1. Scope/Audience
- When considering a recursive DNS resolver:
- Is the resolver service public or private?
- Is the resolver service open or closed?
- Clarification:
- Public: can be reached over the open internet (public IP address, not restricted)
- Private: cannot be reached over the open internet (private IP address, or ACL restrictions, or a combination)
- Open: reachable by, and responds to queries from any client
- Closed: requires authentication of some sort to be used
- e.g. source IP address, TSIG key, TLS client certificate (DoT)
2. In practice, the following services are found on the internet:
- Private Resolvers: found in corporate / restricted networks, not publicly accessible.
- Shared Private Resolvers: ISPs or similar hosting service providers.
- Public Resolver Operators: commercial DNS filtering / scrubbing services.
- Recursive Server for Enterprise Network, Cable Service, VPN
...
- Service
- Must
- Limit Access
- Enable DNSSEC Validation
- May
- Enable Encrypted Look-Up (DNS-over-TLS, DoT)
- Enable DNS-over-HTTPS (DoH)
- System
- Must
- Limit Access
- Limit Services to Need
- Should
- Document implementation
- Maintain Version Control
- Monitor service performance, intrusions, errors, etc.
- Network
- Must
- Limit Access
- Limit Services to Need
- Should
- Documentation
- Version Control
- Monitoring for intrusions, errors, etc.
...
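As an added illustration of the open/closed distinction in section 1 and of the "Limit Access", "Enable DNSSEC Validation" and encrypted look-up items above, here is a BIND 9.18-style named.conf fragment written for this page; it is not taken from the page or from any operator listed on it. The commented-out first block is the open-resolver setting, the rest is the closed form. The client networks, file paths, TLS name and log path are placeholders.

```conf
// Added example (not from the original page): BIND 9.18-style named.conf
// contrasting an OPEN recursive resolver with a CLOSED one.
// Network ranges, paths and names are placeholders chosen for illustration.

// --- Weak form: an open resolver. Anyone who can reach the socket gets recursion.
// options {
//     recursion yes;
//     allow-recursion { any; };     // open: no client restriction at all
//     dnssec-validation no;         // forged answers are not rejected
// };

// --- Corrected form: a closed resolver ("Limit Access" at the service layer).
acl "clients" {
    localhost;            // the resolver host itself
    192.0.2.0/24;         // placeholder IPv4 client range (RFC 5737 documentation prefix)
    2001:db8::/32;        // placeholder IPv6 client range (RFC 3849 documentation prefix)
};

// TLS material for the DoT / DoH listeners (paths are placeholders).
tls "resolver-tls" {
    key-file  "/etc/bind/tls/resolver.key";
    cert-file "/etc/bind/tls/resolver.crt";
};

options {
    directory "/var/cache/bind";

    // Plain DNS on 53 plus the MAY items: DoT on 853 and DoH on 443.
    listen-on    port 53  { any; };
    listen-on-v6 port 53  { any; };
    listen-on    port 853 tls "resolver-tls" { any; };
    listen-on-v6 port 853 tls "resolver-tls" { any; };
    listen-on    port 443 tls "resolver-tls" http default { any; };
    listen-on-v6 port 443 tls "resolver-tls" http default { any; };

    // "Limit Access": queries, recursion and cache are served only to the ACL;
    // everyone else receives REFUSED.
    recursion yes;
    allow-query       { clients; };
    allow-recursion   { clients; };
    allow-query-cache { clients; };

    // "Enable DNSSEC Validation": use the built-in root trust anchor and
    // answer SERVFAIL for data that fails validation.
    dnssec-validation auto;

    // "Limit Services to Need": no zone transfers, no version disclosure.
    allow-transfer { none; };
    version "not disclosed";

    // Response rate limiting blunts reflection abuse from spoofed sources.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

// "Monitoring" (Should): keep refused queries and validation failures in one log.
logging {
    channel security_log {
        file "/var/log/named/security.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category security { security_log; };
    category dnssec   { security_log; };
};
```

Run `named-checkconf` on the file before reloading. The service-layer ACL is only one of the page's three layers: the Network "Limit Access" item still needs the equivalent filter on the host firewall or upstream router, so that a misconfigured ACL does not silently turn the resolver back into an open one.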