Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-20 Thread Tom J. Marcoen
Thank you for your valuable feedback. It is much appreciated.

On Fri, 20 Nov 2020 at 19:37, Reindl Harald  wrote:

>
> Am 08.11.20 um 14:44 schrieb Timothe Litt:
>
>
> I'm amazed that this thread has persisted for so long on this list of
> knowledgeable people
>
>
> me too, i would understand that on the spamassassin list but not here and
> what i *really* don't understand is jumping into the thread with "I just
> wanted to comment that there is no requirement to run a secondary DNS
> server"
>
> even if it would not be a requirement (but it is) it's common sense not to
> contradict best practices everyone running critical services is following
>
> there are enough beginners who don't follow best practices anyway, no
> need to encourage them
>
> RFC1034 , one of the two
> foundational RFCs for the DNS:
>
> P.18 in section 4.1 (NAME SERVERS => Introduction):
>
> A given zone will be available from several name servers to insure its
> availability in spite of host or communication link failure.  By
> administrative fiat, we require every zone to be available on at least
> two servers, and many zones have more redundancy than that.
>
> In case the font is too small, the key phrase is:
>
> "we require every zone to be available on at least two servers"
>
> That's "REQUIRE" at least TWO SERVERS
>
> i heard of registries which require even 3 and when they say they require
> it means you have them or you can't register a domain, no RFC needed to
> begin with
>
> https://tools.ietf.org/html/rfc1537 documents common misconfigurations -
> that is, cases of non-conformance to the RFCs that the author encountered
> circa 1993.  It was superseded in 1993 by RFC 1912
> , where section 2.8 starts with "You
> are required to have at least two nameservers for every domain".  Neither
> document supersedes RFC1034; rather they attempt to help with interpreting
> it.
>
> https://www.iana.org/help/nameserver-requirements  consolidates
> information from several RFCs, since the DNS has evolved over time.  It is
> not an RFC, but a convenient summary.  It primarily documents the tests
> performed by IANA when it processes a delegation change to the root, .INT,
> and .ARPA zones.  These tests validate conformance to the RFCs.  As the
> introduction says, "These tests do not measure against best practices or
> comprehensively measure protocol conformance. They are a practical set of
> baseline requirements that catch common misconfiguration errors that impact
> stable operations of the DNS."
>
> Bottom line: two servers per zone are required by the DNS architecture.
> It's not folklore.  It's not optional.
>
> yes
>
> It is true that the DNS is robust enough to function with a number of
> misconfigurations (including just one server for a zone, since in practice
> this is almost indistinguishable from transient conditions.)
>
> Nonetheless, the goal of the DNS architecture (and most of its operators)
> is to have a stable and robust name service.  Misconfigurations, such as
> those documented in rfc1527, make the DNS unstable and fragile.  The
> architecture tends to contain the effects of many misconfigurations, but
> that doesn't make them wise.
>
> As I noted earlier: "DNS appears deceptively simple at first blush.
> Setting up a serviceable infrastructure requires an investment of thought
> and on-going maintenance.  You will not be happy if you skimp on that
> investment, since broken DNS is externally visible - and frequently
> catastrophic."
>
> I'll finish with a 1987 quote from Leslie Lamport on distributed systems,
> which the DNS most certainly is:
>
> "A distributed system is one in which the failure of a computer you didn't
> even know existed can render your own computer  unusable."
>
> Can the quibbling stop now?
>
>
> thank you
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-20 Thread Reindl Harald


Am 08.11.20 um 14:44 schrieb Timothe Litt:


I'm amazed that this thread has persisted for so long on this list of 
knowledgeable people




me too, i would understand that on the spamassassin list but not here 
and what i *really* don't understand is jumping into the thread with "I 
just wanted to comment that there is no requirement to run a secondary 
DNS server"


even if it would not be a requirement (but it is) it's common sense not 
to contradict best practices everyone running critical services is following


there are enough beginners who don't follow best practices anyway, no 
need to encourage them


RFC1034 , one of the two 
foundational RFCs for the DNS:


P.18 in section 4.1 (NAME SERVERS => Introduction):

A given zone will be available from several name servers to insure its
availability in spite of host or communication link failure.  By
administrative fiat, we require every zone to be available on at least
two servers, and many zones have more redundancy than that.

In case the font is too small, the key phrase is:

"we require every zone to be available on at least two servers"

That's "REQUIRE" at least TWO SERVERS

i heard of registries which require even 3 and when they say they 
require it means you have them or you can't register a domain, no RFC 
needed to begin with


https://tools.ietf.org/html/rfc1537 
 documents common 
misconfigurations - that is, cases of non-conformance to the RFCs that 
the author encountered circa 1993.  It was superseded in 1993 by RFC 
1912 , where section 2.8 starts 
with "You are required to have at least two nameservers for every 
domain".  Neither document supersedes RFC1034; rather they attempt to 
help with interpreting it.


https://www.iana.org/help/nameserver-requirements 
 consolidates 
information from several RFCs, since the DNS has evolved over time.  
It is not an RFC, but a convenient summary. It primarily documents the 
tests performed by IANA when it processes a delegation change to the 
root, .INT, and .ARPA zones.  These tests validate conformance to the 
RFCs.  As the introduction says, "These tests do not measure against 
best practices or comprehensively measure protocol conformance. They 
are a practical set of baseline requirements that catch common 
misconfiguration errors that impact stable operations of the DNS."


Bottom line: two servers per zone are required by the DNS 
architecture.  It's not folklore.  It's not optional.



yes

It is true that the DNS is robust enough to function with a number of 
misconfigurations (including just one server for a zone, since in 
practice this is almost indistinguishable from transient conditions.)


Nonetheless, the goal of the DNS architecture (and most of its 
operators) is to have a stable and robust name service. 
Misconfigurations, such as those documented in rfc1527, make the DNS 
unstable and fragile.  The architecture tends to contain the effects 
of many misconfigurations, but that doesn't make them wise.


As I noted earlier: "DNS appears deceptively simple at first blush.  
Setting up a serviceable infrastructure requires an investment of 
thought and on-going maintenance.  You will not be happy if you skimp 
on that investment, since broken DNS is externally visible - and 
frequently catastrophic."


I'll finish with a 1987 quote from Leslie Lamport on distributed 
systems, which the DNS most certainly is:


"A distributed system is one in which the failure of a computer you 
didn't even know existed can render your own computer unusable."


Can the quibbling stop now?



thank you


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Timothe Litt
On 07-Nov-20 14:06, Tom J. Marcoen wrote:
> Having at least two name servers is not a requirement by the RFC
> standards but which TLD allows for only one NS server to be given when
> you register a domain?
>
> On Sat, 7 Nov 2020 at 16:53, Kevin A. McGrail wrote:
>
> On 11/7/2020 10:15 AM, Reindl Harald wrote:
>>
>> https://tools.ietf.org/html/rfc1537
>> Common DNS Data File Configuration Errors
>>
>> 6. Missing secondary servers
>>
>> > It is required that there be a least 2 nameservers
>> > for a domain.
>>
>> -
>>
>> that above is common knowledge virtually forever and the
>> difference of "must" and "should" in IETF wordings is also very
>> clear 
>
> While I agree this is common knowledge as a best practice, this
> rfc is a memo NOT a standard from my reading:
>
>   This memo provides information for the Internet community.  It does
>not specify an Internet standard.  Distribution of this memo is
>unlimited.
>
> Regards,
> KAM
>
>

I'm amazed that this thread has persisted for so long on this list of
knowledgeable people.

RFC1034 , one of the two
foundational RFCs for the DNS:

P.18 in section 4.1 (NAME SERVERS => Introduction):

A given zone will be available from several name servers to insure its
availability in spite of host or communication link failure.  By
administrative fiat, we require every zone to be available on at least
two servers, and many zones have more redundancy than that.

In case the font is too small, the key phrase is:

"we require every zone to be available on at least two servers"

That's "REQUIRE" at least TWO SERVERS.

https://tools.ietf.org/html/rfc1537 documents common misconfigurations -
that is, cases of non-conformance to the RFCs that the author
encountered circa 1993.  It was superseded in 1993 by RFC 1912
, where section 2.8 starts with
"You are required to have at least two nameservers for every domain". 
Neither document supersedes RFC1034; rather they attempt to help with
interpreting it.

https://www.iana.org/help/nameserver-requirements  consolidates
information from several RFCs, since the DNS has evolved over time.  It
is not an RFC, but a convenient summary.  It primarily documents the
tests performed by IANA when it processes a delegation change to the
root, .INT, and .ARPA zones.  These tests validate conformance to the
RFCs.  As the introduction says, "These tests do not measure against
best practices or comprehensively measure protocol conformance. They are
a practical set of baseline requirements that catch common
misconfiguration errors that impact stable operations of the DNS."

Bottom line: two servers per zone are required by the DNS architecture. 
It's not folklore.  It's not optional.

It is true that the DNS is robust enough to function with a number of
misconfigurations (including just one server for a zone, since in
practice this is almost indistinguishable from transient conditions.)

Nonetheless, the goal of the DNS architecture (and most of its
operators) is to have a stable and robust name service. 
Misconfigurations, such as those documented in rfc1527, make the DNS
unstable and fragile.  The architecture tends to contain the effects of
many misconfigurations, but that doesn't make them wise.

As I noted earlier: "DNS appears deceptively simple at first blush. 
Setting up a serviceable infrastructure requires an investment of
thought and on-going maintenance.  You will not be happy if you skimp on
that investment, since broken DNS is externally visible - and frequently
catastrophic."

I'll finish with a 1987 quote from Leslie Lamport on distributed
systems, which the DNS most certainly is:

"A distributed system is one in which the failure of a computer you
didn't even know existed can render your own computer  unusable."

Can the quibbling stop now?

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 





Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Reindl Harald

first: there *is* a requirement of a secondary nameserver
https://www.iana.org/help/nameserver-requirements

Am 07.11.20 um 14:21 schrieb alcol alcol:
you can't run a sec. srv. from your own. You need some action from 
ADMIN-C or TECH-C


yeah, someone needs to tell the registry the nameservers, that's it; 
nobody expects something to work out of the blue



otherwise it will not work at all x RFC SOA refresh 24H


no idea what that means, but it makes no sense


In all case a sec. srv. on the same net


no *not* on the same net

thelounge.net.  86400   IN  NS  ns1.thelounge.net.
thelounge.net.  86400   IN  NS  ns2.thelounge.net.

ns1 = 85.124.176.242
ns2 = 91.118.73.16

in fact ns2 is the master, ns1 is the slave for historical reasons, both 
hosting some hundred domains, both operated by myself for 12 years now


in fact both are even on the same *redundant* cluster
and the whole backends and automation is homegrown



*From:* bind-users  on behalf of Kevin 
A. McGrail 

I just wanted to comment that there is no "requirement" to run a
secondary DNS server.  It's certainly best practice and should be
considered.  However, the goal of having two DNS servers is to promote
redundancy if DNS fails but other services you need have not

this is *not* true at all

https://www.iana.org/help/nameserver-requirements

Requirements for Name Servers

These tests are performed for the set of NS records and any associated 
IP addresses for those name servers. For each individual hostname, tests 
are performed against each IP address and protocol pair.

Minimum number of name servers

There must be at least two NS records listed in a delegation, and the 
hosts must not resolve to the same IP address.

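The IANA test quoted in the post above ("at least two NS records ... must not resolve to the same IP address") and the thread's point about different IP ranges can be checked mechanically before a delegation change. The following is an added example, not code from the thread, from IANA or from BIND; the `EXAMPLE_*` inputs are constructed (the thelounge.net pair is the one shown in the post, the `example.test` names are hypothetical), and the "shared prefix" warning is a heuristic assumed here, not part of the IANA test.

```python
"""Delegation sanity check for the "minimum number of name servers" rule.

Constructed example.  It checks what the IANA page quoted above describes:
at least two NS records, and the hosts must not resolve to the same IP
address.  The extra "all servers in one /24 or /48" warning is an assumption
added here to reflect the thread's advice about separate IP ranges; IANA's
published test does not include it.
"""
import ipaddress
from typing import Dict, List

# Constructed input: the delegation shown in the post, with resolved addresses.
EXAMPLE_OK = {
    "ns1.thelounge.net.": ["85.124.176.242"],
    "ns2.thelounge.net.": ["91.118.73.16"],
}

# Constructed bad input (hypothetical names): two NS names, one address.
EXAMPLE_SAME_IP = {
    "ns1.example.test.": ["192.0.2.53"],
    "ns2.example.test.": ["192.0.2.53"],
}

# Constructed bad input: a single name server.
EXAMPLE_SINGLE = {"ns1.example.test.": ["192.0.2.53"]}


def _prefix(addr: str) -> str:
    """Network prefix used for the diversity heuristic: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    bits = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def check_delegation(ns_records: Dict[str, List[str]]) -> List[str]:
    """Return the problems found; an empty list means the delegation passes.

    ns_records maps each NS hostname to the addresses it resolves to.
    """
    problems: List[str] = []

    # IANA rule 1: at least two NS records in the delegation.
    if len(ns_records) < 2:
        problems.append(
            f"only {len(ns_records)} NS record(s); at least two are required"
        )

    # IANA rule 2: the NS hosts must not resolve to the same IP address.
    seen_ip: Dict[str, str] = {}
    for host, addrs in ns_records.items():
        if not addrs:
            problems.append(f"{host} does not resolve to any address")
        for addr in addrs:
            if addr in seen_ip and seen_ip[addr] != host:
                problems.append(f"{host} and {seen_ip[addr]} both resolve to {addr}")
            seen_ip.setdefault(addr, host)

    # Heuristic (assumption, not an IANA test): warn when every server
    # sits in one prefix, since one link or router failure then takes all down.
    prefixes = {_prefix(a) for addrs in ns_records.values() for a in addrs}
    if len(ns_records) >= 2 and len(prefixes) == 1:
        problems.append(f"all name servers share the prefix {next(iter(prefixes))}")

    return problems


if __name__ == "__main__":
    for label, records in (("ok", EXAMPLE_OK), ("same-ip", EXAMPLE_SAME_IP),
                           ("single", EXAMPLE_SINGLE)):
        print(label, check_delegation(records) or "passes")
```

Feed it the NS RRset and the addresses you get back from the parent's glue (or from resolving each NS name) to reproduce the IANA check locally.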


Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Reindl Harald




Am 05.11.20 um 20:04 schrieb Michael De Roover:

On Thu, 2020-11-05 at 11:27 -0600, Chuck Aurora wrote:

On 2020-11-05 07:36, Bob Harold wrote:

You appear to have confused 'secondary' authoritative servers with a
second 'resolver'.
Authoritative servers - listed in the NS records - are used by other
DNS servers, not by end users, and they will get used equally with the
slaves, if your parent zone has the right NS records also.  Those are
good to outsource the secondaries.


It should perhaps be pointed out here that the DNS protocol has no
means to distinguish among different types of NS host.  (Yes, there is
the SOA MNAME, but that is not used by resolvers.)  One NS is as good
as any other NS.


These (SOA and behavior for resolvers) probably describe where I got
confused, thanks for the explanations!


for many years our SOA was the slave :-)


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-08 Thread Reindl Harald




Am 07.11.20 um 15:36 schrieb Kevin A. McGrail:

On 11/7/2020 9:04 AM, Reindl Harald wrote:

first: there *is* a requirement of a secondary nameserver
https://www.iana.org/help/nameserver-requirements


Does that requirement apply to the use-case? Based on the first
sentence, "These are the technical tests we perform for delegation
changes in the zones we manage (root zone, .INT, .ARPA).", I would guess
it's not applicable.


"Technical requirements for authoritative name servers" includes that 
usecase too, no matter what "technical tests are applied"


-

https://tools.ietf.org/html/rfc1537
Common DNS Data File Configuration Errors

6. Missing secondary servers

> It is required that there be a least 2 nameservers
> for a domain.

-

that above is common knowledge virtually forever and the difference of 
"must" and "should" in IETF wordings is also very clear



Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Tom J. Marcoen
Having at least two name servers is not a requirement by the RFC standards
but which TLD allows for only one NS server to be given when you register a
domain?

On Sat, 7 Nov 2020 at 16:53, Kevin A. McGrail  wrote:

> On 11/7/2020 10:15 AM, Reindl Harald wrote:
>
>
> https://tools.ietf.org/html/rfc1537
> Common DNS Data File Configuration Errors
>
> 6. Missing secondary servers
>
> > It is required that there be a least 2 nameservers
> > for a domain.
>
> -
>
> that above is common knowledge virtually forever and the difference of
> "must" and "should" in IETF wordings is also very clear
>
> While I agree this is common knowledge as a best practice, this rfc is a
> memo NOT a standard from my reading:
>
>   This memo provides information for the Internet community.  It does
>not specify an Internet standard.  Distribution of this memo is
>unlimited.
>
> Regards,
> KAM
>


Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Kevin A. McGrail
On 11/7/2020 10:15 AM, Reindl Harald wrote:
>
> https://tools.ietf.org/html/rfc1537
> Common DNS Data File Configuration Errors
>
> 6. Missing secondary servers
>
> > It is required that there be a least 2 nameservers
> > for a domain.
>
> -
>
> that above is common knowledge virtually forever and the difference of
> "must" and "should" in IETF wordings is also very clear 

While I agree this is common knowledge as a best practice, this rfc is a
memo NOT a standard from my reading:

  This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.

Regards,
KAM



Re: [External] Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Kevin A. McGrail
On 11/7/2020 9:04 AM, Reindl Harald wrote:
> first: there *is* a requirement of a secondary nameserver
> https://www.iana.org/help/nameserver-requirements

Does that requirement apply to the use-case? Based on the first
sentence, "These are the technical tests we perform for delegation
changes in the zones we manage (root zone, .INT, .ARPA).", I would guess
it's not applicable.

Regards,
KAM



Re: How can I launch a private Internet DNS server?

2020-11-07 Thread alcol alcol
you can't run a sec. srv. from your own. You need some action from ADMIN-C or 
TECH-C
otherwise it will not work at all x RFC SOA refresh 24H

In all case a sec. srv. on the same net


From: bind-users  on behalf of Kevin A. 
McGrail 
Sent: Saturday, November 7, 2020 2:03 PM
To: bind-users@lists.isc.org 
Subject: Re: How can I launch a private Internet DNS server?


> Do a web search for "secondary dns provider" and "backup dns provider"
>
I just wanted to comment that there is no "requirement" to run a
secondary DNS server.  It's certainly best practice and should be
considered.  However, the goal of having two DNS servers is to promote
redundancy if DNS fails but other services you need have not.  That may
or may not be the case here and merits consideration of the question,
"what will redundant DNS gain this organization?"

$0.02,

KAM




Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Kevin A. McGrail

> Do a web search for "secondary dns provider" and "backup dns provider"
>
I just wanted to comment that there is no "requirement" to run a
secondary DNS server.  It's certainly best practice and should be
considered.  However, the goal of having two DNS servers is to promote
redundancy if DNS fails but other services you need have not.  That may
or may not be the case here and merits consideration of the question,
"what will redundant DNS gain this organization?"

$0.02,

KAM




Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Timothe Litt

On 06-Nov-20 08:50, Reindl Harald wrote:
>
>
> Am 06.11.20 um 13:25 schrieb Tom J. Marcoen:
>> First of all, sorry that I cannot reply within the thread, I was not
>> yet a member of the mailing list when those emails were sent.
>>
>>> On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:

 Excuse me, I just have one server for DNS and that tutorial is
 about secondary
 DNS server too.
>>>
>>> Just skip the chapter about the secondary.  You're better off buying
>>> secondary
>>> DNS services externally.  A good secondary offloads your server
>>> noticeably, and
>>> keeps the domain alive in case of temporary failures.
>>>
>>> Best
>>> Ale
>>
>> Is it not a requirement to have at least two authoritative name
>> servers? I believe all TLDs require at least two name servers but I
>> must be mistaken as no one pointed this out yet.
>
> yes, and "You're better off buying secondary DNS services externally"
> doesn't say anything else
>
> the point is that the two nameservers are required to be located on
> two different ip-ranges anyways to minimize the risk that both go
> down at the same time
>
Do a web search for "secondary dns provider" and "backup dns provider". 
There are a number of them, some paid, some free.  Not all are equal -
last time I looked, support for DNSSEC was uncommon, especially among
the free ones.  IPv6 support has been lagging, but improving.  Also, if
you use UPDATE, make sure the service that you use supports NOTIFY. 
Some limit or charge according to the number of queries, zones and/or
names - but that doesn't necessarily correlate with price. 

Also look for minimum TTL restrictions - especially with free services. 

I use a free service that does support IPv6, DNSSEC & NOTIFY - and runs
on BIND.

Often the external services provide better geographic diversity than a
small operation can - and have better internet connections. 

If you have the resources, you can also setup an agreement with a
similarly-situated organization for mutual secondary service - you slave
their zones & they slave yours.  This can work well - often at no cost -
especially if the resource demands are roughly equal.

Other caveats: external services typically won't use hostnames in your
domain - or if you want that, will charge you for it.  And if you depend
on views, external services will only work for external views - you'll
need to provide your own secondary servers for internal-only views. 

Finally, if performance matters and you have a dispersed user base, look
for a provider that has a solid infrastructure - ANYCAST is one good
clue.  You'll almost always have to subscribe to a paid service in these
cases, especially with high query rates.

RFC2182 (https://tools.ietf.org/html/rfc2182) is fairly readable and
describes many of the considerations involved in selecting secondary DNS
servers. 

DNS appears deceptively simple at first blush.  Setting up a serviceable
infrastructure requires an investment of thought and on-going
maintenance.  You will not be happy if you skimp on that investment,
since broken DNS is externally visible - and frequently catastrophic.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 





Re: How can I launch a private Internet DNS server?

2020-11-07 Thread Reindl Harald




Am 06.11.20 um 13:25 schrieb Tom J. Marcoen:

First of all, sorry that I cannot reply within the thread, I was not
yet a member of the mailing list when those emails were sent.


On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:


Excuse me, I just have one server for DNS and that tutorial is about secondary
DNS server too.


Just skip the chapter about the secondary.  You're better off buying secondary
DNS services externally.  A good secondary offloads your server noticeably, and
keeps the domain alive in case of temporary failures.

Best
Ale


Is it not a requirement to have at least two authoritative name
servers? I believe all TLDs require at least two name servers but I
must be mistaken as no one pointed this out yet.


yes, and "You're better off buying secondary DNS services externally" 
doesn't say anything else


the point is that the two nameservers are required to be located on two 
different ip-ranges anyways to minimize the risk that both go down at 
the same time



Re: How can I launch a private Internet DNS server?

2020-11-06 Thread Tom J. Marcoen
First of all, sorry that I cannot reply within the thread, I was not
yet a member of the mailing list when those emails were sent.

> On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:
> >
> > Excuse me, I just have one server for DNS and that tutorial is about 
> > secondary
> > DNS server too.
>
> Just skip the chapter about the secondary.  You're better off buying secondary
> DNS services externally.  A good secondary offloads your server noticeably, 
> and
> keeps the domain alive in case of temporary failures.
>
> Best
> Ale

Is it not a requirement to have at least two authoritative name
servers? I believe all TLDs require at least two name servers but I
must be mistaken as no one pointed this out yet.

Regards,
Tom


Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Michael De Roover
On Thu, 2020-11-05 at 11:27 -0600, Chuck Aurora wrote:
> On 2020-11-05 07:36, Bob Harold wrote:
> > You appear to have confused 'secondary' authoritative servers with a
> > second 'resolver'.
> > Authoritative servers - listed in the NS records - are used by other
> > DNS servers, not by end users, and they will get used equally with the
> > slaves, if your parent zone has the right NS records also.  Those are
> > good to outsource the secondaries.
> 
> It should perhaps be pointed out here that the DNS protocol has no
> means to distinguish among different types of NS host.  (Yes, there is
> the SOA MNAME, but that is not used by resolvers.)  One NS is as good
> as any other NS.

These (SOA and behavior for resolvers) probably describe where I got
confused, thanks for the explanations!
-- 
Michael De Roover 



Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Chuck Aurora

On 2020-11-05 07:36, Bob Harold wrote:

On Thu, Nov 5, 2020 at 7:00 AM Michael De Roover 
wrote:

On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:

A good secondary offloads your server noticeably, and
keeps the domain alive in case of temporary failures.


AFAIK, authoritative slave servers are only used when the master is
confirmed to be down. Lookups take significantly longer in such
cases since for every request, the master will be asked first.


This is not true, as Bob points out, and as I add to below.


You appear to have confused 'secondary' authoritative servers with a
second 'resolver'.
Authoritative servers - listed in the NS records - are used by other
DNS servers, not by end users, and they will get used equally with the
slaves, if your parent zone has the right NS records also.  Those are
good to outsource the secondaries.


It should perhaps be pointed out here that the DNS protocol has no
means to distinguish among different types of NS host.  (Yes, there is
the SOA MNAME, but that is not used by resolvers.)  One NS is as good
as any other NS.

For that matter, there is no requirement that any zone should have
different kinds of NS hosts.  Some might still be using out-of-band
means to distribute zone files among multiple master/primary servers.
Others might have all NS as secondary/slave servers, which get their
notifies and transfer the zone from an unlisted (not listed among the
zone's NS records) primary server.

BIND named as resolver is going to try all NS and stick with whichever
gives the fastest responses.
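To make the last two paragraphs concrete, here is an added toy model (not BIND's code, and not a reproduction of its exact SRTT algorithm) of a recursive resolver that has no idea which NS is primary and which is secondary: it keeps a smoothed RTT per server, sends each query to whichever currently looks fastest, and lets the estimates of idle servers decay so that they get re-probed. The server names and the latency profile are constructed.

```python
import random

# Constructed latency profile, (mean_ms, jitter_ms), for the two NS of a zone.
# Deliberately no notion of primary/secondary: the resolver only sees the
# names in the NS RRset, which is the point made above.
SAMPLE_NS_LATENCY = {
    "ns1.example.net.": (40.0, 5.0),   # say, the primary on a slow home uplink
    "ns2.example.net.": (10.0, 5.0),   # say, an outsourced secondary
}

def choose_server(srtt):
    """Pick the NS with the lowest smoothed RTT (ties broken by name)."""
    return min(srtt, key=lambda ns: (srtt[ns], ns))

def update_srtt(srtt, used, sample_ms, alpha=0.3, decay=0.98):
    """EWMA the RTT of the server that answered; let the others' estimates
    decay so they are re-probed now and then instead of being forgotten."""
    for ns in srtt:
        if ns == used:
            srtt[ns] = (1 - alpha) * srtt[ns] + alpha * sample_ms
        else:
            srtt[ns] *= decay

def simulate(latency_ms, queries=200, seed=1):
    """Run `queries` lookups and return how many each NS answered."""
    rng = random.Random(seed)
    srtt = {ns: 0.0 for ns in latency_ms}    # unknown servers start equal
    counts = {ns: 0 for ns in latency_ms}
    for _ in range(queries):
        ns = choose_server(srtt)
        mean, jitter = latency_ms[ns]
        sample = max(0.0, rng.gauss(mean, jitter))   # one measured RTT
        update_srtt(srtt, ns, sample)
        counts[ns] += 1
    return counts

if __name__ == "__main__":
    for ns, n in simulate(SAMPLE_NS_LATENCY).items():
        print(f"{ns:20s} answered {n:3d} of 200 queries")
```

Both servers answer queries, and the share each gets tracks measured speed rather than role: a secondary with the better uplink ends up answering most of them, which matches what Ale reports elsewhere in this thread about secondaries replying faster than the primary.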


Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Reindl Harald




Am 05.11.20 um 12:59 schrieb Michael De Roover:

On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:

A good secondary offloads your server
noticeably, and
keeps the domain alive in case of temporary failures.


AFAIK, authoritative slave servers are only used when the master is
confirmed to be down


impossible, because nobody can know from the outside which is slave and 
which is master


if in doubt, none of the publicly reachable ones is the master at all; both are 
slaves and pull from an internal master that is not publicly reachable



Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Bob Harold
On Thu, Nov 5, 2020 at 7:00 AM Michael De Roover  wrote:

> On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:
> > A good secondary offloads your server
> > noticeably, and
> > keeps the domain alive in case of temporary failures.
>
> AFAIK, authoritative slave servers are only used when the master is
> confirmed to be down. Lookups take significantly longer in such cases
> since for every request, the master will be asked first. This can take
> between 2-4s. There are no performance benefits to running multiple
> name servers as master-slave, though it's fairly easy and offers good
> redundancy (a slow lookup is still better than no lookup). A commercial
> service will have to support zone transfer from your master, and said
> master has to have that commercial service authorized to pull your
> zone(s). I haven't personally heard of such services, and would
> probably just run another BIND box somewhere else (different hosting
> provider or something like that).
> --
> Michael De Roover 
>

You appear to have confused 'secondary' authoritative servers with a second
'resolver'.
Authoritative servers - listed in the NS records - are used by other DNS
servers, not by end users, and they will get used equally with the slaves,
if your parent zone has the right NS records also.  Those are good to
outsource the secondaries.
But a second resolver - the addresses listed in /etc/resolv.conf or the
"DNS servers" seen in windows client settings, will only be used by the
client if the first server does not respond.  For that, you can use a
public resolver like Google 8.8.8.8 as the second choice for your users.

-- 
Bob Harold


Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Alessandro Vesely

On Thu 05/Nov/2020 12:59:37 +0100 Michael De Roover wrote:

On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:

A good secondary offloads your server
noticeably, and 
keeps the domain alive in case of temporary failures.


AFAIK, authoritative slave servers are only used when the master is
confirmed to be down. Lookups take significantly longer in such cases
since for every request, the master will be asked first. This can take
between 2-4s. There are no performance benefits to running multiple
name servers as master-slave, though it's fairly easy and offers good
redundancy (a slow lookup is still better than no lookup).



IME, slave servers[*] are queried all the time, and since they have a better 
connection than I do, they reply faster.




A commercial
service will have to support zone transfer from your master, and said
master has to have that commercial service authorized to pull your
zone(s).



Yes



I haven't personally heard of such services, and would
probably just run another BIND box somewhere else (different hosting
provider or something like that).



It costs much more.


Best
Ale
--

[*]  Oops, *secondary* servers --they said not to use /slave/ since gone with 
the wind was censored, lest the DNS gets censored as well... Oh gosh!





Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Michael De Roover
On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:
> A good secondary offloads your server
> noticeably, and 
> keeps the domain alive in case of temporary failures.

AFAIK, authoritative slave servers are only used when the master is
confirmed to be down. Lookups take significantly longer in such cases
since for every request, the master will be asked first. This can take
between 2-4s. There are no performance benefits to running multiple
name servers as master-slave, though it's fairly easy and offers good
redundancy (a slow lookup is still better than no lookup). A commercial
service will have to support zone transfer from your master, and said
master has to have that commercial service authorized to pull your
zone(s). I haven't personally heard of such services, and would
probably just run another BIND box somewhere else (different hosting
provider or something like that).
-- 
Michael De Roover 



Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Alessandro Vesely

On Thu 15/Oct/2020 18:57:16 +0200 Jason Long via bind-users wrote:


Excuse me, I just have one server for DNS and that tutorial is about secondary 
DNS server too.



Just skip the chapter about the secondary.  You're better off buying secondary 
DNS services externally.  A good secondary offloads your server noticeably, and 
keeps the domain alive in case of temporary failures.



Best
Ale



On Thu, Oct 15, 2020 at 8:15 PM, Michael De Roover
 wrote:

There are various tutorials online for making
authoritative DNS servers, such as this one:
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04





Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Alessandro Vesely

On Thu 15/Oct/2020 20:59:32 +0200 Stephane Bortzmeyer wrote:

On Thu, Oct 15, 2020 at 11:16:05AM -0700,
  Fred Morris  wrote
  a message of 50 lines which said:


2) If you want to run your own DNS nameservers, you will need to buy a
   book, read the (BIND) Administrator's Reference Manual, and/or some
   RFCs


Very bad advice. RFCs are not for the faint of heart and the RFC on
DNS (RFC 1034 and 1035) are among the most difficult. And they were
never kept up-to-date so there are a lot of obsolete things in it.



Yet, some RFCs seem to make for a good introductory course.  For example:
https://tools.ietf.org/html/rfc8499


Best
Ale
--



Re: How can I launch a private Internet DNS server?

2020-10-21 Thread Reindl Harald




Am 16.10.20 um 11:34 schrieb Michael De Roover:

Interesting article, thanks for sharing this! I'm slightly confused
about some things in it though. Does this mean that any traffic will be
put on the connection tracker and be treated as stateful unless we use
CT --notrack, or can the kernel make a heuristic based on what's in the
iptables rule (i.e. if it only covers a port or a network range, it
must be stateless)


conntrack is *always* part of the game unless you set "notrack" in the 
raw table, which is the only stateless one


raw -> mangle -> filter

at the point where conntrack steps in, the filter table with your normal rules 
is not part of the game at all


https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png


Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Paul Kosinski via bind-users
With regard to using chroot, hasn't named/BIND long had the "-u" (user)
and "-t" (directory) options to accomplish the same thing more easily?


On Fri, 16 Oct 2020 12:47:35 -0500
Chuck Aurora  wrote:

> /me catching up on earlier parts of this thread,
> 
> On 2020-10-15 11:42, alcol alcol wrote:
> > A DNS server can exist if you follow NIC instructions.
> >  Mainly have you a leased line ever on? primary DNS can't be down or
> > NIC could down your domain.
> >  Then you have to install and configure it. Better a fedora core , and  
> 
> I'm not sure what all that means (language barrier, perhaps), but I
> have some gripes with what I do understand.
> 
> First, re: Fedora, no one distro/OS can truly claim to be best.  The
> best advice to a beginner is to choose one and to learn it very well.
> Fedora can be a good choice, as can other GNU/Linux distros, as also
> can be various *BSD flavors.  The point is: it depends what the user
> is comfortable to manage.
> 
> > CHROOT, DNS is one of the services more targeted to enter inside a
> > system.  
> 
> False.  A chroot is a fine idea if you know how to set it up and to
> maintain it, but it is certainly not a requirement for a beginner.  A
> beginner in BIND (as in anything else) will do best by starting simple
> and building on what is learned.
> 
> Also, while DNS is indeed a target of abuse, I honestly cannot recall
> a single exploit of BIND 9 that would lead to system penetration.  It
> is true that BIND's named has had more than its share of security
> issues and bugs, but TTBOMK all of these have been crashes, causing
> only denial of service.


Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Chuck Aurora

/me catching up on earlier parts of this thread,

On 2020-10-15 11:42, alcol alcol wrote:

A DNS server can exist if you follow NIC instructions.
 Mainly have you a leased line ever on? primary DNS can't be down or
NIC could down your domain.
 Then you have to install and configure it. Better a fedora core , and


I'm not sure what all that means (language barrier, perhaps), but I
have some gripes with what I do understand.

First, re: Fedora, no one distro/OS can truly claim to be best.  The
best advice to a beginner is to choose one and to learn it very well.
Fedora can be a good choice, as can other GNU/Linux distros, as also
can be various *BSD flavors.  The point is: it depends what the user
is comfortable to manage.


CHROOT, DNS is one of the services more targeted to enter inside a
system.


False.  A chroot is a fine idea if you know how to set it up and to
maintain it, but it is certainly not a requirement for a beginner.  A
beginner in BIND (as in anything else) will do best by starting simple
and building on what is learned.

Also, while DNS is indeed a target of abuse, I honestly cannot recall
a single exploit of BIND 9 that would lead to system penetration.  It
is true that BIND's named has had more than its share of security
issues and bugs, but TTBOMK all of these have been crashes, causing
only denial of service.


Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Chuck Aurora

On 2020-10-16 06:05, Sami Ait Ali Oulahcen via bind-users wrote:

I've been looking for a way to implement this on nft or through
firewalld, but couldn't find anything comprehensive.

So if it does get updated, please let us know :)


It won't be by me, for more than one reason (I am no longer at ISC,
and I am not [yet] a nft user, and I'm NEVER going to be a user of
firewalld.)

I can, however, suggest that there is nothing stopping you from
staying with iptables through the "legacy" tools which install.
The iptables framework is not planned for deprecation AFAIK.  The
Netfilter project likes to see users moving to the new framework,
but they well understand that millions of production sites are
hesitant to make changes on something which works well.


Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Chuck Aurora

On 2020-10-16 04:34, Michael De Roover wrote:

Interesting article, thanks for sharing this! I'm slightly confused


YW!


about some things in it though. Does this mean that any traffic will be
put on the connection tracker and be treated as stateful unless we use
CT --notrack, or can the kernel make a heuristic based on what's in the
iptables rule (i.e. if it only covers a port or a network range, it
must be stateless)?


Everything is kept in the kernel's conntrack table unless connection
tracking is disabled for any given packet.  Conntrack table lifetimes
vary per L4 protocol and can be tweaked by kernel sysctl(8) settings.
I'm not sure what the defaults are nor precisely where they are
documented, but they are probably in the kernel source tree's
"Documentation/" subdirectory.


What constitutes a busy server? For a recursor it'd be easy to achieve
high throughput, but does an authoritative name server for a single
website need it?


This was an ISC customer site, a major ISP.  They provisioned a new
RHEL server for DNS and it was failing miserably with all the dmesg
about "Conntrack table full; dropping packet".  It has been a lot of
years since then, so I am not sure if it was an authoritative or
recursive server, but the possibility of conntrack table overflow
exists for either.

Of course only a big site  (or a foolish one with 53/udp open to the
world) is likely to have a recursive server busy enough for this.

If you're just a small operator, you're mostly unlikely to be bitten
in this way.  But then you never know when you could be "slashdotted",
so it's better to be safe than to be surprised by a DoS.


On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:

Absolutely right; I wrote this Linux-centric article about it:

https://kb.isc.org/docs/aa-01183

It has not been updated to cover nftables.

Note also that this is a good reason NOT to use the NAT that
other posters have encouraged.



Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Sami Ait Ali Oulahcen via bind-users
I've been looking for a way to implement this on nft or through 
firewalld, but couldn't find anything comprehensive.


So if it does get updated, please let us know :)

On 10/16/20 10:34 AM, Michael De Roover wrote:

Interesting article, thanks for sharing this! I'm slightly confused
about some things in it though. Does this mean that any traffic will be
put on the connection tracker and be treated as stateful unless we use
CT --notrack, or can the kernel make a heuristic based on what's in the
iptables rule (i.e. if it only covers a port or a network range, it
must be stateless)?

What constitutes a busy server? For a recursor it'd be easy to achieve
high throughput, but does an authoritative name server for a single
website need it?

On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:

Absolutely right; I wrote this Linux-centric article about it:

https://kb.isc.org/docs/aa-01183

It has not been updated to cover nftables.

Note also that this is a good reason NOT to use the NAT that
other posters have encouraged.



Re: How can I launch a private Internet DNS server?

2020-10-16 Thread Michael De Roover
Interesting article, thanks for sharing this! I'm slightly confused
about some things in it though. Does this mean that any traffic will be
put on the connection tracker and be treated as stateful unless we use
CT --notrack, or can the kernel make a heuristic based on what's in the
iptables rule (i.e. if it only covers a port or a network range, it
must be stateless)?

What constitutes a busy server? For a recursor it'd be easy to achieve
high throughput, but does an authoritative name server for a single
website need it?

On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
> Absolutely right; I wrote this Linux-centric article about it:
> 
> https://kb.isc.org/docs/aa-01183
> 
> It has not been updated to cover nftables.
> 
> Note also that this is a good reason NOT to use the NAT that
> other posters have encouraged.
-- 
Michael De Roover 



Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Chuck Aurora

On 2020-10-15 14:38, sth...@nethelp.no wrote:

I would run a firewall even for BIND alone on a box in case the box
gets compromised through BIND. Allowing remote access and DNS, then
dropping everything else as the general firewall policy should be
pretty straightforward. But with the IP on this particular BIND box
being public, it's really like any other server on the internet. Port
forwarding or NAT in that case would be unnecessary.


Do you mean a simple stateless ACL, or a stateful firewall? If you
really mean a stateful firewall: Think about the effect of DNS
queries - they are usually UDP based, and every new query is going
to create state. Read up on state table exhaustion.


Absolutely right; I wrote this Linux-centric article about it:

https://kb.isc.org/docs/aa-01183

It has not been updated to cover nftables.

Note also that this is a good reason NOT to use the NAT that
other posters have encouraged.


Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
Simply stateless. Something along the lines of this (iptables):

# SSH may be internal only or moved to a different port
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
# Enable DNS on both TCP and UDP
iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 53 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow internal network traffic
iptables -A INPUT -s $internal -j ACCEPT
# Set the general input policy to drop traffic.
iptables -P INPUT DROP

What I'm concerned with security-wise is that if BIND has an RCE
vulnerability, an unprivileged user might be able to "upload a shell"
that gets executed and listens on another port. With all other ports
closed, this can be prevented. It does not prevent against privilege
escalation vulnerabilities though, as root can of course adjust the
firewall at will. But I wouldn't consider security as "being
unhackable", rather making it as hard as possible to get in. A firewall
is a good starting point for that.

On Thu, 2020-10-15 at 21:38 +0200, sth...@nethelp.no wrote:
> > I would run a firewall even for BIND alone on a box in case the box
> > gets compromised through BIND. Allowing remote access and DNS, then
> > dropping everything else as the general firewall policy should be
> > pretty straightforward. But with the IP on this particular BIND box
> > being public, it's really like any other server on the internet.
> Port
> > forwarding or NAT in that case would be unnecessary.
> 
> Do you mean a simple stateless ACL, or a stateful firewall? If you
> really mean a stateful firewall: Think about the effect of DNS
> queries - they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.
> 
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
-- 
Michael De Roover 
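The ruleset above, Steinar's state-table question and the conntrack remarks made elsewhere in this thread (the raw-table "notrack" point and the "Conntrack table full; dropping packet" dmesg) are pulled together in this added example, which is not code from any of the posters: a constructed iptables-save dump of a ruleset like Michael's, beside one that adds raw-table NOTRACK rules for port 53, and a small audit function that reports whether DNS packets would still be entered into the conntrack table. The 192.0.2.0/24 "internal" network stands in for $internal and is a placeholder.

```python
import re

# Constructed iptables-save dump modelled on the ruleset posted above:
# DNS is accepted in the filter table, but nothing keeps it out of conntrack.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
COMMIT
"""

# Same filter policy plus raw-table rules so port-53 packets are never
# entered into the conntrack table: queries in via PREROUTING, replies out
# via OUTPUT.  "-j CT --notrack" is the current spelling of "-j NOTRACK".
NOTRACK_RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
-A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
-A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table_name: [rule, ...]} from iptables-save style text."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*raw", "*filter": start of a table
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)    # chain policies and COMMIT are skipped
    return tables

def _is_notrack(rule, chain, proto, port_opt):
    """Does this raw-table rule exempt proto/53 in the given chain?"""
    return (rule.startswith(f"-A {chain} ")
            and re.search(rf"-p {proto}\b", rule) is not None
            and re.search(rf"--{port_opt} 53\b", rule) is not None
            and ("-j NOTRACK" in rule or "-j CT --notrack" in rule))

def audit_dns_conntrack(text):
    """List what is missing for DNS to stay out of conntrack (empty = fine)."""
    raw = parse_iptables_save(text).get("raw", [])
    findings = []
    for proto in ("udp", "tcp"):
        if not any(_is_notrack(r, "PREROUTING", proto, "dport") for r in raw):
            findings.append(f"{proto}/53 queries: no NOTRACK in raw PREROUTING, "
                            "every query creates a conntrack entry")
        if not any(_is_notrack(r, "OUTPUT", proto, "sport") for r in raw):
            findings.append(f"{proto}/53 replies: no NOTRACK in raw OUTPUT")
    return findings

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULESET), ("notrack", NOTRACK_RULESET)):
        print(name, audit_dns_conntrack(dump) or "ok")
```

Against the first dump the audit returns four findings, one per protocol and direction; against the second it returns none. Three caveats before copying the second ruleset: the `-m state` match on the ICMP rule keeps the conntrack module loaded, and a loaded conntrack tracks every packet the raw table did not exempt, so the NOTRACK rules, not the word "stateless", are what keep 53/udp out of the table; untracked packets can never match ESTABLISHED, so DNS has to be accepted by explicit port rules as it is here; and with INPUT DROP and no ESTABLISHED rule, replies to connections the box itself opens (a zone transfer it pulls, a package update) are dropped unless they arrive from $internal or are allowed separately. A recursive server needs the mirror-image exemptions as well (OUTPUT --dport 53 and PREROUTING --sport 53) for the queries it sends out. Where conntrack has to stay on for DNS, net.netfilter.nf_conntrack_max is the sysctl that sizes the table whose overflow produces the "table full, dropping packet" message Chuck mentions.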



Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread sthaug
> I would run a firewall even for BIND alone on a box in case the box
> gets compromised through BIND. Allowing remote access and DNS, then
> dropping everything else as the general firewall policy should be
> pretty straightforward. But with the IP on this particular BIND box
> being public, it's really like any other server on the internet. Port
> forwarding or NAT in that case would be unnecessary.

Do you mean a simple stateless ACL, or a stateful firewall? If you
really mean a stateful firewall: Think about the effect of DNS
queries - they are usually UDP based, and every new query is going
to create state. Read up on state table exhaustion.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
I would run a firewall even for BIND alone on a box in case the box
gets compromised through BIND. Allowing remote access and DNS, then
dropping everything else as the general firewall policy should be
pretty straightforward. But with the IP on this particular BIND box
being public, it's really like any other server on the internet. Port
forwarding or NAT in that case would be unnecessary.

On Thu, 2020-10-15 at 21:01 +0200, Stephane Bortzmeyer wrote:
> On Thu, Oct 15, 2020 at 02:03:52PM -0400,
>  Kevin A. McGrail  wrote 
>  a message of 8 lines which said:
> 
> > Firewalls are cheap and the level of effort to run a bastion host
> > are
> > significant.
> 
> Firewalls are useful when you want to protect unmanaged printers and
> Windows boxes (or Web servers with a lot of crappy PHP) but a BIND
> server on a reasonably managed Unix box does not need them.
> 
-- 
Michael De Roover 



Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Kevin A. McGrail
On 10/15/2020 2:50 PM, Jason Long via bind-users wrote:
> Yes.
> In the panel of domain name registrar I can enter something like 
> "NS1.example.net" and an IP address.
> I want to host the DNS server myself.

Oh yes, you will also need a domain name registrar that lets you
register the nameserver glue record.

For example, ns.pccc.com is authoritative for pccc.com which creates a
catch-22.  The solution is a nameserver glue record which your registrar
has to handle.

Regards,
KAM
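An added check (not Kevin's or Jason's code) for the catch-22 described above: given a zone and its NS names, decide which nameservers are in-bailiwick, i.e. named inside the zone they serve and therefore in need of glue addresses registered at the parent through the registrar, and verify that the parent actually holds an address for each. ns.pccc.com is the example from the message; the other names and the 192.0.2.53 address are constructed.

```python
def _labels(name):
    """Lowercase labels of a DNS name; trailing dot and empty labels dropped."""
    return [lab for lab in name.strip().lower().rstrip(".").split(".") if lab]

def normalize(name):
    """Canonical form used as a dictionary key: lowercase, no trailing dot."""
    return ".".join(_labels(name))

def in_bailiwick(ns_name, zone):
    """True when ns_name is at or below zone, compared label by label (so
    notpccc.com is not under pccc.com).  Such a nameserver's own address
    record lives inside the zone it serves: the catch-22 above."""
    ns, z = _labels(ns_name), _labels(zone)
    return len(ns) >= len(z) and ns[len(ns) - len(z):] == z

def glue_needed(zone, ns_names):
    """Sorted NS names for which the parent must carry glue addresses."""
    return sorted(normalize(ns) for ns in ns_names if in_bailiwick(ns, zone))

def check_delegation(zone, ns_names, parent_glue):
    """parent_glue maps NS name -> addresses registered at the parent (what
    the registrar panel stores).  Returns (ok, missing); missing lists the
    in-bailiwick NS without glue, which a resolver could only find by
    asking the very zone it is trying to reach."""
    glue = {normalize(k): v for k, v in parent_glue.items()}
    missing = [ns for ns in glue_needed(zone, ns_names) if not glue.get(ns)]
    return (not missing, missing)

if __name__ == "__main__":
    # Jason's case: one self-hosted server named inside its own zone
    # (example.net and 192.0.2.53 are constructed documentation values).
    zone, servers = "example.net", ["NS1.example.net"]
    print(check_delegation(zone, servers, {}))
    print(check_delegation(zone, servers, {"ns1.example.net": ["192.0.2.53"]}))
```

An out-of-bailiwick nameserver (say ns2.other.example for pccc.com) never shows up in `glue_needed`, because a resolver can find its address through its own zone's delegation; that is also why a single self-hosted server named under its own domain cannot be made to work from the zone file alone and must be entered, with its IP, in the registrar panel.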



Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 02:03:52PM -0400,
 Kevin A. McGrail  wrote 
 a message of 8 lines which said:

> Firewalls are cheap and the level of effort to run a bastion host are
> significant.

Firewalls are useful when you want to protect unmanaged printers and
Windows boxes (or Web servers with a lot of crappy PHP) but a BIND
server on a reasonably managed Unix box does not need them.



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 11:16:05AM -0700,
 Fred Morris  wrote 
 a message of 50 lines which said:

> 2) If you want to run your own DNS nameservers, you will need to buy a
>    book, read the (BIND) Administrator's Reference Manual, and/or some
>    RFCs

Very bad advice. RFCs are not for the faint of heart and the RFC on
DNS (RFC 1034 and 1035) are among the most difficult. And they were
never kept up-to-date so there are a lot of obsolete things in it.


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Jason Long via bind-users
Thanks, but for some security reasons I don't like to host my DNS and Apache 
server on one server.

On Thursday, October 15, 2020, 08:53:30 PM GMT+3:30, alcol alcol 
 wrote: 

A tutorial can't be done for your specific case.

Follow the section for primary DNS and discard the secondary section.

Two IPs aren't needed, one for web and one for DNS; if you want, all can be done 
with 1 IP.

Be sure you have 80, 443, 53/tcp and 53/udp open from the Internet to your server.

 
From: bind-users  on behalf of Jason Long via 
bind-users 
Sent: Thursday, October 15, 2020 6:57 PM
To: i...@nixmagic.com ; Michael De Roover 
; bind-users@lists.isc.org 
Subject: Re: How can I launch a private Internet DNS server? 
 


Yes, I have two static IP addresses. One is for the DNS server and one is for my 
website. 
Excuse me, I just have one server for DNS and that tutorial is about a secondary 
DNS server too. Can you show me another tutorial with one server and the same goal?

Is the Internet DNS server for my goal an "Authoritative DNS"? 






>  
>  
> On Thu, Oct 15, 2020 at 8:15 PM, Michael De Roover
> 
>  wrote:
> 
> 
>  Assuming that this is running off a home network, yes you could
> technically do it. Probably the registrar's name servers will be more
> reliable however. I'll also assume that your public IP is static.
> Otherwise it may only be suitable for the website, with a Dynamic DNS
> service that can regularly update the records as your IP changes. This
> means that you'll have to use someone else's DNS servers to host your
> records.
> 
> You can run BIND locally and make it an authoritative name server. Your
> router can port forward traffic to port 53/udp to your local IP that
> your DNS server is on. There are various tutorials online for making
> authoritative DNS servers, such as this one: 
> https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04
> .
> 
> At the registrar you'll need to select "custom name server" or
> something along those lines. Then you have to insert NS records there
> that point to the nameserver addresses for your domain(s). Check your
> registrar's documentation for instructions on how to add NS records.
> 
> 
> On Thu, 2020-10-15 at 16:36 +, Jason Long via bind-users wrote:
>> Hello,
>> I have a question about launching a DNS server with CentOS for
>> hosting a web server. Excuse me, if my question is so basic and
>> funny. I need expert advice about it.
>> I registered a domain name for my web site and in the panel of it, I
>> can enter my DNS server IP addresses. I want to launch a CentOS DNS
>> server that my Web site using it and users can visit my website from
>> the Internet. These two servers (DNS and Web server) are in a local
>> network and connected to the Internet with a Gateway. Each server has
>> an internal and a public IP address.
>> I want to enter my DNS server IP address in my website panel and
>> after it, users can visit my website from the Internet. I'm thankful
>> if anyone show me a tutorial to launch my DNS server for this goal.
>> All tutorials that I found on the internet are about internal DNS
>> servers, but I want to launch a DNS server for hosting my website.
>> Is Internet DNS server just possible for providers?
>> 
>> Thank you.
>> 
>> 
> 
> --
> Michael De Roover


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Jason Long via bind-users
My static IP addresses are public.

On Thursday, October 15, 2020, 08:42:42 PM GMT+3:30, Michael De Roover
 wrote:

Are these static IP's local or public? If local, you can instruct your
router to port forward to these. If these are public, I guess these
machines make a direct connection to the internet with a public IP on
their interface then? In that case you can omit any port forwarding.

The secondary DNS server is for redundancy. You can omit any
instructions regarding it when following the tutorial if you intend to
only make one. The server type would indeed be authoritative - the
other type would be recursive which is generally what ISP's have for
their customers, but I would avoid that because they can be used for
DNS amplification attacks (the authoritative ones can too but it's less
of an issue with those).

On Thu, 2020-10-15 at 16:57 +, Jason Long wrote:
> Yes, I have two static IP addresses. One is for DNS server and one is
> for my website.
> Excuse me, I just have one server for DNS and that tutorial is about
> secondary DNS server too. Can you show me another tutorial with one
> server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ? 
-- 
Michael De Roover 



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Jason Long via bind-users
Yes.
In the panel of domain name registrar I can enter something like
"NS1.example.net" and an IP address.
I want to host the DNS server myself.

On Thursday, October 15, 2020, 08:36:35 PM GMT+3:30, Stephane Bortzmeyer
 wrote:

On Thu, Oct 15, 2020 at 04:36:58PM +,
Jason Long via bind-users  wrote 
a message of 1594 lines which said:

> in the panel of it, I can enter my DNS server IP addresses.

I assume you refer to the panel of your domain name registrar. If so,
it would be useful to know which is the label near the field where you
enter the IP address. It may be to give an IP address to the
www.yourdomainname, not to indicate your DNS server.

> I want to launch a CentOS DNS server that my Web site using it and
> users can visit my website from the Internet.

I have a meta-question: do you absolutely want to host the DNS
yourself (it is certainly possible but it is more work) or do you just
want to have "a Web site that people can visit"? If you don't have a
specific reason to host the DNS server(s) yourself, consider using a
DNS hoster (most domain name registrars can be DNS hosters).

"For the fun" or "to learn DNS" are perfectly valid reasons.

> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.

There is no real difference between an internal DNS server and a
publicly reachable one. Same DNS, same software.

> Is Internet DNS server just possible for providers?

Certainly not. You can host a publicly-reachable DNS server
yourself. It is not rocket science but it requires some basic
knowledge about the TCP/IP family of protocols and about how things
fit together.



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Fred Morris
If this question has a simple answer, you're confounding it by not
asking a simple, concise question.


On Thu, 15 Oct 2020, Jason Long via bind-users wrote:

> [...]
> I need expert advice about it.

If you need expert advice that's accurate and guaranteed to work, hire a
professional. ;-)

> I registered a domain name for my web site
> and in the panel of it, I can enter my DNS server IP addresses. I want
> to launch a CentOS DNS server that my Web site using it and users can
> visit my website from the Internet.
>
> [...]


1) The simple answer is that you don't need to run your own DNS server,
   you're done. Once you enter the address and server name correctly in
   your DNS registrar's control panel, that's how people will use the DNS
   to find the address of your that (web or whatever) server.

2) If you want to run your own DNS nameservers, you will need to buy a
   book, read the (BIND) Administrator's Reference Manual, and/or some
   RFCs to set them up properly. In terms of your registrar, you would
   enter the names of your DNS servers and addresses as A/ records,
   and set up NS records referencing the names of those DNS servers.

So which is it:

* Hi I'm Jason and I want to create a DNS record so that the world can
  find my web server. How do I do that? (answer #1)

* Hi I'm Jason and I want to run my own nameservers for a bunch of
  irrelevant reasons such as CentOS, web servers and stuff. How do I do
  that? (answer #2)

--

Fred Morris



Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Kevin A. McGrail
On 10/15/2020 1:00 PM, Stephane Bortzmeyer wrote:
> He said that the DNS server has a public IP address so port forwarding
> is probably not necessary. 

Firewalls are cheap and the level of effort to run a bastion host is
significant.

I'd recommend port forwarding as a necessary task.


Re: [External] Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Kevin A. McGrail
On 10/15/2020 12:57 PM, Jason Long via bind-users wrote:
> Yes, I have two static IP addresses. One is for DNS server and one is
> for my website.
> Excuse me, I just have one server for DNS and that tutorial is about
> secondary DNS server too. Can you show me another tutorial with one
> server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ?

Recommend you set up a Linux box with BIND or something installed behind
a firewall.

Port forward port 53 for protocols TCP AND UDP to your internal IP address.

Set up BIND to respond to queries for the internal IP address (it likely
only responds to localhost by default).

Limit it so it doesn't do recursion for the Internet queries.

Set up a zone on the box for a domain.

Point your domain registrar to the IP address of your DNS box.

Voila, you now have an authoritative name server.

Regards,
KAM
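KAM's steps above as files, added here as an example that is not from the thread or from ISC: a POSIX shell script that writes an authoritative-only named.conf and a zone file, then validates them with BIND's named-checkconf and named-checkzone when those are installed. The internal address 10.0.0.10, the public address 192.0.2.10 and the zone example.com are constructed placeholders; /var/named is the CentOS package default directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the steps above as files:
# an authoritative-only named.conf plus a zone file, for a BIND box on an
# internal address that the firewall forwards 53/tcp and 53/udp to.
# Constructed placeholders used in the usage line at the bottom:
#   10.0.0.10    internal address BIND listens on (the port-forward target)
#   192.0.2.10   public address the registrar's glue record points at
#   example.com  the domain registered at the registrar

write_named_conf() {
    # $1 = output directory, $2 = internal IP to listen on, $3 = zone name
    cat > "$1/named.conf" <<EOF
options {
    directory "/var/named";   // CentOS package default
    // Answer on the internal address the firewall forwards to,
    // not only on localhost (the package default).
    listen-on port 53 { 127.0.0.1; $2; };
    listen-on-v6 { none; };

    // Authoritative only. Refusing recursion for everyone means the
    // box cannot be used as an open resolver for amplification attacks.
    recursion no;
    allow-recursion { none; };
    allow-query { any; };        // the Internet may ask for our own zone
    allow-query-cache { none; };
    allow-transfer { none; };    // no secondary yet, so refuse zone transfers
    // Response rate limiting blunts reflection off the authoritative data
    // itself (the residual risk mentioned upthread).
    rate-limit { responses-per-second 10; };
    version "not disclosed";
};

// The zone this server is authoritative for.
zone "$3" IN {
    type master;
    file "$3.zone";
};
EOF
}

write_zone_file() {
    # $1 = output directory, $2 = zone name, $3 = public IP of the web/DNS host
    cat > "$1/$2.zone" <<EOF
\$TTL 3600
\$ORIGIN $2.
@   IN SOA ns1.$2. hostmaster.$2. (
        2020101501 ; serial (YYYYMMDDnn), bump on every change
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; negative-caching TTL
; ns1 plus its address is what gets entered at the registrar.
; Registries commonly require at least two name servers; a second one
; would be added as another NS record (and an ns2 A record) once it exists.
@   IN NS  ns1.$2.
ns1 IN A   $3
@   IN A   $3
www IN A   $3
EOF
}

check_config() {
    # $1 = output directory, $2 = zone name. Uses BIND's own checkers when
    # installed; otherwise verifies the security-relevant lines with grep.
    if command -v named-checkconf >/dev/null 2>&1 &&
       command -v named-checkzone >/dev/null 2>&1; then
        named-checkconf "$1/named.conf" &&
        named-checkzone "$2" "$1/$2.zone" >/dev/null
    else
        grep -q '^ *recursion no;' "$1/named.conf" &&
        grep -q 'allow-transfer { none; };' "$1/named.conf" &&
        grep -q "^@   IN NS  ns1\.$2\." "$1/$2.zone"
    fi
}

# Usage on the DNS box (constructed values; for real use write into /etc and
# /var/named): d=$(mktemp -d); write_named_conf "$d" 10.0.0.10 example.com;
# write_zone_file "$d" example.com 192.0.2.10; check_config "$d" example.com
```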



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread alcol alcol
A tutorial can't be made for your specific case.
Follow the section for primary DNS and discard the secondary section.

Two IPs aren't needed, one for web and one for DNS; if you want, all can be done
with 1 IP.

Be sure you have 80 443 53tcp 53udp open from internet to your server.

From: bind-users  on behalf of Jason Long via
bind-users 
Sent: Thursday, October 15, 2020 6:57 PM
To: i...@nixmagic.com ; Michael De Roover 
; bind-users@lists.isc.org 
Subject: Re: How can I launch a private Internet DNS server?

Yes, I have two static IP addresses. One is for DNS server and one is for my 
website.
Excuse me, I just have one server for DNS and that tutorial is about secondary 
DNS server too. Can you show me another tutorial with one server and same goal?
The Internet DNS server for my goal is "Authoritative DNS" ?



On Thu, Oct 15, 2020 at 8:15 PM, Michael De Roover
 wrote:
Assuming that this is running off a home network, yes you could
technically do it. Probably the registrar's name servers will be more
reliable however. I'll also assume that your public IP is static.
Otherwise it may only be suitable for the website, with a Dynamic DNS
service that can regularly update the records as your IP changes. This
means that you'll have to use someone else's DNS servers to host your
records.

You can run BIND locally and make it an authoritative name server. Your
router can port forward traffic to port 53/udp to your local IP that
your DNS server is on. There are various tutorials online for making
authoritative DNS servers, such as this one:
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04
.

At the registrar you'll need to select "custom name server" or
something along those lines. Then you have to insert NS records there
that point to the nameserver addresses for your domain(s). Check your
registrar's documentation for instructions on how to add NS records.

On Thu, 2020-10-15 at 16:36 +, Jason Long via bind-users wrote:
> Hello,
> I have a question about launching a DNS server with CentOS for
> hosting a web server. Excuse me, if my question is so basic and
> funny. I need expert advice about it.
> I registered a domain name for my web site and in the panel of it, I
> can enter my DNS server IP addresses. I want to launch a CentOS DNS
> server that my Web site using it and users can visit my website from
> the Internet. These two servers (DNS and Web server) are in a local
> network and connected to the Internet with a Gateway. Each server has
> an internal and a public IP address.
> I want to enter my DNS server IP address in my website panel and
> after it, users can visit my website from the Internet. I'm thankful
> if anyone show me a tutorial to launch my DNS server for this goal.
> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.
> Is Internet DNS server just possible for providers?
>
> Thank you.
>
>

--
Michael De Roover



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
Are these static IP's local or public? If local, you can instruct your
router to port forward to these. If these are public, I guess these
machines make a direct connection to the internet with a public IP on
their interface then? In that case you can omit any port forwarding.

The secondary DNS server is for redundancy. You can omit any
instructions regarding it when following the tutorial if you intend to
only make one. The server type would indeed be authoritative - the
other type would be recursive which is generally what ISP's have for
their customers, but I would avoid that because they can be used for
DNS amplification attacks (the authoritative ones can too but it's less
of an issue with those).

On Thu, 2020-10-15 at 16:57 +, Jason Long wrote:
> Yes, I have two static IP addresses. One is for DNS server and one is
> for my website.
> Excuse me, I just have one server for DNS and that tutorial is about
> secondary DNS server too. Can you show me another tutorial with one
> server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ? 
-- 
Michael De Roover 



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:57:16PM +,
 Jason Long via bind-users  wrote 
 a message of 173 lines which said:

> I have two static IP addresses. One is for DNS server and one is for
> my website.

Note that you can put the two servers on the same machine, using the
same IP address, since the two protocols use different ports (53 for
DNS and 443 for HTTP).



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 04:36:58PM +,
 Jason Long via bind-users  wrote 
 a message of 1594 lines which said:

> in the panel of it, I can enter my DNS server IP addresses.

I assume you refer to the panel of your domain name registrar. If so,
it would be useful to know which is the label near the field where you
enter the IP address. It may be to give an IP address to the
www.yourdomainname, not to indicate your DNS server.

> I want to launch a CentOS DNS server that my Web site using it and
> users can visit my website from the Internet.

I have a meta-question: do you absolutely want to host the DNS
yourself (it is certainly possible but it is more work) or do you just
want to have "a Web site that people can visit"? If you don't have a
specific reason to host the DNS server(s) yourself, consider using a
DNS hoster (most domain name registrars can be DNS hosters).

"For the fun" or "to learn DNS" are perfectly valid reasons.

> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.

There is no real difference between an internal DNS server and a
publicly reachable one. Same DNS, same software.

> Is Internet DNS server just possible for providers?

Certainly not. You can host a publicly-reachable DNS server
yourself. It is not rocket science but it requires some basic
knowledge about the TCP/IP family of protocols and about how things
fit together.


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Stephane Bortzmeyer
On Thu, Oct 15, 2020 at 06:45:01PM +0200,
 Michael De Roover  wrote 
 a message of 65 lines which said:

> Your router can port forward traffic to port 53/udp to your local IP
> that your DNS server is on.

He said that the DNS server has a public IP address so port forwarding
is probably not necessary. 


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Jason Long via bind-users
Yes, I have two static IP addresses. One is for DNS server and one is for my
website.
Excuse me, I just have one server for DNS and that tutorial is about
secondary DNS server too. Can you show me another tutorial with one server and
same goal?
The Internet DNS server for my goal is "Authoritative DNS" ?

On Thu, Oct 15, 2020 at 8:15 PM, Michael De Roover wrote:

Assuming that this is running off a home network, yes you could
technically do it. Probably the registrar's name servers will be more
reliable however. I'll also assume that your public IP is static.
Otherwise it may only be suitable for the website, with a Dynamic DNS
service that can regularly update the records as your IP changes. This
means that you'll have to use someone else's DNS servers to host your
records.

You can run BIND locally and make it an authoritative name server. Your
router can port forward traffic to port 53/udp to your local IP that
your DNS server is on. There are various tutorials online for making
authoritative DNS servers, such as this one: 
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04
.

At the registrar you'll need to select "custom name server" or
something along those lines. Then you have to insert NS records there
that point to the nameserver addresses for your domain(s). Check your
registrar's documentation for instructions on how to add NS records.

On Thu, 2020-10-15 at 16:36 +, Jason Long via bind-users wrote:
> Hello,
> I have a question about launching a DNS server with CentOS for
> hosting a web server. Excuse me, if my question is so basic and
> funny. I need expert advice about it.
> I registered a domain name for my web site and in the panel of it, I
> can enter my DNS server IP addresses. I want to launch a CentOS DNS
> server that my Web site using it and users can visit my website from
> the Internet. These two servers (DNS and Web server) are in a local
> network and connected to the Internet with a Gateway. Each server has
> an internal and a public IP address.
> I want to enter my DNS server IP address in my website panel and
> after it, users can visit my website from the Internet. I'm thankful
> if anyone show me a tutorial to launch my DNS server for this goal.
> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.
> Is Internet DNS server just possible for providers?
> 
> Thank you.
> 
> 
-- 
Michael De Roover 

  


Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Michael De Roover
Assuming that this is running off a home network, yes you could
technically do it. Probably the registrar's name servers will be more
reliable however. I'll also assume that your public IP is static.
Otherwise it may only be suitable for the website, with a Dynamic DNS
service that can regularly update the records as your IP changes. This
means that you'll have to use someone else's DNS servers to host your
records.

You can run BIND locally and make it an authoritative name server. Your
router can port forward traffic to port 53/udp to your local IP that
your DNS server is on. There are various tutorials online for making
authoritative DNS servers, such as this one: 
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04
.

At the registrar you'll need to select "custom name server" or
something along those lines. Then you have to insert NS records there
that point to the nameserver addresses for your domain(s). Check your
registrar's documentation for instructions on how to add NS records.

On Thu, 2020-10-15 at 16:36 +, Jason Long via bind-users wrote:
> Hello,
> I have a question about launching a DNS server with CentOS for
> hosting a web server. Excuse me, if my question is so basic and
> funny. I need expert advice about it.
> I registered a domain name for my web site and in the panel of it, I
> can enter my DNS server IP addresses. I want to launch a CentOS DNS
> server that my Web site using it and users can visit my website from
> the Internet. These two servers (DNS and Web server) are in a local
> network and connected to the Internet with a Gateway. Each server has
> an internal and a public IP address.
> I want to enter my DNS server IP address in my website panel and
> after it, users can visit my website from the Internet. I'm thankful
> if anyone show me a tutorial to launch my DNS server for this goal.
> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.
> Is Internet DNS server just possible for providers?
> 
> Thank you.
> 
> 
-- 
Michael De Roover 



Re: How can I launch a private Internet DNS server?

2020-10-15 Thread alcol alcol
A DNS server can exist if you follow the NIC's instructions.
Mainly, do you have a leased line that is always on? The primary DNS can't be
down, or the NIC could take down your domain.
Then you have to install and configure it. Better a Fedora Core, and CHROOT;
DNS is one of the services most targeted to get inside a system.

From: bind-users  on behalf of Jason Long via
bind-users 
Sent: Thursday, October 15, 2020 6:36 PM
To: bind-users@lists.isc.org 
Subject: How can I launch a private Internet DNS server?

Hello,
I have a question about launching a DNS server with CentOS for hosting a web 
server. Excuse me, if my question is so basic and funny. I need expert advice 
about it.
I registered a domain name for my web site and in the panel of it, I can enter 
my DNS server IP addresses. I want to launch a CentOS DNS server that my Web 
site using it and users can visit my website from the Internet. These two 
servers (DNS and Web server) are in a local network and connected to the 
Internet with a Gateway. Each server has an internal and a public IP address.
I want to enter my DNS server IP address in my website panel and after it, 
users can visit my website from the Internet. I'm thankful if anyone show me a 
tutorial to launch my DNS server for this goal.
All tutorials that I found on the internet are about internal DNS servers, but 
I want to launch a DNS server for hosting my website.
Is Internet DNS server just possible for providers?

Thank you.


Re: [External] How can I launch a private Internet DNS server?

2020-10-15 Thread Kevin A. McGrail

On 10/15/2020 12:36 PM, Jason Long via bind-users wrote:
> I have a question about launching a DNS server with CentOS for hosting
> a web server. Excuse me, if my question is so basic and funny. I need
> expert advice about it.
> I registered a domain name for my web site and in the panel of it, I
> can enter my DNS server IP addresses. I want to launch a CentOS DNS
> server that my Web site using it and users can visit my website from
> the Internet. These two servers (DNS and Web server) are in a local
> network and connected to the Internet with a Gateway. Each server has
> an internal and a public IP address.
> I want to enter my DNS server IP address in my website panel and after
> it, users can visit my website from the Internet. I'm thankful if
> anyone show me a tutorial to launch my DNS server for this goal.
> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.
> Is Internet DNS server just possible for providers?

Do you have a hosting service with a static IP that doesn't block ports
53 for TCP and UDP?  That's a hard and fast requirement to even consider
this route.

Regards,
KAM



How can I launch a private Internet DNS server?

2020-10-15 Thread Jason Long via bind-users
Hello,
I have a question about launching a DNS server with CentOS for hosting a
web server. Excuse me, if my question is so basic and funny. I need expert
advice about it.
I registered a domain name for my web site and in the panel of
it, I can enter my DNS server IP addresses. I want to launch a CentOS DNS
server that my Web site using it and users can visit my website from the
Internet. These two servers (DNS and Web server) are in a local network and
connected to the Internet with a Gateway. Each server has an internal and a
public IP address.
I want to enter my DNS server IP address in my website panel
and after it, users can visit my website from the Internet. I'm thankful if
anyone show me a tutorial to launch my DNS server for this goal.
All tutorials that I found on the internet are about internal DNS servers,
but I want to launch a DNS server for hosting my website.
Is Internet DNS server just possible for providers?

Thank you.
