OK, I understand.  Thanks.  I'm not going to change the current
configuration right away, but I have taken this issue into account.
Currently it's technically too complicated and time consuming to run 2
separate BIND servers on the same machine, and I only have one IP
address.  But if there is ever an issue of abuse or performance, I
will consider changing the current configuration.

Uri.

On 3/11/07, Ariel Biener <[EMAIL PROTECTED]> wrote:
On Sunday 11 March 2007 12:13, Uri Even-Chen wrote:

> Of course I want to learn, but I don't understand what's wrong with
> the current configuration.  And also, many technical people forget
> that hardware costs money.  2 servers would cost me double; 3 servers
> would cost me 3 times etc.  I'm not Google, I don't have millions of
> servers.  If I can save money by putting everything on one single
> server, and if it works - then what's wrong with it?  I don't see any
> problem with solving domain names recursively while being open to
> queries from the entire world.

And of course no one said that you need to buy more hardware, just
run two BIND servers on the same machine, each bound to its own
IP address...

> Of course, if my service was abused and things were not working,
> that's a different issue.  But since it works, I don't see any reason
> to change the current configuration.  I don't agree with your opinion
> that my current configuration is wrong.

How would you even know if your service is abused?  Are you waiting
for it to be abused?  What kind of technical (or management) decision
is this?

But since you think it's my opinion, let me quote a few other opinions:


http://www.zytrax.com/books/dns/ch4/
....
Note: Running any DNS server that does not require to support recursive
queries for external users (an Open DNS) is a bad idea. While it may look
like a friendly and neighbourly thing to do it carries with it a possible threat
from DoS attacks and an increased risk of cache poisoning. The various
configurations have been modified to reflect this.
....

http://articles.techrepublic.com.com/5100-1035_11-5860968.html
http://www.sprintlink.net/faq/dns.html

http://net.berkeley.edu/DNS/recursion-detail.shtml
....
It is possible to have both authoritative and caching functions running
on the same DNS server, and this was typical in the early days of the
DNS.  More recently it has become a best practice to separate these
functions, and IST did this a few years ago.  More information on our
DNS servers can be found here (http://net.berkeley.edu/DNS/campus.shtml)
....

http://cr.yp.to/djbdns/separation.html
....
The importance of separating DNS caches from DNS servers

DNS caches should always have separate IP addresses from DNS servers.
In other words, the IP addresses listed in /etc/resolv.conf should never match
any IP addresses listed in NS records.
This separation is widely recognized as the right way to run DNS. As stated in
the "DNS and BIND" book, third edition, "Securing Your Name Server," page
255:

Some of your name servers answer nonrecursive queries from other name servers
on the Internet, because your name servers appear in NS records delegating your
zones to them. ... You should make sure that these servers don't receive any
recursive queries (that is, you don't have any resolvers configured to use these
servers, and no name servers use them as forwarders).
....

Now, I can go on and quote tens of other resources on proper DNS configuration,
however, I hope you get the picture.

> If I wanted I could change the current configuration and use
> Netvision's name servers to resolve domain names, and my own name
> server only as an authoritative name server.  It wouldn't cost me more
> money.  But would my server perform better?  I'm not sure.  Doron
> Shikmoni told me not to use Netvision's servers, and I guess he is
> right.

Doron is right, and you should not point your nameservers to use the NV
NSs, basically since every query will go over your link to them, which I
assume is not LAN.

--Ariel
 --
 Ariel Biener
 e-mail: [EMAIL PROTECTED]
 PGP: http://www.tau.ac.il/~ariel/pgp.html


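The three configurations this thread argues about, written out as BIND 9 named.conf fragments. This is an added example, not a configuration posted by anyone in the thread: the addresses 192.0.2.53 and 192.0.2.54 (documentation range), the zone example.com, the "trusted" ACL contents, and the file paths are all placeholders. Fragment (1) is the setup under discussion (one named, authoritative and recursing for the whole world); (2) is the minimum fix that works with a single IP address, restricting recursion to an ACL; (3) is what Ariel describes, two separate named processes on the same box, each bound to its own address.

```conf
// (1) The configuration being argued about: one named that is master for
//     example.com and also recurses for anyone on the Internet.  With no
//     allow-recursion ACL, BIND 9's default "recursion yes" makes this an
//     open resolver: anyone can use it for DoS amplification and any
//     spoofed answer that lands in its cache is served to your own users.
options {
    directory "/var/named";
    recursion yes;                      // BIND 9 default; shown for clarity
};
zone "." { type hint; file "named.root"; };
zone "example.com" { type master; file "example.com.zone"; };

// (2) Same single process and single IP, recursion limited to an ACL.
//     Authoritative data for example.com is still answered for everyone;
//     recursive lookups are only done for "trusted" clients.  From BIND 9.4
//     on, allow-query-cache defaults to this same ACL, so outsiders also
//     cannot read what is in the cache.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed: your own hosts
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query { any; };               // authoritative zones stay public
};
zone "." { type hint; file "named.root"; };
zone "example.com" { type master; file "example.com.zone"; };

// (3) Two named processes, two addresses, two config files (what Ariel
//     suggests).  NS records for example.com point at 192.0.2.53; the
//     resolv.conf of your own machines points at 192.0.2.54; the two
//     never overlap, which is the djbdns separation rule quoted above.

// /etc/named-auth.conf  -- start with: named -c /etc/named-auth.conf
options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion no;                       // never recurses, so it has no cache to poison
    allow-query { any; };
    pid-file "/var/run/named-auth.pid"; // distinct pid file per instance
};
zone "example.com" { type master; file "example.com.zone"; };

// /etc/named-cache.conf -- start with: named -c /etc/named-cache.conf
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed: your own hosts
options {
    directory "/var/named/cache";
    listen-on { 192.0.2.54; };
    recursion yes;
    allow-query { "trusted"; };         // the cache is not reachable from outside at all
    allow-recursion { "trusted"; };
    pid-file "/var/run/named-cache.pid";
};
zone "." { type hint; file "named.root"; };
```

To check which of these you actually have, query the address listed in your NS records from a host outside the "trusted" range for a name you are not authoritative for, e.g. `dig @192.0.2.53 www.example.net A`. An open resolver returns a full answer with the `ra` flag set; after (2) or (3) the `ra` flag is absent and you get REFUSED or a referral with no answer section, depending on the BIND version. Repeat the query from inside the trusted range against the caching address to confirm your own resolution still works.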