Caching resolver and options rotate

Kirk bind at
Sat May 17 15:46:31 UTC 2008

>> You may find it better, however, not to use forwarding at all - to  
>> use your DNS server as the final recursion server, instead of  
>> passing the buck upstream to your ISP. That way, you don't depend on  
>> the stability and security of their name servers for anything. (If  
>> you do decide to use forwarding, you should be absolutely sure that  
>> your ISP's name servers run a current version of BIND 9 rather than  
>> BIND 8, or a current version of MS DNS rather than MS DNS before  
>> about Win2K3 SP1, before you set up forwarding. Otherwise, bad  
>> things can come of forwarding, relating to DNS cache poisoning, and  
>> therefore pharming attacks.)
>>  The reason to make this caching server was to alleviate load from  
>> our upstream DNS, they told us we are alone stressing their current  
>> DNS servers, and to be respectful we were going to have an internal  
>> caching DNS that would use them upstream for queries we haven't  
>> cached. Would still use their 4 NS's, but alleviate a lot of the  
>> queries going upstream, and bring response time lower for ourselves.
>> Wouldn't using root servers directly just add to the burden of the  
>> root servers?
> No, for two reasons.
> Number one is, there are a lot more root servers out there than there  
> are resolvers at your ISP. I don't have the exact count, but due to  
> anycast, the number is up around 100. And that's just the load  
> balancers - there are several times that many actual authoritative  
> name servers behind those load balancers.
> Also, there's a significant difference in processing power required to  
> process a recursive query vs. an iterative query. You would be sending  
> occasional iterative queries to the root servers, whereas you have  
> been sending (apparently) a constant and heavy stream of recursive  
> queries to your ISP's resolvers.
> Your ISP doesn't forward queries upstream; they resolve them  
> recursively. The root servers do not handle the heavy lifting of DNS  
> resolution (the job of recursion); they answer simple iterative  
> requests from resolvers such as those provided by your ISP.
> By not forwarding to your ISP, you would be shifting the bulk of the  
> work to your own server(s). It sounds like your ISP would prefer this.

What ISP *wouldn't* want this?  ;)  Just joking guys.  Don't wanna turn this 
into a TFH.

But in all seriousness. To the OP, if you're gonna run your own DNS caching 
server, might as well do the recursion yourself.  You then have removed a 
link in the recursion chain (so to speak).
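As an added illustration (not part of the original thread, and not the OP's actual configuration), the two set-ups discussed above differ in only a few lines of named.conf. The addresses are RFC 5737 documentation ranges standing in for the OP's internal network and the ISP's four resolvers, and the root hints file name and directory are assumptions; a real deployment substitutes its own.

```conf
// Added example, not from the original thread. 192.0.2.0/24 stands in for
// the internal network, 203.0.113.x for the ISP's resolvers (placeholders).
options {
    directory "/var/named";        // assumed path

    recursion yes;
    // Only the internal network may ask this server to recurse; anyone
    // else gets REFUSED, so the box does not become an open resolver.
    allow-recursion { 192.0.2.0/24; };
    allow-query     { 192.0.2.0/24; };

    // --- The OP's original plan: cache locally, forward cache misses to
    // --- the ISP. Uncomment these two lines to get that behaviour. With
    // --- them in place the answers you cache are only as trustworthy as
    // --- the ISP's resolvers (the cache-poisoning point made above).
    // forwarders { 203.0.113.1; 203.0.113.2; 203.0.113.3; 203.0.113.4; };
    // forward only;

    // --- What the replies recommend: leave forwarders out. Cache misses
    // --- are then resolved iteratively by this server, starting from the
    // --- root hints below, and the ISP's resolvers are out of the chain.
};

// Root hints: the addresses named starts from when it has nothing cached.
// Only a handful of iterative queries ever reach the roots; each answer
// (e.g. the .com delegation) is cached and reused for its TTL.
zone "." {
    type hint;
    file "named.root";             // assumed file name for the root hints
};
```

Run `named-checkconf` on the file before reloading to catch syntax slips. The `allow-recursion` line is the part worth keeping in either variant: a caching server that recurses for the whole Internet attracts exactly the kind of query load the OP is trying to shed, on top of the abuse risk.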
