[dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Paul Hoffman
A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees, or should it continue

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Carlos M. Martinez
I run my own recursive server for my four machine network. So I guess the answer is just, 'of course'. On 10/14/13 2:08 PM, Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Marco Davids (SIDN)
On 10/14/13 7:18 PM, Carlos M. Martinez wrote: > I run my own recursive server for my four machine network. So I guess > the answer is just, 'of course'. Especially if the ISP doesn't support DNSSEC validation ;-) (and you better run two, for redundancy) -- Marco > > > > On 10/14/13 2:08 PM,

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Rich Goodson
I don't have enough information to answer this question. I don't know what "average" IT talents means. Do these 2 imaginary staff members know enough about caching resolvers to be able to figure out that the authoritative servers for exampledomain.tld have NS records that don't match their glu

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Jared Mauch
I'll say no. They don't have resources to deal with 98 angry users when DNS fails. Using OpenDNS or the ISP is likely the best choice. Most large ISP dns servers are good. Jared Mauch > On Oct 14, 2013, at 7:08 PM, Paul Hoffman wrote: > > A fictitious 100-person company has an IT staff of 2

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Paul Vixie
Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity for > the company's offices through an average large ISP. > > Should that company run its own recursive resolver for its emp

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Paul Ferguson
On 10/14/2013 9:42 AM, Rich Goodson wrote: I default to "yes" as well, but if they only have the one local resolver, and don't have any kind of backup (Google/OpenDNS, etc as secondary/tertiary via DHCP or whatever means they use for workstation network configuration), these two imaginary IT

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Dobbins, Roland
On Oct 15, 2013, at 12:05 AM, "Paul Ferguson" wrote: > Or leaving the recursive resolvers open to the entire Internet for abuse. They generally must have internal recursive resolvers for their internal resources (split-horizon). Hopefully, they've another set of external resolvers they use f

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Edward Lewis
Unless the company's line of business makes running a recursive server a "core competency:" +1, see http://en.wikipedia.org/wiki/Comparative_advantage for a basis for my reasoning. Did the company build their offices, manufacture their furniture, pave and reseal their parking lot? (I ask rhet

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Rubens Kuhl
Em 14/10/2013, às 13:08:000, Paul Hoffman escreveu: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity for > the company's offices through an average large ISP. > > Should that company run its o

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Fred Morris
On Mon, 14 Oct 2013, Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate > connectivity for the company's offices through an average large ISP. > > Should that company run its own recursive res

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Richard Lamb
If Google concerns are irrelevant I'd say just use 8.8.8.8 (like many corps already do). Safety in numbers, deep pockets and lawyers ;-) Sent from my iPhone On Oct 14, 2013, at 9:09, "Paul Hoffman" wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. T

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Richard Lamb
Naturally I am assuming a relatively low tech corp for a 2 to 100 IT person ratio (and trading my DNSSEC hat for a pointy haired boss hat). Sent from my iPhone On Oct 14, 2013, at 10:42, "Richard Lamb" wrote: > If Google concerns are irrelevant I'd say just use 8.8.8.8 (like many corps > alre

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Carlos M. Martinez
The problem that I see is that if you don't run your local DNS, then if your link with the outside world goes down, you're essentially toasted even for your own, locally hosted, services. This may not be a concern if you live in the more developed parts of the world, but down south here, trust me,

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Andrew Sullivan
On Mon, Oct 14, 2013 at 09:08:33AM -0700, Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity for > the company's offices through an average large ISP. > > Should that company r

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Warren Kumari
On Oct 14, 2013, at 7:08 PM, Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity for > the company's offices through an average large ISP. > > Should that company run its own

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Wiley, Glen
While the concern about the link to the outside world is an issue, the same concern holds for whatever provides your connectivity. As a matter of practice, when designing for availability you want to focus on the least reliable layers in a stack before focusing on other layers, otherwise your avai

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Carlos M. Martinez
Agreed. However, at least in my experience, it is usually easy to achieve high availability figures running a linux box on relatively cheap hardware, while links are much less dependable. I've seen 400-day plus uptimes on very cheap, dubious looking, PC clones. Now that I think of it, rather than

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Doug Barton
On 10/14/2013 11:03 AM, Warren Kumari wrote: On Oct 14, 2013, at 7:08 PM, Paul Hoffman wrote: A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Warren Kumari
On Oct 14, 2013, at 9:33 PM, Carlos M. Martinez wrote: > Agreed. However, at least in my experience, it is usually easy to > achieve high availability figures running a linux box on relatively > cheap hardware, while links are much less dependable. I've seen 400-day > plus uptimes on very cheap,

