Limiting recursion - was Re: [ednog] DNS server monitoring
Michael Sinatra
michael at rancid.berkeley.edu
Tue Nov 29 19:28:05 EST 2005
Kevin Miller wrote:
> Michael Sinatra wrote:
>
>>Hi,
>>
>>What are EDU folks doing to monitor their nameservers? I know I have
>>posed this question before to individuals on this list, but I'd like to
>>survey the group. (I can summarize and post the summary if you just
>>want to reply to me.)
>
> Vaguely along the same lines, has anyone outsourced authoritative DNS
> (or caching dns?) to hosted providers (e.g. UltraDNS)? Was it good/bad?
> Do others that don't have comments on whether it would be a good or bad
> thing? (perhaps trying to decouple cost from technical analysis)
I can imagine people who have outsourced authoritative DNS, or
outsourced backup secondary DNS functions (as opposed to more
traditional bilateral agreements between, say, people on this list), but
I would certainly be interested in hearing from anyone who has
outsourced the caching function. That seems a bit odd to me, but who knows?
Since the topic is drifting, I have another question: What have folks
done, or are doing, to restrict recursive queries to your caching
nameservers? A few years ago, I split the authoritative and caching
functions between two sets of anycast addresses. The authoritative
service doesn't do recursion, but the well-known IP addresses of our
caching boxes have been around forever and have been wide-open for at
least that long. I would definitely like to start tightening that up,
as that was my plan all along, and there have been some increased
reports of amplification attacks using open recursive DNS servers. This
is not going to be easy, as a lot of people at Berkeley still have
nameserver addresses statically configured into their machines and they
tend to move around. I'd like to still offer recursion to some of the
big ISPs in the Bay area (since our users use a lot of them). That's a
moving target--just a few weeks ago my DSL provider changed their
netblock for San Francisco. (Of course, they have yet to provide
reverse DNS for this netblock. Since that might lead you to question
their competence, I will only refer to them by their initials--SBC, soon
to be AT&T.)
One thought I had was to allow recursion from every netblock delegated
from IANA to ARIN, plus select legacy IANA direct assignments. That's a
LOT, but it's a LOT LESS than "the whole world."
Has anyone moved in this direction? Does anyone currently limit
recursion? If you moved from open to restricted, how did you proceed?
What kinds of support issues were there?
thanks again,
michael
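One way to implement the "allow recursion from every netblock delegated to ARIN" idea above is to generate the BIND ACL from the RIR's delegated-statistics file rather than maintaining it by hand. The script below is an added example, not code from the original post or from anyone on the ednog list. It assumes the input follows the RIR delegated format (registry|cc|type|start|value|date|status, as in delegated-arin-extended-latest); the records embedded in it are constructed for illustration, and the ACL name "recursion-allowed" is arbitrary.

```python
"""Build a BIND recursion ACL from an RIR delegated-statistics file.

Added example, not code from the original post or the ednog list: it turns
records in the RIR "delegated" format (registry|cc|type|start|value|date|status)
into a BIND 9 `acl` block and the `allow-recursion` option that references it.
The sample records below are constructed for illustration; a real file
(e.g. delegated-arin-extended-latest) has the same field layout.
"""
import ipaddress

# Constructed sample input.  The first two lines mimic the version and summary
# records a real file carries; the parser must skip them.
SAMPLE_DELEGATED = """\
2|arin|20051129|5|19830101|20051128|-0500
arin|*|ipv4|*|2|summary
arin|US|ipv4|192.0.2.0|256|19900101|assigned
arin|US|ipv4|198.51.100.0|768|19950101|allocated
arin|US|ipv6|2001:db8::|32|20050101|allocated
arin|CA|asn|64496|1|20000101|allocated
"""


def parse_delegated(text):
    """Yield (type, start, value) for ipv4/ipv6 records only."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 5 or fields[2] not in ("ipv4", "ipv6"):
            continue  # version header, asn records, junk
        if fields[3] == "*" or fields[-1] == "summary":
            continue  # per-type summary record
        yield fields[2], fields[3], int(fields[4])


def record_to_networks(rtype, start, value):
    """Convert one record to CIDR blocks.

    For ipv4 the value is a host count that need not be a power of two,
    so the range is summarised into the minimal set of prefixes.  For
    ipv6 the value is the prefix length.
    """
    if rtype == "ipv4":
        first = ipaddress.IPv4Address(start)
        last = first + (value - 1)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv6Network(f"{start}/{value}")]


def networks_from_delegated(text):
    """All prefixes in the file, de-duplicated and in address order."""
    nets = set()
    for rtype, start, value in parse_delegated(text):
        nets.update(record_to_networks(rtype, start, value))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_named_conf(text, acl_name="recursion-allowed"):
    """Emit the ACL plus an options{} fragment for named.conf.

    The wide-open setting this replaces is `allow-recursion { any; };`
    (the default in BIND 9.3 and earlier); the generated fragment limits
    recursion, and cache access, to the listed prefixes.
    """
    lines = [f'acl "{acl_name}" {{', "    localhost;"]
    lines += [f"    {net};" for net in networks_from_delegated(text)]
    lines += [
        "};",
        "",
        "options {",
        "    recursion yes;",
        f'    allow-recursion {{ "{acl_name}"; }};',
        f'    allow-query-cache {{ "{acl_name}"; }};   // BIND 9.4 and later',
        "};",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_named_conf(SAMPLE_DELEGATED), end="")
```

Feed it the real delegated file, include the generated file from named.conf, and re-run it whenever the file changes so that a provider renumbering (the SBC example above) is picked up automatically. After reloading, test from an address outside the ACL with something like `dig @ns.example.edu www.example.com A` (hypothetical names): the response should no longer carry the `ra` flag or an answer for a name the server is not authoritative for. One caveat worth keeping in mind: amplification attacks spoof the source address, so a source ACL only helps to the extent the spoofed sources fall outside it, and "all of ARIN" still leaves a large reflector population inside.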