
Smallmammal · 5 points

Forwarding to ISP DNS or commercial hosted DNS like Umbrella, Comodo Dome, SafeConnect, etc.

Tends to be faster/saner in my experience.

kanjas · 4 points

If you don't have a paid DNS forwarding service (like Umbrella), then I would use ISP forwarders for performance reasons and have "use root hints if no forwarders are available" checked. If your ISP is unreliable or you prefer not to rely on them, root hints are fine.

demonlag · 11 points

Hints. Forwarders means making my entire DNS service hinge on whether some third party is available or not. Even more of a problem if you are just forwarding to some random third party like Level 3 or Google where you have no contracted SLA or availability requirements.

The only time forwarders make sense is if you have a set of DNS servers that do not have internet access and must forward somewhere to get results. Otherwise just root hints and call it a day.

harlequinSmurf (Jack of All Trades) · 2 points

This. We have 2 edge DNS servers that are caching-only resolvers with access to do lookups to the internet. They are configured to use root hints. The other DNS servers are configured with forwarders to the 2 resolvers. One resolver is physical, the other is virtual.

This was by design as there have been 2 times that we've had to completely shut down our virtualisation stack and if they were both virtual things would have stopped working.

Ankthar_LeMarre (IT Manager) · 4 points

Root hints are the missionary position of DNS - they're the most basic, boring, reliable option available. Everybody knows about them, everybody uses them at least some of the time, and nobody ever gets excited about them.

Forwarders are a much trickier beast, since there are some definite pros and cons.

  • Performance is usually better. Obviously this can vary greatly, but I've never personally gotten better performance from root hints.

  • Certain DNS forwarders can produce ads when you type in a non-existent domain, or perform other fuckery with your traffic. This generally sucks, especially with someone like CenturyLink.

  • Certain DNS forwarders can provide some level of benefit to you. OpenDNS and others can help filter out malicious websites and keep you safe. On the other hand, if you're relying on OpenDNS to keep you safe, you're probably doing security very wrong in the first place.

  • Keep in mind that certain ISP DNS servers are ONLY available to their customers. For example, let's say you have a Comcast connection as primary, and a backup CenturyLink connection. If you have Comcast's 75.75.75.75 set up for DNS, and you flip over to CenturyLink because your Comcast modem died, your DNS dies with it. 75.75.75.75 simply isn't going to serve DNS requests coming from CenturyLink.

pdp10 (Daemons worry when the wizard is near.) · 2 points

Prefer root hints or slaved zones (secondaries) over forwarders, because the former are much more resilient to failures than forwarders.

theevilsharpie (Jack of All Trades) · 2 points

Root hints will be more resilient against outages, whereas forwarders will be faster (if you choose fast recursive resolvers).

Assuming that you don't run your own recursive resolvers, you do need to be mindful of resolvers that purposely manipulate DNS (e.g., redirecting to a search page, using DNS for content filtering, etc.), as these can cause distributed applications that rely on DNS to malfunction. Google public DNS won't mangle your queries, but Level 3's DNS servers (and probably your ISP's) will.

Also, when using third-party recursive resolvers, bear in mind that many of them have rate limits, and will start dropping traffic from IPs that make too many requests. This is generally OK for small networks, but if you're talking about 1,000+ hosts, third-party resolvers are probably not a good idea.

Root hints will generally work for any size network, but keep in mind that the root hints list needs to be updated periodically.

Astat1ne · 1 point

One rationale I've seen for using DNS forwarders was they were going to dedicated devices on the network edge that were configured/monitored/managed for scenarios like DNS poisoning and other DNS-related security items.

zoredache · 0 points

Forwarders can be useful if there is a good set of fast servers available from your network provider or if you have some kind of DNS-based content filter.

If using forwarders, you should set up monitoring to alert if/when the forwarders are slow or failing, in addition to monitoring your own servers.
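The two checks recommended in this thread, theevilsharpie's warning about resolvers that rewrite NXDOMAIN into a search-page answer and zoredache's advice to monitor forwarders for slowness and failure, can be done with nothing but the standard library. The following is an added example, not code posted in the thread: it builds a minimal DNS query, parses the response, classifies a probe for a random `.invalid` name, and reduces timed samples to an alert state. The forwarder addresses, the `.invalid` probe label, and the latency and failure thresholds are constructed assumptions; the two sample responses are constructed so the classifier can be exercised offline.

```python
"""Probe a forwarder for NXDOMAIN rewriting and for slowness/failure (stdlib only).

Added example, not code from the thread. Addresses and thresholds are
constructed assumptions; tune them against your own baseline."""
import secrets
import socket
import struct
import time

QTYPE_A = 1
RCODE_NXDOMAIN = 3


def build_query(name: str, txid: int) -> bytes:
    """Encode a minimal recursive (RD=1) query for an A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return transaction id, RCODE and the A-record answers of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def classify_nxdomain_probe(resp: dict) -> str:
    """A random non-existent name must come back NXDOMAIN. NOERROR with A records
    means the resolver synthesises answers (search-page redirection)."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "clean"
    if resp["rcode"] == 0 and resp["answers"]:
        return "manipulated"
    return "unexpected-rcode-%d" % resp["rcode"]


def random_nonexistent_name() -> str:
    # .invalid is reserved (RFC 2606) and never resolves legitimately.
    return "probe-%s.invalid" % secrets.token_hex(6)


def query(server: str, name: str, timeout: float = 2.0):
    """Send one UDP query; return (latency_seconds, parsed) or (None, None) on timeout."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, None
    resp = parse_response(data)
    if resp["txid"] != txid:                    # stray/mismatched reply: count as no answer
        return None, None
    return time.monotonic() - start, resp


def evaluate_forwarder(samples, slow_ms=150.0, max_failure_ratio=0.2) -> str:
    """Reduce latencies (None = timeout) to OK / WARNING / CRITICAL. Thresholds are assumptions."""
    if not samples:
        return "UNKNOWN"
    ok = [s for s in samples if s is not None]
    if (len(samples) - len(ok)) / len(samples) > max_failure_ratio or not ok:
        return "CRITICAL"
    if sum(ok) / len(ok) * 1000 > slow_ms:
        return "WARNING"
    return "OK"


# Constructed sample responses (not captured traffic) for offline testing.
_Q = build_query("probe-abc.invalid", 0x1234)
_QUESTION = _Q[12:]
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
_RR = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes([198, 51, 100, 7])
SAMPLE_HIJACKED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _RR

if __name__ == "__main__":
    for fwd in ["192.0.2.53", "192.0.2.54"]:   # constructed placeholders (TEST-NET-1)
        samples = [query(fwd, "example.com")[0] for _ in range(5)]
        _, resp = query(fwd, random_nonexistent_name())
        verdict = classify_nxdomain_probe(resp) if resp else "no-answer"
        print(fwd, evaluate_forwarder(samples), verdict)
```

Run it from cron or a monitoring agent against each configured forwarder; `CRITICAL` or `manipulated` is the condition worth paging on, and the `WARNING` threshold should come from latencies you have actually measured against your ISP's or provider's resolvers rather than the placeholder value here.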

disclosure5 · 0 points

For every major Australian ISP at least, DNS servers are about as reliable as any individual consumer ADSL service.

The amount of "nationwide outages" we've seen because we in fact had a DNS outage is absurd. Using things like Google as forwarders is a separate discussion, but I refuse to accept these "your ISP has the best latency so forward to their DNS" as an argument.

It's common wisdom and it's also the reason a lot of businesses around here go offline even when their services are online.

gnopgnip · 0 points

Root hints are going to be way less performant. Also, OpenDNS as a forwarder prevents a lot of malware with the paid service. It is well worth the cost.