Bind Software diversity

Jonathan de Boyne Pollard J.deBoynePollard at tesco.net
Mon Aug 11 16:51:00 UTC 2003


JdeBP> The opinion of "the BIND community" when asked, in essence,
JdeBP> "Rather than run the very latest version of BIND throughout,
JdeBP> should I run different, non-BIND, DNS server software?" is, 
JdeBP> I suspect, going to be the obvious one.

SW> What, that like economists, there are at least as many views 
SW> as members, and possibly more views than that.

Partly that, indeed; and partly that - also like economists (albeit 
that we should be wary of stretching your simile too far) - there is a 
mainstream opinion that is, in general, conservative and, to an 
extent, dogmatic.  

SW> Where the NS addresses are fixed some ISPs like to leave 
SW> resolving servers accessible to the world for when clients 
SW> plug their laptops into other people's networks, so they 
SW> don't have to change DNS settings. With DHCP supplying DNS 
SW> in most places this is largely irrelevant.

Actually, the proxy DNS server IP addresses supplied by DHCP should, 
best, be largely irrelevant, too.  I've seen people say that in such 
situations ISPs should employ VPNs, so that whilst the proxy DNS 
service is only reachable by the ISP's customers, those customers can 
reach it over the VPN from other networks.  That's certainly one way 
of tackling the issue.  However, a different, but equally good (and
in some ways better), way of tackling it would be for such a laptop 
itself to be running its _own_ resolving proxy DNS server, so that it 
performed any query resolution that it needed itself.  Thus the 
machine would have no need of whatever proxy DNS server information 
was supplied to it via DHCP, and all such information would be 
irrelevant.

However, either way (communicating with the "home" ISP via a VPN or 
running one's own resolving proxy DNS server on the machine itself) 
there's _no_ need _at all_ for the ISP to run a promiscuous proxy 
DNS server in order to satisfy roaming users.  Doing so is a bad idea
and a bodge that is used in place of satisfying the needs of the users 
in a proper manner.  Proxy DNS service is like proxy HTTP service and 
SMTP Submission service in many ways.  The reasons that good ISPs 
don't provide promiscuous services for the latter two, despite the 
equal applicability of the "But roaming users need it!" argument to 
them, are also reasons for not providing promiscuous service for 
the former.  

I suspect that roaming users in fact readily accept that for all 
three services, ISPs expect them to

	(a) change their machine's settings for those services as 
	    they roam from ISP to ISP; 
	(b) employ some form of either IP tunnelling or 
	    authentication to access the "home" ISP's private 
	    services when connected to another ISP; 
	or 
	(c) be first-class Internet citizens and run their 
	    own services themselves.  
 
SW> Also the lack of an off-network authoritative server might be 
SW> worth reviewing; I guess it depends how many off-network 
SW> services are referred to in the DNS. 

There are arguments against the need for making one's content DNS 
service immune to single-point failure if all of one's other services 
are provided over a single link and would be hit by the failure 
anyway.  However, when this subject was discussed in depth on the 
"djbdns" mailing list in 2001-01 after the events that hit Microsoft 
that month, Andy Dustman propounded a good argument, in favour of even 
those organizations that have everything on a single IP address having 
off-site content DNS service, that, two and a half years later, I have 
yet to see properly countered.

<URL:http://marc.theaimsgroup.com./?l=djbdns&m=98038553100698>
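Added example, not part of the original post and not SW's or JdeBP's configuration: three BIND 9 named.conf fragments, each intended for its own file, showing the "promiscuous proxy DNS server" argued against above beside the two alternatives the post prefers (an ISP resolver restricted to its own customers, and a laptop running its own resolving proxy). The address blocks are placeholders. It assumes BIND 9, where allow-recursion controls who may have queries resolved and allow-query-cache (BIND 9.4 and later) controls who may read answers already in the cache; before 9.4 the effective default for allow-recursion was any, after it localnets and localhost.

```conf
// Added example; address blocks are placeholders (documentation prefixes).

// --- named.conf (a): the promiscuous proxy DNS server ---
// Recursion is offered to any source address. On BIND 9 releases before
// 9.4 this was the effective default whenever recursion was on at all.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- named.conf (b): ISP resolver serving only its own customers ---
// Authoritative zones this server also hosts remain answerable to the
// world; only use of the cache is restricted. Roaming customers reach it
// over a VPN (the post's option (b)) or run their own resolver instead.
acl customers {
    localhost;
    localnets;
    192.0.2.0/24;       // placeholder: the ISP's customer IPv4 block
    2001:db8::/32;      // placeholder: the ISP's customer IPv6 block
};

options {
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };   // BIND 9.4 and later
};

// --- named.conf (c): the laptop's own resolving proxy DNS server ---
// Listens on loopback only and resolves for itself, so whatever resolver
// addresses DHCP hands out on a foreign network are irrelevant.
options {
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion { localhost; };
    allow-query-cache { localhost; };
};
```

named-checkconf validates the syntax of each file. To confirm that (b) is not promiscuous, query your own server from an address outside the customers ACL for a name you are not authoritative for; the expected result is a REFUSED response or a non-recursive referral with the RA bit clear, not a resolved answer.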
