F23 System Wide Change: Default Local DNS Resolver

Ryan S. Brown ryansb at redhat.com
Mon Jun 1 19:25:18 UTC 2015


On 06/01/2015 01:55 PM, Jason L Tibbitts III wrote:
>>>>>> "RSB" == Ryan S Brown <ryansb at redhat.com> writes:
> 
> RSB> I disagree; for server & cloud deployments it doesn't make sense to
> RSB> duplicate a DNS server on *every* host, and if you care about
> RSB> DNSSEC you likely already run a trusted resolver.
> 
> I disagree generally in the case of server deployments.
> 
> Having a local caching resolver is pretty much essential, even though we
> all know it's just a workaround for glibc.
> 
> Basically, if you have properly functioning DNS on multiple local
> servers but don't have anything fancier like heartbeat-based IP handoff
> or a load balancing appliance or something, and the first resolver in
> resolv.conf goes offline, your hosts are screwed.  glibc's resolver code
> is simply horrible.  This is completely exclusive of DNSSEC issues.

I don't think it's essential for either the server or the cloud product.
Servers run in a much more reliable network than your average SOHO or
coffee shop setup, and their behavior with regard to DNS doesn't need a
local caching resolver. LAN DNS (probably with split horizon for
DC-internal services) is plenty fast and reliable, there isn't a need to
run a zillion instances of Unbound.

Also, I've run redundant LAN DNS servers in fairly large deployments,
and ns1 going down certainly hasn't "screwed" my hosts.

> Of course, most folks who have enough infrastructure to have their own
> DNS servers and such can easily figure out how to configure a local
> resolver if need be, so what's in the default setup really makes no
> difference.  And for the home user who might want to grab the server
> spin/product/whatever-we're-calling-it-this-week, well, I'd think they'd
> want the local resolver. 

I don't think so -- when I pull a fresh server image I expect there to
be very little running on it.

A local DNS resolver would certainly be a surprise to me. Again, this
comes back to the expectation that a server isn't hopping networks or
running somewhere un-trusted where there's a high risk of bad actors.

> What really concerns me is what happens with split DNS.  I assume I'll
> just need to configure the local resolvers to talk only to my resolvers,
> but this would really need to be documented.

-- 
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
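For the split-DNS case raised above, a local Unbound instance can be pointed only at the site's own resolvers with forward-zone stanzas. This is an added illustration, not configuration from the thread; the zone name corp.example and the resolver addresses 10.0.0.53 and 10.0.1.53 are placeholders.

```conf
# /etc/unbound/unbound.conf (added example; names and addresses are placeholders)
server:
    # Answer only on loopback so the cache is not reachable from the LAN.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Keep DNSSEC validation on for public names.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # The internal zone is unsigned and returns RFC1918 addresses; without
    # these two lines a validating Unbound would reject its answers.
    domain-insecure: "corp.example"
    private-domain: "corp.example"

# Internal zone: ask the DC resolvers, both listed for redundancy.
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
    forward-addr: 10.0.1.53

# Everything else also goes through the same trusted resolvers, so the host
# never talks to arbitrary upstream servers directly.
forward-zone:
    name: "."
    forward-addr: 10.0.0.53
    forward-addr: 10.0.1.53
```

Check the result with `unbound-checkconf` and then `dig +dnssec @127.0.0.1 <public name>` (expect the AD flag) and `dig @127.0.0.1 host.corp.example` (expect the internal answer).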

