I think Colin just said everything I said, but in 1/10'th the words. And he posted before me. Drats. --Patrick Darden -----Original Message----- From: Colin Alston [mailto:karnaugh@karnaugh.za.net] Sent: Monday, August 11, 2008 8:38 AM To: Joe Greco Cc: nanog@merit.edu Subject: Re: maybe a dumb idea on how to fix the dns problems i don't know.... Joe Greco wrote:
Unix machines set up by anyone with half a brain run a local caching server, and use forwarders. IE, the nameserver process can establish a persistent TCP connection to its trusted forwarders, if we just let it.
Organizations often choose not to do this because doing so involves more risk and more things to update when the next vulnerability appears. In many cases, you are suggesting additional complexity and management requirements. A hosting company, for example, might have 20 racks of machines with 40 machines each, which is 800 servers. If half of those are UNIX, then you're talking about 402 nameservers instead of just 2.
[Customers] <--/UDP/--> [DNS Cache] <--/TCP/--> [DNS servers] Not so? Of course, one shouldn't let the rest of the internet touch your DNS Cache query interface... but that's just obvious. I mentioned this a while ago though, so I demand credit ;P Also, I think there is probably an IETF DNS WG list where this fits on topic (I have no idea what it may be though).