| 1 |
On Mon, Jun 16, 2014 at 07:57:31PM +0000, James wrote: |
| 2 |
> Any guidance of those? |
| 3 |
|
| 4 |
When I have a choice, I go with nsd for authoritive and with unbound for |
| 5 |
recursive dns servers. Bind is also a popular alternative. |
| 6 |
|
| 7 |
> Anyone and Everyone is encouraged to "chime in" on dns server |
| 8 |
|
| 9 |
Try to seperate your authorative and recursive dns servers. |
| 10 |
|
| 11 |
Learn to use dig. |
| 12 |
|
| 13 |
On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote: |
| 14 |
> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED |
| 15 |
> \ |
| 16 |
> -j ACCEPT |
| 17 |
|
| 18 |
Careful with conntrack. It is OK for a home/hobby server. For a high |
| 19 |
volume dns server, you don't want to reach conntrack limits before you |
| 20 |
reach the limits of your dns software - which are usually much higher. |
| 21 |
A stateful firewall for a dns server is not always a good choice - do |
| 22 |
not make it easier to DoS. |
| 23 |
|
| 24 |
-- |
| 25 |
Eray Aslan <eras@g.o> |
Archives