Limiting recursion - was Re: [ednog] DNS server monitoring

Michael Sinatra michael at rancid.berkeley.edu
Tue Nov 29 19:28:05 EST 2005


Kevin Miller wrote:
> Michael Sinatra wrote:
> 
>>Hi,
>>
>>What are EDU folks doing to monitor their nameservers?  I know I have 
>>posed this question before to individuals on this list, but I'd like to 
>>survey the group.  (I can summarize and post the summary if you just 
>>want to reply to me.)
> 
> Vaguely along the same lines, has anyone outsourced authoritative DNS 
> (or caching dns?) to hosted providers (e.g. UltraDNS)? Was it good/bad? 
> Do others that don't have comments on whether it would be a good or bad 
> thing? (perhaps trying to decouple cost from technical analysis)

I can imagine people who have outsourced authoritative DNS, or 
outsourced backup secondary DNS functions (as opposed to more 
traditional bilateral agreements between, say, people on this list), but 
I would certainly be interested in hearing from anyone who has 
outsourced the caching function.  That seems a bit odd to me, but who knows?

Since the topic is drifting, I have another question: What have folks 
done, or are doing, to restrict recursive queries to your caching 
nameservers?  A few years ago, I split the authoritative and caching 
functions between two sets of anycast addresses.  The authoritative 
service doesn't do recursion, but the well-known IP addresses of our 
caching boxes have been around forever and have been wide-open for at 
least that long.  I would definitely like to start tightening that up, 
as that was my plan all along, and there have been some increased 
reports of amplification attacks using open recursive DNS servers.  This 
is not going to be easy, as a lot of people at Berkeley still have 
nameserver addresses statically configured into their machines and they 
tend to move around.  I'd like to still offer recursion to some of the 
big ISPs in the Bay area (since our users use a lot of them).  That's a 
moving target--just a few weeks ago my DSL provider changed their 
netblock for San Francisco.  (Of course, they have yet to provide 
reverse DNS for this netblock.  Since that might lead you to question 
their competence, I will only refer to them by their initials--SBC, soon 
to be AT&T.)

One thought I had was to allow recursion from every netblock delegated 
from IANA to ARIN, plus select legacy IANA direct assignments.  That's a 
LOT, but it's a LOT LESS than "the whole world."

Has anyone moved in this direction?  Does anyone currently limit 
recursion?  If you moved from open to restricted, how did you proceed? 
What kinds of support issues were there?

thanks again,
michael
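
The split-recursion setup described above, as an added example that is not from the original post or Berkeley's configuration: BIND 9 named.conf fragments with the open ("before") and source-restricted ("after") caching server side by side, plus the authoritative-only anycast address. All netblocks are placeholders, and `allow-query-cache` assumes BIND 9.4 or later.

```conf
// Added example, not the original poster's config. Netblocks are placeholders.

// ===== caching anycast address, BEFORE: open recursion =====
// named.conf on the caching server (original, weak)
options {
    directory "/var/named";
    recursion yes;          // with no allow-recursion, the default ACL is "any"
};

// ===== caching anycast address, AFTER: recursion only for listed sources =====
// named.conf on the caching server (hardened)
acl "campus" {
    192.0.2.0/24;           // placeholder: campus IPv4 allocation
    2001:db8::/32;          // placeholder: campus IPv6 allocation
    127.0.0.1;
};
acl "offsite-isps" {
    198.51.100.0/24;        // placeholder: home-ISP block users connect from;
                            // expect to revise this as providers renumber
};
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { campus; offsite-isps; };
    allow-query-cache { campus; offsite-isps; }; // also hide cache contents
    allow-query       { any; };                  // local zones still answer
};

// ===== authoritative anycast address: never recurse =====
// named.conf on the authoritative server
options {
    directory "/var/named";
    recursion no;           // refuses recursive lookups regardless of source
    allow-query { any; };
};
```

From an address outside the ACLs, `dig @<caching-address> example.com` should now come back with status REFUSED and no `ra` flag, and that short refusal is what removes the amplification value of the server; sources inside the ACLs are still trusted on IP alone, so a spoofed in-ACL source address is the residual exposure to watch for.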

