default local DNS caching name server

Reindl Harald h.reindl at thelounge.net
Sat Apr 12 14:03:14 UTC 2014



On 12.04.2014 15:31, Chuck Anderson wrote:
> On Sat, Apr 12, 2014 at 02:09:19PM +0800, P J P wrote:
>>> On Saturday, 12 April 2014 11:11 AM, William Brown wrote:
>>> Say I have freshly installed my fedora system at home. I then boot it up
>>> and start to use it. My laptop is caching DNS results all the while from
>>> the "unreliable" ISP.
>>>
>>> I then go to work and suddenly things don't work.
>>>
>>> Having a DNS cache doesn't fix your unreliable ISP: You need to lodge a
>>> complaint with your ISP.
>>
>>   What, no! That was the case for having a local cache and not forwarding queries to the ISP's name servers at all. Because those are not reliable.
> 
> I disagree.  You can still do DNSSEC validation with a local caching
> resolver and configure that local resolver to forward all queries to
> the ISP.  That should be tried first, and only bypassed and become a
> full iterative recursive querier bypassing the ISP resolvers if that
> fails.  We need to respect the DNS caching infrastructure by default.

nonsense - there are so many broken ISP nameservers out there
responding with wildcards and so on that you can not trust them,
and you will realize that, if not before, after you start to run
a production mailserver which relies on NXDOMAIN responses for
proper operation

there are also a lot of broken DNS servers in general not respecting
the TTL - not so long ago we moved one of our servers into our
datacenter, changed the TTL to 5 minutes two days before, and
*7 months* later the DNS of my private ISP still answered randomly with
the old and the new address

other DNS servers out there still answered with the old one after 7 months;
the most broken one just answered with *both*, suggesting round robin to
the client - problem: the old IP no longer existed at all

how did i test that?
by googling for publicly answering nameservers, asking all which i found
with a script, and finally asking the tech contact of the broken ones
why they don't start to hire someone with the skills for DNS

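An added example, not code from the thread, of the kind of resolver audit the post above describes: it takes an injectable lookup function (here a constructed stand-in; a real one would send the queries to each resolver) and flags resolvers that still serve a stale address past its TTL, hand out old and new addresses together, or synthesise answers for names that should be NXDOMAIN. Resolver names and IP addresses are placeholders.

```python
import secrets

# Constructed answers for a name that moved, modelled on the anecdote in the
# post above (resolver names and addresses are placeholders).
OLD_IP, NEW_IP = "192.0.2.10", "203.0.113.10"
NAME = "mail.example.net"
FAKE_ANSWERS = {
    "good-resolver": {NEW_IP},           # honours the 5-minute TTL
    "isp-resolver":  {OLD_IP},           # still serving the pre-move record
    "round-robin":   {OLD_IP, NEW_IP},   # hands out both, old IP is dead
    "wildcard-isp":  {NEW_IP},           # correct here, but synthesises NXDOMAIN
}
WILDCARD_RESOLVERS = {"wildcard-isp"}

def fake_lookup(resolver, qname):
    """Stand-in for a real query: returns a set of A records, or None for NXDOMAIN."""
    if qname == NAME:
        return FAKE_ANSWERS[resolver]
    # Any other name does not exist; a broken resolver answers anyway.
    return {"198.51.100.53"} if resolver in WILDCARD_RESOLVERS else None

def classify(answers, expected):
    """Compare what a resolver returned with the authoritative answer set."""
    if not answers:
        return "no-answer"
    if answers == expected:
        return "current"
    if answers.isdisjoint(expected):
        return "stale"      # only pre-move addresses: TTL ignored
    return "mixed"          # old and new together: looks like round robin

def audit_resolvers(lookup, resolvers, name, expected, zone):
    """Query each resolver for `name` and for a random label under `zone`
    that cannot exist; a sane resolver returns NXDOMAIN (None) for the
    canary, so any answer means it is synthesising records."""
    canary = f"nx-{secrets.token_hex(6)}.{zone}"
    report = {}
    for r in resolvers:
        report[r] = {
            "verdict": classify(lookup(r, name), set(expected)),
            "wildcard": lookup(r, canary) is not None,
        }
    return report

if __name__ == "__main__":
    result = audit_resolvers(fake_lookup, FAKE_ANSWERS, NAME, {NEW_IP}, "example.net")
    for r, row in result.items():
        print(f"{r:14} {row['verdict']:10} wildcard={row['wildcard']}")
```
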