Joe Greco wrote:
Unix machines set up by anyone with half a brain run a local caching
server, and use forwarders. IE, the nameserver process can establish a
persistent TCP connection to its trusted forwarders, if we just let it.
Organizations often choose not to do this because doing so involves more
risk and more things to update when the next vulnerability appears. In
many cases, you are suggesting additional complexity and management
requirements. A hosting company, for example, might have 20 racks of
machines with 40 machines each, which is 800 servers. If half of those
are UNIX, then you're talking about 402 nameservers instead of just 2.
[Customers] <--/UDP/--> [DNS Cache] <--/TCP/--> [DNS servers]
Not so?
Of course, one shouldn't let the rest of the internet touch your DNS
Cache query interface... but that's just obvious.
I mentioned this a while ago though, so I demand credit ;P Also, I think
there is probably an IETF DNS WG list where this fits on topic (I have
no idea what it may be though).
