Re: [Skunkworks] Reliable Public D.N.S. Servers...

Hi Michuki,
Noted!
On 8 December 2014 at 16:44, Michuki Mwangi <michuki.mwangi@gmail.com> wrote:
Hi Wash,
We did set up Anycast DNS for the F-Root and J-Root servers. They are still in place.
The Anycast DNS Root Instances are different from open DNS recursive servers. Root-Servers are authoritative in their responses and the recursive servers are not. This presents unique challenges to the DNS operator from a security and scalability point of view. That is why there are not many Open recursive servers on the Internet today.
Hope that helps,
Michuki.
On Dec 8, 2014, at 2:49 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
I suppose Michuki Mwangi did set up one anycast DNS node and it's somewhere at KIXP.
Mich - am I dreaming?
On 24 November 2014 at 11:05, Okechukwu via skunkworks <skunkworks@lists.my.co.ke> wrote:
In all my working life, I have never come across a situation where I MUST use forwarders; in those situations, views always work for me.
./Ok3ch
On Mon, Nov 24, 2014 at 8:29 AM, Adam Nelson <adam@varud.com> wrote:
You still need to communicate with other DNS servers - which ideally would be close.
This brings up a related issue. DNS resolution is one of the biggest problems with Kenyan Internet. The Google/OpenDNS nodes are off-continent and because the traffic is UDP, are highly susceptible to the packet loss problems discussed last week.
Having just one major anycast DNS node in East Africa would be a "big deal". Having that node be a primary DNS server for local ISP DHCP configurations would be an even bigger deal.
By major I mean one with enough queries that the cache hit ratio is up above 50%. This is more of a problem these days because everybody is using short TTLs for their records ... which means that the cache timeout is low and you need a lot of traffic to not be constantly going to authoritative name servers which are far away.
-- Kili - Cloud for Africa: kili.io Musings: twitter.com/varud More Musings: varud.com About Adam: www.linkedin.com/in/adamcnelson
On Mon, Nov 24, 2014 at 10:15 AM, Okechukwu via skunkworks <skunkworks@lists.my.co.ke> wrote:
Is there a real compelling reason why you cannot have your own DNS for your own recursive queries?
./Ok3ch
On Fri, Nov 21, 2014 at 1:52 PM, Michael Bullut via skunkworks <skunkworks@lists.my.co.ke> wrote:
Greetings Listers,
Apart from OpenDNS and Google Public D.N.S., which other public D.N.S. servers can I configure my forwarders with?
Warm regards,
Michael Bullut.
---
Cell: +254 723 393 114. Skype Name: Michael Bullut. Twitter: @Kipsang Blog: http://www.kipsang.com/ E-mail: main@kipsang.com
---
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 "I can't hear you -- I'm using the scrambler."

Maybe we need to set up one open dns for KE. I would love to contribute to such if there is none :)
Michuki - can you lead this pls:)? You are our father(s) in this industry.
Kind Regards, Wilson./
On 8 December 2014 at 16:49, Odhiambo Washington via skunkworks <skunkworks@lists.my.co.ke> wrote:
Hi Michuki,
Noted!

It ain't easy. You'd want to have a dedicated team to run the Open Relay. Why?
- You'll have reflection attacks <http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/> being launched using your network
- You'll be a prime target for DNS cache poisoning attacks
- You'll have to handle security very seriously. Compromising your servers would be very rewarding for naughty people. Imagine this: Full control of DNS for 10's of thousands of machines... How many of them visit PayPal, local banks? SSH MITM?
On Tue, Dec 9, 2014 at 1:07 PM, Thuo Wilson via skunkworks <skunkworks@lists.my.co.ke> wrote:
Maybe we need to set up one open dns for KE. I would love to contribute to such if there is none :)
Michuki - can you lead this pls:)? You are our father(s) in this industry.
Kind Regards, Wilson./
participants (3)
- Laban Mwangi
- Odhiambo Washington
- Thuo Wilson