You can enjoy the benefits of Ariel's configuration tips without running two instances of BIND. Read up on BIND's "views" feature (http://www.zytrax.com/books/dns/ch7/view.html).
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Uri Even-Chen
> Sent: Monday, March 12, 2007 7:37 PM
> To: Ariel Biener
> Cc: linux-il
> Subject: Re: Configuring BIND - DNS server
>
> OK, I understand. Thanks. I'm not going to change the current
> configuration right away, but I took this issue into account.
> Currently it's technically too complicated and time-consuming to run 2
> separate BIND servers on the same machine, and I only have one IP
> address. But if there is an issue of abuse or performance, I
> will consider changing the current configuration.
>
> Uri.
>
> On 3/11/07, Ariel Biener <[EMAIL PROTECTED]> wrote:
> > On Sunday 11 March 2007 12:13, Uri Even-Chen wrote:
> >
> > > Of course I want to learn, but I don't understand what's wrong with
> > > the current configuration. And also, many technical people forget
> > > that hardware costs money. 2 servers would cost me double; 3 servers
> > > would cost me 3 times, etc. I'm not Google, I don't have millions of
> > > servers. If I can save money by putting everything on one single
> > > server, and if it works - then what's wrong with it? I don't see any
> > > problem with solving domain names recursively while being open to
> > > queries from the entire world.
> >
> > And of course no one said that you need to buy more hardware, just
> > run two BIND servers on the same machine, each bound to its own
> > IP address...
> >
> > > Of course, if my service was abused and things were not working,
> > > that's a different issue. But since it works, I don't see any reason
> > > to change the current configuration. I don't agree with your opinion
> > > that my current configuration is wrong.
> >
> > How would you even know if your service is abused? Are you waiting
> > for it to be abused? What kind of technical (or management) decision
> > is this?
> >
> > But since you think it's my opinion, let me quote a few other opinions:
> >
> > http://www.zytrax.com/books/dns/ch4/
> > ....
> > Note: Running any DNS server that does not require to support recursive
> > queries for external users (an Open DNS) is a bad idea. While it may look
> > like a friendly and neighbourly thing to do it carries with it a possible threat
> > from DoS attacks and an increased risk of cache poisoning. The various
> > configurations have been modified to reflect this.
> > ....
> >
> > http://articles.techrepublic.com.com/5100-1035_11-5860968.html
> > http://www.sprintlink.net/faq/dns.html
> >
> > http://net.berkeley.edu/DNS/recursion-detail.shtml
> > ....
> > It is possible to have both authoritative and caching functions running
> > on the same DNS server, and this was typical in the early days of the
> > DNS. More recently it has become a best practice to separate these
> > functions, and IST did this a few years ago. More information on our
> > DNS servers can be found here (http://net.berkeley.edu/DNS/campus.shtml)
> > ....
> >
> > http://cr.yp.to/djbdns/separation.html
> > ....
> > The importance of separating DNS caches from DNS servers
> >
> > DNS caches should always have separate IP addresses from DNS servers.
> > In other words, the IP addresses listed in /etc/resolv.conf should never match
> > any IP addresses listed in NS records.
> > This separation is widely recognized as the right way to run DNS. As stated in
> > the ``DNS and BIND'' book, third edition, ``Securing Your Name Server,'' page 255:
> >
> > Some of your name servers answer nonrecursive queries from other name servers
> > on the Internet, because your name servers appear in NS records delegating your
> > zones to them. ... You should make sure that these servers don't receive any
> > recursive queries (that is, you don't have any resolvers configured to use these
> > servers, and no name servers use them as forwarders).
> > ....
> >
> > Now, I can go on and quote tens of other resources on proper DNS configuration,
> > however, I hope you get the picture.
> >
> > > If I wanted I could change the current configuration and use
> > > Netvision's name servers to resolve domain names, and my own name
> > > server only as an authoritative name server. It wouldn't cost me more
> > > money. But would my server perform better? I'm not sure. Doron
> > > Shikmoni told me not to use Netvision's servers, and I guess he is
> > > right.
> >
> > Doron is right, and you should not point your nameservers to use the NV
> > NSs, basically since every query will go over your link to them, which I
> > assume is not LAN.
> >
> > --Ariel
> > --
> > Ariel Biener
> > e-mail: [EMAIL PROTECTED]
> > PGP: http://www.tau.ac.il/~ariel/pgp.html
> >
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
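For readers who want to see what the views-based split looks like in practice: the named.conf below is an added example written for this thread, not configuration posted by anyone in it and not taken from the BIND documentation. It does on one IP address what Ariel suggests doing with two daemons: the "internal" view answers recursive queries for trusted clients only, the "external" view answers only for the zones the server is authoritative for. The zone name example.com, the zone file names and the 192.0.2.0/24 LAN prefix are placeholders; substitute your own.

```conf
// Addresses that may use this server as a recursive resolver.
// 192.0.2.0/24 is an assumed LAN prefix; replace it with yours.
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;
};

options {
    directory "/var/named";
    // Global defaults: deny recursion unless a view explicitly allows it,
    // and do not hand out zone transfers to the world.
    recursion no;
    allow-transfer { none; };
};

// Note: once any view is declared, BIND requires *every* zone, including
// the root hints, to live inside a view. Nothing may stay at top level.

view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };

    // Root hints are only needed where recursion actually happens.
    zone "." {
        type hint;
        file "named.root";
    };

    // Inside clients still see the authoritative data directly.
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};

view "external" {
    // Everyone who did not match "trusted" lands here.
    match-clients { any; };
    recursion no;
    // Refuse answers from the cache as well, so outsiders cannot probe
    // or poison cached data (allow-query-cache appeared in BIND 9.4;
    // on older 9.x drop this line, "recursion no" already clears RA).
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

To check the result, query the server for a name it is not authoritative for, once from the LAN and once from an outside host (for example `dig @your.server www.example.net A`). From the LAN you should get an answer with the `ra` flag set in the header; from outside the `ra` flag must be absent and the status should be REFUSED rather than a resolved answer. Queries for example.com itself should succeed from both sides. This is also the answer to Ariel's "how would you even know if it is abused": with recursion refused to the world there is nothing left to abuse, instead of waiting for the query log to show it.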