> From: Jared Mauch <[email protected]>

> > phones, and other devices behind a NAT router owned by and remotely
> > maintained by Comcast. Instead the question concerned a business with
> > 2 IT professionals. Relying on distant DNS servers is negligent and
> > grossly incompetent for a professionally run network.
>
> As with many things we will have to disagree.
>
> Not everyone has the same skill set as those on this list, and that curve
> goes down rather quickly.
I can't help noticing that Jared Mauch noticed and disagreed with my
conclusion about relying on distant DNS servers but overlooked or ignored
the security reasons compelling the conclusion. He evidently also
overlooked the contradiction or irony in his previous note:

] Everyone else should just use either their ISP (with NXDOMAIN
] rewriting turned off) ...
] Folks like Comcast have large validating resolvers. Their customers
] should use them.

despite https://www.google.com/search?q=COMCAST+dns+hijacking

If you check the pages found by that URL, you'll see
  - older reports that Comcast was phasing out DNS hijacking
  - more recent reports of redirection or hijacking of 58/UDP packets--not
    just falsified results from those big Comcast DNS servers but packet
    hijacking
  - far more complication, confusion, and mystification than is realistic
    to expect a two-person IT department to resolve.

It's clear that a simple, secure business DNS configuration does *not*
involve a consumer-grade ISP. (I don't mean to criticise any particular
consumer-grade ISP. They are all similar. I'm not even sure that DNS
result or packet hijacking is a bad thing for consumer households.)

However, not just tolerating but encouraging people without basic network
and computer competence to run Internet businesses is like aviation before
the FAA. In the first years enthusiasts bought, built, or borrowed
airplanes and went into the barnstorming or airmail businesses. Then the
air industry got government licenses and regulations. From Kitty Hawk to
the 1926 Air Commerce Act licensing pilots was 23 years.
http://www.faa.gov/about/history/brief_history/
Whether you mark the start of public interest in the Internet with the
1972 CACM articles about the ARPANET (my DOC lab employer read those
papers, got an appropriation, and linked our computers soon after), CSNET
&co in the early 1980s when many commercial outfits got Internet
connections, or a date between, it is more than 23 years later.
I don't like the idea of government Internet licenses, but a two-person
IT shop using distant DNS servers, not to mention a consumer-grade ISP,
is as culpable as buying an old potato washer to clean your cantaloupe
crop for market. I'm uncomfortable with the criminal charges against the
Jensen brothers, but if that's what it takes to get people to learn
enough and do it right ...
https://www.google.com/search?q=Jensen+cantaloupe

Vernon Schryver    [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
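A concrete check for one of the resolver behaviours argued about in this thread, NXDOMAIN rewriting, as an added example that is not part of the original post or of any list member's material. It builds a DNS query for a random label that cannot exist, parses the resolver's wire-format reply, and reports whether the resolver returned NXDOMAIN honestly or substituted an A record for the nonexistent name. The probe name, the transaction id and the address 198.51.100.80 (a documentation address standing in for a "search assist" portal) are constructed for the example; nothing here is captured traffic, and the function names are this example's own.

```python
# Added example (not from the original post): build a DNS query for a name that
# cannot exist, parse the resolver's wire-format reply, and flag NXDOMAIN
# rewriting. Probe names and IP addresses below are constructed, not captured.
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3   # RFC 1035 section 4.1.1
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """Dotted hostname -> DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=QTYPE_A):
    """Standard recursive query: one question, RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def decode_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                          # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(data):
    """Parse header, question and answer sections of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(data, off)
        questions.append((qname,) + struct.unpack("!HH", data[off:off + 4]))
        off += 4
    for _ in range(an):
        rname, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata = data[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}

def classify(expected_txid, raw):
    """Classify a reply to a query for a name that must not exist."""
    resp = parse_response(raw)
    if not resp["is_response"] or resp["id"] != expected_txid:
        return "mismatched-or-forged"
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["answers"]:
        return "honest-nxdomain"
    if resp["rcode"] == RCODE_NOERROR and any(a[1] == QTYPE_A for a in resp["answers"]):
        return "nxdomain-rewriting"
    return "unexpected-rcode-%d" % resp["rcode"]

def build_response(query, rcode, a_records=()):
    """Construct a reply to `query`; used here only to make offline sample packets."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = query[12:]                              # echo the question section
    for ip in a_records:                           # owner name = pointer to offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        body += socket.inet_aton(ip)
    return header + body

def probe_resolver(resolver_ip, zone="example.net", timeout=2.0):
    """Live check: send a random label under `zone` to resolver_ip on 53/UDP."""
    name, txid = "%s.%s" % (secrets.token_hex(8), zone), secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        raw, _ = s.recvfrom(4096)
    return classify(txid, raw)

# Constructed sample packets (not captured traffic); 198.51.100.80 is a
# documentation address standing in for an ISP "search assist" portal.
PROBE_TXID = 0x1234
SAMPLE_QUERY = build_query("zz7q3kd9x1.example.net", PROBE_TXID)
HONEST_REPLY = build_response(SAMPLE_QUERY, RCODE_NXDOMAIN)
REWRITTEN_REPLY = build_response(SAMPLE_QUERY, RCODE_NOERROR, ["198.51.100.80"])
```

Running probe_resolver() against the ISP's resolver and again against a resolver the business runs itself shows the difference the post is arguing about. One caveat: this detects result substitution only. Transparent interception of 53/UDP in the path cannot be told apart from an honest resolver by the reply alone, because the interceptor answers in the resolver's name; the usual check for that is to send the same probe to an address known to run no DNS server at all, where any reply at all means something in the path answered on its behalf.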
