The author of Best practices for DNS forwarding [petri.com] recommends using the ISP's DNS servers as forwarders instead of doing the recursive lookups yourself, the main reason being performance. This makes sense as you're only doing one query, getting the response probably right away, given a big enough cache at the ISP and a popular enough website.
A downside of using your ISP's DNS servers might be their stability. It used to be the case that ISPs often had not-very-stable DNS servers. However, this can be solved by simply forwarding to name servers such as 1.1.1.1, 8.8.8.8, or 9.9.9.9.
What are the benefits of doing the lookups yourself?
Edit: Using public name servers like Quad9 also adds security, as it filters out known malicious domains.
Answer
To answer my own question...
John is correct in stating that "if a DNS service meets your needs, certainly forward to it." A few reasons why it may not meet your needs:
- The DNS provider might block certain websites (e.g. torrent sites) by returning an IP address they - or the government - owns, hosting a website stating the website is banned for illegal activities.
- The DNS provider might return A records for non-existent domain names for advertising purposes (comment from Torin Carey).
Reasons for running your own resolvers:
- If your company is dual-homed to two different ISPs, it might not be possible to use the DNS servers from ISP1 when traffic leaves your network via ISP2. In this case you should either use public DNS servers (e.g. 8.8.8.8) or run your own resolvers.
- If the latency to the ISP's DNS servers or to a public DNS server is too high, you should run your own resolvers.
If both options (own resolvers or public ones) are valid for your company, you can choose which you want, depending on personal or architectural preferences. Of course, running your own resolvers means more systems to manage, you need to have system administrators with DNS knowledge in your team, etc.
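A small check for the second downside listed above (a forwarder that answers non-existent names with A records for advertising), added here as example code that is not part of the original post. It builds a minimal DNS query with the standard library only, and assumes the resolver under test answers plain UDP on port 53 and that randomly generated names under .com do not exist.

```python
"""Probe a resolver for NXDOMAIN rewriting: an honest resolver answers a
random non-existent name with rcode 3 (NXDOMAIN); a rewriting one returns
rcode 0 with one or more A records. Example code, not the post's own."""
import random
import socket
import string
import struct
from typing import Callable, Tuple

def build_query(qname: str, qid: int) -> bytes:
    """Standard A/IN query, recursion desired, one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp: bytes) -> Tuple[int, int]:
    """Return (rcode, answer count) from the 12-byte DNS header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0x000F, ancount

def udp_query(server: str, qname: str, timeout: float = 2.0) -> bytes:
    """Send one query to `server` over UDP/53 and return the raw reply."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        return s.recv(512)

def random_label(n: int = 12) -> str:
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))

def rewrites_nxdomain(query: Callable[[str], bytes], probes: int = 3, suffix: str = "com") -> bool:
    """True only if every random probe name comes back as rcode 0 with
    A records; any NXDOMAIN (or error such as SERVFAIL) clears the resolver."""
    for _ in range(probes):
        qname = f"{random_label()}.{random_label()}.{suffix}"  # constructed probe
        rcode, ancount = parse_header(query(qname))
        if rcode == 3 or not (rcode == 0 and ancount > 0):
            return False
    return True

def fake_resolver(rcode: int, ancount: int) -> Callable[[str], bytes]:
    """Constructed header-only replies so the check can be exercised offline."""
    return lambda _q: struct.pack("!HHHHHH", 1, 0x8180 | rcode, 1, ancount, 0, 0)

if __name__ == "__main__":
    # Point this at the forwarder you are evaluating, e.g. 9.9.9.9 from the post.
    print("rewrites NXDOMAIN:", rewrites_nxdomain(lambda q: udp_query("9.9.9.9", q)))
```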