[afnog] Decreasing Access Time to Root Servers DNS by Running One on Loopback
Nishal Goburdhan
nishal at controlfreak.co.za
Fri Nov 27 07:13:50 UTC 2015
On 26 Nov 2015, at 0:38, Mathias HOUNGBO wrote:
> FYI
>
> Some DNS recursive resolvers have longer-than-desired round-trip
> times to the closest DNS root server. Some DNS recursive resolver
> operators want to prevent snooping of requests sent to DNS root
> servers by third parties. Such resolvers can greatly decrease the
> round-trip time and prevent observation of requests by running a copy
> of the full root zone on a loopback address (such as 127.0.0.1).
> This document shows how to start and maintain such a copy of the root
> zone that does not pose a threat to other users of the DNS, at the
> cost of adding some operational fragility for the operator.
…just don’t forget the note lower down in the rfc that says:
“It is important to note that the design being described here is not
considered a "best practice". In fact, many people feel that it is
an excessively risky practice because it introduces a new operational
piece to local DNS operations where there was not one before.”
—n.
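For readers who want to see what the "copy of the full root zone on a loopback address" in the quoted abstract looks like in a resolver configuration, below is an added example: an Unbound `auth-zone` stanza written for this post, not taken from the thread or from the RFC itself. It assumes Unbound 1.9 or later (where `auth-zone` exists), that the listed root-server hostnames are reachable for zone transfer, and a zone-file path of `/var/lib/unbound/root.zone`; adjust for your installation.

```conf
# Added example (not from the original thread): keep a local root zone copy
# for Unbound's own use, in the spirit of RFC 7706.
server:
    # ... your existing server options ...

auth-zone:
    name: "."
    # Transfer the zone (AXFR/IXFR) from root servers that allow it;
    # Unbound resolves these hostnames itself.
    master: "b.root-servers.net"
    master: "c.root-servers.net"
    master: "f.root-servers.net"
    master: "g.root-servers.net"
    master: "k.root-servers.net"
    # Alternatively (or in addition), fetch the zone file over HTTPS.
    url: "https://www.internic.net/domain/root.zone"
    # Use the local copy only to answer Unbound's own recursion.
    for-upstream: yes
    # Never serve it to clients as if this host were an authoritative
    # root server; that is the "threat to other users of the DNS" the
    # abstract refers to.
    for-downstream: no
    # If the copy cannot be refreshed and expires, fall back to normal
    # recursion to the real root servers instead of failing resolution.
    # This is the guard against the "operational fragility" the RFC warns about.
    fallback-enabled: yes
    zonefile: "/var/lib/unbound/root.zone"  # assumed path
```

After reloading, a quick freshness check is to compare the SOA serial the resolver holds with one from a public root server, e.g. `dig @127.0.0.1 . SOA +norec` against `dig @k.root-servers.net . SOA +norec`; a serial that stops advancing is the sign that the transfers are failing and the fallback is what is keeping resolution working.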