On Aug 22, 2012, at 15:47, /dev/rob0 wrote:

> Google Public DNS seems to look up records again before the TTL 
> expires in their cache, so you are indeed likely to see a slight 
> improvement in your DNS response time without the doubling of your 
> external queries, when using their service. But is that in any way 
> something you could call "net-green"? Since they're ignoring the 
> published TTL, I think not.

Kinda depends on how they do their pre-fetching, really. Unbound also 
has an option to do this, off by default. But if they were to pre-fetch in 
the last X minutes before expiry, that shouldn't really be a problem, 
as long as new data gets picked up on cue?

The bigger problem we found with using someone else's recursors in 
terms of TTL is that quite a few of them seem to override the shorter 
TTL values. Like, anything less than four hours automatically picks up 
four hours as a minimum, that sort of thing.

> Other benefits of running your own nameserver, not to be overlooked: 
> 
> 1. You're shielded from the impact of decisions of greedy business 
> types who don't understand DNS. Every so often one of them gets the 
> idea to replace NXDOMAIN responses with an IP address pointing to 
> their own web server. For a mail server doing DNSBL/DNSWL lookups, 
> the result of that can only be a disaster. And it can happen at any 
> time. Lots of ISPs do this, and they usually won't warn you in 
> advance of such a change.
> 
> 2. You are in control of your own DNSSEC policy. You can strictly 
> validate all signatures, you can allow expired signatures, or you can 
> choose to ignore DNSSEC altogether. If a zone you know exists 
> suddenly comes up as SERVFAIL, you know what to check. Conversely, if 
> DNS for a signed zone is hijacked while you are checking signatures, 
> you are not going to fall for the bogus data.
> 
> 3. You control your own cache. If you are aware of cached data being 
> wrong, you can flush that data and move ahead; whereas you cannot 
> flush your forwarder, and you have to wait for the TTL to expire. 
> "Propagation" is a myth propagated by and for people who don't 
> understand DNS.

4. Relative immunity to DoS attacks, since you can lock down your 
resolvers to only provide access to your own network, which is usually 
a whole lot smaller than whatever public or semi-public resolvers you 
might be using otherwise. 

5. The ability to insert your own overrides and redirects. You won't 
need to override something very often, but it's great to be able to 
redirect certain queries to rbldnsd running on a different port, for 
example, if you want to run custom DNS based blacklists.

> I go for one nameserver per site, or at a bigger site, maybe two.

For those running just one or two servers, this can even be as simple 
as running a recursor on your localhost interface, making sure it 
starts before everything else does.

Cya,
Jona
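
As an added illustration (not part of the thread, and not an Unbound project example): an Unbound `unbound.conf` fragment that puts the points discussed above into practice. Addresses, zone names and the trust-anchor path are placeholders, and the rbldnsd port is assumed to be 530.

```conf
server:
    # Listen on loopback and the LAN side only, never on a public interface.
    interface: 127.0.0.1
    interface: 192.0.2.1

    # Point 4: only our own network may use this recursor (0.0.0.0/0 is
    # already refused by default; spelled out here for clarity).
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow

    # Prefetch is the "last X minutes before expiry" behaviour: popular
    # records are re-fetched shortly before they expire, so new upstream
    # data is still picked up on cue. Off by default.
    prefetch: yes

    # Honour the published TTL. Raising this is the "four hour minimum"
    # override criticised in the thread; 0 is the default (no floor).
    cache-min-ttl: 0

    # Point 2: strict DNSSEC validation with a locally managed trust anchor
    # (path is a placeholder). To ignore DNSSEC entirely you would set
    # module-config: "iterator"; to log instead of reject bogus data,
    # val-permissive-mode: yes.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Point 5: a local override; this name is answered here, never upstream.
    local-zone: "printer.example.internal." static
    local-data: "printer.example.internal. 300 IN A 192.0.2.50"

    # Required so the stub zone below may be queried on loopback.
    do-not-query-localhost: no

# Point 5 continued: hand a custom DNSBL zone to rbldnsd on a different port.
stub-zone:
    name: "dnsbl.example.internal."
    stub-addr: 127.0.0.1@530
```

For point 3, a wrong cached entry is dropped with `unbound-control flush_zone <name>` (or `unbound-control flush <name>` for a single name) without waiting for its TTL to expire.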
