Paul Vixie on the Benefits of Running DNS Services Locally

posted by martyb on Sunday October 28, @03:31PM
from the do-you-know-where-you're-going-to? dept.
Security

canopic jug writes:

Paul Vixie has written a two-page article about the benefits of running DNS locally. He goes into a brief summary of DNS' history, a description of the current situation, enumerates four areas of loss resulting from outsourcing DNS resolution, and points the direction out of the trap of outsourcing.

Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect their applications, services, and users from potential risks. These risks — including surveillance capitalism, unmanageable external dependencies, attacks carried via DNS, and attacks that could be detected via DNS — have a much higher potential cost than the mitigation strategy outlined here. Additionally, the DNS resolution service is so central to every other IT-related activity that any and all IT administrators who take the time to investigate and master this technology will amplify their effectiveness and the value they bring to their enterprise.

Do the all-too-common Microsoft shops these days even have DNS? Decommoditizing protocols has been one of their tactics for decades against FOSS and everyone else in general.


  • (Score: 1, Informative) by Anonymous Coward on Sunday October 28, @03:51PM (1 child)

    by Anonymous Coward on Sunday October 28, @03:51PM (#754684)

    AD is DNS, but that is just a small part of the role it plays. It is also user authorizations, access lists (groups), and site isolation (domains), to name a few. But being all things, it also has issues with the speed at which it resynchronizes between servers. If time fails (NTP and "local" clock; happens with VMs) then systems security fails, to the point that it is easier to build a new AD box than to try to fix the "broken" one.

    Personally, at home, I have been running a local DNS for over 25 years now. It helps black hole sites and keep the network secure. My kids comment when they leave the house that their phones slow down because of all the ads they now get.

    • (Score: 3, Interesting) by zocalo on Sunday October 28, @04:04PM

      by zocalo (302) on Sunday October 28, @04:04PM (#754689)
      That was my first thought too - you can't run AD without DNS since it stores so much information in DNS, but you *can* run AD/DNS without allowing it to become a fully recursive DNS server with access to the Internet. Frankly, given the vast amount of information contained within an AD DNS server and the potential for leakage if you mess up the configuration at any number of points, I'd be extremely reluctant to do that kind of deployment so maybe that is what is meant?

      In any event, my default AD/DNS configuration is to use some *NIX DNS servers (or DNS appliances) in a DMZ to handle all Internet DNS resolution, then let your AD servers forward any requests for domains they are not authoritative for to those for resolution. That way, you are free to explicitly deny any inbound traffic from the Internet to the AD/DNS without fear of breaking anything, reducing your attack surface significantly.
      --
      UNIX? They're not even circumcised! Savages!
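As an added example (not from Vixie's article or from either commenter), here is an unbound.conf for the DMZ resolver in the layout zocalo describes, with the query logging Vixie's article treats as a detection point and the ad sinkholing the first comment mentions. All addresses and zone names are assumptions.

```conf
# Added example: DMZ recursive resolver that only the internal AD/DNS servers may use.
# All addresses, zone names and file paths below are assumptions.
server:
    interface: 10.0.1.53            # DMZ address the AD/DNS servers forward to (assumed)
    port: 53
    do-udp: yes
    do-tcp: yes

    # Default deny: everything, including anything arriving from the Internet,
    # is refused; only the two domain controllers are allowed to query.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.10/32 allow  # AD/DNS server 1 (assumed)
    access-control: 10.0.0.11/32 allow  # AD/DNS server 2 (assumed)

    # Do not answer version/hostname probes over CHAOS.
    hide-identity: yes
    hide-version: yes

    # Validation and hardening of the Internet-facing recursion.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Query and reply logging to syslog: this is what makes local resolution
    # a place where DNS-carried attacks can be detected, not just served.
    verbosity: 1
    log-queries: yes
    log-replies: yes
    use-syslog: yes

    # Sinkhole: the blackholing described in the first comment. Any name
    # under ads.example (assumed) gets NXDOMAIN without leaving the network.
    local-zone: "ads.example" always_nxdomain

    # The internal AD zone (assumed name) must never be resolved on the
    # Internet; private addresses in its answers are expected, and it is not
    # DNSSEC-signed, so validation is switched off for it.
    private-domain: "corp.example"
    domain-insecure: "corp.example"

# Defence in depth: even a stray query for the internal zone is sent back to
# the domain controllers instead of to the root servers.
stub-zone:
    name: "corp.example"
    stub-addr: 10.0.0.10
    stub-addr: 10.0.0.11
```

Run `unbound-checkconf` before loading it; on the Windows side, `Set-DnsServerForwarder -IPAddress 10.0.1.53 -UseRootHint $false` points the domain controllers at this resolver and stops them from falling back to root hints if it is unreachable.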

  • (Score: 0) by Anonymous Coward on Sunday October 28, @04:15PM

    by Anonymous Coward on Sunday October 28, @04:15PM (#754695)

    Paul's the kind of guy who will suck up to his friends to get free SCUBA lessons and then disappear to go diving with his rich buddies, from DECWRL, and abandon the very people who taught him SCUBA diving.

    Paul's good at brown-nosing and impressing older people, but now that he's old, it doesn't work so well.
