Hi Michael,

On 11/22/21 9:59 AM, Michael Peddemors via mailop wrote:
> Operating a DNS server is so easy, and latency is such a tiny bit of overhead, with proper caching,

I agree. I've been using local recursive DNS servers on any network I administer for two decades, my personal, employers, and clients.

> would someone explain why they would use (share) a 3rd party DNS server at all?

I don't know.

I've come to determine that so many people think that DNS is more problematic than turn-key operation that they just don't want to bother. What's more is that they can use their ISP's DNS, one of the quad* DNS servers, or even other third-party DNS servers. So, with that in mind, they seem to think why bother running a local DNS server?

> oh.. grr.. this is kind of off topic to the list, but DNS lookups are critical to email infrastructure, not sure if we should continue the thread, but..

;-)

> I can see from a technical perspective, that a large shared server has greater caching ability in a recursive environment, but mathematically, the performance boost seems negligible compared to all the aspects of connectivity..

I've never stopped to think about the math and probability of a centralized cache.

I look at it more as a naming authority within an organization and that said naming authority has the capability to filter names that come into the organization when querying names outside the organization, e.g. deny-answer-addresses / deny-answer-aliases / RPZ / etc..

> And almost every very high volume mail server probably needs to perform more dns lookups than most other services, and they seem to have no problem doing queries against their own servers.

Agreed.

> And with many services blocking queries from open resolvers, including quad-1 and quad-8, aside from of course the arguments on how that data is used by 3rd parties, and privacy arguments..

Regarding privacy, I've long wondered about malicious ISPs intercepting ~> hijacking outbound DNS queries (from local recursive DNS servers or clients to non-ISP DNS servers) and doing something other than / more than simply moving the bits. -- DNSSEC will help ensure that the data hasn't been tampered with (at least for signed zones). But the ISP can still monitor / inspect deep into packets the queries that clients are making.

I look forward to the day when we have the option to do ubiquitous encrypted communications between recursive server and authoritative server. Sadly, DoH / DoT don't have much to do with this today.

> Please enlighten me why do people want to use an open resolver?
> It can't be uptime ;)

I don't know. I can only surmise something between lazy and making it Somebody Else's Problem. -- The S.E.P. seems to be big in business wherein management thinks they can legally hold S.E. accountable.

--
Grant. . . .
unix || die
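As an added example, not from Grant's message or from anyone on the thread: a BIND 9 named.conf fragment plus the policy zone file it references, showing the three filtering mechanisms Grant lists for a local recursive server (deny-answer-addresses, deny-answer-aliases, RPZ). The zone names (corp.example, rpz.corp.example), file paths, address ranges and the .invalid names in the policy zone are assumed placeholders; both files are shown in one block, separated by comment headers.

```conf
# ---- /etc/bind/named.conf (fragment; assumed path) ----
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };   # only our own networks, never an open resolver

    # DNS-rebinding protection: drop A/AAAA answers from *outside* zones that point at
    # our internal address space; names under except-from may legitimately hold those addresses.
    deny-answer-addresses {
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.0/8;
        169.254.0.0/16; ::1/128; fc00::/7;
    } except-from { "corp.example"; };

    # Same idea for CNAME/DNAME: an external name may not alias into our internal namespace.
    deny-answer-aliases { "corp.example"; } except-from { "corp.example"; };

    # Response Policy Zone: a locally maintained name filter applied to every recursive answer.
    response-policy {
        zone "rpz.corp.example" policy given;
    } qname-wait-recurse no;
};

zone "rpz.corp.example" {
    type primary;            # older BIND releases spell this "type master;"
    file "/etc/bind/db.rpz.corp.example";
    allow-query { none; };   # the policy zone itself is never served to clients
    allow-transfer { none; };
};

# ---- /etc/bind/db.rpz.corp.example (assumed path) ----
$TTL 60
@   IN SOA  ns1.corp.example. hostmaster.corp.example. ( 2021112201 3600 900 604800 60 )
    IN NS   ns1.corp.example.

; Block a known-bad domain and everything below it (CNAME . => NXDOMAIN to the client).
bad-sender.invalid      IN CNAME .
*.bad-sender.invalid    IN CNAME .

; Return NODATA instead (CNAME *. => empty answer), for software that misbehaves on NXDOMAIN.
tracker.invalid         IN CNAME *.

; Rewrite a name to a local sinkhole so the lookups can be logged and investigated.
phish-kit.invalid       IN A     192.0.2.10
```

After editing the policy zone, bump its serial and reload it (e.g. `rndc reload rpz.corp.example`); with `allow-query { none; }` clients cannot enumerate the list, but queries hitting it still appear in the rpz log category if logging is enabled.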
