ISP DNS Hosting

Simon Waters Simon at wretched.demon.co.uk
Mon Apr 12 20:44:31 UTC 2004
Garrett wrote:
> I am now working for a company who does not do their own DNS hosting.
> For whatever reasons, they feel it is better to host their DNS servers
> at their ISP rather than in our own DMZ. They believe that their DNS
> servers would be more reliable if they are hosted off-site. I have
> reservations about that. It seems unnecessary, less manageable, and to
> have greater security risks as well as longer resolution time, at
> least for hosts in our DMZ that would use those servers. I would like
> to get the opinions of this group about the pro/cons of this.

I did a survey of DNS configurations of all companies in my local area
with a turnover of over 1,000,000 GBP per annum; all of those that
hosted it themselves had errors in their DNS configuration. Two of the
big UK ISPs were practically perfect in their DNS hosting
configurations: servers were recent versions of BIND, with no recursion,
one off-network server, correct delegation from parent zones, etc.

Not saying it isn't easy to do DNS right, it is fairly easy, but most
medium to large companies don't have (or can't maintain!) the in-house
skills to do it.

Firstly you can't host all the servers in your DMZ and get the kind of
redundancy a good ISP will provide (at least one server on a different
network (ASN), preferably different continent).

> Isn't it more difficult to react to security issues?

There are few security issues that changing the DNS helps with assuming
you did it right in the first place, the main one being DDoS, when
you'll probably want to speak to your ISP anyway.

> How can you know that your ISP is keeping up with patches, or is
> managing your namespace securely?

The best you can do is poke around their name servers and see if they
are configured as you would desire (dig is your friend). But I think it
comes down to how do you select an ISP? If your ISP can't manage and
secure their own DNS properly the chances of them being any good at
anything else have to be pretty poor.

> What about zones or IP addresses
> that you would prefer to keep private, aren't they more vulnerable?

I wouldn't host private IP addresses on a public server.

I do know some organisations that reveal internal name information (as
they are using public IP addresses for internal systems and can't be
bothered to separate the private namespace) on the public Internet. I
don't think it is the best thing to do, but the world doesn't instantly
crash in if you take other aspects of security seriously, especially if
the naming convention doesn't reveal sensitive information (if you have
machines named after Greek gods, or elements of the periodic table, or
characters from the Simpsons, that is much less revealing than say
fw1.internal.example.com).

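The "poke around their name servers" advice above can be turned into a repeatable check. The script below is an added example, not part of Simon's post and not a BIND tool: it wraps dig in a few shell functions that test the properties the reply names (no recursion offered, the parent's delegation agreeing with the zone's own NS set, and the advertised BIND version). The parsing functions read dig output on stdin, so they run here on constructed sample output without any network access; only audit_live() queries real servers, and the zone and server names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): a small dig-based
# audit of an ISP's authoritative servers. The parsers take dig output on
# stdin so they can be exercised on the constructed samples below; only
# audit_live() touches the network. All names are placeholders.

# --- parsers over dig output -------------------------------------------

# Print "yes" if the ";; flags:" header line carries "ra" (recursion
# available), otherwise "no". An authoritative-only server should say "no".
ra_flag_set() {
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    for f in $flags; do
        if [ "$f" = "ra" ]; then echo yes; return 0; fi
    done
    echo no
}

# Print the NS targets found in dig output (answer or authority section),
# one per line, sorted, so two sets can be compared as plain strings.
ns_names() {
    awk '$4 == "NS" { print $5 }' | sort -u
}

# Compare the parent's referral NS set ($1) with the zone's own NS set ($2).
delegation_consistent() {
    if [ "$1" = "$2" ]; then echo consistent; else echo MISMATCH; fi
}

# --- constructed samples (not captured from any real server) ------------

SAMPLE_HEADER_AUTH=';; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_HEADER_OPEN=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_PARENT='example.com.   172800  IN  NS  ns1.example.net.
example.com.   172800  IN  NS  ns2.example.org.'
SAMPLE_CHILD='example.com.    86400   IN  NS  ns1.example.net.
example.com.    86400   IN  NS  ns3.example.org.'

# Run the checks on the samples and print a one-line summary:
# the parent hands out ns2, the zone itself answers with ns3, so the
# delegation check reports MISMATCH.
audit_sample() {
    auth=$(printf '%s\n' "$SAMPLE_HEADER_AUTH" | ra_flag_set)
    open=$(printf '%s\n' "$SAMPLE_HEADER_OPEN" | ra_flag_set)
    parent=$(printf '%s\n' "$SAMPLE_PARENT" | ns_names)
    child=$(printf '%s\n' "$SAMPLE_CHILD" | ns_names)
    echo "auth-only:$auth open:$open delegation:$(delegation_consistent "$parent" "$child")"
}

# --- live audit (needs network access and dig) ---------------------------

# $1 zone, $2 a name server for the parent zone, $3 one of the zone's servers
audit_live() {
    zone=$1; parent=$2; child=$3
    echo "recursion offered by $child: $(dig @"$child" "$zone" SOA +norecurse | ra_flag_set)"
    p=$(dig @"$parent" "$zone" NS +norecurse | ns_names)
    c=$(dig @"$child" "$zone" NS +norecurse | ns_names)
    echo "delegation for $zone: $(delegation_consistent "$p" "$c")"
    echo "version.bind on $child: $(dig @"$child" version.bind CHAOS TXT +short)"
}

audit_sample
# audit_live example.com <a server for the parent zone> ns1.example.net
```

The RA flag is set by a server that offers recursion regardless of whether the query asked for it, which is why the live check sends +norecurse and still learns whether the box is an open resolver. The delegation check compares the referral the parent zone's servers give against what the zone's own servers answer; a mismatch is exactly the kind of error the survey above found in self-hosted setups. The version.bind query only works where the ISP has not hidden the version string, so an empty answer is not itself a finding.
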
More information about the bind-users mailing list