
Author name resolution in DNS
sandy_kapoor

2002-11-01, 11:15 pm

The global layer is formed by the highest-level nodes, that is, root nodes and directory nodes logically close to the root. Will the performance improve if they support recursive name resolution, so they can use caching to respond to requests from clients more quickly? And would the network traffic also be reduced?
Lucidity

2002-11-02, 10:15 am

Causing higher-level DNS servers to perform recursive queries is a bad idea. Firstly, the higher the DNS server is in the hierarchy, the more requests for service it will be fielding. When you are requiring this server to perform recursive inquiries, it must still be available to handle incoming inquiries from resolver clients as well as perform lookups. Eventually you will reach a point of diminishing returns in that the server will be spending so much time looking up host names that it cannot respond to requests. On top of this, remember that DNS cached entries are stored in RAM, not on a hard disk. That means that EVERY query will have its results stored in RAM, or at least until they time out. For a server that is seeing a lot of utilization, you couldn't possibly have enough RAM for it to hold all the necessary files as well as the DNS cache for every request, and still expect the server to function.
sandy_kapoor

2002-11-02, 9:44 pm

Thanks.
But I think there is also a security concern. What do you think?
Lucidity

2002-11-03, 12:34 pm

No, I wouldn't say it would be a security issue.

The DNS server performing the lookup will only hold individual records... records that had to be specifically requested by the initiating host. It wouldn't hold entire zone information.

Secondarily, it is only holding information that has ALREADY been made publicly available. Now, you can implement a firewall to protect the passing of port 53 traffic to only approved IP addresses. However, this has to be configured on the firewall that protects the DNS server that is AUTHORITATIVE for the zone itself. It could be set up to allow requests for DNS resource records by IP hosts within an approved range. The better alternative is to not place sensitive DNS resource records where they can be accessed by external users. The resource records serviced by a DNS server that is authoritative for a zone, if that DNS server is accessible to external clients, should ONLY include those records that point to other externally accessible hosts.
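
The rule in the last reply (an externally reachable authoritative zone should only contain records for externally accessible hosts) can be checked mechanically. The following is an added example, not part of the original thread: the zone `example.com`, its records, the internal address ranges and the function names are assumptions, and the parser handles only simple one-record-per-line zone text.

```python
import ipaddress

# Ranges treated as internal-only (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample zone (hypothetical); owner name present on every line.
SAMPLE_ZONE = """\
$ORIGIN example.com.
ns1      IN A     198.51.100.53
www      IN A     203.0.113.10
intranet IN A     10.20.30.40   ; internal host leaked into external zone
dc01     300 IN A 192.168.1.5
build    IN AAAA  fd12:3456:789a::10
vpn      IN CNAME dc01
"""

def fqdn(name, origin):
    """Expand a relative owner/target name against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def audit_zone(text):
    """Return {owner: reason} for records that expose internal hosts."""
    origin, internal, cnames = "", {}, {}
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if not tok or (tok[0].startswith("$") and tok[0] != "$ORIGIN"):
            continue
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        owner, rest = fqdn(tok[0], origin), tok[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                  # skip optional TTL and class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype in ("A", "AAAA"):
            if any(ipaddress.ip_address(rdata) in n for n in INTERNAL_NETS):
                internal[owner] = f"{rtype} {rdata}"
        elif rtype == "CNAME":
            cnames[owner] = fqdn(rdata, origin)
    # A CNAME that points at a flagged name exposes the same internal host.
    via = {o: f"CNAME {t} -> {internal[t]}" for o, t in cnames.items() if t in internal}
    return {**internal, **via}
```

Calling `audit_zone(SAMPLE_ZONE)` returns the four owner names that would disclose internal addressing if this zone were served to external clients; `ns1` and `www` are not flagged.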

Copyright 2003 - 2008 examnotes.net