Re: Should DNS be on same server as webserver?
On Monday 13 July 2009 14:27:46 Karl Vogel wrote:
> It's very easy to set up a caching nameserver without using all the
> memory on your system.

It's much easier to turn your HIGH-performance webserver into a slug, by running stuff you don't need on the same machine. Memory unused by the webserver can then be used by the OS to provide filesystem caching, which indirectly greatly benefits a webserver, much more than a local cache can speed things up.

-- 
Mel
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Should DNS be on same server as webserver?
Karl Vogel wrote:
> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
> K> You can fix the security problems by dumping Bind and using djbdns.
>
> On Tue, 14 Jul 2009 10:16:24 +0200, Ruben de Groot replied:
> R> What security problems? This one ? :)
> R> http://blogs.zdnet.com/security/?p=2812
>
> When BIND offers (and makes good on) a $1,000 bug bounty, I'll be happy
> to consider its security model the equal of djbdns.

It's nice to see that their marketing efforts work on somebody.

-- 
--Jon Radel
j...@radel.com
Re: Should DNS be on same server as webserver?
>> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
K> You can fix the security problems by dumping Bind and using djbdns.

>> On Tue, 14 Jul 2009 10:16:24 +0200, Ruben de Groot replied:
R> What security problems? This one ? :)
R> http://blogs.zdnet.com/security/?p=2812

When BIND offers (and makes good on) a $1,000 bug bounty, I'll be happy to consider its security model the equal of djbdns.

-- 
Karl Vogel
I don't speak for the USAF or my company
Give me ambiguity, or give me something else. --unknown
Re: Should DNS be on same server as webserver?
Steve Bertrand wrote:
> I like whatever works in regards to the situation I'm facing ;)

And that's the best possible reason one could have! ;-)

Peter
-- 
http://www.boosten.org
Re: Should DNS be on same server as webserver?
Peter Boosten wrote:
> Ruben de Groot wrote:
>> On Tue, Jul 14, 2009 at 12:46:43AM -0400, Steve Bertrand typed:
>>> John Almberg wrote:
>>>> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
>>>>> You can fix the security problems by dumping Bind and using djbdns.
>>
>> What security problems? This one ? :)
>> http://blogs.zdnet.com/security/?p=2812
>
> It's the old 'my product is better' discussion: some people like
> Mercedes, other people BMW, 'American Cars' are always better, and some
> people like Volvo's.

I like whatever works in regards to the situation I'm facing ;)

We used BIND for years, but with hundreds of domains, I personally had to manage the zones, lest someone made a typo in a zone or a config file. I switched us over to DJBDNS a few years ago, simply for the ability to throw VegaDNS at it in order to provide a safe method to delegate domain management to other staff.

Many of our servers are still BIND however. I prefer BIND myself. Some of the BIND servers slave for the djb servers, and others handle other tasks, particularly all of my zones with IPv6 records.

> I'm a happy bind user for years now (and I use sendmail as well).

I switched from sendmail to Qmail on our core MTAs for the same reasons stated above. At one point, I wrote CGI wrapper applications so staff could manage email accounts, but it just got too much. I standardized on Matt Simerson's Mail Toaster about 6 years ago, simply for the ease-of-management (ie I don't have to do it).

To me, the product that is better is the one that removes me from having to use and manage it, and allows me to do other things ;)

Steve
Re: Should DNS be on same server as webserver?
Ruben de Groot wrote:
> On Tue, Jul 14, 2009 at 12:46:43AM -0400, Steve Bertrand typed:
>> John Almberg wrote:
>>> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
>>>> You can fix the security problems by dumping Bind and using djbdns.
>
> What security problems? This one ? :)
> http://blogs.zdnet.com/security/?p=2812

It's the old 'my product is better' discussion: some people like Mercedes, other people BMW, 'American Cars' are always better, and some people like Volvo's. To prove they're right, they try to find why the other products are not as good as theirs, and keep holding onto old bugs and prejudices.

I'm a happy bind user for years now (and I use sendmail as well).

Peter
-- 
http://www.boosten.org
Re: Should DNS be on same server as webserver?
On Tue, Jul 14, 2009 at 12:46:43AM -0400, Steve Bertrand typed:
> John Almberg wrote:
>> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
>>> You can fix the security problems by dumping Bind and using djbdns.

What security problems? This one ? :)
http://blogs.zdnet.com/security/?p=2812

>> I actually do use djbdns. Super easy to use, once you figure it out.
>
> ...to run a DNS cache with djbdns, it doesn't take much figuring out:

(snipped rather long installation instructions)

To enable DNS cache with bind:

echo "named_enable=YES" >>/etc/rc.conf
/etc/rc.d/named start

Ruben
Re: Should DNS be on same server as webserver?
Steve Bertrand wrote:
[...snip...]
> There is a single file in /etc/dnscache/root/ip, named 127.0.0.1
>
> If you want this cache to serve internal /24 network queries:
>
> % touch /etc/dnscache/root/ip/192.168.0

Need to add some clarification:

Adding the new empty file permits queries from the IP range specified in the file name. It does NOT force the server to listen on an IP address that is NOT the loopback.

To force the caching server to listen on a network-available IP address, replace 127.0.0.1 with your NIC's IP address in the following file:

/etc/dnscache/env/IP

...you'll then change /etc/resolv.conf to point to that IP address as your primary "nameserver".

The names of the other files that are located within said "env" directory are pretty descriptive, and may be worth looking at as well.

Steve
Re: Should DNS be on same server as webserver?
John Almberg wrote:
> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
>> On Mon, 13 Jul 2009 13:03:24 -0400, Jon Radel said:
>>
>> J> Apache and Bind have both had their security issues over the years, and
>> J> there's something to be said for running them on different servers to
>> J> reduce both the "all eggs in one basket" factor and the ease of
>> J> spreading an attack. (Yes, I'm assuming what you're actually
>> J> running)
>>
>> You can fix the security problems by dumping Bind and using djbdns.
>> It's very easy to set up a caching nameserver without using all the
>> memory on your system. See http://www.lifewithdjbdns.com/ for more.
>
> I actually do use djbdns. Super easy to use, once you figure it out.

...to run a DNS cache with djbdns, it doesn't take much figuring out:

(As root. I just tested this as I wrote it).

# daemontools supervises the cache; ucspi-tcp is a djbdns dependency
% pkg_add -r daemontools
% pkg_add -r ucspi-tcp
% echo 'svscan_enable="YES"' >> /etc/rc.conf
% mkdir /var/service
% /usr/local/etc/rc.d/svscan.sh start
% adduser -q
# add a 'dnscache' user. Put user in 'dnscache' group, and set the
# user's shell to nologin
# rinse/repeat for a 'dnslog' user
% pkg_add -r djbdns
% rehash
# creates /etc/dnscache with env/ (IP, CACHESIZE, ...) and root/ip/
% dnscache-conf dnscache dnslog /etc/dnscache
# svscan picks up the service once it appears under /var/service
% ln -s /etc/dnscache /var/service
# now edit your /etc/resolv.conf file, so that the first "nameserver"
# entry in the list points to 127.0.0.1
__END__

By default, your new cache will only listen on the loopback address (127.0.0.1). There is a single file in /etc/dnscache/root/ip, named 127.0.0.1

If you want this cache to serve internal /24 network queries:

% touch /etc/dnscache/root/ip/192.168.0

To restart the service after a change:

% svc -t /etc/dnscache

To down the cache:

% svc -d /etc/dnscache

To up the cache:

% svc -u /etc/dnscache

Note that this is only for the dnscache. Setting up an authoritative server is pretty much just as simple.

Note also that I had to do some patching and hacking to make the tinydns web frontend (VegaDNS) allow for IPv6 records properly... that's out of the scope of this mail though (for the record, I use BIND for most things v6).

An example of the empty files that allow cache access:

amigo# ll /etc/dnscache/root/ip
total 0
-rw-r--r--  1 root  wheel  0 Aug 19  2008 127.0.0.1
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.104
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.105
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.106
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.107
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.108
...

Steve
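The two settings Steve's posts turn on (env/IP for the address the cache binds to, and the empty files under root/ip for the client prefixes it will answer) are the ones that decide whether the cache stays the loopback-only resolver Jon Radel recommends or quietly becomes reachable from a wider network. The script below is an added example, not code from the thread or from djbdns: it audits a dnscache-style directory and flags a non-loopback bind, and additionally flags any allowed prefix shorter than three octets (the file name "10" admits all of 10.0.0.0/8). The fixture directories it builds are constructed for the demonstration; the real directory in the thread is /etc/dnscache.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a dnscache service
# directory as laid out by dnscache-conf (env/IP holds the address the
# cache binds to; each empty file under root/ip names a client prefix,
# in whole octets, that is allowed to query). The fixture directories
# below are constructed for the demonstration; the real one is /etc/dnscache.

# Print the address dnscache binds to, or "unset" if env/IP is missing.
dnscache_listen_ip() {
    if [ -s "$1/env/IP" ]; then
        head -n 1 "$1/env/IP"
    else
        echo unset
    fi
}

# Print the allowed client prefixes, one per line, sorted.
dnscache_allowed_prefixes() {
    [ -d "$1/root/ip" ] || return 0
    ls "$1/root/ip" | sort
}

# Exit status: 0 = loopback-only (the setup recommended in the thread);
# 1 = bound to a non-loopback address, every allowed prefix has at least
#     three octets (a /24 or a single host);
# 2 = bound to a non-loopback address and at least one prefix is broader
#     than three octets, e.g. "10" admits all of 10.0.0.0/8.
# Findings go to stderr.
audit_dnscache() {
    dir=$1
    ip=$(dnscache_listen_ip "$dir")
    status=0
    if [ "$ip" != "127.0.0.1" ]; then
        echo "warn: $dir binds $ip, not the loopback address" >&2
        status=1
        for p in $(dnscache_allowed_prefixes "$dir"); do
            case "$p" in
                *.*.*) ;;
                *) echo "warn: $dir admits broad client prefix $p" >&2
                   status=2 ;;
            esac
        done
    fi
    return $status
}

# Build a constructed fixture: make_fixture LISTEN_IP PREFIX...
make_fixture() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/dnscache-audit.XXXXXX")
    mkdir -p "$d/env" "$d/root/ip"
    echo "$1" > "$d/env/IP"
    shift
    for p in "$@"; do
        : > "$d/root/ip/$p"
    done
    echo "$d"
}

# Demonstration: the dnscache-conf default, the /24 opening from the
# thread, and a deliberately too-broad prefix.
main() {
    for spec in "127.0.0.1 127.0.0.1" \
                "192.168.0.2 127.0.0.1 192.168.0" \
                "192.168.0.2 127.0.0.1 10"; do
        d=$(make_fixture $spec)
        rc=0
        audit_dnscache "$d" || rc=$?
        echo "$d: listen=$(dnscache_listen_ip "$d") status=$rc"
        rm -rf "$d"
    done
}

main "$@"
```

Run it against the real directory with `audit_dnscache /etc/dnscache` after sourcing the functions; a status of 1 is the expected result for Steve's internal-/24 setup, and the check belongs next to whatever edits env/IP, since that file, not root/ip, is what moves the cache off the loopback.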
Re: Should DNS be on same server as webserver?
On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
> On Mon, 13 Jul 2009 13:03:24 -0400, Jon Radel said:
> J> Apache and Bind have both had their security issues over the years, and
> J> there's something to be said for running them on different servers to
> J> reduce both the "all eggs in one basket" factor and the ease of
> J> spreading an attack. (Yes, I'm assuming what you're actually
> J> running)
>
> You can fix the security problems by dumping Bind and using djbdns.
> It's very easy to set up a caching nameserver without using all the
> memory on your system. See http://www.lifewithdjbdns.com/ for more.

I actually do use djbdns. Super easy to use, once you figure it out.

-- John
Re: Should DNS be on same server as webserver?
>> On Mon, 13 Jul 2009 13:03:24 -0400,
>> Jon Radel said:

J> Apache and Bind have both had their security issues over the years, and
J> there's something to be said for running them on different servers to
J> reduce both the "all eggs in one basket" factor and the ease of
J> spreading an attack. (Yes, I'm assuming what you're actually
J> running)

You can fix the security problems by dumping Bind and using djbdns. It's very easy to set up a caching nameserver without using all the memory on your system. See http://www.lifewithdjbdns.com/ for more.

-- 
Karl Vogel
I don't speak for the USAF or my company
Smash forehead on keyboard to continue... --Ken Applin
Re: Should DNS be on same server as webserver?
On Jul 13, 2009, at 3:05 PM, Mel Flynn wrote:
> On Monday 13 July 2009 08:36:42 John Almberg wrote:
>> The other day, a FreeBSD 'expert' told me that it is important to
>> have the DNS server for a domain on the same server as the domain's
>> web server. Supposedly, this saves doing tons of DNS look ups over
>> the network. Instead, they are done locally.
>
> Bogus. A high-performance webserver should not be doing DNS lookups,
> other than application driven ones, like verification of email domains
> upon registration. If having hostnames in the live logs is mandatory
> by some weird company policy or the webserver does not provide a
> configuration setting to turn this behavior off, then more performance
> is gained by having the nameserver on the network gateway as the
> likeliness of cache hits and especially negative cache hits is
> increased. As others have mentioned, network overhead is negligible.
> Human noticeable delays are caused by upstream DNS servers slowly or
> not at all responding when a client IP is being resolved.
>
> Secondly, a named cache size depends on available memory. A high
> performance webserver uses plenty of that, so you wouldn't be able to
> grow the named cache to "almost caching the entire net" size, which you
> would be able to on a dedicated machine.

Thanks for all the comments on this topic. Glad I put 'expert' in quotes. I had a feeling...

-- John
Re: Should DNS be on same server as webserver?
On Monday 13 July 2009 08:36:42 John Almberg wrote:
> The other day, a FreeBSD 'expert' told me that it is important to
> have the DNS server for a domain on the same server as the domain's
> web server. Supposedly, this saves doing tons of DNS look ups over
> the network. Instead, they are done locally.

Bogus. A high-performance webserver should not be doing DNS lookups, other than application driven ones, like verification of email domains upon registration. If having hostnames in the live logs is mandatory by some weird company policy or the webserver does not provide a configuration setting to turn this behavior off, then more performance is gained by having the nameserver on the network gateway as the likeliness of cache hits and especially negative cache hits is increased. As others have mentioned, network overhead is negligible. Human noticeable delays are caused by upstream DNS servers slowly or not at all responding when a client IP is being resolved.

Secondly, a named cache size depends on available memory. A high performance webserver uses plenty of that, so you wouldn't be able to grow the named cache to "almost caching the entire net" size, which you would be able to on a dedicated machine.

-- 
Mel
Re: Should DNS be on same server as webserver?
On Mon, Jul 13, 2009 at 12:36:42PM -0400, John Almberg wrote:
> The other day, a FreeBSD 'expert' told me that it is important to
> have the DNS server for a domain on the same server as the domain's
> web server. Supposedly, this saves doing tons of DNS look ups over
> the network. Instead, they are done locally.
>
> This makes sense to me, but I wonder if the performance difference is
> really that significant?

sounds like someone who does not understand the network. In fact, it is possibly even better for them to be on different machines. This would be for security reasons. Anyway, any DNS lookup results are normally cached on the local machine for some period of time (set by the nameserver).

jerry

> -- John
Re: Should DNS be on same server as webserver?
On Jul 13, 2009, at 12:36 PM, John Almberg wrote:
> The other day, a FreeBSD 'expert' told me that it is important to
> have the DNS server for a domain on the same server as the domain's
> web server. Supposedly, this saves doing tons of DNS look ups over
> the network. Instead, they are done locally.
>
> This makes sense to me, but I wonder if the performance difference is
> really that significant?
>
> -- John

If you head down this road you might want to only make it a caching DNS server, not your primary or secondary for sure. Unless you are limited on available hardware.

Regards,
Mikel King
CEO, Olivent Technologies
Senior Editor, Daemon News
Columnist, BSD Magazine
6 Alpine Court, Medford, NY 11763
o: 631.627.3055
skype:mikel.king
http://mikelking.com
http://twitter.com/mikelking
Re: Should DNS be on same server as webserver?
John Almberg wrote:
> The other day, a FreeBSD 'expert' told me that it is important to
> have the DNS server for a domain on the same server as the domain's
> web server. Supposedly, this saves doing tons of DNS look ups over
> the network. Instead, they are done locally.
>
> This makes sense to me, but I wonder if the performance difference is
> really that significant?

In my experience, you're straying well into "it all depends" and "you'll have to benchmark your situation and see" territory.

I once walked into a situation where a web server was setup to do a reverse lookup on all log entries, and the DNS servers were on the far end of an overloaded 56 kbps line. That was miserable, stupid slow and quickly cured by setting up a resolving name server on the web server.

On the other hand, in situations where my name servers have been on the same high-quality gigE switch as the web servers, I've never noticed an issue, but then I don't run any really high-volume servers.

On the third hand (too many years in front of CRTs), Apache and Bind have both had their security issues over the years, and there's something to be said for running them on different servers to reduce both the "all eggs in one basket" factor and the ease of spreading an attack. (Yes, I'm assuming what you're actually running)

If you want performance and security, you might consider running your authoritative dns servers for your domain on a different server, while on your web server you run a light-weight caching dns server reachable only on the loopback interface.

-- 
--Jon Radel
j...@radel.com
Re: Should DNS be on same server as webserver?
In response to John Almberg :
> The other day, a FreeBSD 'expert' told me that it is important to
> have the DNS server for a domain on the same server as the domain's
> web server. Supposedly, this saves doing tons of DNS look ups over
> the network. Instead, they are done locally.
>
> This makes sense to me, but I wonder if the performance difference is
> really that significant?

Don't know exactly how he phrased that statement, but its truthfulness is highly dependent on the situation.

It's possible (even recommended) to configure Apache not to do DNS lookups, which makes the statement rather moot.

However, as a general rule, it's a good idea to have a fast DNS cache available to systems that will be doing a lot of lookups. In a typical configuration, a web server will do a lot of lookups. It doesn't _have_ to be on the same server, in fact, if you have multiple busy web servers, it's probably a better idea to dedicate a machine to doing DNS caching.

Of course, if your hosting provider already provides a set of fast caches for you to use, it's not really necessary for you to set up your own.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
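Bill's "configure Apache not to do DNS lookups", Mel's "a configuration setting to turn this behavior off" and the reverse-lookup-per-log-entry situation Jon describes all come down to one Apache directive, HostnameLookups, whose documented default is Off. The script below is an added example, not code from the thread or from the Apache project: it reports the effective value from a flat httpd.conf (last uncommented directive wins, absent means Off) and writes a copy with the directive forced Off. It assumes a flat file and does not track per-VirtualHost or per-Directory scoping, where the directive can also appear; the sample config it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: report the effective
# HostnameLookups setting in an Apache httpd.conf and emit a corrected
# copy with the directive forced Off. Assumptions: a flat configuration
# file (no <VirtualHost>/<Directory> scoping is tracked) and Apache's
# documented default of Off when the directive is absent.

# Print the effective value (on, off or double), lowercased; the last
# uncommented directive in the file wins.
apache_hostname_lookups() {
    awk 'BEGIN { v = "off" }
         /^[[:space:]]*#/ { next }
         tolower($1) == "hostnamelookups" && NF >= 2 { v = tolower($2) }
         END { print v }' "$1"
}

# Print a copy of the file with any HostnameLookups On/Double turned Off,
# leaving every other line untouched.
apache_disable_lookups() {
    sed -E 's/^([[:space:]]*)[Hh]ostname[Ll]ookups[[:space:]]+([Oo]n|[Dd]ouble)[[:space:]]*$/\1HostnameLookups Off/' "$1"
}

# Constructed sample config (not a real server's file): the reverse
# lookup per log entry that Jon describes is HostnameLookups On
# combined with %h in the log format.
make_sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/httpd.conf.XXXXXX")
    cat > "$f" <<'EOF'
ServerName www.example.com
# HostnameLookups Off     <- commented out, must be ignored
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd-access.log common
HostnameLookups On
EOF
    echo "$f"
}

main() {
    c=$(make_sample_conf)
    echo "before: HostnameLookups=$(apache_hostname_lookups "$c")"
    fixed=$(mktemp "${TMPDIR:-/tmp}/httpd.conf.XXXXXX")
    apache_disable_lookups "$c" > "$fixed"
    echo "after:  HostnameLookups=$(apache_hostname_lookups "$fixed")"
    rm -f "$c" "$fixed"
}

main "$@"
```

With lookups off, %h logs the client address; if hostnames are still wanted in reports, resolve them offline from the log rather than on the request path, which is the point Mel makes about keeping the webserver itself out of the DNS business.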
Should DNS be on same server as webserver?
The other day, a FreeBSD 'expert' told me that it is important to have the DNS server for a domain on the same server as the domain's web server. Supposedly, this saves doing tons of DNS look ups over the network. Instead, they are done locally.

This makes sense to me, but I wonder if the performance difference is really that significant?

-- John