1 |
Alan McKinnon <alan.mckinnon <at> gmail.com> writes: |
2 |
|
3 |
|
4 |
> > I need to setup DNS primary/secondary systems on gentoo. So right now |
5 |
> > I'm looking for a suggested list of packages to install with Bind, |
6 |
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only |
7 |
> > run the minimum packages to operate securely? |
8 |
> auth or cache? |
9 |
|
10 |
These are the (2) net facing primary and slave dns servers, just for the |
11 |
few domain names I willauthenticate. They'll be behind a firewall |
12 |
(iptables/dmz) with no internal zone information. Strictly auth, public |
13 |
facing, with DNSsec. The plan is to go slow with manual configuration and |
14 |
and slow add features like a database, as I roll out new auth-DNS servers |
15 |
on newer, embedded hardware (very small very low power, but lots of ram |
16 |
(2G)). So over time the scope will evolve. It's a manual approach to a |
17 |
refresher for me. Eventually one of the auth-dns-slaves will be an arm |
18 |
cluster for performance testing on mesos. (That's a ways off). |
19 |
|
20 |
|
21 |
So also, the iptables rules for such a setup will need to be revisited, |
22 |
dusting off what I use to use. Again, the importance is trying different |
23 |
packages and sniffing the results and examining log files (manually and with |
24 |
scripts) on a log host. So only ports 53 (public/routable net visible |
25 |
and port 22 from a select sets of private ips is all these will need. |
26 |
|
27 |
|
28 |
> First of all, bind is a pain to use. Reason: it's actually a reference |
29 |
> implementation that as usual got forced into production use. It's slower |
30 |
> than it could be because it deals with every possible corner case per RFC. |
31 |
> As an auth server (few queries) it's OK |
32 |
|
33 |
Bind is an old acquaintance of mine:: been a few years, hence the post. |
34 |
I may test/migrate to something else, later. |
35 |
|
36 |
> As a cache (many queries), there are better servers out there. I prefer |
37 |
> unbound. |
38 |
|
39 |
A Caching DNS server for internal usages is another project for another |
40 |
time. It will be totally isolated; still, good to know. |
41 |
|
42 |
|
43 |
> > Also, what is the (nominal) minimum amount of RAM needed to keep all |
44 |
> > routes in ram in these name servers? |
45 |
> I don't understand. DNS servers don't keep routes in memory - routers do |
46 |
> that. Perhaps you mean cached DNS records? |
47 |
> DNS is light on RAM, there are only so many records typical users will |
48 |
> look up. DNS caches not too long ago ran for years problem free with a |
49 |
> puny few hundred MB. It's not something to be worried about. |
50 |
|
51 |
There should be a way to keep all the responses for the zones info they |
52 |
server in ram? I know it often happens without intervention, but surely |
53 |
there are published methods to insure this info is kept "in ram" like bcachefs? |
54 |
|
55 |
Also flushing and ram usage status monitoring, as these auth dns servers |
56 |
will eventually migrate to low power embedded machines where keeping |
57 |
things in ram is critical to performance. |
58 |
|
59 |
'eix -cC net-dns | grep auth' <shows:: knot and nsd |
60 |
|
61 |
Curiously, Are they better, more easily secured solutions? |
62 |
|
63 |
|
64 |
It's been a hwile for me.... so a vetting of the packages is the first step |
65 |
for this minimal, manual setup of the auth-dns servers for a few domain names:: |
66 |
|
67 |
|
68 |
Bind9, dnssec-tools, iptables:: any other packages relevant/germane |
69 |
on a amd-default profile [1] ? |
70 |
|
71 |
|
72 |
James |