ISP DNS Hosting

Barry Margolin barmar at alum.mit.edu
Mon Apr 12 21:23:31 UTC 2004


In article <c5ek7d$24gt$1 at sf1.isc.org>, dns at spiraltull.net (Garrett) 
wrote:

> I am now working for a company who does not do their own DNS hosting.

That's quite common.  Operating DNS servers is a chore that's usually 
unrelated to the business you're in, and it's easier to outsource it.  
If your public DNS data doesn't change very often, there's often little 
need to manage it directly.

> For whatever reasons, they feel it is better to host their DNS servers
> at their ISP rather than in our own DMZ. They believe that their DNS
> servers would be more reliable if they are hosted off-site. I have
> reservations about that. It seems unnecessary, less manageable, and to
> have greater security risks as well as longer resolution time, at
> least for hosts in our DMZ that would use those servers. I would like
> to get the opinions of this group about the pro/cons of this.

Resolution time shouldn't be a problem.  If you operate your own caching 
server, names in your domains will almost always be in the cache.  You 
can also operate a stealth slave server so that you're not dependent on 
the ISP's servers for local lookups.

> Isn't it more difficult to react to security issues? 
> How can you know that your ISP is keeping up with patches, or is
> managing your namespace securely? What about zones or IP addresses
> that you would prefer to keep private, aren't they more vulnerable?

Outsourcing always has its tradeoffs.  Is it worth spending the overhead 
costs to do it yourself just in case of a rare issue like this?

As for the private stuff, I would suggest putting that on an internal 
DNS server, not the one in your DMZ.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
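Below is an added example of what Barry's two suggestions look like in BIND configuration; it is not from the original post or from the ISP. It assumes a DMZ resolver at 10.1.1.53, an ISP master for example.com at 203.0.113.10 (an RFC 5737 documentation address), 10.0.0.0/8 as the internal network, and a separate internal server carrying the private corp.example.com zone. All addresses, zone names and file paths are illustrative.

```conf
// ---- named.conf on the DMZ caching resolver (assumed 10.1.1.53) ----
// Caching resolver for local hosts plus a "stealth slave" of the public
// zone, so lookups for our own names do not depend on the ISP's servers
// being reachable.  Addresses below are assumptions, not real ones.

acl "ournets" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "ournets"; };   // never an open resolver
    allow-query     { "ournets"; };
    listen-on { 10.1.1.53; 127.0.0.1; };
    version "not disclosed";          // do not advertise the patch level
};

// Stealth slave: a full copy of the public zone pulled from the ISP's
// master.  This server is NOT listed in the zone's NS records, so Internet
// resolvers never query it, but local lookups for example.com are answered
// from the local copy (which persists across ISP outages until expiry).
zone "example.com" {
    type slave;
    file "slave/example.com.db";
    masters { 203.0.113.10; };        // the ISP's master (assumed address)
    notify no;                        // not an advertised server, so do not notify
    allow-transfer { none; };         // nobody may pull the zone from us
};

// ---- named.conf on a separate INTERNAL server (assumed 10.2.2.53) ----
// Private names and addresses live here, behind the firewall.  The DMZ
// resolver above never carries this zone, so nothing internal is exposed
// even if the DMZ box is compromised.
zone "corp.example.com" {
    type master;
    file "master/corp.example.com.db";
    allow-query    { "ournets"; };
    allow-transfer { 10.2.2.54; };    // internal secondary only (assumed)
};
```

Two things to verify after loading this. First, the ISP must permit the transfer (their zone needs `allow-transfer` for 10.1.1.53, and ideally `also-notify` to it, otherwise the slave only refreshes on the SOA timer); confirm with `dig @10.1.1.53 example.com SOA +norecurse` and compare the serial against `dig @203.0.113.10 example.com SOA`. Second, confirm the split: `dig @10.1.1.53 host.corp.example.com` should return NXDOMAIN or a refusal, while the same query against 10.2.2.53 answers. Signing the transfer with TSIG is the usual hardening if the ISP supports it.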
