On Mon, Jun 16, 2014 at 07:57:31PM +0000, James wrote:
> Any guidance of those?

When I have a choice, I go with nsd for authoritative and with unbound for
recursive dns servers. Bind is also a popular alternative.

> Anyone and Everyone is encouraged to "chime in" on dns server

Try to separate your authoritative and recursive dns servers.

Learn to use dig.

On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
> iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED
> \
> -j ACCEPT

Careful with conntrack. It is OK for a home/hobby server. For a high
volume dns server, you don't want to reach conntrack limits before you
reach the limits of your dns software - which are usually much higher.
A stateful firewall for a dns server is not always a good choice - do
not make it easier to DoS.

--
Eray Aslan <eras@g.o>
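The two practical points in the reply above (keep DNS traffic out of conntrack on a busy server, and use dig to verify that an authoritative server is not also answering recursively) as an added example; this is not code from the thread or from nsd/unbound. It only prints rule sets and inspects constructed text, so it runs without root. The rule sets are in iptables-restore format; `-j CT --notrack` in the raw table is the real iptables target, the 65536 conntrack ceiling and the 30 s UDP timeout used in the sizing check are assumed defaults (read `nf_conntrack_max` and `nf_conntrack_udp_timeout` under /proc/sys/net/netfilter/ on the actual box), and the dig output fed to the recursion check is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Nothing here touches the
# live firewall; review the output before feeding it to iptables-restore.

# Weak variant: the generic ESTABLISHED,RELATED rule sends every DNS packet
# through conntrack, so a query flood fills the state table before the
# DNS daemon is anywhere near its own limits.
stateful_dns_rules() {
    cat <<'EOF'
*filter
-A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Hardened variant: port 53 is marked NOTRACK in the raw table, so conntrack
# never allocates an entry for it. Untracked packets do not match
# ESTABLISHED,RELATED, so DNS must be accepted statelessly in both
# directions; the stateful rule remains for the other services on the host.
stateless_dns_rules() {
    cat <<'EOF'
*raw
-A PREROUTING -p udp --dport 53 -j CT --notrack
-A PREROUTING -p tcp --dport 53 -j CT --notrack
-A OUTPUT -p udp --sport 53 -j CT --notrack
-A OUTPUT -p tcp --sport 53 -j CT --notrack
COMMIT
*filter
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp --sport 53 -j ACCEPT
-A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the given rule set exempts UDP/53 from conntrack.
dns_is_untracked() {
    printf '%s\n' "$1" | grep -q -- '-p udp --dport 53 -j CT --notrack'
}

# Rough sizing check: each UDP query holds a conntrack entry for roughly
# the UDP timeout, so steady-state entries ~= qps * timeout. Returns 0 when
# that exceeds the table size, i.e. conntrack is the first thing to break.
# Usage: conntrack_exhausted QPS TIMEOUT_SECONDS NF_CONNTRACK_MAX
conntrack_exhausted() {
    [ $(( $1 * $2 )) -gt "$3" ]
}

# Returns 0 when a dig response advertises recursion ("ra" in the flags
# line). An authoritative-only server queried with
#   dig @ns.example.com example.com A
# should not set it; if it does, the roles are not separated.
recursion_available() {
    printf '%s\n' "$1" \
        | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' \
        | grep -qw ra
}

# Constructed dig header lines (not captured from a real server).
SAMPLE_RECURSIVE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTH_ONLY=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1'

# Stand-alone run: print both rule sets and the two checks.
if [ "${1:-}" = "show" ]; then
    echo "# stateful (weak):";   stateful_dns_rules
    echo "# stateless (hardened):"; stateless_dns_rules
    conntrack_exhausted 10000 30 65536 && echo "10k qps would exhaust a 65536-entry table"
    recursion_available "$SAMPLE_RECURSIVE" && echo "sample 1: recursion advertised"
fi
```

Run it as `sh dns-fw.sh show` to see both rule sets. The sizing check is deliberately crude (it ignores replied-stream timeouts and TCP), but it makes the thread's point concrete: at 10,000 queries per second and a 30 s UDP timeout the table needs ~300,000 entries, several times a 65,536 default, while nsd or unbound would handle that load without trouble.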