RE: In a bit of bind...
Hi, I have not been following this thread too closely, but I spotted the last poster talking about a database backend to DNS. There are some interesting thoughts on the matter in a Nominet Blog Post here : http://blog.nominet.org.uk/tech/2008/06/02/nameservers-and-very-large-zones/
RE: In a bit of bind...
Once upon a time, whilst working for a fairly well-known UK domain registration company, I put together a system built on an early version of the BIND-DLZ patchset against BIND 9.2.5 (If I recall correctly). It used MySQL as the backend database (because that's what the registration system used for CRM purposes) and worked very nicely, thankyou, for well in excess of a million zones and a query rate which I forget but was of the order of several thousand per second, maybe higher at times. We had a custom-written web management toolbox, part of which was exposed to customers through their control panel so they could manage their zones by themselves. The frontend nameservers - those actually answering queries - had a read only one-way replicated copy of the tables being managed by the CRM system, so all changes were near instantaneous. Copious caching options and indexing in MySQL gave the DB pretty good performance. The frontend servers themselves were load balanced and fault-tolerant and in theory at least a single machine could handle the overall system load. Unfortunately, after I moved on from that job the system broke in some spectacular way (I don't know why) and has since been significantly changed from the original spec, but I couldn't say how... DLZ worked for us - but the DB and management tools were built in house; I don't think there's an ideal off-the-shelf solution built around it (yet). Graeme
Re: In a bit of bind...
May seem a little simplistic, but how about Webmin. :) Runs on most linux-type systems over SSL/https and allows you to administer your DNS (and other services) without issues and provide the things you listed below. Oh, and it's free. And it's already done. Scott Ben Matthew wrote: Firstly... I apologise for the atrocious pun in the subject; just can't seem to help myself. Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave). Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor. Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that: 1)Creates a zone file for mydomain.com and fills in defaults; overrides with options from the web-app if needed. 2)Updates the existing named.conf file 3)Opens a secure connection to the master, and uploads new config files 4)Runs a remote process to restart BIND 5)Opens a secure connection to slave, updates named.conf 6)Runs a remote process to restart BIND But I've had a play with myDNS (http://mydns.bboy.net) which is capable of serving DNS requests directly from a mySQL database. And it seems pretty good. All my web-app now needs to do is adjust some database records and everything else updates automatically. All very cool. However, my question is this... Has anyone yet experienced any major problems with myDNS - either security or reliability? Frankly, I'm a little scared of daring to shift away from a well-established system. Perhaps you've had the chance to poke about in the code... Is it based on the BIND codebase? Does it get security updates when exploits are revealed? Finally I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. Ok I appreciate it doesn't get around security concerns but hey ho. Opinions much appreciated. Cheers, Ben -- Ben Matthew, Senior Network Engineer Absolute Radio, One Golden Square, London W1F 9DJ Tel: 020 7432 3457 Mobile: 07817464623 http://www.absoluteradio.co.uk Absolute Radio, winner of four Sony Radio Awards in 2009 DISCLAIMER This e-mail message, including any attachments, is intended solely for the use of the addressee and may contain confidential information. If it is not intended for you, please inform the sender and delete the e-mail and any attachments immediately. Any review, retransmission, disclosure, copying or modification of it is strictly forbidden. Please be advised that the views and opinions expressed in this e-mail may not reflect the views and opinions of TIML Radio Limited or any of its parent and subsidiary companies. Whilst we take reasonable precautions to ensure that our emails are free from viruses, we cannot be responsible for any viruses transmitted with this e-mail and recommend that you subject any incoming e-mail to your own virus checking procedures. Use of this or any other e-mail facility signifies consent to any interception we might lawfully carry out to prevent abuse of these facilities. TIML Radio Limited (trading as Absolute Radio) Registered office: One Golden Square, London. W1F 9DJ Registered in England No 02674136 VAT No 927 2572 11
Re: In a bit of bind...
On 01.06.2009, at 12:59, Ben Matthew wrote: Finally I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. Ok I appreciate it doesn't get around security concerns but hey ho. As far as as security, why have myDNS world-reachable at all? You can have bind feed off of myDNS without having anyone on the outside ever talk to the myDNS backend. Chris
Re: In a bit of bind...
