Paul Vixie has written a two-page article about the benefits of running DNS locally. He gives a brief summary of DNS's history, a description of the current situation, enumerates four areas of loss resulting from outsourcing DNS resolution, and points the way out of the trap of outsourcing.
Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect their applications, services, and users from potential risks. These risks — including surveillance capitalism, unmanageable external dependencies, attacks carried via DNS, and attacks that could be detected via DNS — have a much higher potential cost than the mitigation strategy outlined here. Additionally, the DNS resolution service is so central to every other IT-related activity that any and all IT administrators who take the time to investigate and master this technology will amplify their effectiveness and the value they bring to their enterprise.
Do the all-too-common Microsoft shops even have DNS these days? Decommoditizing protocols has been one of their tactics for decades against FOSS and everyone else in general.
(Score: 1, Informative) by Anonymous Coward on Sunday October 28, @03:51PM (1 child)
AD is DNS, but that is just a small part of the role it plays. It is also user authorizations, access lists (groups), and site isolation (domains), to name a few. But being all things, it also has issues with the speed of resynchronization between servers. If time fails (NTP and the "local" clock; this happens with VMs) then system security fails, to the point that it is easier to build a new AD box than to try to fix the "broken" one.
Personally, at home, I have been running a local DNS for over 25 years now. It helps black-hole sites and keeps the network secure. My kids comment that when they leave the house, their phones slow down because of all the ads they now get.
(Score: 3, Interesting) by zocalo on Sunday October 28, @04:04PM
In any event, my default AD/DNS configuration is to use some *NIX DNS servers (or DNS appliances) in a DMZ to handle all Internet DNS resolution, then let the AD servers forward any requests for domains they are not authoritative for to those for resolution. That way, you are free to explicitly deny any inbound traffic from the Internet to the AD/DNS without fear of breaking anything, reducing your attack surface significantly.
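The DMZ half of the split design described in the comment above, written out as an added example (this is not code from Vixie's article or from the commenter): a small generator for the `server:` section of an Unbound configuration on the DMZ resolver. It restricts recursion to the AD/DNS servers' subnet so the box is not an open resolver even if a firewall rule is missed, sinkholes a hosts-format blocklist (the local black-holing mentioned earlier in the thread), and turns on per-query logging, which is the raw material for the "attacks that could be detected via DNS" point in the article. The AD subnet 10.0.10.0/24, the listen address 192.0.2.53 and the sample blocklist are all hypothetical values constructed for the example.

```python
"""Render an Unbound server: section for a DMZ resolver that serves only the
AD/DNS forwarders, sinkholes a blocklist, and logs every query.

Added example, not from the article or the comment thread. All addresses and
the blocklist below are constructed assumptions.
"""
import ipaddress
import re

# Constructed sample blocklist in hosts-file format (the format most public
# ad/malware lists use). Comments, blank lines, mixed case, a localhost entry
# and an invalid hostname are included on purpose to exercise the parser.
SAMPLE_BLOCKLIST = """\
# constructed sample list
0.0.0.0 ads.example
0.0.0.0 tracker.example.net   # trailing comment

127.0.0.1 localhost
0.0.0.0 ADS.EXAMPLE
0.0.0.0 bad host.example      # space in the name: must be skipped
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def valid_hostname(name: str) -> bool:
    """RFC 1123-style check: hyphen/alnum labels of 1-63 chars, total <= 253."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts_blocklist(text: str) -> list[str]:
    """Return sorted, de-duplicated, lower-cased names to sinkhole.

    Only lines whose address is a sinkhole address (0.0.0.0, 127.0.0.1, ...)
    are taken, and entries that merely define localhost are ignored, so a
    real /etc/hosts can be fed in without poisoning the resolver.
    """
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or fields[0] not in _SINK_IPS:
            continue  # malformed line or not a sinkhole entry
        host = fields[1].lower().rstrip(".")
        if host in _LOCAL_NAMES or not valid_hostname(host):
            continue
        names.add(host)
    return sorted(names)


def unbound_config(listen_addr: str, client_nets: list[str],
                   sinkhole: list[str], verbose_logs: bool = True) -> str:
    """Render the server: section of unbound.conf.

    - access-control: everything is refused by default; only the listed
      client networks (the AD/DNS forwarders) may recurse through this box.
    - local-zone ... always_nxdomain: sinkholed names answer NXDOMAIN for
      every record type, blocking ads or C2 without returning a fake address.
    - log-queries/log-replies: one syslog line per query and answer, which is
      what you grep or ship to a SIEM to spot tunnelling, DGA names, or
      lookups of known-bad domains.
    """
    for net in client_nets:
        ipaddress.ip_network(net)  # fail early on a typo in the ACL
    lines = [
        "server:",
        f"    interface: {listen_addr}",
        "    port: 53",
        "    do-udp: yes",
        "    do-tcp: yes",
        "    hide-identity: yes",
        "    hide-version: yes",
        "    harden-glue: yes",
        "    harden-dnssec-stripped: yes",
        "    qname-minimisation: yes",
        "    access-control: 0.0.0.0/0 refuse",
        "    access-control: ::0/0 refuse",
    ]
    lines += [f"    access-control: {net} allow" for net in client_nets]
    if verbose_logs:
        lines += ["    use-syslog: yes", "    log-queries: yes", "    log-replies: yes"]
    lines += [f'    local-zone: "{name}." always_nxdomain' for name in sinkhole]
    return "\n".join(lines) + "\n"


def build_dmz_resolver_config() -> str:
    """Assemble the config with the hypothetical addresses from the lead-in."""
    return unbound_config("192.0.2.53", ["10.0.10.0/24"],
                          parse_hosts_blocklist(SAMPLE_BLOCKLIST))


if __name__ == "__main__":
    print(build_dmz_resolver_config())
```

On the Windows side, the matching setting is a forwarder list on each AD/DNS server pointing at these DMZ resolvers with root hints disabled (`Set-DnsServerForwarder -IPAddress <dmz resolvers> -UseRootHint $false`), so the domain controllers never need to reach the Internet for DNS at all and the perimeter rule denying inbound traffic to them costs nothing.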
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Sunday October 28, @04:15PM
