Recursive DNS and Caching

Most recursive resolvers are set up to cache lookups, so typically ‘DNS cache’ and ‘recursive resolver’ refer to the same server. Two different scenarios are typical for DNS caches:

  1. In some situations, there is a strong argument for separating the roles of DNS cache and authoritative server, with dedicated servers for each.

    The main reason for this is to maximise security. DNS caches carry some inherent security risk. Separating the cache from the authoritative records reduces the risk that poisoned DNS lookups stored in the cache find a route to the authoritative records. This is particularly relevant to service provider deployments, where public access by the subscriber base, at the very least, exposes the cache to greater risk.

    Where servers see high loads for both authoritative and cached lookups, it also makes sense to spread the load over more servers.

  2. If you don't think the risk of cache poisoning is very high, then you can combine the roles of DNS cache and authoritative server on a single slave server. This is usually the case on a corporate private network, where the DNS cache is internal facing and access to it is limited to trusted, or at least controllable, IP addresses.
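
A way to check which of the two scenarios a server you operate actually implements, added here as an example and not part of the original page: it reads the AA (authoritative answer) and RA (recursion available) header bits of two DNS replies and flags a combined cache and authoritative server that is publicly reachable. The function names, the two-query approach and the REFUSED heuristic are assumptions of this example.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1) and the REFUSED response code
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
REFUSED = 5

def build_query(name, qid=0x1234):
    """Encode an A/IN query with the RD (recursion desired) bit set."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def ask(server, name, timeout=3.0):
    """Send the query over UDP to a server you operate and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)

def flags_of(reply):
    """Return (aa, ra, rcode) from a raw DNS response header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & QR:
        raise ValueError("not a DNS response")
    return bool(flags & AA), bool(flags & RA), flags & 0x000F

def observed_role(own_zone_reply, foreign_reply):
    """Classify a server from two replies: one for a name in a zone it hosts,
    one for a name in a zone it does not host."""
    authoritative = flags_of(own_zone_reply)[0]
    _, ra, rcode = flags_of(foreign_reply)
    # Assumption: RA set and no REFUSED means the server recursed for this client.
    recursive = ra and rcode != REFUSED
    if authoritative and recursive:
        return "combined"
    if authoritative:
        return "authoritative"
    return "cache" if recursive else "closed"

def audit(role, public_facing):
    """Combined roles are acceptable only on an internal, access-limited network."""
    if role == "combined" and public_facing:
        return "FAIL: public server both caches and holds authoritative records"
    return "OK: " + role
```

Run `ask()` once for a name in a zone the server hosts and once for a name it does not host, then pass both replies to `observed_role()`; repeat from an address outside the trusted range to confirm the cache is not reachable from there.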
