Caching resolver and options rotate
Kirk
bind at kirkb.net
Sat May 17 15:46:31 UTC 2008
>> You may find it better, however, not to use forwarding at all - to
>> use your DNS server as the final recursion server, instead of
>> passing the buck upstream to your ISP. That way, you don't depend on
>> the stability and security of their name servers for anything. (If
>> you do decide to use forwarding, you should be absolutely sure that
>> your ISP's name servers run a current version of BIND 9 rather than
>> BIND 8, or a current version of MS DNS rather than MS DNS before
>> about Win2K3 SP1, before you set up forwarding. Otherwise, bad
>> things can come of forwarding, relating to DNS cache poisoning, and
>> therefore pharming attacks.)
>>
>> The reason to make this caching server was to alleviate load from
>> our upstream DNS, they told us we are alone stressing their current
>> DNS servers, and to be respectful we were going to have an internal
>> caching DNS that would use them upstream for queries we havent
>> cached. Would still us their 4 NS's, but alleviate a lot of the
>> queries going upstream, and bring response time lower for ourselves.
>>
>> Wouldn't using root servers directly just add to the burdon of the
>> root servers?
> No, for two reasons.
>
> Number one is, there are a lot more root servers out there than there
> are resolvers at your ISP. I don't have the exact count, but due to
> anycast, the number is up around 100. And that's just the load
> balancers - there are several times that many actual authoritative
> name servers behind those load balancers.
>
> Also, there's a significant difference in processing power required to
> process a recursive query vs. an iterative query. You would be sending
> occasional iterative queries to the root servers, whereas you have
> been sending (apparently) a constant and heavy stream of recursive
> queries to your ISP's resolvers.
>
> Your ISP doesn't forward queries upstream; they resolve them
> recursively. The root servers do not handle the heavy lifting of DNS
> resolution (the job of recursion); they answer simple iterative
> requests from resolvers such as those provided by your ISP.
>
> By not forwarding to your ISP, you would be shifting the bulk of the
> work to your own server(s). It sounds like your ISP would prefer this.
>
What ISP *wouldn't* want this? ;) Just joking guys. Don't wanna turn this
into a TFH.
But in all seriousness. To the OP, if your gonna run your own DNS caching
server, might as well do the recursion yourself. You then have removed a
link in the recursion chain(so to speak).
Kirk
More information about the bind-users
mailing list