Gentoo Archives: gentoo-user

From: Alan McKinnon <alan.mckinnon@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Secure DNS servers
Date: Tue, 17 Jun 2014 20:41:06
Message-Id: 53A0A7A2.3080208@gmail.com
In Reply to: Re: [gentoo-user] Re: Secure DNS servers by Eray Aslan
On 17/06/2014 16:48, Eray Aslan wrote:
> On Mon, Jun 16, 2014 at 07:57:31PM +0000, James wrote:
>> Any guidance of those?
>
> When I have a choice, I go with nsd for authoritative and with unbound for
> recursive dns servers. Bind is also a popular alternative.
>
>> Anyone and Everyone is encouraged to "chime in" on dns server
>
> Try to separate your authoritative and recursive dns servers.
>
> Learn to use dig.
>
> On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
>> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
>>     -j ACCEPT
>
> Careful with conntrack. It is OK for a home/hobby server. For a high
> volume dns server, you don't want to reach conntrack limits before you
> reach the limits of your dns software - which are usually much higher.
> A stateful firewall for a dns server is not always a good choice - do
> not make it easier to DoS.
>

You could probably get away with it on an auth server as they tend to be
more lightly loaded than a caching server.

But on a cache server - no ways at all.
I watched big busy dns cache servers try to deal with FreeBSD stateful
firewalls once, it was not a pretty sight :-)

--
Alan McKinnon
alan.mckinnon@×××××.com
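As an added illustration of the conntrack point raised in this thread (not code from any poster): the stateful rule set from the quoted message beside a stateless variant that keeps UDP/53 out of the conntrack table via NOTRACK, plus a helper that reports how full the conntrack table is. The `ipt` wrapper, the `RUN` switch and the directory argument are this example's own conventions; commands are printed rather than executed unless `RUN=1`.

```shell
#!/bin/sh
# Assumption for this example: iptables with the raw table and the
# conntrack match are available. With RUN unset the rules are only printed.
IPT="${IPT:-iptables}"
RUN="${RUN:-0}"

# Execute or print an iptables command, depending on RUN.
ipt() {
    if [ "$RUN" = "1" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Stateful variant (as quoted in the thread): every DNS query creates a
# conntrack entry, so a query flood can hit nf_conntrack_max long before
# nsd or unbound reach their own limits.
stateful_dns_rules() {
    ipt -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
}

# Stateless variant: mark DNS packets NOTRACK in the raw table so they never
# enter the conntrack table, then accept them explicitly. Untracked packets
# do not match ESTABLISHED,RELATED, so the explicit UNTRACKED accepts are
# required for both directions.
stateless_dns_rules() {
    ipt -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
    ipt -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK
    ipt -A INPUT -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
    ipt -A OUTPUT -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Percentage of the conntrack table in use. The argument is the directory
# holding nf_conntrack_count/nf_conntrack_max (default: the live sysctl
# tree) so the function can also be pointed at constructed test files.
conntrack_usage_pct() {
    dir="${1:-/proc/sys/net/netfilter}"
    count=$(cat "$dir/nf_conntrack_count") || return 1
    max=$(cat "$dir/nf_conntrack_max") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $((count * 100 / max))
}
```

Running `conntrack_usage_pct` from cron or a monitoring check gives early warning that the table, not the DNS daemon, is the first thing a flood will exhaust.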