1. Scope/Audience

  1. When considering a recursive DNS resolver:
    1. Is the resolver service public or private?
    2. Is the resolver service open or closed?
  2. Clarification:
    1. Public: can be reached over the open internet (public IP address, not restricted)
    2. Private: cannot be reached over the open internet (private IP address, or ACL restrictions, or a combination)
    3. Open: reachable by, and responds to queries from any client
    4. Closed: requires authentication of some sort to be used
      1. IP address, TSIG, TLS cert (DoT)

2. In practice, the following services are found on the internet:

  1. Private - Found in corporate / restricted networks, not publicly accessible.
  2. Shared Private Resolvers - ISPs or similar hosting service providers
  3. Closed & Public Resolvers (not covered)
    • Commercial DNS filtering / scrubbing service (DNSfilter, OpenDNS, …). Access is determined either by the source IP address or by some other mechanism (TSIG key, TLS certificate). These service providers are typically NOT Internet Service Providers, and the clients sending the queries are located on remote networks.
  4. Open & Public Resolvers (not covered)
    • In this group we have “fully open” public DNS resolvers such as Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, Quad9’s 9.9.9.9, etc. All users on the Internet are free to use the service, whether they are stub resolvers (clients) or recursive servers using the open resolver as a forwarding service.

3. In the context of KINDNS

  • We make recommendations for the categories “Private resolvers” and “Shared private resolvers”
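
An added example (not part of the KINDNS page): a Python audit that reads an Unbound-style `interface:` / `access-control:` fragment and reports where a resolver falls on the public/private and open/closed axes defined above. The sample configurations are constructed, documentation prefixes stand in for public addresses, and the single "public address, ACL-restricted" bucket is an assumption, since the page separates shared private from closed & public resolvers by who the clients are rather than by configuration.

```python
import ipaddress

# Space not reachable over the open internet (RFC 1918, loopback, CGNAT,
# link-local, IPv6 ULA). Everything else is treated as public.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_public(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # interface name or unparsable value: assume the worst
    # 0.0.0.0 and :: (bind to every interface) also count as public here.
    return not any(ip.version == n.version and ip in n for n in NON_PUBLIC)

def audit(conf):
    interfaces, open_acl = [], False
    for raw in conf.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            interfaces.append(value.split("@")[0])  # drop optional @port
        elif key == "access-control":
            netblock, action = value.split()[:2]
            net = ipaddress.ip_network(netblock, strict=False)
            # An allow rule on 0.0.0.0/0 or ::/0 answers any client.
            if net.prefixlen == 0 and action in ("allow", "allow_snoop"):
                open_acl = True
    # With no interface line Unbound listens on localhost only.
    public = any(is_public(i) for i in interfaces or ["127.0.0.1"])
    if public and open_acl:
        category = "open & public"
    elif public:
        category = "public address, ACL-restricted"
    else:
        category = "private"
    return {"public_address": public, "open_acl": open_acl, "category": category}

# Constructed samples; 192.0.2.0/24 and 198.51.100.0/24 stand in for public space.
SAMPLES = {
    "enterprise": "server:\n  interface: 10.0.0.53\n  access-control: 10.0.0.0/8 allow\n",
    "isp": "server:\n  interface: 192.0.2.53\n  access-control: 0.0.0.0/0 refuse\n"
           "  access-control: 198.51.100.0/24 allow\n",
    "exposed": "server:\n  interface: 0.0.0.0\n  access-control: 0.0.0.0/0 allow\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(name, audit(conf))
```

The check only looks for an allow rule covering the whole address space; it does not model more specific deny rules, firewalling in front of the resolver, or TSIG/DoT client authentication.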

Recursive Server for Enterprise Network, ISPs (Closed & Private Resolvers)

...