| 1 |
Alan McKinnon <alan.mckinnon <at> gmail.com> writes: |
| 2 |
|
| 3 |
|
| 4 |
> > I need to setup DNS primary/secondary systems on gentoo. So right now |
| 5 |
> > I'm looking for a suggested list of packages to install with Bind, |
| 6 |
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only |
| 7 |
> > run the minimum packages to operate securely? |
| 8 |
> auth or cache? |
| 9 |
|
| 10 |
These are the (2) net facing primary and slave dns servers, just for the |
| 11 |
few domain names I willauthenticate. They'll be behind a firewall |
| 12 |
(iptables/dmz) with no internal zone information. Strictly auth, public |
| 13 |
facing, with DNSsec. The plan is to go slow with manual configuration and |
| 14 |
and slow add features like a database, as I roll out new auth-DNS servers |
| 15 |
on newer, embedded hardware (very small very low power, but lots of ram |
| 16 |
(2G)). So over time the scope will evolve. It's a manual approach to a |
| 17 |
refresher for me. Eventually one of the auth-dns-slaves will be an arm |
| 18 |
cluster for performance testing on mesos. (That's a ways off). |
| 19 |
|
| 20 |
|
| 21 |
So also, the iptables rules for such a setup will need to be revisited, |
| 22 |
dusting off what I use to use. Again, the importance is trying different |
| 23 |
packages and sniffing the results and examining log files (manually and with |
| 24 |
scripts) on a log host. So only ports 53 (public/routable net visible |
| 25 |
and port 22 from a select sets of private ips is all these will need. |
| 26 |
|
| 27 |
|
| 28 |
> First of all, bind is a pain to use. Reason: it's actually a reference |
| 29 |
> implementation that as usual got forced into production use. It's slower |
| 30 |
> than it could be because it deals with every possible corner case per RFC. |
| 31 |
> As an auth server (few queries) it's OK |
| 32 |
|
| 33 |
Bind is an old acquaintance of mine:: been a few years, hence the post. |
| 34 |
I may test/migrate to something else, later. |
| 35 |
|
| 36 |
> As a cache (many queries), there are better servers out there. I prefer |
| 37 |
> unbound. |
| 38 |
|
| 39 |
A Caching DNS server for internal usages is another project for another |
| 40 |
time. It will be totally isolated; still, good to know. |
| 41 |
|
| 42 |
|
| 43 |
> > Also, what is the (nominal) minimum amount of RAM needed to keep all |
| 44 |
> > routes in ram in these name servers? |
| 45 |
> I don't understand. DNS servers don't keep routes in memory - routers do |
| 46 |
> that. Perhaps you mean cached DNS records? |
| 47 |
> DNS is light on RAM, there are only so many records typical users will |
| 48 |
> look up. DNS caches not too long ago ran for years problem free with a |
| 49 |
> puny few hundred MB. It's not something to be worried about. |
| 50 |
|
| 51 |
There should be a way to keep all the responses for the zones info they |
| 52 |
server in ram? I know it often happens without intervention, but surely |
| 53 |
there are published methods to insure this info is kept "in ram" like bcachefs? |
| 54 |
|
| 55 |
Also flushing and ram usage status monitoring, as these auth dns servers |
| 56 |
will eventually migrate to low power embedded machines where keeping |
| 57 |
things in ram is critical to performance. |
| 58 |
|
| 59 |
'eix -cC net-dns | grep auth' <shows:: knot and nsd |
| 60 |
|
| 61 |
Curiously, Are they better, more easily secured solutions? |
| 62 |
|
| 63 |
|
| 64 |
It's been a hwile for me.... so a vetting of the packages is the first step |
| 65 |
for this minimal, manual setup of the auth-dns servers for a few domain names:: |
| 66 |
|
| 67 |
|
| 68 |
Bind9, dnssec-tools, iptables:: any other packages relevant/germane |
| 69 |
on a amd-default profile [1] ? |
| 70 |
|
| 71 |
|
| 72 |
James |
Archives