Hi Mike,

Please see comments with some suggestions for options you might try below...

On 6/1/2010 4:37 PM, Mike Hammett wrote:
> I have set up Unbound with DNSSEC.  Oddly enough, both NameBench and DNS 
> Benchmark report my Windows DNS server as faster than Unbound, while 
> Unbound is faster than my previous BIND setup.
> 
> DNS Benchmark consistently rates my local servers faster than anything 
> else on the Internet, while NameBench reported most of its public 
> servers as faster than mine.  Ideas as to why?  I didn't check to see if 
> there were any overlaps in the public DNS servers they used.  Too many 
> IPs to compare.
> 
> 
> On 5/26/2010 11:40 AM, Mike Hammett wrote:
>> I am setting up some new DNS servers and I'd like to figure out what the
>> quickest caching DNS server is.  Google keeps telling me to go to Open
>> DNS.  I'm not opposed to them and may use them as either primary or
>> secondary, but I want at least one server within my own network.
>>
>> Recommendations?
>>

Try La MaraDNS. I use it Authoritatively for rootservers, TLD Servers,
SLD Servers, and stub resolvers too and have been pretty happy with it.

As of the last time I checked, however, Sam doesn't plan to integrate
DNSCurve into it anytime soon. Too many folks over at cr.yp.to have been
berating him for not having done so already, so he has purposefully
stalled on that.

http://www.maradns.org/

If all you're looking for is a recursive resolver, then it might be
beneficial for you to check out Deadwood (YMMV):

http://www.maradns.org/deadwood


I'm pretty leery of using BIND, and IMO, if you do you should (must)
always compile from source and run in a jail - or you'll be sorry (Yes
you will). i.e., http://www.freerepublic.com/focus/f-news/2058173/posts
and search for 'mara' on the page.

Anyone who installs BIND from an rpm is either a student in a lab... or
a fool.

There has always seemed to be a continuous and endless stream of BIND
exploits just waiting to surface in the 0day world. Exploits that can
find you 0wn3d.

Such exploits are just typical of Vixieware - and although he and I
haven't spoken in years and prolly never will again, it isn't really his
fault, that monolithic nameserver just keeps growing and growing, to the
point where even a good third of the ICANN rootservers out there aren't
even running BIND.

The same trend for software bugs can be seen, for example, in Eric's
Sendmail too - it's monolithic, and it only gets bigger, even though I
like Sendmail a lot (and Exim and Postfix). That's just the vagaries of
running monolithic daemons, and not to speak ill of the applications
simply for that particular reason.

Don't get me wrong. I still run BIND here and there and I do like it
(Prolly coz I've been running it since it existed), and would even run
BIND on a wyndoze box before I would even consider MS's DNS server
(That's just plain WRONG).

If you're a wise soul, then you're almost certainly not running an RPM
based distro of Linux anyway for your purpose built, mission critical
machinery, and if you're wise enough to be running Slackware Linux then
I can provide you with Slackware Packages or SlackBuilds to install La
MaraDNS for any version of Slackware from 10.0 through -current.

Lemme know if you're interested in any of those packages.

wrt DJB, his TinyDNS is, all pain-in-the-arse issues aside, really good
stuff if you're so inclined to apply all the patches necessary to plug
the holes, and check out dnscache for a recursive server - but beware
of some of the obvious issues before you do (i.e., the akamai exploits
and other problems with resolution - for cache poisoning exploits see
http://your.org/djbdns/).

His community of supporters is very zealous and has a lot of kewl
contribs for DJBDNS to its credit - so you won't be alone in support,
although they are rather quick to flame over there.

If all you're looking for is strictly an Authoritative Server, then note
that some of the ICANN rootservers are running NSD. It is good stuff and
it is small too - but no recursion.

I don't have any direct experience running Unbound or PowerDNS, so
you'll have to look elsewhere for firsthand expertise on those. Besides,
it's simple enough to generate BIND or any other kind of zonefile from
SQL databases and Perl scripts.

I can't stress to you enough that if you are going to run BIND you
MUST tweak and compile it yourself - and run it chroot'd. Period.

I know other people here will say they've never had a problem with BIND
vulnerabilities, but you're running an ISP and many of those people
prolly never even knew when they were actually rooted. 0day w/BIND is
like the day before duck season opens for the Romanian script kiddies -
it's not if, but how many hundreds of instances of named have been
compromised by each of these little cr4ck3r bois.

I can remember rolling back to BIND 4 and reporting specific BIND 8
versions via chaos to keep them off of our backs (works too for a few
days until there's a patch, since most of them don't focus on really old
exploits or keep those kits on hand).

Finally, I would like to point out that I wholeheartedly agree with
Bernstein on one very important point that you can use to tune your DNS
servers (and by proxy, everyone else's), and that is to never ever ever
ever ever use CNAME RRs in your zonefiles.

There's just no justification for it whatsoever, and it causes
completely unnecessary recursion where there doesn't need to be any -
use A RRs instead. There's no competent or compelling reason why you
shouldn't use A RRs instead of CNAME RRs (especially with MX RRs!!!).

If you look at the default zonefile templates that come with those
CentOS cPanel accounts, you'll see that the MX records have CNAMEs for
them. Why? Because Cricket Liu had them in his book?

Get rid of CNAMEs: http://cr.yp.to/djbdns/notes.html#aliases and
http://www.faqts.com/knowledge_base/view.phtml/aid/8815/fid/699

Well Mike, I know I don't chime in here much but I certainly hope that
helps. Sounds like you've got lots of time to play around before you
have to entrench yourself in one of the camps anyway, so keep us posted
and I'm definitely interested in hearing how you're progressing on this.

Kindest regards,


-- 
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.760.666.2703  (US)
TEL: +44.702.405.1909 (UK)
http://NorthTech.US
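The CNAME advice in the post above (and especially the point about MX records) is easy to turn into a zone-file lint. The script below is an added example, not code from the post or from any of the nameservers it mentions: it parses a constructed zone for example.com (placeholder names and RFC 5737 addresses), reports every CNAME, and flags MX or NS records whose target is itself a CNAME, which RFC 2181 section 10.3 forbids outright.

```python
"""Lint a zone file for CNAME use and for MX/NS targets that are CNAMEs."""
import re
from typing import List, Tuple

# Constructed sample zone; "mail" is a CNAME and the MX 10 points at it.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. 2010060101 7200 3600 1209600 3600
@     IN NS  ns1.example.com.
ns1   IN A   192.0.2.53
web   IN A   192.0.2.80
www   IN CNAME web          ; alias: the post says use an A record instead
mail  IN CNAME web          ; alias used as an MX target below (RFC 2181 violation)
@     IN MX  10 mail
@     IN MX  20 mx2.example.com.
mx2   IN A   192.0.2.25
"""

Record = Tuple[str, str, List[str]]  # (owner, type, rdata tokens)


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into a fully qualified, lower-cased name."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text: str) -> List[Record]:
    """Minimal master-file parser: $ORIGIN, optional TTL/class, blank owner reuse."""
    origin, last_owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if raw[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # skip optional TTL and class fields
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("CNAME", "NS", "MX"):
            rdata[-1] = qualify(rdata[-1], origin)  # qualify the target name
        records.append((owner, rtype, rdata))
    return records


def lint_cnames(records: List[Record]) -> List[str]:
    """Report every CNAME, and every MX/NS whose target is a CNAME owner."""
    cname_owners = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            findings.append(f"CNAME: {owner} -> {rdata[0]} (replace with A record)")
        elif rtype in ("MX", "NS") and rdata[-1] in cname_owners:
            findings.append(f"ERROR: {rtype} target {rdata[-1]} at {owner} is a CNAME")
    return findings


if __name__ == "__main__":
    for finding in lint_cnames(parse_zone(SAMPLE_ZONE)):
        print(finding)
```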



WISPA Wireless List: wireless@wispa.org

Archives: http://lists.wispa.org/pipermail/wireless/
