| 1 |
On 12/10/2015 19:43, James wrote: |
| 2 |
> Alan McKinnon <alan.mckinnon <at> gmail.com> writes: |
| 3 |
> |
| 4 |
> |
| 5 |
>>> I need to setup DNS primary/secondary systems on gentoo. So right now |
| 6 |
>>> I'm looking for a suggested list of packages to install with Bind, |
| 7 |
>>> iptables and DNSSEC-tools as these (2) gentoo dns servers will only |
| 8 |
>>> run the minimum packages to operate securely? |
| 9 |
>> auth or cache? |
| 10 |
> |
| 11 |
> These are the (2) net facing primary and slave dns servers, just for the |
| 12 |
> few domain names I willauthenticate. They'll be behind a firewall |
| 13 |
> (iptables/dmz) with no internal zone information. Strictly auth, public |
| 14 |
> facing, with DNSsec. The plan is to go slow with manual configuration and |
| 15 |
> and slow add features like a database, as I roll out new auth-DNS servers |
| 16 |
> on newer, embedded hardware (very small very low power, but lots of ram |
| 17 |
> (2G)). So over time the scope will evolve. It's a manual approach to a |
| 18 |
> refresher for me. Eventually one of the auth-dns-slaves will be an arm |
| 19 |
> cluster for performance testing on mesos. (That's a ways off). |
| 20 |
> |
| 21 |
> |
| 22 |
> So also, the iptables rules for such a setup will need to be revisited, |
| 23 |
> dusting off what I use to use. Again, the importance is trying different |
| 24 |
> packages and sniffing the results and examining log files (manually and with |
| 25 |
> scripts) on a log host. So only ports 53 (public/routable net visible |
| 26 |
> and port 22 from a select sets of private ips is all these will need. |
| 27 |
|
| 28 |
Then you need your chosen name server (bind), your chosen fw ruleset |
| 29 |
generators (iptables, maybe some other front end) and maybe fail2ban or |
| 30 |
one of it's friends if you find some port gets hammered. |
| 31 |
|
| 32 |
Block all ports except 53 and 22, send all logs to a remote syslogger |
| 33 |
and trawl through them to your heart's content. All very usual and normal. |
| 34 |
|
| 35 |
|
| 36 |
>> First of all, bind is a pain to use. Reason: it's actually a reference |
| 37 |
>> implementation that as usual got forced into production use. It's slower |
| 38 |
>> than it could be because it deals with every possible corner case per RFC. |
| 39 |
>> As an auth server (few queries) it's OK |
| 40 |
> |
| 41 |
> Bind is an old acquaintance of mine:: been a few years, hence the post. |
| 42 |
> I may test/migrate to something else, later. |
| 43 |
|
| 44 |
OK. For a few domains there's no benefit to using something other than |
| 45 |
what you already know. |
| 46 |
|
| 47 |
> |
| 48 |
>> As a cache (many queries), there are better servers out there. I prefer |
| 49 |
>> unbound. |
| 50 |
> |
| 51 |
> A Caching DNS server for internal usages is another project for another |
| 52 |
> time. It will be totally isolated; still, good to know. |
| 53 |
> |
| 54 |
> |
| 55 |
>>> Also, what is the (nominal) minimum amount of RAM needed to keep all |
| 56 |
>>> routes in ram in these name servers? |
| 57 |
>> I don't understand. DNS servers don't keep routes in memory - routers do |
| 58 |
>> that. Perhaps you mean cached DNS records? |
| 59 |
>> DNS is light on RAM, there are only so many records typical users will |
| 60 |
>> look up. DNS caches not too long ago ran for years problem free with a |
| 61 |
>> puny few hundred MB. It's not something to be worried about. |
| 62 |
> |
| 63 |
> There should be a way to keep all the responses for the zones info they |
| 64 |
> server in ram? I know it often happens without intervention, but surely |
| 65 |
> there are published methods to insure this info is kept "in ram" like bcachefs? |
| 66 |
> |
| 67 |
> Also flushing and ram usage status monitoring, as these auth dns servers |
| 68 |
> will eventually migrate to low power embedded machines where keeping |
| 69 |
> things in ram is critical to performance. |
| 70 |
|
| 71 |
I can't help but feel you are worried about a problem that doesn't |
| 72 |
exist. It takes lots and lots and lots of zones to get above 1M disk |
| 73 |
space. How much ram do you think you need? |
| 74 |
|
| 75 |
DNS caches are resource intensive (the upper limit on what they cache is |
| 76 |
the internet) |
| 77 |
DNS auth servers are not (their upper limit is how many bytes in the |
| 78 |
zones) and they tend to idle most of the time. Well unless you do silly |
| 79 |
things like set all TTLs to 1 (or god forbid, 0) and your auth server |
| 80 |
becomes a cache |
| 81 |
|
| 82 |
> |
| 83 |
> 'eix -cC net-dns | grep auth' <shows:: knot and nsd |
| 84 |
> |
| 85 |
> Curiously, Are they better, more easily secured solutions? |
| 86 |
> |
| 87 |
> |
| 88 |
> It's been a hwile for me.... so a vetting of the packages is the first step |
| 89 |
> for this minimal, manual setup of the auth-dns servers for a few domain names:: |
| 90 |
> |
| 91 |
> |
| 92 |
> Bind9, dnssec-tools, iptables:: any other packages relevant/germane |
| 93 |
> on a amd-default profile [1] ? |
| 94 |
|
| 95 |
Yes, that's about it. |
| 96 |
Add in all the other usual server stuff you like to use - monitoring, |
| 97 |
logging, notifications, mail, whatever |
| 98 |
|
| 99 |
|
| 100 |
-- |
| 101 |
Alan McKinnon |
| 102 |
alan.mckinnon@×××××.com |
Archives