[AFMUG] new DNS

2018-04-02 Thread Travis Johnson

https://gizmodo.com/how-to-speed-up-your-internet-and-protect-your-privacy-1824256587

Faster and more private than Google or others. :)

Travis



Re: [AFMUG] new DNS

2018-04-02 Thread Josh Reynolds
Yes, bunch of discussions over the past few days on NANOG and some of the
vendor mailing lists.



Re: [AFMUG] new DNS

2018-04-02 Thread Jason McKemie
I fail to see how this is going to protect the user from their evil spying
ISP in any meaningful way.



Re: [AFMUG] new DNS

2018-04-02 Thread Jaime Solorza
You sure it's not an April Fools' gag?

Jaime Solorza



Re: [AFMUG] new DNS

2018-04-02 Thread Josh Reynolds
It's not

On Mon, Apr 2, 2018, 2:24 PM Jaime Solorza 
wrote:

> You sure it's not an April Fools' gag?
>
> Jaime Solorza


Re: [AFMUG] new DNS

2018-04-02 Thread chuck
Wonder how they got that IP address.




Re: [AFMUG] new DNS

2018-04-02 Thread Seth Mattinen

On 4/2/18 12:43, ch...@wbmfg.com wrote:

Wonder how they got that IP address.


APNIC has it and agreed to let Cloudflare use it or something, 
apparently there's some upset about it not being a transparent process, 
but I don't follow APNIC happenings. I guess they felt left out from the 
public DNS resolver party.


Re: [AFMUG] new DNS

2018-04-02 Thread Josh Baird
From APNIC..

Sent from my iPhone



Re: [AFMUG] new DNS

2018-04-02 Thread Josh Reynolds
If you guys aren't on NANOG, you really should be.



Re: [AFMUG] new DNS

2018-04-02 Thread chuck
So many lists, so many time.  It would cut into my TV watching I am afraid...



Re: [AFMUG] new DNS

2018-04-02 Thread Seth Mattinen

On 4/2/18 13:30, ch...@wbmfg.com wrote:
So many lists, so many time.  It would cut into my TV watching I am 
afraid...



I used to work really hard all the time, but since August of last 
year I decided it's been enough for what I'm getting out of it and 
shifted focus to remodeling, TV, movies, and video games.


Re: [AFMUG] new DNS

2018-04-02 Thread chuck
That is my dream too.  Play with grandkids more.  But I keep starting 
businesses...





Re: [AFMUG] new DNS

2018-04-02 Thread Adam Moffett

Someone remind me again why I have my own recursive DNS.




Re: [AFMUG] new DNS

2018-04-03 Thread Forrest Christian (List Account)
Because it's good for your customers, and it should take very little time
to set one up.

The main reason for this is so that websites serve data from the closest
server due to the way that DNS anycast works.

And, the biggest one - to have control over a critical piece of
infrastructure for your customers.  What happens if one of these public DNS
services goes down and you have hundreds of customers pointing at it?



-- 
*Forrest Christian* *CEO**, PacketFlux Technologies, Inc.*
Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602
forre...@imach.com | http://www.packetflux.com
<http://www.linkedin.com/in/fwchristian>  <http://facebook.com/packetflux>
<http://twitter.com/@packetflux>


Re: [AFMUG] new DNS

2018-04-03 Thread Paul Stewart
I know there are often debates on here about running any servers, some servers, 
or doing everything in-house (mail, web, DNS etc.).  Even if you outsource 
everything I would still run recursive caching DNS …. Performance and 
reliability are the main reasons.  Some CDNs and other services determine the path 
to send you content based on where the DNS lookup occurs and in our case 
that's a significant factor …

We operate our own anycasted DNS … actually two of them.  One set of servers for 
recursive caching and another set for authoritative DNS.

Paul




Re: [AFMUG] new DNS

2018-04-03 Thread Justin Wilson
You have your own DNS for one huge reason: GeoLocation when it comes to 
content networks such as Netflix.  One of the mechanisms they employ is using 
DNS Geolocation to serve you the closest content.  Not only do they do a 
GeoLocate on your IP, but some also do a check to make sure your DNS servers are 
coming from the same place as your customers. This is especially true if you or 
one of your upstreams is peered with Netflix or someone on an exchange. 
Otherwise, if you are using Google or other DNS you may be in Kansas, and you 
might be getting content from Netflix out of California, when you could be 
getting it literally next door.  Makes the customer experience much better. 
There are RFCs that address this, but whether they are implemented is a crapshoot.

Secondly, relying on a 3rd party for such a critical service as DNS can be 
troublesome.  Would you rely on someone else to provide the wireless signal to 
your customers blindly? If so, then offloading DNS is okay for you.  I want 
more control for such a critical service.  

I hear folks worry about the bandwidth DNS takes up.  It's not a concern either 
way.  If your network can't support the bandwidth of DNS queries then you have 
deeper issues.

It's hard.  No it's not.  Tons of tutorials on BIND for every flavor of Linux.  
Just about any old machine lying around can run DNS.  

If anyone wants to know how easy, and how cheap, it is to spin up DNS (both 
recursive and authoritative) hit me up.  I will gladly talk with you about some 
strategy.

Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

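A worked example added here, not part of Justin's message or any code from the list: the RFC he alludes to is EDNS Client Subnet (ECS, RFC 7871), the option a recursive resolver can attach to a query to tell the authoritative server which client subnet it is asking for, so a CDN can pick the nearest site even when the resolver itself sits far from the customer. The Python below is my own illustration (not from any project named in the thread); it encodes and decodes the ECS option on the wire and shows what an authoritative server gets to key its answer on with and without it. The client address 203.0.113.77 is a constructed documentation address; 1.1.1.1 and 172.16.0.21 are the resolver addresses quoted elsewhere in the thread.

```python
"""EDNS Client Subnet (RFC 7871): encode/decode the option and show what an
authoritative, geolocating server learns about the client with and without it."""
import ipaddress
import struct
from typing import Optional, Tuple

OPTION_CODE_ECS = 8                 # EDNS0 option code assigned to ECS
FAMILY_IPV4, FAMILY_IPV6 = 1, 2     # address family values used in the option
# RFC 7871 section 11.1 privacy guidance: send no more than /24 (v4) or /56 (v6)
RECOMMENDED_MAX_PREFIX = {4: 24, 6: 56}


def encode_ecs(client_ip: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Build a complete EDNS option (code, length, body) for one client subnet.
    The address is truncated to source_prefix bits, as the RFC requires."""
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError(f"prefix /{source_prefix} is invalid for IPv{addr.version}")
    # strict=False zeroes every host bit beyond the prefix
    network = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8          # only as many octets as the prefix needs
    body = struct.pack("!HBB", family, source_prefix, scope_prefix)
    body += network.network_address.packed[:nbytes]
    return struct.pack("!HH", OPTION_CODE_ECS, len(body)) + body


def decode_ecs(option: bytes) -> Tuple[str, int]:
    """Parse an ECS option into (subnet, scope_prefix), rejecting the malformed
    cases RFC 7871 says a server must treat as FORMERR."""
    if len(option) < 8:
        raise ValueError("option too short for an ECS header")
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_CODE_ECS:
        raise ValueError(f"not an ECS option (code {code})")
    body = option[4:4 + length]
    if len(body) != length:
        raise ValueError("declared option length exceeds the bytes present")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError(f"unknown address family {family}")
    total = 4 if family == FAMILY_IPV4 else 16
    if source_prefix > total * 8:
        raise ValueError("source prefix is longer than the address family allows")
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match the source prefix")
    padded = addr_bytes + b"\x00" * (total - len(addr_bytes))
    try:
        # strict=True (the default) raises if any bit past the prefix is set,
        # which the RFC forbids in a well-formed option.
        network = ipaddress.ip_network((padded, source_prefix))
    except ValueError as exc:
        raise ValueError("non-zero bits beyond the source prefix") from exc
    return str(network), scope_prefix


def subnet_seen_by_authoritative(resolver_ip: str,
                                 ecs_option: Optional[bytes] = None) -> str:
    """What a geolocating authoritative server can base its answer on: the client
    subnet carried in ECS, or, with no ECS, nothing but the resolver's own address."""
    if ecs_option is None:
        return str(ipaddress.ip_network(resolver_ip))
    subnet, _scope = decode_ecs(ecs_option)
    return subnet


def within_privacy_guidance(source_prefix: int, ip_version: int) -> bool:
    """True when the prefix is no finer than the RFC's recommended /24 or /56."""
    return source_prefix <= RECOMMENDED_MAX_PREFIX[ip_version]


if __name__ == "__main__":
    # Constructed scenario: a customer at 203.0.113.77 (documentation range) queries
    # through a distant public resolver, then through the ISP's own resolver.
    client, public_resolver, own_resolver = "203.0.113.77", "1.1.1.1", "172.16.0.21"
    opt = encode_ecs(client, 24)
    print("ECS option bytes:", opt.hex())
    print("decoded:", decode_ecs(opt))
    print("public resolver, no ECS  ->", subnet_seen_by_authoritative(public_resolver))
    print("public resolver, with ECS->", subnet_seen_by_authoritative(public_resolver, opt))
    print("own resolver, no ECS     ->", subnet_seen_by_authoritative(own_resolver))
    print("/32 within guidance?", within_privacy_guidance(32, 4))
```

Two things to take from it. Without ECS the authoritative side is keyed on the resolver's own address, which is exactly the mismatch Justin describes when a customer in Kansas resolves through a far-away public resolver; with ECS, or with a resolver that sits on the ISP's own network, the answer is keyed on something close to the customer. The option also ships part of the customer's address to every authoritative server on the path, which is why the RFC's privacy guidance is to truncate to /24 or /56 and why whether a given public resolver sends ECS at all is operator policy, so "whether they are implemented is a crapshoot" applies on both sides of the query.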


Re: [AFMUG] new DNS

2018-04-03 Thread Steve Jones
If I can run DNS anyone can run DNS



Re: [AFMUG] new DNS

2018-04-03 Thread Dave

LOL +1
I've been running DNS since day one and never looked back. Had to upgrade 
hardware from some old Intel dual-core machines
to Intel i5 with 16GB of RAM and a 250GB SSD. Performance is overrated 
these days :)
All they do is DNS, except the primary DNS has an HTML speed test for 
techs to test internal stuff.





Re: [AFMUG] new DNS

2018-04-03 Thread Adam Moffett
It's clearly not hard.  It's obviously not expensive. I'm already doing 
it and have been for years.  But it's more than $0.


I've seen the geolocation issue in the past.  More recently I tried to 
demonstrate it to someone and it turned out that Google DNS and our own 
DNS gave us Netflix content from the same source.


If I used someone else's DNS and that 3rd party went away, then there 
are apparently 10 other "3rd parties" to choose from.  I recognize the 
point that it's a 3rd party and we don't want to rely on 3rd parties: 
But can we honestly say that our DNS servers are more reliable than 
Google or Cloudflare?


I'm not shutting down the DNS servers today, I'm just trying to look 
inward and analyze what we're doing and why.  Are we doing it because it 
actually makes sense or are we doing it because we've always done it and 
we can't imagine another way?






Re: [AFMUG] new DNS

2018-04-03 Thread Matt Hoppes

So.

8.8.8.8
Query time: 40 msec

1.1.1.1
Query time: 2 msec

172.16.0.21
Query time: 30 msec


Wait... what?!?!  How is Cloudflare faster than my own local caching 
resolver?



Re: [AFMUG] new DNS

2018-04-03 Thread Matt Hoppes

Never mind, apparently we weren't cached..

172.16.0.21
Query time: 3 msec

On 4/3/18 10:04 AM, Matt Hoppes wrote:

So.

8.8.8.8
Query time: 40 msec

1.1.1.1
Query time: 2 msec

172.16.0.21
Query time: 30 msec


Wait... what?!?!  How is CLoudFlare faster than my own local caching 
resolver?


On 4/3/18 10:03 AM, Adam Moffett wrote:
It's clearly not hard.  It's obviously not expensive. I'm already 
doing it and have been for years.  But it's more than $0.


I've seen the geolocation issue in the past.  More recently I tried to 
demonstrate it to someone and it turned out that Google DNS and our 
own DNS gave us Netflix content from the same source.


If I used someone else's DNS and that 3rd party went away, then there 
are apparently 10 other "3rd parties" to choose from.  I recognize the 
point that it's a 3rd party and we don't want to rely on 3rd parties: 
But can we honestly say that our DNS servers are more reliable than 
Google or Cloudflare?


I'm not shutting down the DNS servers today, I'm just trying to look 
inward and analyze what we're doing and why.  Are we doing it because 
it actually makes sense or are we doing it because we've always done 
it and we can't imagine another way?




-- Original Message --
From: "Justin Wilson"
To: af@afmug.com
Sent: 4/3/2018 8:48:33 AM
Subject: Re: [AFMUG] new DNS

You have your own DNS for one huge reason. GeoLocation for when it 
comes to Content Networks such as Netflix.  One of the mechanisms 
they employ is using DNS Geolocation to serve you the closest 
content.  Not only do they do a GeoLocate on your IP, but some also do 
a check to make sure your DNS servers are coming from the same place 
as your customers. This is especially true if you or one of your 
upstreams is peered with Netflix or someone on an exchange. 
Otherwise, if you are using Google or other DNS you may be in Kansas, 
and you might be getting content from Netflix out of California, when 
you could be getting it literally next door.  Makes the customer 
experience much better. There are RFCs that address this, but if they 
are implemented is a crapshoot.


Secondly, relying on a 3rd party for such a critical service such as 
DNS can be troublesome.  Would you rely on someone else to provide 
the wireless signal to your customers blindly? If so, then offloading 
DNS is okay for you.  I want more control for such a critical service.


I hear folks worry about the bandwidth DNS takes up.  It’s not a 
concern either way.  If your network can’t support the bandwidth of 
DNS queries then you have deeper issues.


It’s hard.  No it’s not.  Tons of tutorials on Bind for every flavor 
of linux.  Just about any old machine laying around can run DNS.


If anyone wants to know how easy, and how cheap it is to spin up DNS 
(both recursive and authoritative) hit me up.  I will gladly talk 
with you about some strategy.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

On Apr 3, 2018, at 6:34 AM, Paul Stewart wrote:


I know there are often debates on here about running any servers, 
some servers, or doing everything in-house (mail, web, DNS etc).  
Even if you outsource everything I would still run recursive caching 
DNS …. Performance and reliability the main reasons.  Some CDN’s and 
other services determine the path to send you content based on where 
the DNS look up occurs and in our case that’s a significant factor …
We operate our own anycasted DNS …actually two of them.  One set of 
servers for recursive caching and another set for authoritative DNS.

Paul
*From:* Af on behalf of "Forrest Christian (List Account)"

*Reply-To:* af@afmug.com
*Date:* Tuesday, April 3, 2018 at 4:33 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] new DNS
Because it's good for your customers, and it should take very little 
time to set one up.
The main reason for this is so that websites serve data from the 
closest server due to the way that DNS anycast works.
And, the biggest one - to have control over a critical piece of 
infrastructure for your customers.  What happens if one of these 
public DNS services goes down and you have hundreds of customers 
pointing at it?
On Mon, Apr 2, 2018 at 11:33 PM, Adam Moffett wrote:

Someone remind me again why I have my own recursive DNS.
-- Original Message --
From: "Josh Reynolds"

To: af@afmug.com
Sent: 4/2/2018 3:22:57 PM
Subject: Re: [AFMUG] new DNS
Yes, bunch of discussions over the past few days on NANOG and some 
of the vendor mailing li

Re: [AFMUG] new DNS

2018-04-03 Thread Josh Reynolds
Traceroute that. Look at the route for it. You might have used it for an
OSPF router ID.

On Tue, Apr 3, 2018, 9:04 AM Matt Hoppes 
wrote:

> So.
>
> 8.8.8.8
> Query time: 40 msec
>
> 1.1.1.1
> Query time: 2 msec
>
> 172.16.0.21
> Query time: 30 msec
>
>
> Wait... what?!?!  How is CloudFlare faster than my own local caching
> resolver?
>
> On 4/3/18 10:03 AM, Adam Moffett wrote:
> > It's clearly not hard.  It's obviously not expensive. I'm already doing
> > it and have been for years.  But it's more than $0.
> >
> > I've seen the geolocation issue in the past.  More recently I tried to
> > demonstrate it to someone and it turned out that Google DNS and our own
> > DNS gave us Netflix content from the same source.
> >
> > If I used someone else's DNS and that 3rd party went away, then there
> > are apparently 10 other "3rd parties" to choose from.  I recognize the
> > point that it's a 3rd party and we don't want to rely on 3rd parties:
> > But can we honestly say that our DNS servers are more reliable than
> > Google or Cloudflare?
> >
> > I'm not shutting down the DNS servers today, I'm just trying to look
> > inward and analyze what we're doing and why.  Are we doing it because it
> > actually makes sense or are we doing it because we've always done it and
> > we can't imagine another way?
> >
> >
> >
> > -- Original Message --
> > From: "Justin Wilson" mailto:li...@mtin.net>>
> > To: af@afmug.com <mailto:af@afmug.com>
> > Sent: 4/3/2018 8:48:33 AM
> > Subject: Re: [AFMUG] new DNS
> >
> >> You have your own DNS for one huge reason. GeoLocation for when it
> >> comes to Content Networks such as Netflix.  One of the mechanisms they
> >> employ is using DNS Geolocation to serve you the closest content.  Not
> >> only do they do a GeoLocate on your IP, but some also do a check to
> >> make sure your DNS servers are coming from the same place as your
> >> customers. This is especially true if you or one of your upstreams is
> >> peered with Netflix or someone on an exchange. Otherwise, if you are
> >> using Google or other DNS you may be in Kansas, and you might be
> >> getting content from Netflix out of California, when you could be
> >> getting it literally next door.  Makes the customer experience much
> >> better. There are RFCs that address this, but if they are implemented
> >> is a crapshoot.
> >>
> >> Secondly, relying on a 3rd party for such a critical service such as
> >> DNS can be troublesome.  Would you rely on someone else to provide the
> >> wireless signal to your customers blindly? If so, then offloading DNS
> >> is okay for you.  I want more control for such a critical service.
> >>
> >> I hear folks worry about the bandwidth DNS takes up.  It’s not a
> >> concern either way.  If your network can’t support the bandwidth of
> >> DNS queries then you have deeper issues.
> >>
> >> It’s hard.  No it’s not.  Tons of tutorials on Bind for every flavor
> >> of linux.  Just about any old machine laying around can run DNS.
> >>
> >> If anyone wants to know how easy, and how cheap it is to spin up DNS
> >> (both recursive and authoritative) hit me up.  I will gladly talk with
> >> you about some strategy.
> >>
> >> Justin Wilson
> >> j...@mtin.net <mailto:j...@mtin.net>
> >>
> >> www.mtin.net <http://www.mtin.net>
> >> www.midwest-ix.com <http://www.midwest-ix.com>
> >>
> >>> On Apr 3, 2018, at 6:34 AM, Paul Stewart wrote:
> >>>
> >>> I know there are often debates on here about running any servers, some
> >>> servers, or doing everything in-house (mail, web, DNS etc).  Even if
> >>> you outsource everything I would still run recursive caching DNS ….
> >>> Performance and reliability the main reasons.  Some CDN’s and other
> >>> services determine the path to send you content based on where the
> >>> DNS look up occurs and in our case that’s a significant factor …
> >>> We operate our own anycasted DNS …actually two of them.  One set of
> >>> servers for recursive caching and another set for authoritative DNS.
> >>> Paul
> >>> *From:*Af mailto:af-boun...@afmug.com>> on
> >>> behalf of "Forrest Christian (List Account)"  >>> <mail

Re: [AFMUG] new DNS

2018-04-03 Thread Matt Hoppes

Naw... not a router ID.

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
 1  172.16.0.1 (172.16.0.1)  3.317 ms  0.878 ms  0.847 ms
 2  10.200.90.85 (10.200.90.85)  1.016 ms  1.028 ms  0.986 ms
 3  10.200.90.25 (10.200.90.25)  10.454 ms  17.965 ms  24.062 ms
 4  10.200.90.33 (10.200.90.33)  21.325 ms  19.223 ms  20.039 ms
 5  10.200.90.89 (10.200.90.89)  27.758 ms  19.306 ms  20.584 ms
 6  173.246.229.73 (173.246.229.73)  32.198 ms  14.440 ms  17.491 ms
 7  er0-nycmny.zitomedia.net (74.81.98.227)  39.302 ms  51.617 ms 
38.379 ms
 8  de-cix-new-york.as13335.net (206.130.10.31)  26.231 ms  32.837 ms 
36.809 ms
 9  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  36.106 ms  27.082 ms 
28.810 ms


matt-hoppess-macbook-2:~ matth$ traceroute 172.16.0.21
traceroute to 172.16.0.21 (172.16.0.21), 64 hops max, 52 byte packets
 1  172.16.0.21 (172.16.0.21)  3.248 ms  0.806 ms  0.650 ms

The entry just wasn't cached locally.

That being said, I'm impressed they seem to be incredibly connected -- 
more so than Google.


On 4/3/18 10:09 AM, Josh Reynolds wrote:
Traceroute that. Look at the route for it. You might have used it for an 
OSPF router ID.


On Tue, Apr 3, 2018, 9:04 AM Matt Hoppes wrote:


So.

8.8.8.8
Query time: 40 msec

1.1.1.1
Query time: 2 msec

172.16.0.21
Query time: 30 msec


Wait... what?!?!  How is CloudFlare faster than my own local caching
resolver?

On 4/3/18 10:03 AM, Adam Moffett wrote:
 > It's clearly not hard.  It's obviously not expensive. I'm already
doing
 > it and have been for years.  But it's more than $0.
 >
 > I've seen the geolocation issue in the past.  More recently I
tried to
 > demonstrate it to someone and it turned out that Google DNS and
our own
 > DNS gave us Netflix content from the same source.
 >
 > If I used someone else's DNS and that 3rd party went away, then there
 > are apparently 10 other "3rd parties" to choose from.  I
recognize the
 > point that it's a 3rd party and we don't want to rely on 3rd parties:
 > But can we honestly say that our DNS servers are more reliable than
 > Google or Cloudflare?
 >
 > I'm not shutting down the DNS servers today, I'm just trying to look
 > inward and analyze what we're doing and why.  Are we doing it
because it
 > actually makes sense or are we doing it because we've always done
it and
 > we can't imagine another way?
 >
 >
 >
 > -- Original Message --
 > From: "Justin Wilson"
 > To: af@afmug.com
 > Sent: 4/3/2018 8:48:33 AM
 > Subject: Re: [AFMUG] new DNS
 >
 >> You have your own DNS for one huge reason. GeoLocation for when it
 >> comes to Content Networks such as Netflix.  One of the
mechanisms they
 >> employ is using DNS Geolocation to serve you the closest
content.  Not
 >> only do they do a GeoLocate on your IP, but some also do a check to
 >> make sure your DNS servers are coming from the same place as your
 >> customers. This is especially true if you or one of your
upstreams is
 >> peered with Netflix or someone on an exchange. Otherwise, if you are
 >> using Google or other DNS you may be in Kansas, and you might be
 >> getting content from Netflix out of California, when you could be
 >> getting it literally next door.  Makes the customer experience much
 >> better. There are RFCs that address this, but if they are
implemented
 >> is a crapshoot.
 >>
 >> Secondly, relying on a 3rd party for such a critical service such as
 >> DNS can be troublesome.  Would you rely on someone else to
provide the
 >> wireless signal to your customers blindly? If so, then
offloading DNS
 >> is okay for you.  I want more control for such a critical service.
 >>
 >> I hear folks worry about the bandwidth DNS takes up.  It’s not a
 >> concern either way.  If your network can’t support the bandwidth of
 >> DNS queries then you have deeper issues.
 >>
 >> It’s hard.  No it’s not.  Tons of tutorials on Bind for every flavor
 >> of linux.  Just about any old machine laying around can run DNS.
 >>
 >> If anyone wants to know how easy, and how cheap it is to spin up DNS
 >> (both recursive and authoritative) hit me up.  I will gladly
talk with
 >> you about

Re: [AFMUG] new DNS

2018-04-03 Thread Josh Reynolds
Google is connected to what's important to Google. Cloudflare's business
model, like any CDN, means it needs to be connected everywhere.

On Tue, Apr 3, 2018, 9:14 AM Matt Hoppes 
wrote:

> Naw... not a router ID.
>
> traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
>   1  172.16.0.1 (172.16.0.1)  3.317 ms  0.878 ms  0.847 ms
>   2  10.200.90.85 (10.200.90.85)  1.016 ms  1.028 ms  0.986 ms
>   3  10.200.90.25 (10.200.90.25)  10.454 ms  17.965 ms  24.062 ms
>   4  10.200.90.33 (10.200.90.33)  21.325 ms  19.223 ms  20.039 ms
>   5  10.200.90.89 (10.200.90.89)  27.758 ms  19.306 ms  20.584 ms
>   6  173.246.229.73 (173.246.229.73)  32.198 ms  14.440 ms  17.491 ms
>   7  er0-nycmny.zitomedia.net (74.81.98.227)  39.302 ms  51.617 ms
> 38.379 ms
>   8  de-cix-new-york.as13335.net (206.130.10.31)  26.231 ms  32.837 ms
> 36.809 ms
>   9  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  36.106 ms  27.082 ms
> 28.810 ms
>
> matt-hoppess-macbook-2:~ matth$ traceroute 172.16.0.21
> traceroute to 172.16.0.21 (172.16.0.21), 64 hops max, 52 byte packets
>   1  172.16.0.21 (172.16.0.21)  3.248 ms  0.806 ms  0.650 ms
>
> The entry just wasn't cached locally.
>
> That being said, I'm impressed they seem to be incredibly connected --
> more so than Google.
>
> On 4/3/18 10:09 AM, Josh Reynolds wrote:
> > Traceroute that. Look at the route for it. You might have used it for an
> > OSPF router ID.
> >
> > On Tue, Apr 3, 2018, 9:04 AM Matt Hoppes wrote:
> >
> > So.
> >
> > 8.8.8.8
> > Query time: 40 msec
> >
> > 1.1.1.1
> > Query time: 2 msec
> >
> > 172.16.0.21
> > Query time: 30 msec
> >
> >
> > Wait... what?!?!  How is CloudFlare faster than my own local caching
> > resolver?
> >
> > On 4/3/18 10:03 AM, Adam Moffett wrote:
> >  > It's clearly not hard.  It's obviously not expensive. I'm already
> > doing
> >  > it and have been for years.  But it's more than $0.
> >  >
> >  > I've seen the geolocation issue in the past.  More recently I
> > tried to
> >  > demonstrate it to someone and it turned out that Google DNS and
> > our own
> >  > DNS gave us Netflix content from the same source.
> >  >
> >  > If I used someone else's DNS and that 3rd party went away, then
> there
> >  > are apparently 10 other "3rd parties" to choose from.  I
> > recognize the
> >  > point that it's a 3rd party and we don't want to rely on 3rd
> parties:
> >  > But can we honestly say that our DNS servers are more reliable
> than
> >  > Google or Cloudflare?
> >  >
> >  > I'm not shutting down the DNS servers today, I'm just trying to
> look
> >  > inward and analyze what we're doing and why.  Are we doing it
> > because it
> >      > actually makes sense or are we doing it because we've always done
> > it and
> >  > we can't imagine another way?
> >  >
> >  >
> >  >
> >  > -- Original Message --
> >  > From: "Justin Wilson"
> >  > To: af@afmug.com
> >  > Sent: 4/3/2018 8:48:33 AM
> >  > Subject: Re: [AFMUG] new DNS
> >  >
> >  >> You have your own DNS for one huge reason. GeoLocation for when
> it
> >  >> comes to Content Networks such as Netflix.  One of the
> > mechanisms they
> >  >> employ is using DNS Geolocation to serve you the closest
> > content.  Not
> >  >> only do they do a GeoLocate on your IP, but some also do a check
> to
> >  >> make sure your DNS servers are coming from the same place as your
> >  >> customers. This is especially true if you or one of your
> > upstreams is
> >  >> peered with Netflix or someone on an exchange. Otherwise, if you
> are
> >  >> using Google or other DNS you may be in Kansas, and you might be
> >  >> getting content from Netflix out of California, when you could be
> >  >> getting it literally next door.  Makes the customer experience
> much
> >  >> better. There are

Re: [AFMUG] new DNS

2018-04-03 Thread David Coudron
Hi folks,

This has been a really timely discussion for us as we are wrestling with the 
same kinds of questions as Adam mentions.   With enough time (resources) and 
money, we would put a very robust DNS at each Direct Internet Access drain 
point.   However, we have been aggressively moving to reduce our footprint at 
DIAs so that we can have more of them and they require less intervention and 
maintenance.   Putting any kind of server there (Linux or otherwise) seems to 
complicate a pretty clean set up that is currently MikroTik and Powercode BMUs. 
  In fact, one of the biggest concerns we have if we were to move to 
Sonar is the need to start putting Linux devices in DIAs and towers (a topic 
for another day).   We do not provide authoritative DNS for customers and don’t 
need it for ourselves, so this is only a performance/cleanliness discussion.   
We see three main options:

  1.  Find an appliance based device/server that is easy as heck to maintain 
and doesn’t require site visits.  Something like the Mikrotik CCRs.  Put them 
at every DIA
  2.  Run a regionally centralized DNS server in a data center and have the 
closest DIAs point to their respective data center DNS server.  This would 
reduce the number of servers and keep them in a data center environment
  3.  Rely on 3rd Party (google or otherwise).   We don’t believe our servers 
will be more reliable than the combination of multiple 3rd party options, so 
this is a performance decision.

I think the best decision would be a very simple appliance to sit in our DIA’s, 
but we haven’t looked into it enough to see what exists.   By simple, we would 
be looking for something that we could do regular firmware updates only, and 
monitor with SNMP just like all our other network devices.

Regards,

David Coudron

From: Af  On Behalf Of Adam Moffett
Sent: Tuesday, April 3, 2018 9:04 AM
To: af@afmug.com
Subject: Re: [AFMUG] new DNS

It's clearly not hard.  It's obviously not expensive. I'm already doing it and 
have been for years.  But it's more than $0.

I've seen the geolocation issue in the past.  More recently I tried to 
demonstrate it to someone and it turned out that Google DNS and our own DNS 
gave us Netflix content from the same source.

If I used someone else's DNS and that 3rd party went away, then there are 
apparently 10 other "3rd parties" to choose from.  I recognize the point that 
it's a 3rd party and we don't want to rely on 3rd parties: But can we honestly 
say that our DNS servers are more reliable than Google or Cloudflare?

I'm not shutting down the DNS servers today, I'm just trying to look inward and 
analyze what we're doing and why.  Are we doing it because it actually makes 
sense or are we doing it because we've always done it and we can't imagine 
another way?



-- Original Message --
From: "Justin Wilson"
To: af@afmug.com
Sent: 4/3/2018 8:48:33 AM
Subject: Re: [AFMUG] new DNS

You have your own DNS for one huge reason. GeoLocation for when it comes to 
Content Networks such as Netflix.  One of the mechanisms they employ is using 
DNS Geolocation to serve you the closest content.  Not only do they do a 
GeoLocate on your IP, but some also do a check to make sure your DNS servers are 
coming from the same place as your customers. This is especially true if you or 
one of your upstreams is peered with Netflix or someone on an exchange. 
Otherwise, if you are using Google or other DNS you may be in Kansas, and you 
might be getting content from Netflix out of California, when you could be 
getting it literally next door.  Makes the customer experience much better. 
There are RFCs that address this, but if they are implemented is a crapshoot.

Secondly, relying on a 3rd party for such a critical service such as DNS can be 
troublesome.  Would you rely on someone else to provide the wireless signal to 
your customers blindly? If so, then offloading DNS is okay for you.  I want 
more control for such a critical service.

I hear folks worry about the bandwidth DNS takes up.  It’s not a concern either 
way.  If your network can’t support the bandwidth of DNS queries then you have 
deeper issues.

It’s hard.  No it’s not.  Tons of tutorials on Bind for every flavor of linux.  
Just about any old machine laying around can run DNS.

If anyone wants to know how easy, and how cheap it is to spin up DNS (both 
recursive and authoritative) hit me up.  I will gladly talk with you about some 
strategy.

Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com


On Apr 3, 2018, at 6:34 AM, Paul Stewart wrote:

I know there are often debates on here about running any servers, some servers, 
or doing everything in-house (mail, web, DNS etc).  Even if 

Re: [AFMUG] new DNS

2018-04-03 Thread Forrest Christian (List Account)
I have heard that MikroTik has an acceptable DNS caching server built
in  maybe start there?  I don't know if it does full recursive lookups
using the root tree.

For some reason everyone overestimates what is really needed for robust
caching DNS.  You can safely use even a couple of Raspberry Pis for almost
all WISP-sized networks.

The key architecture you need to ensure is that the DNS server has
substantially similar connectivity to the net as the clients that use that
DNS server.   The reason for this is that many web services use information
gleaned from the origin of the DNS queries to determine the closest server.
  As a result,  you want the DNS server to have the same paths to the net
as the clients as much as possible.

On Tue, Apr 3, 2018, 8:19 AM David Coudron 
wrote:

> Hi folks,
>
>
>
> This has been a really timely discussion for us as we are wrestling with
> the same kinds of questions as Adam mentions.   With enough time
> (resources) and money, we would put a very robust DNS at each Direct
> Internet Access drain point.   However, we have been aggressively moving to
> reduce our footprint at DIAs so that we can have more of them and they
> require less intervention and maintenance.   Putting any kind of server
> there (Linux or otherwise) seems to complicate a pretty clean set up that
> is currently MikroTik and Powercode BMUs.   In fact, one of the
> biggest concerns we have if we were to move to Sonar is the need to start
> putting Linux devices in DIAs and towers (a topic for another day).   We do
> not provide authoritative DNS for customers and don’t need it for
> ourselves, so this is only a performance/cleanliness discussion.   We see
> three main options:
>
>1. Find an appliance based device/server that is easy as heck to
>maintain and doesn’t require site visits.  Something like the Mikrotik
>CCRs.  Put them at every DIA
>2. Run a regionally centralized DNS server in a data center and have
>the closest DIAs point to their respective data center DNS server.  This
>would reduce the number of servers and keep them in a data center
>environment
>3. Rely on 3rd Party (google or otherwise).   We don’t believe our
>servers will be more reliable than the combination of multiple 3rd
>party options, so this is a performance decision.
>
>
>
> I think the best decision would be a very simple appliance to sit in our
> DIA’s, but we haven’t looked into it enough to see what exists.   By
> simple, we would be looking for something that we could do regular firmware
> updates only, and monitor with SNMP just like all our other network devices.
>
>
>
> Regards,
>
>
>
> David Coudron
>
>
>
> *From:* Af  *On Behalf Of *Adam Moffett
> *Sent:* Tuesday, April 3, 2018 9:04 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] new DNS
>
>
>
> It's clearly not hard.  It's obviously not expensive. I'm already doing it
> and have been for years.  But it's more than $0.
>
>
>
> I've seen the geolocation issue in the past.  More recently I tried to
> demonstrate it to someone and it turned out that Google DNS and our own DNS
> gave us Netflix content from the same source.
>
>
>
> If I used someone else's DNS and that 3rd party went away, then there are
> apparently 10 other "3rd parties" to choose from.  I recognize the point
> that it's a 3rd party and we don't want to rely on 3rd parties: But can we
> honestly say that our DNS servers are more reliable than Google or
> Cloudflare?
>
>
>
> I'm not shutting down the DNS servers today, I'm just trying to look
> inward and analyze what we're doing and why.  Are we doing it because it
> actually makes sense or are we doing it because we've always done it and we
> can't imagine another way?
>
>
>
>
>
>
>
> -- Original Message --
>
> From: "Justin Wilson" 
>
> To: af@afmug.com
>
> Sent: 4/3/2018 8:48:33 AM
>
> Subject: Re: [AFMUG] new DNS
>
>
>
> You have your own DNS for one huge reason. GeoLocation for when it comes
> to Content Networks such as Netflix.  One of the mechanisms they employ is
> using DNS Geolocation to serve you the closest content.  Not only do they
> do a GeLocate on your IP, but some also do a check to make sure your DNS
> servers are coming from the same place as your customers. This is
> especially true if you or one of your upstreams is peered with Netflix or
> someone on an exchange. Otherwise, if you are using Google or other DNS you
> may be in Kansas, and you might be getting content from Netflix out of
> California, when you could be getting it literally next door.  Makes the
>
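As an added example (not code from anyone on the thread), here is a small Python tool that does what Matt's query-time comparison and Forrest's point about resolver placement suggest: it sends the same A query to each resolver, times the reply and lists the addresses returned, so a differing answer set from the local resolver versus a public one is the geolocation effect under discussion. 1.1.1.1 and 8.8.8.8 are the resolvers compared in the thread; 172.16.0.21 is a placeholder standing in for an operator's own caching resolver, and the wire format follows RFC 1035 so no third-party DNS library is needed.

```python
"""Time an A query against several resolvers and show what each answers.

Added example, not code from the thread.  172.16.0.21 is a placeholder
for a local caching resolver; replace it with your own."""
import os
import socket
import struct
import time

# Constructed resolver table: the public resolvers named in the thread plus
# a placeholder for the operator's own caching resolver.
RESOLVERS = {
    "cloudflare": "1.1.1.1",
    "google": "8.8.8.8",
    "local (placeholder)": "172.16.0.21",
}


def build_query(name, txid=0x1234):
    """Encode a recursion-desired A/IN query for `name` (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(buf, off, max_hops=16):
    """Decode a (possibly compressed) name at `off`; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > max_hops:            # refuse pointer loops in bad replies
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2              # caller resumes after the pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(resp, txid):
    """Return (rcode, [(ttl, ipv4), ...]) from a raw DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")  # not a reply to our query
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = _read_name(resp, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((ttl, socket.inet_ntoa(rdata)))
    return rcode, answers


def time_query(server, name, timeout=2.0):
    """Send one UDP query; return (elapsed_ms, rcode, answers) or None on timeout."""
    txid = int.from_bytes(os.urandom(2), "big")   # unpredictable id per query
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000.0
    rcode, answers = parse_a_records(resp, txid)
    return elapsed_ms, rcode, answers


def compare(name, resolvers=RESOLVERS):
    """Query every resolver for `name`; differing answer sets between the
    local resolver and a public one are the geolocation effect discussed."""
    return {label: time_query(server, name) for label, server in resolvers.items()}


if __name__ == "__main__":
    for label, result in compare("www.example.com").items():
        if result is None:
            print(f"{label:22s} no answer (timeout)")
        else:
            ms, rcode, answers = result
            print(f"{label:22s} {ms:6.1f} ms  rcode={rcode}  "
                  + ", ".join(ip for _, ip in answers))
```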

Re: [AFMUG] new DNS

2018-04-03 Thread Darin Steffl
The new Cloudflare DNS is 3 ms away from our core, OpenDNS and Google are
12 ms away.

And I believe that Cloudflare can run way more reliable DNS than we can.
They also use anycast so if their Minneapolis PoP had trouble, we'll route
to the next closest PoP like Chicago.

I would like to host our own DNS and was planning on adding two servers for
this in the spring but with Cloudflare introducing this, we may just point
customers to them now.

I've seen Cloudflare racks and they have a ton of gear and reliability
built in. They also host two of the root DNS servers. Their cache rate will
be much higher than our own servers as well.

On Tue, Apr 3, 2018, 9:49 AM Forrest Christian (List Account) <
li...@packetflux.com> wrote:

> I have heard that MikroTik has an acceptable DNS caching server built
> in  maybe start there?  I don't know if it does full recursive lookups
> using the root tree.
>
> For some reason everyone overestimates what is really needed for robust
> caching DNS.  You can safely use even a couple of Raspberry Pis for almost
> all WISP-sized networks.
>
> The key architecture you need to ensure is that the DNS server has
> substantially similar connectivity to the net as the clients that use that
> DNS server.   The reason for this is that many web services use information
> gleaned from the origin of the DNS queries to determine the closest server.
>   As a result,  you want the DNS server to have the same paths to the net
> as the clients as much as possible.
>
> On Tue, Apr 3, 2018, 8:19 AM David Coudron 
> wrote:
>
>> Hi folks,
>>
>>
>>
>> This has been a really timely discussion for us as we are wrestling with
>> the same kinds of questions as Adam mentions.   With enough time
>> (resources) and money, we would put a very robust DNS at each Direct
>> Internet Access drain point.   However, we have been aggressively moving to
>> reduce our footprint at DIAs so that we can have more of them and they
>> require less intervention and maintenance.   Putting any kind of server
>> there (Linux or otherwise) seems to complicate a pretty clean set up that
>> is currently MikroTik and Powercode BMUs.   In fact, one of the
>> biggest concerns we have if we were to move to Sonar is the need to start
>> putting Linux devices in DIAs and towers (a topic for another day).   We do
>> not provide authoritative DNS for customers and don’t need it for
>> ourselves, so this is only a performance/cleanliness discussion.   We see
>> three main options:
>>
>>1. Find an appliance based device/server that is easy as heck to
>>maintain and doesn’t require site visits.  Something like the Mikrotik
>>CCRs.  Put them at every DIA
>>2. Run a regionally centralized DNS server in a data center and have
>>the closest DIAs point to their respective data center DNS server.  This
>>would reduce the number of servers and keep them in a data center
>>environment
>>3. Rely on 3rd Party (google or otherwise).   We don’t believe our
>>servers will be more reliable than the combination of multiple 3rd
>>party options, so this is a performance decision.
>>
>>
>>
>> I think the best decision would be a very simple appliance to sit in our
>> DIA’s, but we haven’t looked into it enough to see what exists.   By
>> simple, we would be looking for something that we could do regular firmware
>> updates only, and monitor with SNMP just like all our other network devices.
>>
>>
>>
>> Regards,
>>
>>
>>
>> David Coudron
>>
>>
>>
>> *From:* Af  *On Behalf Of *Adam Moffett
>> *Sent:* Tuesday, April 3, 2018 9:04 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] new DNS
>>
>>
>>
>> It's clearly not hard.  It's obviously not expensive. I'm already doing
>> it and have been for years.  But it's more than $0.
>>
>>
>>
>> I've seen the geolocation issue in the past.  More recently I tried to
>> demonstrate it to someone and it turned out that Google DNS and our own DNS
>> gave us Netflix content from the same source.
>>
>>
>>
>> If I used someone else's DNS and that 3rd party went away, then there are
>> apparently 10 other "3rd parties" to choose from.  I recognize the point
>> that it's a 3rd party and we don't want to rely on 3rd parties: But can we
>> honestly say that our DNS servers are more reliable than Google or
>> Cloudflare?
>>
>>
>>
>> I'm not shutting down the DNS servers today, I'm just trying to look
>> inward a

Re: [AFMUG] new DNS

2018-04-03 Thread Seth Mattinen

On 4/3/18 8:09 AM, Darin Steffl wrote:
I've seen Cloudflare racks and they have a ton of gear and reliability 
built in. They also host two of the root DNS servers. Their cache rate 
will be much higher than our own servers as well.



Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L


Re: [AFMUG] new DNS

2018-04-03 Thread Robert
Cloudflare has also screwed-the-pooch at least once in a major way that 
got national headlines...


On 4/3/18 8:09 AM, Darin Steffl wrote:
The new Cloudflare DNS is 3 ms away from our core, OpenDNS and Google are 
12 ms away.


And I believe that Cloudflare can run way more reliable DNS than we can. 
They also use anycast so if their Minneapolis PoP had trouble, we'll 
route to the next closest PoP like Chicago.


I would like to host our own DNS and was planning on adding two servers 
for this in the spring but with Cloudflare introducing this, we may just 
point customers to them now.


I've seen Cloudflare racks and they have a ton of gear and reliability 
built in. They also host two of the root DNS servers. Their cache rate 
will be much higher than our own servers as well.


On Tue, Apr 3, 2018, 9:49 AM Forrest Christian (List Account) wrote:


I have heard that MikroTik has an acceptable DNS caching server
built in  maybe start there?  I don't know if it does full
recursive lookups using the root tree.

For some reason everyone overestimates what is really needed for
robust caching DNS.  You can safely use even a couple of Raspberry
Pis for almost all WISP-sized networks.

The key architecture you need to ensure its that the dns server has
substantially similar connectivity to the net as the clients that
use that dns server.   The reason for this is that many web services
use information gleaned from the origin of the dns queries to
determine the closest server.   As a result,  you want the dns
server to have the same paths to the net as the clients as much as
possible.

On Tue, Apr 3, 2018, 8:19 AM David Coudron
<david.coud...@advantenon.com> wrote:

Hi folks,


This has been a really timely discussion for us as we are
wrestling with the same kinds of questions as Adam mentions.  
With enough time (resources) and money, we would put a very
robust DNS at each Direct Internet Access drain point. However,
we have been aggressively moving to reduce our footprint at DIAs
so that we can have more of them and they require less
intervention and maintenance.   Putting any kind of server there
(Linux or otherwise) seems to complicate a pretty clean set up
that is currently MikroTik and Powercode BMUs.   In fact, that
is one of the biggest concerns we have if we were to move to
Sonar is the need to start putting Linux devices in DIAs and
towers (a topic for another day).   We do not provide
authoritative DNS for customers and don’t need it for ourselves,
so this is only a performance/cleanliness discussion.   We see
three main options:

 1. Find an appliance based device/server that is easy as heck
to maintain and doesn’t require site visits.  Something like
the Mikrotik CCRs.  Put them at every DIA.
 2. Run a regionally centralized DNS server in a data center and
have the closest DIAs point to their respective data center
DNS server.  This would reduce the number of servers and
keep them in a data center environment.
 3. Rely on 3rd party (google or otherwise).  We don’t believe
our servers will be more reliable than the combination of
multiple 3rd party options, so this is a performance
decision.


I think the best decision would be a very simple appliance to
sit in our DIA’s, but we haven’t looked into it enough to see
what exists.   By simple, we would be looking for something that
we could do regular firmware updates only, and monitor with SNMP
just like all our other network devices.


Regards,


David Coudron 


*From:* Af <af-boun...@afmug.com>
*On Behalf Of *Adam Moffett
*Sent:* Tuesday, April 3, 2018 9:04 AM
*To:* af@afmug.com 
*Subject:* Re: [AFMUG] new DNS


It's clearly not hard.  It's obviously not expensive. I'm
already doing it and have been for years.  But it's more than
$0.


I've seen the geolocation issue in the past.  More recently I
tried to demonstrate it to someone and it turned out that Google
DNS and our own DNS gave us Netflix content from the same
source. 


If I used someone else's DNS and that 3rd party went away, then
there are apparently 10 other "3rd parties" to choose from.  I
recognize the point that it's a 3rd party and we don't want to
rely on 3rd parties: But can we honestly say that our DNS
servers are more reliable than Google or Cloudflare?
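Forrest's architecture point above (keep the resolver on the same paths as the clients, because services choose a server from where the query appears to come from) is exactly the problem EDNS Client Subnet, RFC 7871, was defined to paper over for shared public resolvers: the forwarding resolver attaches a truncated client prefix to the query so the authoritative side can still place the end user. The following is an added example, not code from the thread or from any resolver vendor, using only the Python standard library. It builds the ECS option and the OPT record that carries it, attaches both to a query, and parses the option back out. The customer address 203.0.113.77, the /24 prefix, the query name and the transaction id are assumptions; whether a given public resolver sends ECS at all is a policy choice its operator makes.

```python
"""Build and parse an EDNS Client Subnet option (RFC 7871).

Added example for this thread, standard library only. The client prefix,
query name and transaction id below are assumptions.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8     # RFC 7871 option code
OPT_TYPE = 41           # OPT pseudo-RR type (EDNS0)


def encode_name(name):
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def ecs_option(client_ip, prefix_len):
    """ECS option a forwarding resolver attaches: family, source prefix, scope 0,
    and the client address truncated to prefix_len bits (remaining bits zeroed)."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(prefix_len + 7) // 8]
    data = struct.pack(">HBB", family, prefix_len, 0) + addr
    return struct.pack(">HH", ECS_OPTION_CODE, len(data)) + data


def opt_rr(options, udp_size=1232):
    """Wrap option bytes in an OPT RR: root name, type 41, class = UDP payload size."""
    return b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, len(options)) + options


def build_query_with_ecs(name, qid, client_ip, prefix_len):
    """Recursive A query for name with one additional record carrying ECS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # arcount = 1
    return (header + encode_name(name) + struct.pack(">HH", 1, 1)
            + opt_rr(ecs_option(client_ip, prefix_len)))


def parse_ecs(rdata):
    """Walk the options in an OPT RR's RDATA; return
    (family, source prefix, scope prefix, network) for ECS, or None if absent."""
    offset = 0
    while offset + 4 <= len(rdata):
        code, length = struct.unpack(">HH", rdata[offset:offset + 4])
        body = rdata[offset + 4:offset + 4 + length]
        offset += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        family, source, scope = struct.unpack(">HBB", body[:4])
        full = 4 if family == 1 else 16
        raw = body[4:]
        addr = ipaddress.ip_address(raw + b"\x00" * (full - len(raw)))
        return family, source, scope, ipaddress.ip_network(f"{addr}/{source}", strict=False)
    return None


def ecs_from_query(packet):
    """Find the OPT RR in a query built above (no answer/authority records) and parse ECS."""
    _qid, _flags, qd, _an, _ns, ar = struct.unpack(">HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):                      # question names are never compressed
        while packet[offset] != 0:
            offset += 1 + packet[offset]
        offset += 1 + 4                      # root label, qtype, qclass
    if ar == 0 or packet[offset] != 0:       # an OPT RR always has the root name
        return None
    rtype, _udp, _ttl, rdlen = struct.unpack(">HHIH", packet[offset + 1:offset + 11])
    if rtype != OPT_TYPE:
        return None
    return parse_ecs(packet[offset + 11:offset + 11 + rdlen])


if __name__ == "__main__":
    # Assumed customer address: a public resolver that supports ECS sends only the /24.
    q = build_query_with_ecs("example.com", 0x0007, "203.0.113.77", 24)
    print(len(q), "bytes;", ecs_from_query(q))
    # OPT RDATA carrying only a cookie option (code 10): no client subnet present.
    print("no ECS:", parse_ecs(b"\x00\x0a\x00\x08" + b"\x00" * 8))
```

An in-network resolver needs none of this, because its own source address already sits where the customers are. A public resolver either sends ECS, which tells every authoritative server the customer's /24 (the privacy cost RFC 7871 itself warns about), or withholds it, in which case the CDN sees only the resolver's egress address and may serve content from the wrong region, the mislocation Forrest describes above.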

  

Re: [AFMUG] new DNS

2018-04-03 Thread Darin Steffl
Cloudflare has posted that their goal is to be within 10ms of every ISP in
the world. So they're adding their gear to regional datacenters and
peering exchanges, not just major ones.

On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen  wrote:

> On 4/3/18 8:09 AM, Darin Steffl wrote:
> > I've seen cloudflare racks and they have a ton of gear and reliability
> > built in. They also host two of the root dns servers. Their cache rate
> > will be much higher than our own servers as well.
>
>
> Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L
>


Re: [AFMUG] new DNS

2018-04-03 Thread Matt Hoppes
Well then. I’ll put a few more routers in my network. So they have to put 
equipment in my datacenter. :)

> On Apr 3, 2018, at 11:18, Darin Steffl  wrote:
> 
> Cloudflare has posted that their goal is to be within 10ms of every ISP in 
> the world. So they're adding their gear to regional datacenters and 
> peering exchanges, not just major ones. 
> 
>> On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen  wrote:
>> On 4/3/18 8:09 AM, Darin Steffl wrote:
>> > I've seen cloudflare racks and they have a ton of gear and reliability
>> > built in. They also host two of the root dns servers. Their cache rate
>> > will be much higher than our own servers as well.
>> 
>> 
>> Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L


Re: [AFMUG] new DNS

2018-04-03 Thread Bill Prince

We seem to be close to both 8.8.8.8 (3ms RTT), and 1.1.1.1 (2ms RTT).

Might be inclined to do a blend.


bp


On 4/3/2018 8:21 AM, Matt Hoppes wrote:
Well then. I’ll put a few more routers in my network. So they have to 
put equipment in my datacenter. :)


On Apr 3, 2018, at 11:18, Darin Steffl wrote:


Cloudflare has posted that their goal is to be within 10ms of every 
ISP in the world. So they're adding their gear to regional 
datacenters and peering exchanges, not just major ones.


On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen wrote:


On 4/3/18 8:09 AM, Darin Steffl wrote:
> I've seen cloudflare racks and they have a ton of gear and
reliability
> built in. They also host two of the root dns servers. Their
cache rate
> will be much higher than our own servers as well.


Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L





Re: [AFMUG] new DNS

2018-04-03 Thread Cassidy B. Larson
Wondering if Google is going to up their game and announce 8.8.8.8 from their 
GGC cache clusters so it’s faster/closer than the 1.1.1.1 Cloudflare clusters.



> On Apr 3, 2018, at 9:25 AM, Bill Prince  wrote:
> 
> We seem to be close to both 8.8.8.8 (3ms RTT), and 1.1.1.1 (2ms RTT).
> Might be inclined to do a blend.
> 
> 
> bp
> 
> 
> On 4/3/2018 8:21 AM, Matt Hoppes wrote:
>> Well then. I’ll put a few more routers in my network. So they have to put 
>> equipment in my datacenter. :)
>> 
>> On Apr 3, 2018, at 11:18, Darin Steffl wrote:
>> 
>>> Cloudflare has posted that their goal is to be within 10ms of every ISP in 
>>> the world. So they're adding their gear to regional datacenters and 
>>> peering exchanges, not just major ones.
>>> 
>>> On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen wrote:
>>> On 4/3/18 8:09 AM, Darin Steffl wrote:
>>> > I've seen cloudflare racks and they have a ton of gear and reliability
>>> > built in. They also host two of the root dns servers. Their cache rate
>>> > will be much higher than our own servers as well.
>>> 
>>> 
>>> Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L
> 



Re: [AFMUG] new DNS

2018-04-03 Thread Adam Moffett
I imagine Google somehow monetizes the data they get from use of their 
DNS service, so if losing DNS "market share" costs them something then 
maybe they will do something like you say.  Pure speculation though.



-- Original Message --
From: "Cassidy B. Larson" 
To: af@afmug.com
Sent: 4/3/2018 11:28:40 AM
Subject: Re: [AFMUG] new DNS

Wondering if Google is going to up their game and announce 8.8.8.8 from 
their GGC cache clusters so it’s faster/closer than the 1.1.1.1 
Cloudflare clusters.





On Apr 3, 2018, at 9:25 AM, Bill Prince  wrote:

We seem to be close to both 8.8.8.8 (3ms RTT), and 1.1.1.1 (2ms RTT).

Might be inclined to do a blend.



bp



On 4/3/2018 8:21 AM, Matt Hoppes wrote:
Well then. I’ll put a few more routers in my network. So they have to 
put equipment in my datacenter. :)


On Apr 3, 2018, at 11:18, Darin Steffl  
wrote:


Cloudflare has posted that their goal is to be within 10ms of every 
ISP in the world. So they're adding their gear to regional 
datacenters and peering exchanges, not just major ones.


On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen  
wrote:

On 4/3/18 8:09 AM, Darin Steffl wrote:
> I've seen cloudflare racks and they have a ton of gear and 
reliability
> built in. They also host two of the root dns servers. Their cache 
rate

> will be much higher than our own servers as well.


Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L




Re: [AFMUG] new DNS

2018-04-03 Thread Chuck McCown
What’s in it for them?

From: Bill Prince 
Sent: Tuesday, April 03, 2018 9:25 AM
To: af@afmug.com 
Subject: Re: [AFMUG] new DNS

We seem to be close to both 8.8.8.8 (3ms RTT), and 1.1.1.1 (2ms RTT). 


Might be inclined to do a blend.



bp


On 4/3/2018 8:21 AM, Matt Hoppes wrote:

  Well then. I’ll put a few more routers in my network. So they have to put 
equipment in my datacenter. :)

  On Apr 3, 2018, at 11:18, Darin Steffl  wrote:


Cloudflare has posted that their goal is to be within 10ms of every ISP in 
the world. So they're adding their gear to regional datacenters and peering 
exchanges, not just major ones. 

On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen  wrote:

  On 4/3/18 8:09 AM, Darin Steffl wrote:
  > I've seen cloudflare racks and they have a ton of gear and reliability
  > built in. They also host two of the root dns servers. Their cache rate
  > will be much higher than our own servers as well.


  Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L




Re: [AFMUG] new DNS

2018-04-03 Thread Bill Prince

For Google or Cloudflare?

bp


On 4/3/2018 8:31 AM, Chuck McCown wrote:

What’s in it for them?
*From:* Bill Prince
*Sent:* Tuesday, April 03, 2018 9:25 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] new DNS

We seem to be close to both 8.8.8.8 (3ms RTT), and 1.1.1.1 (2ms RTT).

Might be inclined to do a blend.

bp


On 4/3/2018 8:21 AM, Matt Hoppes wrote:
Well then. I’ll put a few more routers in my network. So they have to 
put equipment in my datacenter. :)


On Apr 3, 2018, at 11:18, Darin Steffl  wrote:

Cloudflare has posted that their goal is to be within 10ms of every 
ISP in the world. So they're adding their gear to regional 
datacenters and peering exchanges, not just major ones.

On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen  wrote:

On 4/3/18 8:09 AM, Darin Steffl wrote:
> I've seen cloudflare racks and they have a ton of gear and
reliability
> built in. They also host two of the root dns servers. Their
cache rate
> will be much higher than our own servers as well.


Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L







Re: [AFMUG] new DNS

2018-04-03 Thread Seth Mattinen

On 4/3/18 8:17 AM, Robert wrote:
Cloudflare has also screwed-the-pooch at least once in a major way that 
got national headlines...



There's a Quad9 9.9.9.9 node here, and of all of them, PCH's motivations 
are the least commercial in nature.


Re: [AFMUG] new DNS

2018-04-03 Thread Adam Moffett

Good question.  Google is all about collecting and monetizing data.

Cloudflare says they're intentionally not collecting data because they 
don't want to be responsible for it.  PR? Brand awareness?




-- Original Message --
From: "Chuck McCown" 
To: af@afmug.com
Sent: 4/3/2018 11:31:31 AM
Subject: Re: [AFMUG] new DNS


What’s in it for them?

From:Bill Prince
Sent: Tuesday, April 03, 2018 9:25 AM
To:af@afmug.com
Subject: Re: [AFMUG] new DNS

We seem to be close to both 8.8.8.8 (3ms RTT), and 1.1.1.1 (2ms RTT).

Might be inclined to do a blend.



bp



On 4/3/2018 8:21 AM, Matt Hoppes wrote:
Well then. I’ll put a few more routers in my network. So they have to 
put equipment in my datacenter. :)


On Apr 3, 2018, at 11:18, Darin Steffl  
wrote:


Cloudflare has posted that their goal is to be within 10ms of every 
ISP in the world. So they're adding their gear to regional 
datacenters and peering exchanges, not just major ones.


On Tue, Apr 3, 2018, 10:16 AM Seth Mattinen  
wrote:

On 4/3/18 8:09 AM, Darin Steffl wrote:
> I've seen cloudflare racks and they have a ton of gear and 
reliability
> built in. They also host two of the root dns servers. Their cache 
rate

> will be much higher than our own servers as well.


Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L


Re: [AFMUG] new DNS

2018-04-03 Thread CBB - Jay Fuller

I saw 18 ms to Cloudflare, 15 ms to Google

  - Original Message - 
  From: Seth Mattinen 
  To: af@afmug.com 
  Sent: Tuesday, April 3, 2018 10:16 AM
  Subject: Re: [AFMUG] new DNS


  On 4/3/18 8:09 AM, Darin Steffl wrote:
  > I've seen cloudflare racks and they have a ton of gear and reliability 
  > built in. They also host two of the root dns servers. Their cache rate 
  > will be much higher than our own servers as well.


  Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L

Re: [AFMUG] new DNS

2018-04-03 Thread Mathew Howard
I'm getting 26ms to 1.1.1.1 and 6ms to 8.8.8.8


On Tue, Apr 3, 2018 at 11:37 AM, CBB - Jay Fuller  wrote:

>
> I saw 18 ms to Cloudflare, 15 ms to Google
>
>
> - Original Message -
> *From:* Seth Mattinen 
> *To:* af@afmug.com
> *Sent:* Tuesday, April 3, 2018 10:16 AM
> *Subject:* Re: [AFMUG] new DNS
>
> On 4/3/18 8:09 AM, Darin Steffl wrote:
> > I've seen cloudflare racks and they have a ton of gear and reliability
> > built in. They also host two of the root dns servers. Their cache rate
> > will be much higher than our own servers as well.
>
>
> Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L
>
>


Re: [AFMUG] new DNS

2018-04-03 Thread Travis Johnson
It's more than just ping time. You have to do actual DNS queries and 
compare the results.


Travis


On 4/3/2018 10:44 AM, Mathew Howard wrote:

I'm getting 26ms to 1.1.1.1 and 6ms to 8.8.8.8


On Tue, Apr 3, 2018 at 11:37 AM, CBB - Jay Fuller 
<par...@cyberbroadband.net> wrote:


I saw 18 ms to Cloudflare, 15 ms to Google

- Original Message -
*From:* Seth Mattinen <se...@rollernet.us>
*To:* af@afmug.com
*Sent:* Tuesday, April 3, 2018 10:16 AM
*Subject:* Re: [AFMUG] new DNS

On 4/3/18 8:09 AM, Darin Steffl wrote:
> I've seen cloudflare racks and they have a ton of gear and
reliability
> built in. They also host two of the root dns servers. Their
cache rate
> will be much higher than our own servers as well.


Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L
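Travis's point above, that the resolvers should be compared by timing real lookups rather than ICMP round trips, as an added example that is not part of the thread: a Python script (standard library only) that builds a raw DNS A query, sends it to each public resolver named in this thread, and times two back-to-back lookups so the cold (cache-miss) and warm (cache-hit) answers can be compared. The resolver list and the query name are assumptions, to be replaced with whatever your subscribers actually resolve; SAMPLE_RESPONSE is a constructed reply so the parser can be exercised offline. The transaction-id check on the reply is the same check a stub resolver makes to discard stale or spoofed answers.

```python
"""Time real DNS lookups against public resolvers instead of pinging them.

Added example for this thread, standard library only. The resolver list and
the query name are assumptions; SAMPLE_RESPONSE is a constructed packet.
"""
import os
import socket
import struct
import time

# Resolvers named in the thread; substitute your own in-network resolver too.
RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8", "Quad9": "9.9.9.9"}


def encode_name(name):
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=1):
    """Build a recursive query (RD=1) with one question; qtype 1 is an A record."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def skip_name(data, offset):
    """Return the offset just past a name that may end in a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data, qid):
    """Return (rcode, lowest A-record TTL, [A addresses]); reject a mismatched id."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4        # skip qtype and qclass
    addrs, min_ttl = [], None
    for _ in range(an):
        offset = skip_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    return rcode, min_ttl, addrs


def time_query(resolver_ip, name, timeout=2.0):
    """Send one UDP query; return (elapsed ms, rcode, ttl, addrs). Needs network access."""
    qid = int.from_bytes(os.urandom(2), "big")      # random id, as a stub resolver uses
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
    rcode, ttl, addrs = parse_response(data, qid)
    return elapsed_ms, rcode, ttl, addrs


# Constructed reply: id 0x1234, NOERROR, one A record for example.com, TTL 300.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print("offline parse check:", parse_response(SAMPLE_RESPONSE, 0x1234))
    NAME = "example.com"   # assumption: use a name your customers actually look up
    for label, ip in RESOLVERS.items():
        try:
            cold = time_query(ip, NAME)   # likely a cache miss at the resolver
            warm = time_query(ip, NAME)   # should be answered from its cache
            print(f"{label:10s} {ip:8s} cold {cold[0]:6.1f} ms  warm {warm[0]:6.1f} ms"
                  f"  ttl {cold[2]}->{warm[2]}  {warm[3]}")
        except (OSError, ValueError) as exc:
            print(f"{label:10s} {ip:8s} failed: {exc}")
```

A TTL that drops between the two replies shows the second answer came from the resolver's cache, and the gap between the warm and cold times is the part of the comparison a ping never shows. Run it from a subscriber-facing address rather than a management network, since the addresses in the answer are what a CDN hands that resolver for your location.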






Re: [AFMUG] new DNS

2018-04-03 Thread Mathew Howard
Yeah, I know, but if there's an extra ~25ms of latency over using a local
DNS server, it seems pretty unlikely it's going to get better overall
performance.

On Tue, Apr 3, 2018 at 12:21 PM, Travis Johnson  wrote:

> It's more than just ping time. You have to do actual DNS queries and
> compare the results.
>
> Travis
>
>
> On 4/3/2018 10:44 AM, Mathew Howard wrote:
>
> I'm getting 26ms to 1.1.1.1 and 6ms to 8.8.8.8
>
>
> On Tue, Apr 3, 2018 at 11:37 AM, CBB - Jay Fuller <
> par...@cyberbroadband.net> wrote:
>
>>
>> I saw 18 ms to Cloudflare, 15 ms to Google
>>
>>
>> - Original Message -
>> *From:* Seth Mattinen 
>> *To:* af@afmug.com
>> *Sent:* Tuesday, April 3, 2018 10:16 AM
>> *Subject:* Re: [AFMUG] new DNS
>>
>> On 4/3/18 8:09 AM, Darin Steffl wrote:
>> > I've seen cloudflare racks and they have a ton of gear and reliability
>> > built in. They also host two of the root dns servers. Their cache rate
>> > will be much higher than our own servers as well.
>>
>>
>> Oh well I host 6 root servers for redundancy: D, E, F, J, K, and L
>>
>>
>
>


Re: [AFMUG] new DNS

2018-04-03 Thread Josh Luthman
Little time to setup?  It's 30 minutes figuring out where the router is,
let alone them getting into it and making that change.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Apr 3, 2018 at 4:33 AM, Forrest Christian (List Account) <
li...@packetflux.com> wrote:

> Because it's good for your customers, and it should take very little time
> to set one up.
>
> The main reason for this is so that websites serve data from the closest
> server due to the way that DNS anycast works.
>
> And, the biggest one - to have control over a critical piece of
> infrastructure for your customers.  What happens if one of these public DNS
> services goes down and you have hundreds of customers pointing at it?
>
> On Mon, Apr 2, 2018 at 11:33 PM, Adam Moffett  wrote:
>
>> Someone remind me again why I have my own recursive DNS.
>>
>>
>> -- Original Message --
>> From: "Josh Reynolds" 
>> To: af@afmug.com
>> Sent: 4/2/2018 3:22:57 PM
>> Subject: Re: [AFMUG] new DNS
>>
>> Yes, bunch of discussions over the past few days on NANOG and some of the
>> vendor mailing lists.
>>
>> On Mon, Apr 2, 2018, 2:21 PM Travis Johnson  wrote:
>>
>>> https://gizmodo.com/how-to-speed-up-your-internet-and-protec
>>> t-your-privacy-1824256587
>>>
>>> Faster and more private than Google or others. :)
>>>
>>> Travis
>>>
>>>
>
>
> --
> *Forrest Christian* *CEO**, PacketFlux Technologies, Inc.*
> Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602
> forre...@imach.com | http://www.packetflux.com
>
>


Re: [AFMUG] new DNS

2018-04-03 Thread Mike Hammett
There are more CDNs than Netflix and they all do it a little bit differently. 
One of them absolutely requires that your resolver and your clients be 
reachable without using the global Internet (on an IX, in-network cache, etc.). 




- 
Mike Hammett 
Intelligent Computing Solutions 
Midwest Internet Exchange 
The Brothers WISP 




- Original Message -

From: "Adam Moffett"  
To: af@afmug.com 
Sent: Tuesday, April 3, 2018 9:03:46 AM 
Subject: Re: [AFMUG] new DNS 


It's clearly not hard. It's obviously not expensive. I'm already doing it and 
have been for years. But it's more than $0. 


I've seen the geolocation issue in the past. More recently I tried to 
demonstrate it to someone and it turned out that Google DNS and our own DNS 
gave us Netflix content from the same source. 


If I used someone else's DNS and that 3rd party went away, then there are 
apparently 10 other "3rd parties" to choose from. I recognize the point that 
it's a 3rd party and we don't want to rely on 3rd parties: But can we honestly 
say that our DNS servers are more reliable than Google or Cloudflare? 


I'm not shutting down the DNS servers today, I'm just trying to look inward and 
analyze what we're doing and why. Are we doing it because it actually makes 
sense or are we doing it because we've always done it and we can't imagine 
another way? 






-- Original Message -- 
From: "Justin Wilson" < li...@mtin.net > 
To: af@afmug.com 
Sent: 4/3/2018 8:48:33 AM 
Subject: Re: [AFMUG] new DNS 





You have your own DNS for one huge reason. GeoLocation for when it comes to 
Content Networks such as Netflix. One of the mechanisms they employ is using 
DNS Geolocation to serve you the closest content. Not only do they do a 
GeoLocate on your IP, but some also do a check to make sure your DNS servers are 
coming from the same place as your customers. This is especially true if you or 
one of your upstreams is peered with Netflix or someone on an exchange. 
Otherwise, if you are using Google or other DNS you may be in Kansas, and you 
might be getting content from Netflix out of California, when you could be 
getting it literally next door. Makes the customer experience much better. 
There are RFCs that address this, but whether they are implemented is a crapshoot. 


Secondly, relying on a 3rd party for such a critical service such as DNS can be 
troublesome. Would you rely on someone else to provide the wireless signal to 
your customers blindly? If so, then offloading DNS is okay for you. I want more 
control for such a critical service. 


I hear folks worry about the bandwidth DNS takes up. It’s not a concern either 
way. If your network can’t support the bandwidth of DNS queries then you have 
deeper issues. 


It’s hard. No it’s not. Tons of tutorials on Bind for every flavor of linux. 
Just about any old machine laying around can run DNS. 


If anyone wants to know how easy, and how cheap it is to spin up DNS (both 
recursive and authoritative) hit me up. I will gladly talk with you about some 
strategy. 


Justin Wilson 
j...@mtin.net 


www.mtin.net 
www.midwest-ix.com 




On Apr 3, 2018, at 6:34 AM, Paul Stewart <p...@paulstewart.org> wrote: 



I know there is often debates on here about running any servers, some servers, 
or doing everything in-house (mail, web, DNS etc). Even if you outsource 
everything I would still run recursive caching DNS …. Performance and 
reliability the main reasons. Some CDN’s and other services determine the path 
to send you content based on where the DNS look up occurs and in our case 
that’s a significant factor … 

We operate our own anycasted DNS …actually two of them. One set of servers for 
recursive caching and another set for authoritative DNS. 

Paul 



From: Af <af-boun...@afmug.com> on behalf of "Forrest Christian (List 
Account)" <li...@packetflux.com> 
Reply-To: <af@afmug.com> 
Date: Tuesday, April 3, 2018 at 4:33 AM 
To: af <af@afmug.com> 
Subject: Re: [AFMUG] new DNS 



Because it's good for your customers, and it should take very little time to 
set one up. 



The main reason for this is so that websites serve data from the closest server 
due to the way that DNS anycast works. 



And, the biggest one - to have control over a critical piece of infrastructure 
for your customers. What happens if one of these public DNS services goes down 
and you have hundreds of customers pointing at it? 



On Mon, Apr 2, 2018 at 11:33 PM, Adam Moffett <dmmoff...@gmail.com> wrote: 




Someone remind me again why I have my own recursive DNS. 





-- Original Message -- 

From: "Josh Reynolds" < j...@kyneticwifi.com > 

To: af@afmug.com 

Sent: 4/2/2018 3:22:57 PM 

Subject: Re: [AFMUG] new DNS 






Yes, bunch of discussions over the past few days on NANOG and some of the 
ven