4

I'm one of the network operations leads for an ISP and one of our business customers is complaining his emails won't work due to our lack of a DNS server. We opted not to stand up DNS since many other companies with a much larger amount of resources operate their own; our DHCP option 6 actually uses Google DNS. We are a small, new ISP that really does not have the resources to manage and deal with all the work that comes with DNS, so how would I help this guy? It seems my only option is to stand up a DNS server that gives an authoritative response for their DNS. Can anyone offer other options that would work for us, without having to stand up our own DNS server?

I'm sure some of you don't think DNS is that much work, but for only one admin, it can get overbearing especially when you do software dev on the side of all administration.

Alex Manley
    You probably know this already, but make sure you've read [Google's FAQ on ISPs pointing to Google DNS](https://developers.google.com/speed/public-dns/faq#im_running_an_isp_can_i_redirect_all_my_users_to_google_public_dns). There is no SLA, and if Google DNS becomes unavailable most of your customers will experience an all-services-down event. Customers like to complain about ISP DNS servers being bad and how everyone should just use Google DNS or OpenDNS, but they will just as quickly blame you for not providing dedicated DNS infra and pointing them at Google DNS. – Andrew B Jun 23 '15 at 21:53
  • @AndrewB I am aware of this, however we've not had any problems.... yet... I do expect to stand up DNS eventually. It's just not that high of a priority. We're very small so I've limited time on everything I do. – Alex Manley Jun 23 '15 at 22:03
  • Fair enough. :) Just making sure you've put some thought into that in the long term. – Andrew B Jun 23 '15 at 22:06
  • If you are a *new* ISP I am surprised that you have been delegated large chunks of IP4 space at all (large enough to become responsible for reverse DNS in the first place)!? – Hagen von Eitzen Jun 24 '15 at 10:03
  • @HagenvonEitzen we don't have any large blocks, 2x /22s. Plus DNS isn't dependent on the size of the IP space. We could have set it up long ago, there was just no need for it. – Alex Manley Jun 24 '15 at 16:57
  • @AndrewB Is that link being kept up to date? It suggests you need to be using a white listed ISP in order to see any AAAA records. As far as I know Google entirely stopped that practice more than three years ago. – kasperd Jun 24 '15 at 17:35
  • @kasperd Google is as Google does...they'll change it when and if they feel like it. – Andrew B Jun 24 '15 at 17:41
  • 1
    @AlexManley Well 2x /22 is certainly "large enough" in this context - after all that's 8 class-C blocks (and more than *any* ISP could have obtained from RIPE since 2012, don't know about the other regions). As far as I remember (but I may be wrong), the IPv4 registrars (RIPE, APNIC, ...) would quite strongly suggest that you set up rDNS for these /24 blocks. Anyway you really should (cf. AndrewB's excellent answer) because mail servers are the first (but not the last) that complain about the lack of rDNS ... – Hagen von Eitzen Jun 25 '15 at 18:28
  • 1
    @Hagen [Another comment below](http://serverfault.com/questions/701102/email-exchange-issues-due-to-lack-of-rdns/701115#comment867965_701134) has cleared this up a bit; the upstream provider is holding the rDNS right now, which explains why the applicable internet registry hasn't been knocking down the door. – Andrew B Jun 25 '15 at 18:50

3 Answers

15

If you're an ISP, you really ought to have authoritative DNS servers that handle the reverse DNS for your networks. Not having them is somewhat akin to operator suicide; your biggest business customers are going to expect it, and if you don't have a contingency for this they're going to pack up their bags and move elsewhere.

This isn't to say that you're stuck micromanaging reverse DNS for all of your customers. You just need to have enough of an infrastructure built out that affords you some flexibility in meeting the needs of the business:

  • Get all of your reverse DNS pointed at servers you control ahead of time. It's strongly recommended to create generic PTR records for all of your IP space with matching forward (A/AAAA) records. At a bare minimum you need the reverse DNS pointing at servers you control, and the servers must be correctly configured so as to not return responses of REFUSED or SERVFAIL.
  • Encourage your large customers (/24 of IP space or more) to set up their own DNS servers and delegate authority for their IP space to their DNS servers. At that point they can manage all of their IP space without having to call you: everyone wins.
  • Delegating less than a /24 is a headache due to the fact that IPv4 reverse DNS was designed with classful networking in mind. While there are some strategies for making this work that are rooted in BCP20 (RFC 2317), this is probably more work than you're looking to do and the BCP is somewhat debated; this link has shown up in the top search engine results for RFC 2317 for years.
  • Be prepared to make exceptions for customers you want to keep.
  • Be prepared for your managers to tell you that you're going to make exceptions for certain customers.
  • Do not skimp on geo redundancy. You need DNS servers that are not located in the same datacenter or sharing an upstream network peer. Failing to take this into consideration will be a lesson in just how volatile internet routing can be. If you're too small to fulfill this need yourself, you should look into a hosted DNS solution with a bulletproof reputation.

If you follow the advice above you'll at least be in a much better place than you were before, and have the flexibility to roll with the punches as needed.

Andrew B
  • Thanks so much for the in depth response, I will have to look over it a little more with my colleagues here to determine what our best course of action is. Thanks again! – Alex Manley Jun 23 '15 at 21:26
  • 6
    @Alex Remember to upvote if you find an answer useful; more than just being nice, it bumps the Q&A back to the front page and increases odds that others will contribute to (or critique) the discussion. – Andrew B Jun 23 '15 at 21:28
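As an added illustration of the first three bullets in the answer above (example code, not from the answer or from any ISP's own tooling): this Python generates generic PTR records with matching forward A records for a prefix, checks that each pair is forward-confirmed (the FCrDNS test mail receivers commonly apply), and emits the RFC 2317 NS/CNAME records that hand a sub-/24 block to a customer's own name servers. All prefixes and host names are constructed placeholders.

```python
"""Generic PTR/A records for an ISP prefix plus RFC 2317 records that
delegate a smaller-than-/24 block. Added example; every prefix and
host name here is constructed, not taken from the original post."""
import ipaddress

def reverse_zone_name(net24):
    """/24 network -> its in-addr.arpa zone name, e.g. 2.0.192.in-addr.arpa."""
    o = str(net24.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."

def generic_records(prefix, domain):
    """Return (ptr_lines, a_lines) covering every host in prefix.
    192.0.2.17 -> PTR 192-0-2-17.<domain>. and a matching A record."""
    ptrs, fwds = [], []
    for ip in ipaddress.ip_network(prefix).hosts():
        name = f"{str(ip).replace('.', '-')}.{domain}."
        ptrs.append(f"{ip.reverse_pointer}. IN PTR {name}")
        fwds.append(f"{name} IN A {ip}")
    return ptrs, fwds

def forward_confirmed(ptr_lines, a_lines):
    """True if every PTR target has an A record pointing back to the
    same address (forward-confirmed reverse DNS)."""
    a_map = {l.split()[0]: l.split()[3] for l in a_lines}
    for l in ptr_lines:
        rev, target = l.split()[0], l.split()[3]
        # reverse_pointer is d.c.b.a.in-addr.arpa -> rebuild a.b.c.d
        ip = ".".join(rev.split(".")[:4][::-1])
        if a_map.get(target) != ip:
            return False
    return True

def rfc2317_delegation(customer_prefix, customer_ns):
    """Records for the parent /24 reverse zone that hand a sub-/24 block
    to the customer's name servers (FQDNs with trailing dot), using the
    RFC 2317 '<first-octet>/<len>' sub-zone label: NS records for the
    sub-zone plus one CNAME per address pointing into it."""
    net = ipaddress.ip_network(customer_prefix)
    if net.prefixlen <= 24:
        raise ValueError("a /24 or larger can be delegated directly")
    zone = reverse_zone_name(net.supernet(new_prefix=24))
    sub = f"{int(net.network_address) & 0xFF}/{net.prefixlen}.{zone}"
    lines = [f"{sub} IN NS {ns}" for ns in customer_ns]
    for ip in net:
        last = int(ip) & 0xFF
        lines.append(f"{last}.{zone} IN CNAME {last}.{sub}")
    return lines
```

A business customer's mail server will usually still want a custom PTR (and matching A) overriding the generic name for its own address; the delegation path lets the customer manage that themselves.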
5

I'm one of the network operations leads for an ISP and one of our business customers is complaining his emails won't work due to our lack of a DNS server

Some clarification of the problem would be helpful. Saying that your customer is having problems because of your lack of DNS doesn't really tell us much about the nature of the problem, although we can all guess that it's probably related to reverse DNS.

We are a small, new ISP that really does not have the resources to manage and deal with all the work that comes with DNS

I'm sorry. You chose to enter a business that requires certain "investments" from you (technical and financial). If you're not capable of or willing to take responsibility for those "investments" then you ought not to be in that business.

It seems my only option is to stand up a DNS server, and with an authoritative response for their DNS.

Again, clarification is needed. I'm failing to see why you would need to host his forward lookup DNS zone, but the reverse lookup zone is another matter altogether.

joeqwerty
  • I apologize for not being more clear. It's not that I don't have the know-how and resources to accomplish this task, it's the fact that only one of our customers is experiencing an issue. We don't do their forward lookups, their web host does. It's a little far-fetched to me to stand up DNS for one 5-person company. No need to assume I don't have the technical and financial resources to set this up, I'm just wondering if there is a workaround for a one-off customer like this. If you can't answer the question, don't post. If you want clarification use comments, not answers. rDNS is in my title. – Alex Manley Jun 24 '15 at 16:53
  • 1
    @Alex To be fair, he's correct on the point of rDNS; managing it comes with being an ISP. If you're getting IP space from ARIN/RIPE/APNIC/etc., ownership of the reverse DNS comes with the territory. If you allocate that IP space to your customers, the onus falls to you make it so that the customer can manage the reverse DNS if you aren't willing to. – Andrew B Jun 24 '15 at 17:45
  • 1
    @AlexManley - I get it, but details are best served in the body of your question, not presumed from the title. That being said, the more detailed you are in your question the better we can provide informed answers. My point about the "investments" is that if you've taken on the business of being an ISP then you ought to take on the full responsibilities of that, which means managing the rDNS zones for the IP addresses you're allocating to your customers. – joeqwerty Jun 24 '15 at 17:46
  • Joe has a point. If my business ISP shrugged when I asked about DNS I would assume they were either joking or simply didn't actually want my business. It's a lot like starting a taxi company with cabs, drivers... And no means of working out fares. – Rob Moir Jun 24 '15 at 19:31
  • To be clear, we never shrugged off the idea of standing DNS up, we just wanted a cheaper option if it existed. Our IP space is not allocated by ARIN but rather by our upstream provider, who does DNS for us. We've contacted them to be authoritative for our IP space for now. Just waiting for a response. In the meantime I'll be setting one up for future use and will use @AndrewB's recommendations above during configuration. – Alex Manley Jun 25 '15 at 17:10
1

Perhaps you could contract the DNS out to a third party if you are not comfortable doing it yourself. Then you would get an SLA, which you wouldn't get through Google or OpenDNS.

teambob
  • 1
    The problem being described is an issue with authoritative DNS. The Google DNS topic in the comments is unrelated to the actual problem. – Andrew B Jun 24 '15 at 15:50