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Florian Weimer
* Paul Hoffman: > A fictitious 100-person company has an IT staff of 2 who have > average IT talents. They run some local servers, and they have > adequate connectivity for the company's offices through an average > large ISP. > > Should that company run its own recursive resolver for its > employ

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Chris Dent
> So, if AD counts as "DNS" then, well… MS Active Directory explicitly requires local DNS servers (as DNS is used to locate everything to do with authentication and management). That doesn't have to be MS DNS, but DNS is a non-negotiable requirement regardless of organisation size and, to a large ex

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Peter Koch
On Mon, Oct 14, 2013 at 09:08:33AM -0700, Paul Hoffman wrote: > Should that company run its own recursive resolver for its employees, or > should it continue to rely on its ISP? you could as well have asked for the IT staff's average shoe size. Are they running their own AD server? Mail server?

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Suzanne Woolf
I've really enjoyed reading the responses to this, and admit my own answer is (yet another flavor of) "It depends." I'm wondering what motivated the question, particularly in such a generic form. Discuss? Suz On Oct 14, 2013, at 12:08 PM, Paul Hoffman wrote: > A fictitious 100-person compa

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Paul Ferguson
On 10/14/2013 12:43 PM, Suzanne Woolf wrote: I'm wondering what motivated the question, particularly in such a generic form. Maybe this? http://openresolverproject.org/ - ferg -- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect a

Re: [dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel

2013-10-14 Thread Jim Reid
On 13 Oct 2013, at 08:26, Marco Davids (SIDN) wrote: > Interesting thought, but I don't know, Jim. Sounds like some way of > circular dependency to me? Maybe Marco. I did say I was hand-waving though. :-) That said, there might be some merit in a scheme like the one I outlined. Assuming of cou

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Paul Hoffman
On Oct 14, 2013, at 12:43 PM, Suzanne Woolf wrote: > I've really enjoyed reading the responses to this, +1 > and admit my own answer is (yet another flavor of) "It depends." That seems to be the median so far. > I'm wondering what motivated the question, particularly in such a generic > for

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Michael Conlen
On Oct 14, 2013, at 12:08 PM, Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity for > the company's offices through an average large ISP. > > Should that company run its ow

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Jaap Akkerhuis
A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that company run its own recursive resolver for its employees,

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Simon Lyall
On Mon, 14 Oct 2013, Doug Barton wrote: We of the DNS literati tend to forget just how difficult this stuff really is, and how hard it is for companies to prioritize spending money on things that usually "just work." I'm a little concerned at the answers here. Surely a recursive resolver is o

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Mark Andrews
In message , Simon Lyall writes: > On Mon, 14 Oct 2013, Doug Barton wrote: > > We of the DNS literati tend to forget just how difficult this stuff really > > is, and how hard it is for companies to prioritize spending money on things > > > that usually "just work." > > I'm a little concerned

[dns-operations] Fwd: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention - Denial of Service Attack

2013-10-14 Thread Dobbins, Roland
Begin forwarded message: From: James Braunegg <james.braun...@micron21.com> Date: October 15, 2013 at 5:34:08 AM GMT+3 To: "aus...@ausnog.net" <aus...@ausnog.net> Subject: [AusNOG] Layer 7 - Distrusted Source (within a single AS) Distrusted Distention -

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Paul Vixie
Simon Lyall wrote: > On Mon, 14 Oct 2013, Doug Barton wrote: >> We of the DNS literati tend to forget just how difficult this stuff >> really is, and how hard it is for companies to prioritize spending >> money on things that usually "just work." > > I'm a little concerned at the answers here. e

Re: [dns-operations] using DNSSEC to mitigate domain hijacking via the registrar channel

2013-10-14 Thread Patrik Fältström
On 13 okt 2013, at 10:26, Marco Davids (SIDN) wrote: > For instance, what would happen if the registrar would upload the wrong > DNSKEY/DS to the parent and want to correct that? Would be impossible, > because validation is broken at that time? This is a rat hole. We have had the discussion ma

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread David Conrad
On Oct 14, 2013, at 7:08 PM, Paul Hoffman wrote: > A fictitious 100-person company has an IT staff of 2 who have average IT > talents. They run some local servers, and they have adequate connectivity for > the company's offices through an average large ISP. > > Should that company run its own r

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Peter Koch
On Mon, Oct 14, 2013 at 01:24:27PM -0700, Paul Hoffman wrote: > It didn't. That's a useful data point for people creating other protocols who > have to listen to commenters who say where resolvers need to be. sure. Yet another instance of "the DNS people have said ...". Come on. -Peter