On Mon, Jun 1, 2009 at 12:59 PM, Ben Matthew ben.matt...@timlradio.co.ukwrote: Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave). Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor. You don't necessarily need to move away from Bind but what you do need is a better backend. Certainly you should avoid Webmin and trying to automate changes to BIND zone files as this gets really messy and unmaintainable very quickly. You can use Bind9 DLZ and MySQL or LDAP. I didn't find this all that easy to package or manage though. Personally, for scalable authoritative DNS I think PowerDNS is far better especially with an LDAP backend as LDAP is trivial to replicate over large numbers of slaves. An interface to LDAP for DNS was also a trivial project for us. If you don't need so much scalability there are existing web interfaces for PowerDNS using the MySQL backend. https://webdns.bountysource.com/ https://www.poweradmin.org/trac/
RE: In a bit of bind...
Thanks very much for the various responses to my question; both on and off-list. I'm very much liking the idea of only letting the outside world see bind and then AXFR'ing the data from an easier-to-manage internal database backed solution. Whether that be myDNS, Microsoft or whatever. Bit of initial config work and then, in theory, an easy job to administer. Actually feel a bit dumb for not considering that in the first place. Cheers again, Ben -Original Message- From: Peter Hicks [mailto:peter.hi...@poggs.co.uk] Sent: 01 June 2009 12:42 To: Ben Matthew Cc: nanog@nanog.org Subject: Re: In a bit of bind... Ben, Ben Matthew wrote: I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave). For DNS, you may find it easier to outsource hosting to another provider who has geographically diverse DNS services. This doesn't necessarily mean loss of control. It also separates your nameserver hosting from your servers - suppose your network were to be under attack, or a configuration error dropped you offline. If DNS were somewhere else, you could log in, change A records, point somewhere else. Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor. Revision control systems - CVS, Subversion - are your friend here. What about wrapping up your DNS change procedure through perl or shell scripts which automatically roll back if bind doesn't reload, or some critical hosts suddenly disappear from the file. Also, ask yourself what the cost of operating the service without changes is, and what the cost of each change is. How often are you making changes? How often do you need to make a change in an absolute emergency? If changes are being done frequently, a technical or semi-technical member of staff will get to know the procedure. If changes are being made rarely, can the changes wait for you to apply them if you don't feel comfortable with others doing it? Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that... Herein lies a problem - you want to create a web front-end to a DNS server. You're going to have to do a lot of testing to make this play nicely, and you could introduce your own security holes or gotchas. What is the cost of creating something yourself? How about one of the following? * Outsource DNS hosting, use another provider's interface to manage * BIND9 slaves, Windows-based master (hidden) which already has a GUI and it isn't difficult to change zones * Stick to what you have and document it, wrapping the 'apply' process in some simple shell or perl Peter DISCLAIMER This e-mail message, including any attachments, is intended solely for the use of the addressee and may contain confidential information. If it is not intended for you, please inform the sender and delete the e-mail and any attachments immediately. Any review, retransmission, disclosure, copying or modification of it is strictly forbidden. Please be advised that the views and opinions expressed in this e-mail may not reflect the views and opinions of TIML Radio Limited or any of its parent and subsidiary companies. Whilst we take reasonable precautions to ensure that our emails are free from viruses, we cannot be responsible for any viruses transmitted with this e-mail and recommend that you subject any incoming e-mail to your own virus checking procedures. Use of this or any other e-mail facility signifies consent to any interception we might lawfully carry out to prevent abuse of these facilities. TIML Radio Limited (trading as Absolute Radio) Registered office: One Golden Square, London. W1F 9DJ Registered in England No 02674136 VAT No 927 2572 11
Re: In a bit of bind...
