At 12:35 PM 8/29/02, you wrote:
>Recently I have been reading about DNS, Sendmail,
>Apache. I have noticed that some members have
>[EMAIL PROTECTED] and I got curious about how to
>do this. I got the impression that you need to run
>the bind/named services to do these things. Anyway,
>there are lots of great howtos for these. But even
>after reading them I have some questions.
>
>First of all, I was led to believe in my reading
>that DNS is a service which should have a dedicated
>machine to it because of the risk of intrusion.
>There's a good howto about 'jail' for DNS services.
Bind has some security problems. Generally you can run bind on a low end machine, so you just get an old Pentium to use as a DNS server.

>Second, should you run a 'master' service you HAVE
>TO also run a 'slave service' which should
>preferably be on a continent other than the one you
>are living on or at the very least, not on the same
>network.

Different continents? Only the big boys have the cash to colocate DNS servers on different continents. Even then, saying that DNS should be on different continents is very dated advice. The connections and packet switching are such now that the latency is not extremely high between continents any more. Ideally you probably want your secondary DNS on a separate internet pipe in case yours goes down, but that is not necessary. If you were to run tinydns, you could actually cheat and run both DNS servers on the same machine but on different IP addresses.

You can also pay someone else to host DNS services for you. Most hosting packages from ISPs come with hosting for 1 domain name. You can purchase primary or secondary domain name hosting services for about $10 / month / domain name.

>Third, a poorly done DNS not only leaves your
>network vulnerable but can actually pollute the
>naming service throughout the Internet...

Yes, it probably can. If you send out wrong information about domains that you control, that information will be propagated throughout the Internet and will be considered correct until the information expires (based on the Time to Live value (TTL), which is in seconds).

Another problem I have come across is if you transfer your domain from one server to another. Make sure the first server knows that it no longer is authoritative (controls the info) for the domain. Otherwise any machines that use the old DNS server as their DNS server will be fed the old information, because that old server thinks it has correct information.
>Should a modest home user (such as myself) go to the
>risk of these activities despite the desire to host
>own site, have funky email?

Lots do. I host my primary and secondary DNS on my DSL connection. Not ideal, but it does work for what I need.

>Could my ISP's named service be the 'slave' or
>backup service for mine?

Yes, that would definitely be possible. You would need to discuss with your ISP the details and costs (if any) involved.

>My plan is to use the configuration on my SMC router
>to NAT port 80 requests to my behind the firewall
>hosts for Apache and (tho I don't know which port it
>is...) sendmail.
>
>Is anybody doing this also?

Generally, you would probably want to put your webserver right on the web with a routing firewall in front, or running a firewall itself. You can use port forwarding with your SMC, but that will limit everything to 1 IP, which will prevent you from hosting both your primary and secondary DNS servers (each needs its own IP). A Linux based firewall would be able to handle multiple routable IPs, but I doubt the SMC has that feature.

-- 
Mark Lane
Hard Data Ltd.
mailto:[EMAIL PROTECTED]
Telephone: 01-780-456-9771
FAX: 01-780-456-9772
11060 - 166 Avenue
Edmonton, AB, Canada T5X 1Y3
http://www.harddata.com/
--> Ask me about our Affordable Alpha Systems! <--
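As an added example (not part of Mark's reply or the original thread), a small Python check for the "old server still thinks it is authoritative" problem described above: given the nameservers the parent delegation points at and what each candidate server answered (constructed inline here instead of live queries), it flags a retired server that still answers authoritatively, and serial or NS-set disagreements among the delegated servers. All hostnames and serials are made up.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class ServerAnswer:
    """What one nameserver answered when asked for the zone's SOA/NS.
    Filled from constructed sample values here; a live tool would take
    the AA flag, SOA serial and NS RRset from each real response."""
    host: str
    authoritative: bool                    # AA flag set in the response
    serial: Optional[int]                  # SOA serial, None if no answer
    ns_set: FrozenSet[str] = frozenset()   # NS names it publishes for the zone

def audit_zone(delegated_ns: List[str], answers: List[ServerAnswer]) -> List[str]:
    """Return human-readable problems found after moving a zone.

    delegated_ns: names the parent zone (registrar) delegates the zone to.
    answers: one ServerAnswer per server that serves or used to serve it,
             including the server being retired.
    """
    problems = []
    delegated = frozenset(delegated_ns)
    current = [a for a in answers if a.host in delegated]
    for a in current:
        if not a.authoritative:
            problems.append(f"{a.host} is delegated but does not answer authoritatively")
        elif a.ns_set != delegated:
            problems.append(f"{a.host} publishes NS set {sorted(a.ns_set)} "
                            f"but delegation is {sorted(delegated)}")
    serials = {a.serial for a in current if a.authoritative and a.serial is not None}
    if len(serials) > 1:
        problems.append(f"SOA serial mismatch among delegated servers: {sorted(serials)}")
    # The case from the reply: the old server was never told it lost the zone,
    # so resolvers still pointed at it keep being fed the old records.
    for a in answers:
        if a.host not in delegated and a.authoritative:
            problems.append(f"{a.host} still answers authoritatively but is no longer delegated")
    return problems

# Constructed sample: zone moved to ns1/ns2, old ISP server left running.
DELEGATED = ["ns1.example.net", "ns2.example.net"]
SAMPLE = [
    ServerAnswer("ns1.example.net", True, 2002082901, frozenset(DELEGATED)),
    ServerAnswer("ns2.example.net", True, 2002082901, frozenset(DELEGATED)),
    ServerAnswer("ns.old-isp.example", True, 2002010100, frozenset({"ns.old-isp.example"})),
]

if __name__ == "__main__":
    for p in audit_zone(DELEGATED, SAMPLE):
        print("PROBLEM:", p)
```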
