On Feb 16, 2010, at 11:35 PM, Frank Bulk wrote:
Our nameservers handle both the authoritative and recursive traffic, but we use ACLs to restrict recursive queries to just our users.
Speaking strictly about the recursive servers (others have covered the auth + recusive on one box thing), thank you for the ACLs. Open RNSes are difficult to secure against being used as an amplification attack vector.
If I understand your second sentence correctly, then yes, our DHCP server hands out the DNS servers, of which one of the three is outside our own network.
While I am all for redundancy, and believe having authorities off-net is useful and good, I am not sure the same holds for RNSes. I like putting authoritative servers on multiple ASes because if my AS[*] dies, I may have good reason to want the hostnames to still resolve. The could very well have significance even when the AS is down (e.g. A records pointing to addresses outside my AS, backup MX records, etc.). But if my AS is down, my users cannot get to anything so what use is having a server happily working where they cannot reach it? Especially one firewalled so only they can use it? I cannot come up with a realistic failure mode where the user has good connectivity to the "outside world", but multiple, geographically & topologically disparate servers inside the AS are all unreachable. On the other hand, I can easily come up with several failure modes where the external RNSes are b0rk'ed, causing either your users or the rest of the Internet harm. In summary, could someone educate me on the benefits of having RNSes outside your network? -- TTFN, patrick [*] Since I Am Not An ISP, this is the hypothetical or general "my AS", not my actual AS.
-----Original Message----- From: Patrick W. Gilmore [mailto:patrick@ianai.net] Sent: Tuesday, February 16, 2010 9:33 PM To: NANOG list Subject: Re: History of 4.2.2.2. What's the story?
On Feb 16, 2010, at 10:24 PM, Frank Bulk wrote:
We do. It's at our upstream provider, just in case we had an upstream connectivity issue or some internal meltdown that prevented those in the outside world to hit our (authoritative) DNS servers. Of course, that's most helpful for DNS records that resolve to IPs *outside* our network.
What you describe - authorities used by people off your network to resolve A records with IP addresses outside your network - is not what Joe was describing. What the recursive name server your end users queried to resolve names, the IP address in their desktop's control panel, outside your network?
I can see a small ISP using its upstream's recursive name server. But to the rest of the world, most small ISPs look like a part of their upstream's network.
-- TTFN, patrick
=== <snip>
For what it's worth, I have never heard of an ISP, big or small, deciding to place resolvers used by their customers in someone else's network. Perhaps I just need to get out more.
Joe