Gentoo Archives: gentoo-user

From: Eray Aslan <eras@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Secure DNS servers
Date: Tue, 17 Jun 2014 14:49:01
Message-Id: 20140617144848.GB1884@angelfall
In Reply to: [gentoo-user] Re: Secure DNS servers by James
On Mon, Jun 16, 2014 at 07:57:31PM +0000, James wrote:
> Any guidance of those?

When I have a choice, I go with nsd for authoritative and with unbound for
recursive dns servers. Bind is also a popular alternative.

> Anyone and Everyone is encouraged to "chime in" on dns server

Try to separate your authoritative and recursive dns servers.

Learn to use dig.

On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \
>     -j ACCEPT

Careful with conntrack. It is OK for a home/hobby server. For a high
volume dns server, you don't want to reach conntrack limits before you
reach the limits of your dns software - which are usually much higher.
A stateful firewall for a dns server is not always a good choice - do
not make it easier to DoS.

--
Eray Aslan <eras@g.o>
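One way to act on the conntrack advice above, as an added example that is not part of the original mail: exempt an authoritative server's UDP/53 traffic from connection tracking in the raw table, then accept it explicitly, since untracked packets never match the ESTABLISHED,RELATED rule quoted in the thread. The IPT and DNS_IF variables are assumptions; by default the script only echoes the rules (dry run).

```shell
#!/bin/sh
# Added example, not from the original post. IPT defaults to a dry run
# ("echo iptables"); set IPT=iptables to apply. DNS_IF is the interface
# that serves DNS (assumed name).
IPT="${IPT:-echo iptables}"
DNS_IF="${DNS_IF:-eth0}"

dns_notrack_rules() {
    # The raw table is consulted before conntrack; CT --notrack marks the
    # packet so no conntrack entry is created for queries or their replies.
    $IPT -t raw -A PREROUTING -i "$DNS_IF" -p udp --dport 53 -j CT --notrack
    $IPT -t raw -A OUTPUT -o "$DNS_IF" -p udp --sport 53 -j CT --notrack
    # Untracked packets do not match ESTABLISHED,RELATED, so the generic
    # stateful ACCEPT rule will not pass them; accept them by ctstate UNTRACKED.
    $IPT -A INPUT -i "$DNS_IF" -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A OUTPUT -o "$DNS_IF" -p udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
    # TCP/53 (zone transfers, truncated-answer retries) is low volume, so it
    # stays tracked and the stateful rule handles its return traffic.
    $IPT -A INPUT -i "$DNS_IF" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
}

# Number of rules the function emits in dry-run mode (handy for checking
# the rule set before applying it).
dns_notrack_rule_count() {
    ( IPT="echo iptables"; dns_notrack_rules ) | wc -l | tr -d ' '
}

dns_notrack_rules
```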
