On 17/06/2014 16:48, Eray Aslan wrote:
> On Mon, Jun 16, 2014 at 07:57:31PM +0000, James wrote:
>> Any guidance on those?
> 
> When I have a choice, I go with nsd for authoritative and with unbound for
> recursive dns servers.  Bind is also a popular alternative.
> 
>> Anyone and Everyone is encouraged to "chime in" on dns server
> 
> Try to separate your authoritative and recursive dns servers.
> 
> Learn to use dig.
> 
> On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
>>   iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> 
> Careful with conntrack.  It is OK for a home/hobby server.  For a high
> volume dns server, you don't want to reach conntrack limits before you
> reach the limits of your dns software - which are usually much higher.
> A stateful firewall for a dns server is not always a good choice - do
> not make it easier to DoS.
> 

You could probably get away with it on an auth server as they tend to be
more lightly loaded than a caching server.

But on a cache server - no ways at all.
I watched big busy dns cache servers try to deal with FreeBSD stateful
firewalls once, it was not a pretty sight :-)

-- 
Alan McKinnon
alan.mckin...@gmail.com
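One way to follow Eray's advice on a Linux box, as an added example that is not from anyone in this thread: keep port-53 traffic out of conntrack altogether, so a query flood runs into the DNS daemon's limits rather than filling the firewall's state table first. It assumes iptables with the raw table and the CT target; the function names and the IPT/DNS_PORT variables are my own (set IPT=echo to preview the rules without applying them).

```shell
#!/bin/sh
# Added example: exempt DNS from connection tracking on a Linux iptables host.
# IPT and DNS_PORT are this script's own knobs, not standard iptables names.
IPT="${IPT:-iptables}"
DNS_PORT="${DNS_PORT:-53}"

# Rules for an authoritative (or any listening) DNS server.
dns_notrack_rules() {
    # The raw table runs before conntrack, so these packets never get a state entry.
    "$IPT" -t raw -A PREROUTING -p udp --dport "$DNS_PORT" -j CT --notrack
    "$IPT" -t raw -A PREROUTING -p tcp --dport "$DNS_PORT" -j CT --notrack
    "$IPT" -t raw -A OUTPUT     -p udp --sport "$DNS_PORT" -j CT --notrack
    "$IPT" -t raw -A OUTPUT     -p tcp --sport "$DNS_PORT" -j CT --notrack
    # Untracked packets never match ESTABLISHED,RELATED, so an
    # ESTABLISHED,RELATED -j ACCEPT rule alone would drop the replies:
    # accept the untracked DNS traffic explicitly in both directions.
    "$IPT" -A INPUT  -p udp --dport "$DNS_PORT" -m conntrack --ctstate UNTRACKED -j ACCEPT
    "$IPT" -A INPUT  -p tcp --dport "$DNS_PORT" -m conntrack --ctstate UNTRACKED -j ACCEPT
    "$IPT" -A OUTPUT -p udp --sport "$DNS_PORT" -m conntrack --ctstate UNTRACKED -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --sport "$DNS_PORT" -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Extra rules for a caching resolver: its own outbound queries and their
# replies must also stay out of conntrack, or the cache fills the table itself.
resolver_notrack_rules() {
    "$IPT" -t raw -A OUTPUT     -p udp --dport "$DNS_PORT" -j CT --notrack
    "$IPT" -t raw -A PREROUTING -p udp --sport "$DNS_PORT" -j CT --notrack
    "$IPT" -A OUTPUT -p udp --dport "$DNS_PORT" -m conntrack --ctstate UNTRACKED -j ACCEPT
    # Trade-off: without state, any UDP packet from source port 53 to the
    # resolver's unprivileged port range is let in; the resolver's own
    # query-id/port matching is what filters the rest.
    "$IPT" -A INPUT -p udp --sport "$DNS_PORT" --dport 1024:65535 \
        -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Quick check of conntrack headroom on the running kernel (prints "used/max").
conntrack_usage() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] || { echo "conntrack not loaded"; return 1; }
    echo "$(cat "$d/nf_conntrack_count")/$(cat "$d/nf_conntrack_max")"
}

if [ "${1:-}" = "apply" ]; then
    dns_notrack_rules
    [ "${2:-}" = "resolver" ] && resolver_notrack_rules
fi
```

Older iptables releases lack the CT target and use `-j NOTRACK` in the raw table instead; the UNTRACKED accept rules are the same.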