[CentOS] DNS Serving - Why my own?

Kemp, Larry Larry.Kemp at usmetrotel.com
Mon Oct 5 17:56:43 UTC 2009


"Another reason would be to avoid your ISP's redirection when a host 
doesn't resolve.  Comcast, for example, will send your request to their 
search page.  This can confuse some people, or can potentially end up 
leading you to a malicious page (I don't trust their search results). 
It's also annoying because pretty much everything will resolve whether 
it is valid or not."

Huge point Ryan. Just this weekend something happened yet again to Comcast's DNS or address mail.comcast.net. Their DNS was routing me to a server in Germany. I suspected an attack like the one they suffered in May of 2008 when Comcast's registrar info was accessed at ARIN and then the entire Internet was routing people to an HTML page when they entered http://www.comcast.net. Users might not think twice about entering their account info on a page that looks legitimate (but in reality is some site snagging logins of users). A non-caching DNS server internal on your LAN means that unless ARIN itself is hacked all your users go where they are supposed to (where "you" want them to, not where your ISP wants to send them). Way less chance of any kind of man in the middle attack or biased routing to the ISP's search like Ryan said.

Larry Kemp
Network Engineer
U.S. Metropolitan Telecom, LLC
Bonita Springs, FL USA


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Ryan Pugatch
Sent: Monday, October 05, 2009 1:21 PM
To: CentOS mailing list
Subject: Re: [CentOS] DNS Serving - Why my own?

Kemp, Larry wrote:
> All great responses. 
> 
> Why would a small business want to run their own DNS? Independence and control.
> 
> If you want or require the ability to route people to internal (on your LAN/WAN) web-based applications to URLs like http://intranet or https://yourcompanyquickenbooks this is one way rather than having your employees try and remember things like https://10.1.1.1 or maintaining a bunch of lmhosts (Win) and /etc/hosts (*nix) files on workstations and laptops. Or if you have trouble frequently with your ISP's DNS servers (Comcast or whoever) this is a simple way to go (caching). Make sure you secure it and have it nicely hidden in a DMZ or on your internal net though. One snag to keep in mind is that if you have your internal server acting authoritatively for yourcompany.com and externally it is a different SOA you could run into overlap issues. But in general the reason is that most companies have stuff in their internal DNS they certainly do not want known in the public and want to manipulate resolution internally for some things. But if your business can live without the benefits or protection that running your DNS server internally brings, then really no need to add another server to your admin duties unless you are really excited to manage a DNS server or tackle some complex and uber-secure Master/Slave architecture as a project. Hope this helps.
> 

Another reason would be to avoid your ISP's redirection when a host 
doesn't resolve.  Comcast, for example, will send your request to their 
search page.  This can confuse some people, or can potentially end up 
leading you to a malicious page (I don't trust their search results). 
It's also annoying because pretty much everything will resolve whether 
it is valid or not.



Ryan Pugatch
Systems Administrator, TripAdvisor
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
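An added check, not part of this thread or anyone's post in it, for Ryan's point that an ISP resolver may "resolve" names that do not exist: query a resolver for a random label under a zone and classify the reply from the 12-byte DNS header (RCODE 3 is honest NXDOMAIN; RCODE 0 with answer records for a name that cannot exist is the redirection he describes). The zone name, the 12-character random label and the classification strings are my own choices; the constructed header bytes in the comments are examples, not captured traffic.

```python
import random
import socket
import string
import struct

def build_query(qname, txid):
    """Minimal DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def random_probe_name(zone="example.com"):
    """A random 12-letter label under zone: a correct resolver must answer NXDOMAIN."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    return f"{label}.{zone}"

def classify_probe_reply(reply, expected_txid):
    """Classify a reply to a random-name probe using only the DNS header.
    'nxdomain'   -> resolver answers honestly (RCODE 3)
    'redirected' -> RCODE 0 plus answer records for a name that cannot exist
    'empty'      -> RCODE 0 with no answers (NODATA)
    Constructed example: header b"\\x12\\x34\\x81\\x83" + 8 zero bytes -> 'nxdomain'.
    """
    if len(reply) < 12:
        return "malformed"
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected_txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "mismatched"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0:
        return "redirected" if ancount > 0 else "empty"
    return f"rcode-{rcode}"

def probe_resolver(resolver_ip, zone="example.com", timeout=3.0):
    """Send one probe over UDP/53 and return its classification (needs network)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(random_probe_name(zone), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_probe_reply(reply, txid)

if __name__ == "__main__":
    import sys  # usage: python probe.py <resolver-ip>  (compare the ISP's to your LAN one)
    print(probe_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it once against the ISP's resolver and once against the LAN resolver; only "nxdomain" means the random name was left unresolved.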