#1 Untangler (Join Date: May 2009, Posts: 37)

    UT Bridged install - Local DNS vs ISP DNS

    Hi Guys,

    Still getting my hands wrapped around this new install but quick question.

    Is there better performance or security to be gained by using a local DNS server as opposed to the ISP's DNS? As mentioned, this is a bridged install and it is currently set up to use the external ISP DNS (seems faster than local DNS), and all module functionality works, so are there real benefits from using one versus the other?

    Thanks!

#2 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,241)

    The DNS service in UT can cache DNS lookups to the web. It can help increase performance and reduce load on your WAN link.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Untangler (Join Date: May 2009, Posts: 37)

    > Originally Posted by sky-knight
    > The DNS service in UT can cache DNS lookups to the web. It can help increase performance and reduce load on your WAN link.

    So there really isn't any benefit to using either setup then? But for a best-practice deployment, should I use internal DNS or external DNS for bridged mode?

#4 Untanglit (Join Date: Mar 2009, Posts: 23)

    There are really three questions here:

    1) Internal vs External DNS
    2) Root Hints vs forwarding to the ISP DNS or OpenDNS
    3) Should your router/gateway also provide DNS

    Answers to Question 1:

    If you are running Active Directory, you pretty much "must" use your AD server's DNS and DHCP. To not do so will nearly always result in much pain. Seriously. Really really seriously. MUCH pain.

    Internal DNS is faster because it can cache duplicate requests from multiple systems. Pretty much any router will usually do this.

    Internal DNS allows you to resolve internal hostnames to private IPs. So your desktop can find your printer and NAS without having to do static ips, hosts files, or hoping that broadcast requests will work.

    If you have mobile devices, a somewhat more feature-rich DNS such as Untangle's is a good idea. You can configure your internal DNS to resolve multiple public hostnames to multiple appropriate private IPs, while external DNS resolves those same public hostnames to a single public IP. Real-world example: untangle.company.com, remote.company.com, switchvox.company.com and ftp.company.com all have the same public IP, and are forwarded to separate internal servers based on ports. Internally, they are resolved directly to the separate internal servers by their internal IPs and avoid any potential firewall/router/etc. issues.

    Another consideration is privacy. Your DNS server knows every site accessed from your network. Pretty good way to profile your usage.

    So, pretty much, always run internal DNS on a network.

    Answers to Question 2:

    Root hints are the preferred and fastest way to work, if you have a good internal DNS server. This would be the proper way to configure a Microsoft DNS server for example. Root hints are faster, and preserve your privacy, give you the most control, and are the most up to date. (No worries about your query being lost, directed to an out of date IP, or redirected to a "preferred alternate")

    Avoid using your ISP's DNS. They are often slow, less reliable, and track what web sites you access for marketing purposes. There have also been instances where ISPs "failed to resolve" services they didn't happen to like for one reason or another, or redirected a request to a service they preferred. The speed is a big issue. Slow DNS can really kill a complex web page, with DNS lookups taking longer than the file transfer times. I will sometimes put the ISP's servers as the last ones to forward to, just for redundancy if OpenDNS's systems aren't reachable.

    OpenDNS is a respected and fast free public DNS service, and when I do use a forwarder, I use them. Much faster than Comcast or AT&T in my personal experience in my area. You also get some nice free bonus features, like phishing site blocking, good content filtering, logging and reporting. They make money off of displaying search results for bad DNS requests. While I don't believe they're selling the list of web sites you visited last month there's no telling what could change in the future. (I'm rather surprised Google doesn't offer some sort of public DNS service for that very reason.)

    Answers to Question 3

    I am a bit paranoid and a bit of a control freak. I don't want malware or adventurous users accessing just any old DNS server. (I also disable lmhosts/hosts access and enforce DNS settings via group policy.) I run my DNS off my Active Directory server, and have Untangle block all outgoing DNS requests from any system on my network other than that server. (I do the same for SMTP as well, after an infection got us on some spam blacklists.) I can easily disable the rule for the occasional troubleshooting session.
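The design in post #4 combines two ideas: split-horizon resolution (Question 1, the company.com hostnames that resolve to private IPs inside and one public IP outside, with unknown names forwarded to OpenDNS first and the ISP last) and an egress rule (Question 3, only the internal DNS server may send DNS traffic out of the network). The following is an added example modelling both, written for this thread; it is not Untangle's code or configuration. The hostnames, addresses (documentation ranges), the stubbed "upstream" table and the connection records are constructed for the example; the OpenDNS resolver addresses are the real public ones.

```python
"""Added example: split-horizon resolver model plus a DNS egress audit.

Not Untangle code. All hostnames, private/public addresses, upstream
answers and connection records below are constructed for illustration.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True if addr falls in an RFC 1918 range (our 'inside' view)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class SplitHorizonResolver:
    """Internal names get private IPs for inside clients and the shared
    public IP for everyone else; other names go to forwarders in order."""

    def __init__(self, internal_zone: Dict[str, str], public_ip: str,
                 forwarders: List[str],
                 forward_fn: Callable[[str, str], Optional[str]]):
        self.internal_zone = {k.lower(): v for k, v in internal_zone.items()}
        self.public_ip = public_ip
        self.forwarders = forwarders          # tried in order, ISP last
        self.forward_fn = forward_fn          # (forwarder_ip, name) -> ip|None

    def resolve(self, name: str, client_ip: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (answer, source); source names the view or forwarder used."""
        name = name.lower().rstrip(".")
        if name in self.internal_zone:
            if is_internal(client_ip):
                return self.internal_zone[name], "internal-zone"
            return self.public_ip, "public-view"
        for fwd in self.forwarders:          # fall through on unreachable
            answer = self.forward_fn(fwd, name)
            if answer is not None:
                return answer, fwd
        return None, None


# Constructed forwarder list: OpenDNS (real public addresses), ISP last.
FORWARDERS = ["208.67.222.222", "208.67.220.220", "198.51.100.1"]
_DOWN = {"208.67.222.222"}                   # constructed: primary unreachable
_UPSTREAM_TABLE = {"www.example.net": "203.0.113.20"}   # constructed answers


def fake_upstream(forwarder: str, name: str) -> Optional[str]:
    """Stand-in for a real forwarder query; None means no answer/unreachable."""
    if forwarder in _DOWN:
        return None
    return _UPSTREAM_TABLE.get(name)


def build_example_resolver() -> SplitHorizonResolver:
    internal_zone = {                         # constructed split-horizon zone
        "untangle.company.com": "192.168.1.10",
        "remote.company.com": "192.168.1.20",
        "ftp.company.com": "192.168.1.30",
    }
    return SplitHorizonResolver(internal_zone, "198.51.100.5", FORWARDERS, fake_upstream)


# Constructed connection records: "src_ip dst_ip proto dport".
EXAMPLE_RECORDS = [
    "192.168.1.10 208.67.220.220 udp 53",   # DNS server -> listed forwarder: fine
    "192.168.1.55 203.0.113.53 udp 53",     # workstation bypassing internal DNS
    "192.168.1.10 203.0.113.99 tcp 53",     # DNS server -> unlisted resolver
    "192.168.1.55 192.168.1.10 udp 53",     # internal query, stays inside
    "192.168.1.55 203.0.113.80 tcp 443",    # not DNS
]


def audit_dns_egress(records: List[str], dns_server: str,
                     forwarders: List[str]) -> List[Tuple[str, str, str]]:
    """Flag DNS traffic leaving the network that violates the post's rule.

    The forwarder check assumes forwarding mode; a root-hints server
    legitimately talks to many external addresses, so drop it in that case.
    """
    findings = []
    for line in records:
        src, dst, _proto, dport = line.split()
        if int(dport) != 53 or is_internal(dst):
            continue                          # not an outbound DNS query
        if src != dns_server:
            findings.append((src, dst, "host other than the DNS server querying external DNS"))
        elif dst not in forwarders:
            findings.append((src, dst, "DNS server forwarding to an unlisted resolver"))
    return findings


if __name__ == "__main__":
    r = build_example_resolver()
    print(r.resolve("untangle.company.com", "192.168.1.50"))
    print(r.resolve("untangle.company.com", "203.0.113.77"))
    print(r.resolve("www.example.net", "192.168.1.50"))
    for f in audit_dns_egress(EXAMPLE_RECORDS, "192.168.1.10", FORWARDERS):
        print("VIOLATION:", *f)
```

The resolver returns which view or forwarder produced each answer, which is the quickest way to see that an inside client got a private address while an outside client got the shared public one, and that a dead primary forwarder falls through to the next. The audit is the detection side of the egress rule: when it is enforced on the gateway, the second and third records are exactly the flows that would be dropped, and the same logic over real flow logs shows whether anything is still trying to go around the internal server.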
