The entire world should send <A HREF="http://66.241.235.123/crc/webdev/internetHistory/people/index.cfm?action=paulMockapetris">Paul Mockapetris</a> a present this week. The Domain Name System (DNS) is 20 years old.

In Internet time, Mockapetris’s brainchild is as old as the sun and the moon, and shares the spotlight with IPv4 as the most broadly implemented standards in Internet history. Unlike IPv4, however, we haven’t seen a bunch of band-aids on DNS. There are a few warts, such as the lack of true authentication, the staggering amount of invalid DNS queries seen by the root servers, and the various exploits in BIND over the years (though those can’t be blamed on the DNS architecture). Overall, the domain name system is a model of scalability.

Of course, there are more than a few folks that simply haven’t gotten it yet. Microsoft, for instance, has finally seen the light vis-à-vis the horrific shortcomings of WINS and migrated all service definitions and network browsing code to use DNS. Of course, they had to pull their “embrace and extend” BS and create rafts of subdomains and default entries containing illegal characters (_msdcs.jpj.net anyone?).

On the other side are the folks that insist that DNS needn’t be handled internally on the small network. This places the onus on the ISP, and impinges on the ability to differentiate between internal and external hosts. I was recently called in to determine the cause of multiple problems on a 60-user network with a single T1 to the Internet. A simpler network is hard to find, but the problems faced by this network were severe. Most of the identified issues — sluggish performance, inaccessibility of certain sites, failure of some audit logging — were directly related to the fact that there was no internal DNS server, and all queries were pushed to the ISP’s nameservers.
Granted, this will work for some purposes, such as browsing to www.theonion.com, but name resolution for local servers must then be handled by another name service, such as NIS, NIS+ or WINS. Of course, if there’s no DNS, the likelihood of NIS or NIS+ existing is slim. WINS will work for Windows network protocols, but not for other queries. Once I’d implemented a local DNS server with valid forward and reverse records for all servers and DHCP scope addresses, the network got perceptibly faster, all resources that should have been accessible were suddenly available, and 70 systems weren’t wasting bandwidth on the single T1 by querying servers in another state for DNS.

I’ve commented on DNS structure before; there’s no need to go into it any further here. Suffice it to say that DNS for a small to medium-sized network is a very light service, and should absolutely be implemented internally.

For external DNS, the use of stealth masters is probably the best plan for most small to mid-size networks. This method uses the ISP’s DNS servers as slaves, with the master at the client site. The master doesn’t exist as far as the root servers know; the delegation simply points to the ISP’s servers. The stealth master can be used to update the slave zones that reside on the ISP’s servers at any time, which gives the client administrator the ability to manage DNS without going through the ISP’s DNS update latency dance. Also, no DNS queries come down the pipe to the client; the ISP bears that burden.

The anniversary brings to mind the heady days of the mid-nineties, when I ran a ~5,000-user ISP’s DNS services on two Gateway systems (Pentium-133, 64MB of RAM) running BSDi. Ah, the good old days.
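As an added illustration of the two setups described above (example configuration written for this page, not the author's own and not taken from the post): a BIND 9 `named.conf` for a single server at a small site that acts as the internal recursive resolver, with forward and reverse zones for the LAN, and as the stealth master for the public zone whose only published NS records are the ISP's slaves. BIND 9 views are assumed so that one daemon can wear both hats. Every name and address is a constructed placeholder: `example.com` and `corp.example.com` for the zones, 192.168.10.0/24 for the LAN, 203.0.113.53 for this host's outside address, 192.0.2.53 and 198.51.100.53 for the ISP's slaves, and `ns1.isp.example`/`ns2.isp.example` for their names.

```conf
// ===== /etc/named.conf (constructed example) ================================
acl lan        { 192.168.10.0/24; 127.0.0.1; };
acl isp_slaves { 192.0.2.53; 198.51.100.53; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.10.2; 203.0.113.53; };
    notify yes;                        // send NOTIFY whenever a zone serial changes
};

// ---- Role 1: resolver for the LAN -------------------------------------------
view "internal" {
    match-clients { lan; };
    recursion yes;                     // resolve Internet names for local clients...
    allow-query { lan; };              // ...and for nobody else
    forwarders { 192.0.2.1; };         // optional: hand recursion to the ISP's resolver
    forward first;

    // forward zone: every server and every DHCP scope address gets an A record
    zone "corp.example.com" IN {
        type master;
        file "internal/corp.example.com.zone";
        allow-transfer { none; };
    };

    // reverse zone: PTR answers keep audit logging and reverse lookups from timing out
    zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "internal/10.168.192.in-addr.arpa.zone";
        allow-transfer { none; };
    };

    // the public zone as seen from inside; point this at a different file
    // if inside and outside hosts should resolve to different addresses
    zone "example.com" IN {
        type master;
        file "external/example.com.zone";
        allow-transfer { none; };
    };
};

// ---- Role 2: stealth master, visible only to the ISP's slaves ----------------
view "external" {
    match-clients { isp_slaves; };     // any other source gets REFUSED
    recursion no;                      // never an open resolver on the WAN side
    allow-query { isp_slaves; };

    zone "example.com" IN {
        type master;
        file "external/example.com.zone";
        allow-transfer { isp_slaves; }; // AXFR/IXFR only to the ISP
        also-notify { isp_slaves; };    // slaves refresh seconds after an edit
    };
};

// ===== /var/named/external/example.com.zone (constructed example) ===========
// The NS set is the whole "stealth" trick: only the ISP's servers are listed,
// so the parent delegation, and every resolver on the Internet, points at them
// and never at this host.
// $TTL 3600
// @     IN SOA ns1.isp.example. hostmaster.example.com. (
//               2003110401   ; serial, YYYYMMDDnn: bump it or the slaves never refresh
//               3600         ; refresh
//               900          ; retry
//               1209600      ; expire
//               300 )        ; negative-cache TTL
//       IN NS  ns1.isp.example.
//       IN NS  ns2.isp.example.
//       IN MX  10 mail.example.com.
// www   IN A   203.0.113.10
// mail  IN A   203.0.113.25

// ===== On each ISP slave (constructed example of what the ISP configures) ===
// zone "example.com" IN {
//     type slave;
//     file "slaves/example.com.zone";
//     masters { 203.0.113.53; };       // the hidden master at the client site
//     allow-notify { 203.0.113.53; };
// };
```

Two checks are worth running once the ISP has loaded the slave zones: an NS query for the zone sent to one of the parent TLD's servers should return only `ns1.isp.example` and `ns2.isp.example`, and a `dig AXFR example.com @203.0.113.53` from any address outside `isp_slaves` should come back REFUSED. The NOTIFY/transfer path that removes the update latency also means the site firewall must admit UDP and TCP port 53 from the two slave addresses to the master; nothing else on the Internet needs to reach it, which is exactly why no ordinary query traffic comes down the pipe.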