1 |
On 12/10/2015 19:43, James wrote: |
2 |
> Alan McKinnon <alan.mckinnon <at> gmail.com> writes: |
3 |
> |
4 |
> |
5 |
>>> I need to setup DNS primary/secondary systems on gentoo. So right now |
6 |
>>> I'm looking for a suggested list of packages to install with Bind, |
7 |
>>> iptables and DNSSEC-tools as these (2) gentoo dns servers will only |
8 |
>>> run the minimum packages to operate securely? |
9 |
>> auth or cache? |
10 |
> |
11 |
> These are the (2) net facing primary and slave dns servers, just for the |
12 |
> few domain names I willauthenticate. They'll be behind a firewall |
13 |
> (iptables/dmz) with no internal zone information. Strictly auth, public |
14 |
> facing, with DNSsec. The plan is to go slow with manual configuration and |
15 |
> and slow add features like a database, as I roll out new auth-DNS servers |
16 |
> on newer, embedded hardware (very small very low power, but lots of ram |
17 |
> (2G)). So over time the scope will evolve. It's a manual approach to a |
18 |
> refresher for me. Eventually one of the auth-dns-slaves will be an arm |
19 |
> cluster for performance testing on mesos. (That's a ways off). |
20 |
> |
21 |
> |
22 |
> So also, the iptables rules for such a setup will need to be revisited, |
23 |
> dusting off what I use to use. Again, the importance is trying different |
24 |
> packages and sniffing the results and examining log files (manually and with |
25 |
> scripts) on a log host. So only ports 53 (public/routable net visible |
26 |
> and port 22 from a select sets of private ips is all these will need. |
27 |
|
28 |
Then you need your chosen name server (bind), your chosen fw ruleset |
29 |
generators (iptables, maybe some other front end) and maybe fail2ban or |
30 |
one of it's friends if you find some port gets hammered. |
31 |
|
32 |
Block all ports except 53 and 22, send all logs to a remote syslogger |
33 |
and trawl through them to your heart's content. All very usual and normal. |
34 |
|
35 |
|
36 |
>> First of all, bind is a pain to use. Reason: it's actually a reference |
37 |
>> implementation that as usual got forced into production use. It's slower |
38 |
>> than it could be because it deals with every possible corner case per RFC. |
39 |
>> As an auth server (few queries) it's OK |
40 |
> |
41 |
> Bind is an old acquaintance of mine:: been a few years, hence the post. |
42 |
> I may test/migrate to something else, later. |
43 |
|
44 |
OK. For a few domains there's no benefit to using something other than |
45 |
what you already know. |
46 |
|
47 |
> |
48 |
>> As a cache (many queries), there are better servers out there. I prefer |
49 |
>> unbound. |
50 |
> |
51 |
> A Caching DNS server for internal usages is another project for another |
52 |
> time. It will be totally isolated; still, good to know. |
53 |
> |
54 |
> |
55 |
>>> Also, what is the (nominal) minimum amount of RAM needed to keep all |
56 |
>>> routes in ram in these name servers? |
57 |
>> I don't understand. DNS servers don't keep routes in memory - routers do |
58 |
>> that. Perhaps you mean cached DNS records? |
59 |
>> DNS is light on RAM, there are only so many records typical users will |
60 |
>> look up. DNS caches not too long ago ran for years problem free with a |
61 |
>> puny few hundred MB. It's not something to be worried about. |
62 |
> |
63 |
> There should be a way to keep all the responses for the zones info they |
64 |
> server in ram? I know it often happens without intervention, but surely |
65 |
> there are published methods to insure this info is kept "in ram" like bcachefs? |
66 |
> |
67 |
> Also flushing and ram usage status monitoring, as these auth dns servers |
68 |
> will eventually migrate to low power embedded machines where keeping |
69 |
> things in ram is critical to performance. |
70 |
|
71 |
I can't help but feel you are worried about a problem that doesn't |
72 |
exist. It takes lots and lots and lots of zones to get above 1M disk |
73 |
space. How much ram do you think you need? |
74 |
|
75 |
DNS caches are resource intensive (the upper limit on what they cache is |
76 |
the internet) |
77 |
DNS auth servers are not (their upper limit is how many bytes in the |
78 |
zones) and they tend to idle most of the time. Well unless you do silly |
79 |
things like set all TTLs to 1 (or god forbid, 0) and your auth server |
80 |
becomes a cache |
81 |
|
82 |
> |
83 |
> 'eix -cC net-dns | grep auth' <shows:: knot and nsd |
84 |
> |
85 |
> Curiously, Are they better, more easily secured solutions? |
86 |
> |
87 |
> |
88 |
> It's been a hwile for me.... so a vetting of the packages is the first step |
89 |
> for this minimal, manual setup of the auth-dns servers for a few domain names:: |
90 |
> |
91 |
> |
92 |
> Bind9, dnssec-tools, iptables:: any other packages relevant/germane |
93 |
> on a amd-default profile [1] ? |
94 |
|
95 |
Yes, that's about it. |
96 |
Add in all the other usual server stuff you like to use - monitoring, |
97 |
logging, notifications, mail, whatever |
98 |
|
99 |
|
100 |
-- |
101 |
Alan McKinnon |
102 |
alan.mckinnon@×××××.com |