Inc.

On 10/14/13 1:48 PM, Carlos M. Martinez carlosm3...@gmail.com wrote:

The problem that I see is that if you don't run your local DNS, then if your link with the outside world goes down, you're essentially toasted even for your own, locally hosted, services. This may not be a concern if you live in the more developed parts of the world, but down south here, trust me, it is. Granted, you can teach your users to access your printers and local file servers by IP, but that hardly seems a sane approach in the long run.

Here in the true 'deep south', people run 30-40 people SOHOs behind dynamic-IP ADSL lines, which change addresses every 12 hours. Some of them even do clever tricks to load-balance cheap DSL lines.

So, yes, I think running your own DNS is something important to do, not only for recursion but for resolving local resources as well.

Cheers!

~Carlos

On 10/14/13 3:41 PM, Richard Lamb wrote:

If google concerns are irrelevant I'd say just use 8.8.8.8 (like many corps already do). Safety in numbers, deep pockets and lawyers ;-)

Sent from my iPhone

On Oct 14, 2013, at 9:09, Paul Hoffman paul.hoff...@vpnc.org wrote:

A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP?

--Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 14, 2013, at 9:33 PM, Carlos M. Martinez carlosm3...@gmail.com wrote: Agreed. However, at least in my experience, it is usually easy to achieve high availability figures running a linux box on relatively cheap hardware, while links are much less dependable. I've seen 400-day plus uptimes on very cheap, dubious looking, PC clones. Yup, me too -- however, average IT talents and Linux do not go together in the same sentence. You are most definitely not an average IT person…. Now that I think of it, rather than the recursive DNS function, the local resolution of local resources is, IMO, a more important driver for running your local DNS. If you cater for a 100 person office, you probably have some printers, maybe a file server or two, some form of backup services, VoIP telephone service and maybe a local intranet/wiki. Hard-coding IPs for all these services in 100 workstations seems crazy to me. Then, if you run a DNS for local services, also configuring it for recursion should be straightforward. Yup, once again, Windows AD and / or Bonjour type things come to the rescue -- you plug in the printer and then click browse and then something happens somehow and you can print. So, if AD counts as DNS then, well… W regards, ~Carlos On 10/14/13 4:09 PM, Wiley, Glen wrote: While the concern about the link to the outside world is an issue, the same concern holds for whatever provides your connectivity. As a matter of practice, when designing for availability you want to focus on the least reliable layers in a stack before focusing on other layers, otherwise your availability improvements are potentially nil. If you can run a more reliable recursive server than your provider (or google or whoever) then by all means, however there are probably more meaningful places to spend your resources if you have a small company. 
On the other hand, if there is a functional reason for running your own recursive server that is entirely different, for example filtering via DNS, split view zones etc. -- When it comes to glittering objects, wizards have all the taste and self-control of a deranged magpie. -- Terry Pratchett
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
So, if AD counts as DNS then, well… MS Active Directory explicitly requires local DNS servers (as DNS is used to locate everything to do with authentication and management). That doesn't have to be MS DNS, but DNS is a non-negotiable requirement regardless of organisation size and, to a large extent, the capabilities of IT staff. At the very least the use of MS AD dictates the need for internal authoritative servers and limits the choice to use Forwarders, or use Root Hints for everything else. Chris
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
I've really enjoyed reading the responses to this, and admit my own answer is (yet another flavor of) It depends. I'm wondering what motivated the question, particularly in such a generic form. Discuss? Suz On Oct 14, 2013, at 12:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP? --Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On 10/14/2013 12:43 PM, Suzanne Woolf wrote: I'm wondering what motivated the question, particularly in such a generic form. Maybe this? http://openresolverproject.org/ - ferg -- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID -- Connect and Collaborate -- www.internetidentity.com
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 14, 2013, at 12:43 PM, Suzanne Woolf wo...@isc.org wrote: I've really enjoyed reading the responses to this, +1 and admit my own answer is (yet another flavor of) It depends. That seems to be the median so far. I'm wondering what motivated the question, particularly in such a generic form. In various discussions on different DNS-related topics, some people have said that obviously everyone should have a resolver at X, where X had wildly different values. I thought it would be useful to create a typical use case and see if X converged in a community such as this. It didn't. That's a useful data point for people creating other protocols who have to listen to commenters who say where resolvers need to be. --Paul Hoffman
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 14, 2013, at 12:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP? Are you asking whether an executive decision should be made to run recursives and that resources should be dedicated to that problem or whether admins should make a technical decision to run recursives and the given resources they have be applied to the problem. -- Mike
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP? To whom do you ask this question? From whom do you expect an answer? jaap
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Mon, 14 Oct 2013, Doug Barton wrote: We of the DNS literati tend to forget just how difficult this stuff really is, and how hard it is for companies to prioritize spending money on things that usually just work. I'm a little concerned at the answers here. Surely a recursive resolver is one of the simplest services in the world to configure? You basically enable it, make sure recursion is on[1] and update DHCP or whatever to use it. Add another server for luck and put a "Turning this off breaks Internet" sticker on it if you want it robust. I'm not entirely sold on using Google DNS or OpenDNS. In my case there are/were several thousand km and a few countries away so didn't produce the best performance, they also introduce a dependence on upstream services several hops away. [1] If it is inside the firewall ignore the ACLs, Also ignore the logs cause nobody will read them anyway. That leaves about a 6 line bind config. -- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ To stay awake all night adds a day to your life - Stilgar | eMT.
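A named.conf of about the size Simon describes, written here as an added example rather than taken from the thread or from any BIND documentation. The address ranges, the listen address and the directory path are assumptions. The first options block is the "just turn recursion on" form; if that interface is reachable from the Internet it is exactly the open resolver that ferg's link counts. The second is the same size but restricts recursion to an internal ACL and validates DNSSEC. BIND accepts only one options block, so the open form is shown for contrast only.

```conf
// Form 1: open. Anyone who can reach port 53 can make this server recurse
// (and reflect amplified answers) on their behalf.
options {
    directory "/var/cache/bind";        // assumed path
    recursion yes;
    allow-query { any; };
};

// Form 2: closed and validating. Same number of lines that matter.
acl internal {
    127.0.0.0/8; ::1/128;               // the host itself
    10.0.0.0/8; 192.168.0.0/16;         // assumed office ranges
};
options {
    directory "/var/cache/bind";        // assumed path
    listen-on { 10.0.0.53; };           // assumed resolver address; do not listen on the WAN side
    recursion yes;
    allow-query { internal; };          // stranger queries get REFUSED
    allow-recursion { internal; };
    dnssec-validation auto;             // validate against the built-in root trust anchor
};
```

Check it with named-checkconf before reloading, then, from an address outside the ACL, ask it for any public name: the reply status must be REFUSED. With dnssec-validation on, the server needs a roughly correct clock and unfiltered outbound UDP and TCP 53; a broken upstream signature (the type 7 versus 8 DS mix-up earlier in the thread) will then fail to resolve by design, not by accident.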
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
Simon Lyall wrote: On Mon, 14 Oct 2013, Doug Barton wrote: We of the DNS literati tend to forget just how difficult this stuff really is, and how hard it is for companies to prioritize spending money on things that usually just work. I'm a little concerned at the answers here. even https://lists.dns-oarc.net/pipermail/dns-operations/2013-October/010765.html ? Surely a recursive resolver is one of the simplest services in the world to configure? You basically enable it, make sure recursion is on[1] and update DHCP or whatever to use it. Add another server for luck and put a Turning this off breaks Internet sticker on it if you want it robust. +1. for opendns to have 20M+ unique ip's per day using their service, the general presumption has to be that rdns is hard, which is to say, the general presumption is as usual wrong. I'm not entirely sold on using Google DNS or OpenDNS. In my case there are/were several thousand km and and few counties away so didn't produce the best performance, they also introduce a dependence on upstream services several hops away. as i said, https://lists.dns-oarc.net/pipermail/dns-operations/2013-October/010765.html . vixie
Re: [dns-operations] Should medium-sized companies run their own recursive resolver?
On Oct 14, 2013, at 7:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue to rely on its ISP? Given the information provided (and interpolating): they should run their own recursive servers. Running a recursive server is (should be) far easier than running the vast majority of other local servers. If it isn't, they're using the wrong recursive server. With the exception of root key rollover, running a recursive server is a fire-and-forget type service (modulo some initial configuration to avoid being an open resolver). Given the role DNS has, if they do not run their own resolver they are investing a vast amount of trust both in the resolver operator and the wire (air, in the case of wireless) between their stubs and their resolver. That trust is constantly being violated through crap like redirection. Further, in a DNSSEC environment, validation is pointless if the channel between the resolver and the stub is subject to attack. Until that channel can be protected, it is far safer to run local resolvers if you are interested in security. Regards, -drc
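Two of the points in this thread are easy to make concrete in code: the open-resolver test behind the Open Resolver Project link ferg posted (does this server recurse for an arbitrary source?) and drc's point that a validating resolver's answer is only as good as the plain UDP hop between it and the stub. The script below is an added example, not code from the thread or from the Open Resolver Project. Every byte it parses is constructed in the file by build_response (a fabricated sample, not a capture); 192.0.2.10 and 198.51.100.66 are documentation-range placeholders; probe() is the one function that touches the network and is an assumed usage.

```python
"""Added example: classify a resolver from its reply, then show what an on-path
attacker can do to that reply. All sample bytes are constructed here (not captured)."""
import random
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(qname, txid=None, dnssec_ok=True):
    """Wire-format A query with RD=1 and, if dnssec_ok, an EDNS0 OPT record with
    DO=1 so a validating resolver reports the AD bit in its reply."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT: root owner, type 41, UDP size 4096 in the class field, DO bit in the TTL field
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0) if dnssec_ok else b""
    return header + question + opt


def build_response(query, ip, ra=True, ad=True, rcode=RCODE_NOERROR):
    """Constructed sample reply to query: echoes the question and, on NOERROR,
    adds one A record whose owner is a pointer to the question name (offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (FLAG_AD if ad else 0) | rcode
    question = query[12:_skip_name(query, 12) + 4]
    answer, ancount = b"", 0
    if rcode == RCODE_NOERROR:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(ip)
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x0F, "qdcount": qd, "ancount": an}


def first_a_record(msg):
    """(rdata offset, dotted IP) of the first A record in the answer section, else None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4
    for _ in range(h["ancount"]):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            return off, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return None


def classify(query, response):
    """'open' if the server recursed and answered for us, 'closed' if it refused
    or cleared RA, 'mismatch' if the reply is not for our query. Ask for a name
    that exists, otherwise an open resolver's NXDOMAIN reads as inconclusive."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "mismatch"
    if h["rcode"] == RCODE_NOERROR and h["ra"] and h["ancount"] > 0:
        return "open"
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "closed"
    return "inconclusive"


def on_path_rewrite(response, new_ip):
    """What an attacker on the stub-to-resolver hop can do to a plain UDP reply:
    swap the address and leave every flag, AD included, exactly as it was."""
    loc = first_a_record(response)
    if loc is None:
        return response
    off, _ = loc
    forged = bytearray(response)
    forged[off:off + 4] = socket.inet_aton(new_ip)
    return bytes(forged)


def probe(server, qname="www.example.com", timeout=2.0):
    """Assumed usage, network required: run from OUTSIDE your own network to see
    whether `server` recurses for strangers. Returns (classification, ad_bit)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify(q, reply), parse_header(reply)["ad"]
```

probe('your.resolver.address') from a host outside the ACL should come back 'closed'; 'open' means the server recursed and answered for a stranger. The forged reply from on_path_rewrite is the same length, carries the same transaction ID and still has AD set, so a stub that trusts the AD bit it received over plain UDP cannot tell it from the real one. That is the gap drc describes: either the validation happens on the stub's own side of that hop, or that hop has to be protected.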