John Almberg wrote:
>
> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
>
>>>> On Mon, 13 Jul 2009 13:03:24 -0400,
>>>> Jon Radel <j...@radel.com> said:
>>
>> J> Apache and Bind have both had their security issues over the years, and
>> J> there's something to be said for running them on different servers to
>> J> reduce both the "all eggs in one basket" factor and the ease of
>> J> spreading an attack. (Yes, I'm assuming what you're actually
>> J> running....)
>>
>> You can fix the security problems by dumping Bind and using djbdns.
>> It's very easy to set up a caching nameserver without using all the
>> memory on your system. See http://www.lifewithdjbdns.com/ for more.
>
>
> I actually do use djbdns. Super easy to use, once you figure it out.
...to run a DNS cache with djbdns, it doesn't take much figuring out:

(As root. I just tested this as I wrote it.)

% pkg_add -r daemontools
% pkg_add -r ucspi-tcp
% echo 'svscan_enable="YES"' >> /etc/rc.conf
% mkdir /var/service
% /usr/local/etc/rc.d/svscan.sh start
% adduser -q
# add a 'dnscache' user. Put user in 'dnscache' group, and set the
# user's shell to nologin
# rinse/repeat for a 'dnslog' user
% pkg_add -r djbdns
% rehash
% dnscache-conf dnscache dnslog /etc/dnscache
% ln -s /etc/dnscache /var/service
# now edit your /etc/resolv.conf file, so that the first "nameserver"
# entry in the list points to 127.0.0.1
__END__

By default, your new cache will only listen on the loopback address
(127.0.0.1). There is a single file in /etc/dnscache/root/ip, named
127.0.0.1

If you want this cache to serve internal /24 network queries:

% touch /etc/dnscache/root/ip/192.168.0

To restart the service after a change:

% svc -t /etc/dnscache

To down the cache:

% svc -d /etc/dnscache

To up the cache:

% svc -u /etc/dnscache

Note that this is only for the dnscache. Setting up an authoritative
server is pretty much just as simple.

Note also that I had to do some patching and hacking to make the tinydns
web frontend (VegaDNS) allow for IPv6 records properly... that's out of
the scope of this mail though (for the record, I use BIND for most
things v6).

An example of the empty files that allow cache access:

amigo# ll /etc/dnscache/root/ip
total 0
-rw-r--r--  1 root  wheel  0 Aug 19  2008 127.0.0.1
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.104
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.105
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.106
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.107
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.108
...

Steve
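The empty files under root/ip are the whole of dnscache's client access control, so it is worth checking what a given directory admits before a cache is exposed to a LAN. The script below is an added example, not part of Steve's mail or of djbdns: it reproduces dnscache's lookup (the client's full address, then each shorter dot-separated prefix) against a constructed root/ip directory, which is why "192.168.0" admits the whole /24 while "127.0.0.1" admits only that one address.

```sh
#!/bin/sh
# Added example, not from the thread: emulate dnscache's root/ip client check
# so an admin can review what a directory of empty files admits. dnscache
# accepts a query if a file named after the client's full address exists in
# root/ip, or one named after any dot-separated prefix of that address.

# dnscache_allows DIR IP: exit 0 if IP would be accepted, 1 if refused.
dnscache_allows() {
    _dir=$1
    _key=$2
    while :; do
        if [ -e "$_dir/$_key" ]; then
            return 0
        fi
        case $_key in
            *.*) _key=${_key%.*} ;;   # drop the last dot-separated component
            *)   return 1 ;;          # no prefix left to try: refused
        esac
    done
}

# report DIR IP: print the verdict for one client address.
report() {
    if dnscache_allows "$1" "$2"; then
        echo "$2: allowed"
    else
        echo "$2: refused"
    fi
}

# Constructed root/ip directory mirroring the mail's setup: the loopback
# file created by dnscache-conf plus the /24 added with touch.
demo=$(mktemp -d)
mkdir "$demo/ip"
touch "$demo/ip/127.0.0.1" "$demo/ip/192.168.0"

report "$demo/ip" 127.0.0.1      # allowed: exact file
report "$demo/ip" 192.168.0.42   # allowed: prefix file 192.168.0
report "$demo/ip" 192.168.1.42   # refused: no 192.168.1 file
report "$demo/ip" 10.0.0.1       # refused
report "$demo/ip" 127.0.0.2      # refused: file is 127.0.0.1, not 127.0.0

rm -rf "$demo"
```

Point the function at the real /etc/dnscache/root/ip to check a live cache; a file named after a single octet (e.g. "10") admits an entire /8, so such entries deserve a second look.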