I've been using powerdns for quite a while and I've found it to be solid and stable. It'll use quite a few different backends includeing BIND zone files, but its claim to fame is that it uses mysql. a list of different backends can be found at: http://en.wikipedia.org/wiki/PowerDNS#Backends I saw bind and bind2, db2, geo, gmysql, gpgsql, goracle, gsqlite, ldap, odbc, opendbx, pipe and xdb. Pipe is interesting because you can write a backend in anything that talks to anything. There is documentation and examples on the website. The g stands for generic. I've been using poweradmin for management. register.com and tucows both use it. Cheers, Curtis Ben Matthew wrote: Thanks very much for the various responses to my question; both on and off-list. I'm very much liking the idea of only letting the outside world see bind and then AXFR'ing the data from an easier-to-manage internal database backed solution. Whether that be myDNS, Microsoft or whatever. Bit of initial config work and then, in theory, an easy job to administer. Actually feel a bit dumb for not considering that in the first place. Cheers again, Ben -Original Message- From: Peter Hicks [mailto:peter.hi...@poggs.co.uk] Sent: 01 June 2009 12:42 To: Ben Matthew Cc: nanog@nanog.org Subject: Re: In a bit of bind... Ben, Ben Matthew wrote: I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave). For DNS, you may find it easier to outsource hosting to another provider who has geographically diverse DNS services. This doesn't necessarily mean loss of control. It also separates your nameserver hosting from your servers - suppose your network were to be under attack, or a configuration error dropped you offline. If DNS were somewhere else, you could log in, change A records, point somewhere else. Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor. Revision control systems - CVS, Subversion - are your friend here. What about wrapping up your DNS change procedure through perl or shell scripts which automatically roll back if bind doesn't reload, or some critical hosts suddenly disappear from the file. Also, ask yourself what the cost of operating the service without changes is, and what the cost of each change is. How often are you making changes? How often do you need to make a change in an absolute emergency? If changes are being done frequently, a technical or semi-technical member of staff will get to know the procedure. If changes are being made rarely, can the changes wait for you to apply them if you don't feel comfortable with others doing it? Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that... Herein lies a problem - you want to create a web front-end to a DNS server. You're going to have to do a lot of testing to make this play nicely, and you could introduce your own security holes or gotchas. What is the cost of creating something yourself? How about one of the following? * Outsource DNS hosting, use another provider's interface to manage * BIND9 slaves, Windows-based master (hidden) which already has a GUI and it isn't difficult to change zones * Stick to what you have and document it, wrapping the 'apply' process in some simple shell or perl Peter DISCLAIMER This e-mail message, including any attachments, is intended solely for the use of the addressee and may contain confidential information. If it is not intended for you, please inform the sender and delete the e-mail and any attachments immediately. Any review, retransmission, disclosure, copying or modification of it is strictly forbidden. Please be advised that the views and opinions expressed in this e-mail may not reflect the views and opinions of TIML Radio Limited or any of its parent and subsidiary companies. Whilst we take reasonable precautions to ensure that our emails are free from viruses, we cannot be responsible for any viruses transmitted with this e-mail and recommend that you subject any incoming e-mail to your own virus checking procedures. Use of this or any other e-mail facility signifies consent to any interception we might lawfully carry out to prevent abuse of these facilities. TIML Radio Limited (trading as Absolute Radio) Registered office: One Golden Square, London. W1F 9DJ Registered in England No 02674136 VAT No 927 2572 11
Re: In a bit of bind...
On Jun 1, 2009, at 2:37 PM, Curtis Maurand wrote: I've been using powerdns for quite a while and I've found it to be solid and stable. It'll use quite a few different backends includeing BIND zone files, but its claim to fame is that it uses mysql. a list of different backends can be found at: http://en.wikipedia.org/wiki/PowerDNS#Backends I saw bind and bind2, db2, geo, gmysql, gpgsql, goracle, gsqlite, ldap, odbc, opendbx, pipe and xdb. Pipe is interesting because you can write a backend in anything that talks to anything. There is documentation and examples on the website. The g stands for generic. I've been using poweradmin for management. We've been using it as well in what I would consider a very small setup: 150 domains, most with almost no traffic to speak of, but 3 or 4 with decent traffic (the high traffic ones serving over 50k end-user CPE for VoIP traffic with very short TTLs ). The MySQL back-end really is a claim to fame - it makes administration really easy to integrate into whatever you want. We have also been using poweradmin for basic management for things not under programmatic MySQL management. It's basic and a bit kludgy, but definitely adequate, and easy enough to hack into your own idea of what it should be. Daryl
