
Re: DNS

On Mon, Jun 26, 2000 at 08:30:52AM +0300, ksemat@eahd.or.ug wrote:
> Yeah that is quite true but would it be for every single IP address or
> just for those that I want to delegate? Because I only want to delegate
> about three IPs. So can I have my file like this
> @ IN SOA dar1.afsat.com ....
> @ IN NS ...
> @ IN NS .....
> 1 IN PTR ....
> 2 IN PTR ....
> etc
> 208 86400 IN NS eahd.or.ug.
> I hope this is possible but is it necessary? Can various clients run DNS
> without being authoritative for their reverse zone and have no problems at
> all? i.e can I have for example just a a ptr record on dar1 pointing
> 208.132.129.216.in-addr.arpa to eahd.or.ug and eahd will run a name server
> without any problems? Because if this is so then there is no need to go to
> all this trouble.

I am confused.

132.129.216.in-addr.arpa is delegated to sauron.kersur.net and
deathstar.kersur.net. Do you run those machines? If you do, you don't have
to ask questions about delegation - you already have it for all those IP
addresses. If you don't (i.e. they are at your upstream) then it's their
responsibility.

(1) They can put the record in directly

164  IN PTR wawa.eahd.or.ug.
208  IN PTR alpha.eahd.or.ug.

[In this case you need absolutely _nothing_ on your own name servers to
handle your reverse DNS, because it's all in this zone - the same as the way
people all over the Internet find it]

(2) They can put in CNAME records pointing to a zone which you _do_ control:

164  IN CNAME 164.in-addr.eahd.or.ug.
208  IN CNAME 208.in-addr.eahd.or.ug.

Then you put the corresponding PTR records in your own zone:

[eahd.or.ug zonefile]
164.in-addr   IN PTR  wawa.eahd.or.ug.
208.in-addr   IN PTR  alpha.eahd.or.ug.

(3) They can delegate individual IP addresses

164  IN NS eahd.or.ug.
     IN NS secondary.example.com.
208  IN NS eahd.or.ug.
     IN NS secondary.example.com.

Then you set up two zones:

eahd.or.ug.  primary  164.132.129.216.in-addr.arpa
 @   SOA  ( ... )
   NS   eahd.or.ug.
   NS   secondary.example.com.
   PTR  wawa.eahd.or.ug.

eahd.or.ug.  primary  208.132.129.216.in-addr.arpa
 @   SOA  ( ... )
   NS   eahd.or.ug.
   NS   secondary.example.com.
   PTR  alpha.eahd.or.ug.

Plus you have to set up secondary.example.com to be secondary for both those
zones. This is messy.

If you only have 2 IP addresses from your upstream, I recommend solution
(1). If you have a larger block, I recommend solution (2).
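The following is an added example, not part of Brian's mail: a small in-memory resolver that parses the two zone fragments from option (2) above (owner names are qualified against a constructed origin) and follows the CNAME from the upstream's reverse zone into the eahd.or.ug zone, the way a real resolver would when answering a PTR query.

```python
import ipaddress

# Zone fragments constructed from option (2) in the mail: the upstream's
# 132.129.216.in-addr.arpa zone holds CNAMEs, the eahd.or.ug zone holds PTRs.
UPSTREAM_ZONE = ("132.129.216.in-addr.arpa.", """
164  IN CNAME 164.in-addr.eahd.or.ug.
208  IN CNAME 208.in-addr.eahd.or.ug.
""")
EAHD_ZONE = ("eahd.or.ug.", """
164.in-addr   IN PTR  wawa.eahd.or.ug.
208.in-addr   IN PTR  alpha.eahd.or.ug.
""")

def parse_zone(origin, text):
    """Parse 'owner IN TYPE rdata' lines; relative owners get the origin appended."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "IN":
            continue                      # skip blank lines and anything exotic
        owner, _, rtype, rdata = parts
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.setdefault(owner.lower(), []).append((rtype, rdata))
    return records

def build_records():
    """Merge both zones into one name -> [(type, rdata)] table."""
    records = {}
    for origin, text in (UPSTREAM_ZONE, EAHD_ZONE):
        for name, rrs in parse_zone(origin, text).items():
            records.setdefault(name, []).extend(rrs)
    return records

def reverse_name(ip):
    """216.129.132.164 -> 164.132.129.216.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lookup_ptr(records, name, max_chain=8):
    """Follow CNAMEs until a PTR is found. Returns (target or None, CNAME chain)."""
    chain = []
    for _ in range(max_chain):            # bounded so a CNAME loop cannot spin forever
        rrs = records.get(name.lower(), [])
        ptrs = [rd for rt, rd in rrs if rt == "PTR"]
        if ptrs:
            return ptrs[0], chain
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return None, chain            # no delegation/CNAME for this address
        chain.append((name, cnames[0]))
        name = cnames[0]
    return None, chain

if __name__ == "__main__":
    recs = build_records()
    for ip in ("216.129.132.164", "216.129.132.208", "216.129.132.1"):
        print(ip, "->", lookup_ptr(recs, reverse_name(ip)))
```

The third address has no CNAME in the upstream zone, so the lookup returns no PTR; that is the case where a mail relay doing reverse lookups on that client would see nothing at all.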

> Also I have taken your suggestion seriously and I am going to implement it
> but my question is that can a 330 MHZ 3Gigabyte pentium II processor
> handle the DNS load in the meantime?
> There would be about 90 zones on it and yet I want it to do recursive
> queries because some clients use it as a relay for their mail.

That is more than big enough!!

At the ISP where I work, which has more than 10,000 modems, their primary
authoritative (non-caching) DNS server is a P-II/400 with 128M of RAM. The
RAM footprint of a non-caching DNS server does not grow - this is a good
reason for keeping it separate. The secondary is a P166/64M.

The caching servers are P-II/350 with 512M of RAM.

I suggest that any reliable P75 or above would be absolutely fine as a
nameserver - with a small amount of RAM for your primary/secondary (with
only 90 zones - we have thousands here) and some more RAM in the caching
servers.

> Also I have only been on linux for less than a year and haven't really
> used BSD. Can you point me to places where I can get a really good
> firewall? I understand that BSD does not use ipchains, which is what I know,
> and I don't yet really know ipfilter and ipfwadm.

FreeBSD has its own 'ipfw' syntax. Its manual page is actually quite a good
reference: man ipfw. It has stateful rules, which can allow you to build a
more secure firewall than Linux. But if you are going to build a
packet-filtering firewall, make sure you have a _very_ clear understanding
of the issues involved, and all the option bits on TCP packets!!

The O'Reilly "Building Internet Firewalls" book is pretty good on this sort
of stuff.

You shouldn't need firewall rules on your nameservers. Just make sure you
turn off any daemons you don't need in /etc/rc.conf:
sendmail_flags="-q30m"       # don't be a listener on port 25
portmap_enable="NO"
inetd_enable="NO"            # if you don't need telnet (use ssh instead)

Cheers,

Brian.

-----
This is the afnog mailing list, managed by Majordomo 1.94.4