On 2013-10-24 Thu 10:35 AM, Predrag Punosevac wrote:
> We have one domain name, small web server and a mail server.
>
In that situation, I'd:

1) run a master DNS server on the public web/mail server
2) find a domain name registrar that:
   1. will slave the zone from your master
   2. has 2-4 servers, mainly in the general geographic region of the
      web/mail users
   3. runs an acceptable OS/daemon

You'd have control over the zone's contents (incl subdomains, client
caching, refresh, retry & expire periods). Not have to use any stupid
web forms that limit how you use your zone. Have fun using more of
OpenBSD's capabilities.

Do you have others that you could partner with to provide each other's
reciprocal slave DNS service? People on this list - running the most
secure OS?

If for some (bizarre) reason you don't want your DNS server to be
public, then run the above as a hidden master:

1) don't list it in the zone's whois records
2) restrict DNS requests to the slaves only (via the daemon's access
   controls & pf too.)

There's no difference whatsoever for the external provider, and same
benefits as above, but no public queries.

Running a public web or mail server is much more complicated and risky,
so there's not much point in hiding it.

Become a hostmaster - you know you can.

Do it,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
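An added illustration of the hidden-master setup described above (not from Craig's post): it assumes nsd(8) as the daemon, example.com as the zone, RFC 5737 documentation addresses for the master and the registrar's two slaves, and a placeholder TSIG secret.

```conf
# /var/nsd/etc/nsd.conf (hypothetical; OpenBSD keeps nsd's config under
# its /var/nsd chroot). All addresses are documentation ranges and the
# TSIG secret is a placeholder to be replaced with a real generated one.
server:
    ip-address: 192.0.2.10          # the public web/mail host
    hide-version: yes
    zonesdir: "/var/nsd/zones"

key:
    name: "registrar-xfer"
    algorithm: hmac-sha256
    secret: "PLACEHOLDER_BASE64_TSIG_SECRET="

zone:
    name: "example.com"
    zonefile: "master/example.com.zone"
    # Send NOTIFY to each registrar slave and allow only those slaves
    # to pull AXFR/IXFR, authenticated with the shared TSIG key.
    notify: 198.51.100.53 registrar-xfer
    provide-xfr: 198.51.100.53 registrar-xfer
    notify: 203.0.113.53 registrar-xfer
    provide-xfr: 203.0.113.53 registrar-xfer

# /etc/pf.conf fragment. provide-xfr only gates zone transfers; nsd will
# still answer ordinary queries from anyone, so the "hidden" part comes
# from pf: block port 53 inbound, then pass it only from the slaves
# (last matching rule wins). TCP is needed for the transfers themselves.
table <slaves> { 198.51.100.53, 203.0.113.53 }
block in on egress proto { tcp, udp } to (egress) port domain
pass in on egress proto { tcp, udp } from <slaves> to (egress) port domain
```

After editing, `nsd-checkconf` and `pfctl -nf /etc/pf.conf` will catch syntax mistakes before anything is reloaded.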