1. Scope/Audience

  1. When considering a recursive DNS resolver, ask two questions:
    1. Is the resolver service public or private?
    2. Is the resolver service open or closed?
  2. Clarification:
    1. Public: can be reached over the open internet (public IP address, not restricted)
    2. Private: cannot be reached over the open internet (private IP address, ACL restrictions, or a combination)
    3. Open: reachable by, and responds to queries from, any client
    4. Closed: requires authentication of some sort to be used
      1. Client IP address, TSIG key, or TLS certificate (DoT)

2. In practice, the following services are found on the internet:

  1. Private Resolvers - found in corporate / restricted networks, not publicly accessible.

  2. Shared Private Resolvers - run by ISPs or similar hosting service providers for their own customers.

  3. Public Resolver Operators - commercial DNS filtering / scrubbing services.

Recursive Server for Enterprise Network, Cable Service, VPN

...

  1. Service
    1. Must
      1. Limit access
      2. Enable DNSSEC validation
    2. May
      1. Enable encrypted look-up (DNS-over-TLS)
      2. Enable DoH
  2. System
    1. Must
      1. Limit access
      2. Limit services to need
    2. Should
      1. Document implementation
      2. Maintain version control
      3. Monitor service performance, intrusions, errors, etc.
  3. Network
    1. Must
      1. Limit access
      2. Limit services to need
    2. Should
      1. Document implementation
      2. Maintain version control
      3. Monitor for intrusions, errors, etc.
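The "Service" requirements above map directly onto resolver configuration. As an added example (not from this page or from any project it describes), the Unbound fragment below shows the weak, open settings commented out beside the closed, DNSSEC-validating, DoT/DoH-enabled form; the interface address, client ranges, and file paths are assumed placeholders.

```conf
# Added example, not from the original page. Addresses, ranges and paths are assumed.
server:
    # --- Weak setting: a public, open resolver (answers recursive queries for anyone) ---
    # interface: 0.0.0.0
    # access-control: 0.0.0.0/0 allow
    # val-permissive-mode: yes          # would pass DNSSEC-bogus answers to clients

    # --- "Must: Limit access" -> private and closed by network ACL ---
    interface: 10.0.0.53                 # assumed internal address, not 0.0.0.0
    access-control: 10.0.0.0/8 allow     # assumed enterprise / VPN client range
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse     # everyone else gets REFUSED
    access-control: ::0/0 refuse

    # --- "Must: Enable DNSSEC validation" ---
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path (RFC 5011 managed)
    val-permissive-mode: no              # bogus answers become SERVFAIL, not pass-through
    harden-dnssec-stripped: yes          # reject unsigned data from signed zones
    val-log-level: 1                     # log validation failures (feeds the monitoring item)

    # --- "Limit services to need": do not advertise more than required ---
    hide-identity: yes
    hide-version: yes

    # --- "May: Enable encrypted look-up (DNS-over-TLS)" -> closed by TLS on port 853 ---
    interface: 10.0.0.53@853
    tls-port: 853
    tls-service-key: "/etc/unbound/resolver.key"   # assumed file names
    tls-service-pem: "/etc/unbound/resolver.pem"

    # --- "May: Enable DoH" (same certificate; Unbound 1.12 or later) ---
    interface: 10.0.0.53@443
    https-port: 443
```

Run `unbound-checkconf` after editing to catch syntax errors before reloading the service.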

...