<SNIP>
> > The second DNS server should be on a different network from the first.
> >
> > The DNS and other services can share one IP address by port forwarding
> > at the gateway.
> >
> > For most SOHOs this can be done with but a single IP.
> >
> > As for DNS, best to leave that to one of the well-run third party DNS
> > providers. Sure, it's something you can do yourself if you want. But
> > why bother when you have free providers like EveryDNS who will do it
> > for you for free? And you can never hope to reach the levels of
> > redundancy that they can boast of.
This is an excellent point. With the security of DNS becoming an ever more
difficult to manage albatross for most folks, and with DNS RFCs being ignored
by home-brew DNS admins (and unfortunately many DNS admins for these hosting
companies, so watch out), it's worthwhile to host your DNS at a reputable DNS
provider. There are a few things to watch out for, however:

1. Make sure that your domain points to the A record hostnames for your DNS
   provider. All too often I come across zones that are pointed to CNAMEs in
   their NS or SOA records. This is very bad, and most BIND 9.x servers will
   fail to look your domain up in this circumstance.

2. Make sure that the DNS hostnames/IPs that you provide your domain registrar
   are the same as the machines that are actually authoritative for your zone,
   instead of boxes that then re-delegate your zone to someone else. This
   saves time in lookups, and removes potential problems later on.

3. Make sure that your DNS admin's zone is in good shape. If you are being
   hosted by foo.com, make sure that foo.com's zone doesn't have any of the
   mistakes I mentioned above. If they do, don't host with them, or point the
   mistakes out and make them fix them before hosting your zone with that
   provider. Their mistakes will become your headaches if they're not fixed.

4. If you change your zone, make sure to lower the TTL in your SOA record at
   least 1 week before you move the zone to another provider, and that the old
   provider removes your zone from their DNS servers as soon as the new zone
   is set up with the new provider. This may require some cajoling, as
   sometimes providers are slow to remove their old zones. It is, however,
   imperative, as most DNS servers will continue to look your zone up on the
   last known authoritative server until that server is no longer
   authoritative.

These are all actually good class topics, and something that is worth
elaborating on. I'd be happy to have such a talk, and discuss some DNS
security stuff as well.
Is there any interest in this?

> With things like port forwarding and reverse proxying you can do some
> amazing things with just one IP address. You'd never know that traffic
> coming into my one IP could be directed into any one of half a dozen
> servers (to say nothing of all the other boxes hiding behind NAT).

Being the secondary (or tertiary or quaternary) DNS authority for your own
zone is fine, but most times it makes more sense to let someone in a
datacenter, on a different network, with redundant power and routing be at
least the primary, and you take over the secondary zone.

*NOTE*: Make sure that your provider either sets you up to transfer your zone
(which many may not do), or you make sure that your zones match 100%, down to
the serial number in the SOA record.

Regards,
Ben Pitzer

---------------------------------------------
"Those that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
--Ben Franklin--

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
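The checks Ben lists (NS/SOA names that are CNAMEs instead of A-record hostnames, registrar delegation that does not match the servers actually authoritative for the zone, TTLs left high before a move, and secondaries whose SOA serial disagrees with the primary) can be turned into a small delegation linter. The script below is an added example, not code from the original message or from TriLUG. It runs against a constructed in-memory snapshot of DNS answers so it works offline; the zone names, addresses, serials and the `NS@parent` key used to represent the registrar-side delegation are all assumptions, and in practice the snapshot would be filled from real queries.

```python
"""Lint a zone's delegation for the mistakes described in the post.

Added example (not the original message's code). The SNAPSHOT below is a
constructed stand-in for real DNS answers: (owner, rrtype) -> [(ttl, rdata)].
"NS@parent" is an assumed pseudo-type holding the NS names handed to the
registrar, i.e. the parent-side delegation. All names and values are made up.
"""

ZONE = "example.test."

SNAPSHOT = {
    # Delegation as given to the registrar (parent side). One of the
    # names is a CNAME, the other half of the real server set is missing.
    (ZONE, "NS@parent"): [(86400, "ns1.hosting.test."),
                          (86400, "alias.hosting.test.")],
    # Apex records served by the authoritative servers themselves.
    (ZONE, "NS"): [(86400, "ns1.hosting.test."), (86400, "ns2.hosting.test.")],
    # SOA rdata is modelled as (MNAME, serial); MNAME here is a CNAME (point 1).
    (ZONE, "SOA"): [(86400, ("alias.hosting.test.", 2004010101))],
    # Hostnames of the provider's servers (constructed addresses).
    ("ns1.hosting.test.", "A"): [(3600, "192.0.2.1")],
    ("ns2.hosting.test.", "A"): [(3600, "192.0.2.2")],
    ("alias.hosting.test.", "CNAME"): [(3600, "ns2.hosting.test.")],
}

# Constructed: SOA serial each authoritative server returns for ZONE.
# The secondary lags the primary, which the NOTE in the post warns about.
SERIALS = {"ns1.hosting.test.": 2004010101, "ns2.hosting.test.": 2004010100}


def rdata(snapshot, owner, rrtype):
    """Return just the rdata values for an (owner, rrtype) pair."""
    return [rd for _ttl, rd in snapshot.get((owner.lower(), rrtype), [])]


def check_no_cname_targets(snapshot, zone):
    """Point 1: every NS target and the SOA MNAME must be an A-record host."""
    problems = []
    targets = set(rdata(snapshot, zone, "NS"))
    for mname, _serial in rdata(snapshot, zone, "SOA"):
        targets.add(mname)
    for name in sorted(targets):
        if rdata(snapshot, name, "CNAME"):
            problems.append(f"{name} is a CNAME; NS/SOA names must be A records")
        elif not rdata(snapshot, name, "A"):
            problems.append(f"{name} has no A record")
    return problems


def check_delegation_matches_apex(snapshot, zone):
    """Point 2: the servers given to the registrar must equal the apex NS set."""
    parent = set(rdata(snapshot, zone, "NS@parent"))
    apex = set(rdata(snapshot, zone, "NS"))
    problems = []
    for extra in sorted(parent - apex):
        problems.append(f"registrar lists {extra} but the zone itself does not")
    for missing in sorted(apex - parent):
        problems.append(f"zone lists {missing} but the registrar delegation omits it")
    return problems


def check_serials_match(serials):
    """NOTE in the post: primary and secondaries must serve the same serial."""
    if len(set(serials.values())) <= 1:
        return []
    return [f"SOA serials differ across servers: {serials}"]


def check_ttl_lowered_for_move(snapshot, zone, max_ttl=3600):
    """Point 4: before changing providers, apex NS/SOA TTLs should be low."""
    problems = []
    for rrtype in ("NS", "SOA"):
        for ttl, _rd in snapshot.get((zone, rrtype), []):
            if ttl > max_ttl:
                problems.append(f"{rrtype} TTL {ttl}s exceeds {max_ttl}s; "
                                "lower it well before the move")
                break
    return problems


def lint_zone(snapshot, zone, serials):
    """Run every check and return the combined list of findings."""
    return (check_no_cname_targets(snapshot, zone)
            + check_delegation_matches_apex(snapshot, zone)
            + check_serials_match(serials)
            + check_ttl_lowered_for_move(snapshot, zone))


if __name__ == "__main__":
    for finding in lint_zone(SNAPSHOT, ZONE, SERIALS):
        print("PROBLEM:", finding)
```

Run as-is it reports six findings against the constructed snapshot: the CNAME used as MNAME, the two delegation mismatches, the serial skew, and the two high TTLs. Point 3 (the provider's own zone) is the same linter pointed at `hosting.test.` instead of your zone.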
