What DNS is in an ISP context

Every ISP needs two distinct DNS roles: the recursive resolver (which subscribers use to resolve names) and the authoritative server (which answers for the ISP's own zone). A slow resolver degrades the subscriber experience even with plenty of bandwidth. A misconfigured authoritative server makes the ISP's own services unreachable.

What RASYS does

  • Recursive resolver with Unbound — cache tuning, prefetch, DNSSEC validation, per-IP rate limiting to prevent abuse.
  • Active/active resolver cluster — two or more nodes with anycast or ECMP to ensure availability.
  • Authoritative DNS with BIND or NSD — ISP zones (reverse DNS for IP blocks, internal domain) with DNSSEC signing.
  • Anycast DNS via BGP — same IP announced from multiple PoPs; client resolves at the nearest one.
  • RPZ (Response Policy Zone) — court-ordered domain blocking (ANATEL, court orders) without impacting the general resolver.
  • Latency and cache hit rate monitoring — alert when the resolver starts to degrade before it becomes a complaint.
  • Resolver migration — ISP DNS changeover with gradual rollout per VLAN/IP pool.
  • Hardening — minimal responses, hidden version.bind/hostname.bind, response rate limiting, recursion disabled on the authoritative server.

Technologies we work with

Unbound, BIND9, NSD, PowerDNS. Anycast via Mikrotik RouterOS, Huawei NE, Juniper MX, Cisco. RPZ compatible with Unbound and BIND.

When it makes sense to talk to us

Resolvers with high or unstable latency at peak hours; a court order to block a domain and no clear way to implement it; DNSSEC validation you want to enable; a new PoP that needs a local resolver; reverse DNS for your IP block not resolving correctly.

Talk to us — initial conversation, no commitment. See also: BGP.

FREQUENTLY ASKED QUESTIONS

Unbound or BIND for the recursive resolver?

Unbound for a pure resolver — simpler to tune, efficient cache, native DNSSEC. BIND when the same server needs to be both authoritative and recursive (a situation we avoid in production, but that exists in smaller networks). For an ISP with 10k+ subscribers, Unbound on a dedicated pair is the standard.

Does enabling DNSSEC validation break any websites?

Rarely, but it happens: zones with expired signatures or misconfigured records fail validation. We enable it with monitoring of SERVFAIL responses, a per-domain exception list when needed, and an alert to the NOC before any subscriber-visible impact.

Is anycast DNS via BGP worth it for a regional ISP?

Worth it when you have 2+ PoPs with your own BGP. The same resolver IP announced from each PoP ensures the subscriber resolves at the nearest PoP and failover is automatic. If you have only one PoP, ECMP between two servers in the same rack is enough.

How do you implement court-ordered blocking without affecting the general resolver?

RPZ (Response Policy Zone) — a local zone that overrides the response for specific domains with NXDOMAIN or the IP of a notice page. The list is maintained separately, can be updated without restarting the resolver, and does not affect any other resolution.
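An Unbound configuration that ties together the hardening, cache, DNSSEC and RPZ items from the list above and this answer, as an added example (not RASYS's own configuration); the resolver address 198.51.100.53, the subscriber pool 100.64.0.0/10, the zone name and the file paths are assumed placeholders.

```conf
# unbound.conf (added example; not RASYS's configuration). Assumed values:
# 198.51.100.53 = resolver address, 100.64.0.0/10 = subscriber pool, file paths.
server:
    interface: 198.51.100.53
    access-control: 0.0.0.0/0 refuse       # an open resolver gets abused for reflection
    access-control: 100.64.0.0/10 allow    # recursion only for our subscribers

    # Hardening: no hostname.bind/version.bind, no unnecessary additional records
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes

    # Cache tuning; prefetch refreshes popular names before their TTL expires
    msg-cache-size: 256m
    rrset-cache-size: 512m
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes                     # stale answers while upstream is slow or down

    # DNSSEC validation; failed validations are logged so the NOC sees SERVFAILs early
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-log-level: 2

    # Abuse limits: per source IP (queries/second) and per upstream zone
    ip-ratelimit: 200
    ratelimit: 1000

    # respip must be listed for the rpz: block below to take effect
    module-config: "respip validator iterator"

# Court-ordered blocking lives in its own zone; all other resolution is untouched
rpz:
    name: "court-orders.rpz.local."
    zonefile: "/etc/unbound/rpz/court-orders.zone"
    rpz-action-override: nxdomain          # every listed name answers NXDOMAIN
    # rpz-action-override: cname           # alternative: redirect to a notice page
    # rpz-cname-override: "notice.isp.example."
    rpz-log: yes
    rpz-log-name: "court-order"            # each hit is logged for the audit trail

# /etc/unbound/rpz/court-orders.zone (constructed sample in standard RPZ syntax,
# shown here commented out because it is a separate file, not unbound.conf):
# $TTL 300
# @                  SOA localhost. hostmaster.localhost. 2024010101 3600 900 604800 300
# @                  NS  localhost.
# blocked.example    CNAME .     ; NXDOMAIN for the name itself
# *.blocked.example  CNAME .     ; and for every subdomain
```

After editing the zone file, reload just that zone with `unbound-control auth_zone_reload court-orders.rpz.local.` (assumed to apply to RPZ zones as it does to other auth zones), so the daemon and its cache stay up.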