Should DNS be on same server as webserver?

Steve Bertrand steve at ibctech.ca
Tue Jul 14 04:46:40 UTC 2009


John Almberg wrote:
> 
> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
> 
>>>> On Mon, 13 Jul 2009 13:03:24 -0400,
>>>> Jon Radel <jon at radel.com> said:
>>
>> J> Apache and Bind have both had their security issues over the years,
>> and
>> J> there's something to be said for running them on different servers to
>> J> reduce both the "all eggs in one basket" factor and the ease of
>> J> spreading an attack.  (Yes, I'm assuming what you're actually
>> J> running....)
>>
>>    You can fix the security problems by dumping Bind and using djbdns.
>>    It's very easy to set up a caching nameserver without using all the
>>    memory on your system.  See http://www.lifewithdjbdns.com/ for more.
> 
> 
> I actually do use djbdns. Super easy to use, once you figure it out.

...to run a DNS cache with djbdns, it doesn't take much figuring out:

(As root. I just tested this as I wrote it).

% pkg_add -r daemontools
% pkg_add -r ucspi-tcp
% echo 'svscan_enable="YES"' >> /etc/rc.conf
% mkdir /var/service
% /usr/local/etc/rc.d/svscan.sh start

% adduser -q

# add a 'dnscache' user. Put the user in the 'dnscache' group, and set the
# user's shell to nologin

# rinse/repeat for a 'dnslog' user

% pkg_add -r djbdns
% rehash

% dnscache-conf dnscache dnslog /etc/dnscache

% ln -s /etc/dnscache /var/service

# now edit your /etc/resolv.conf file, so that the first "nameserver"
# entry in the list points to 127.0.0.1

__END__

By default, your new cache will only listen on the loopback address
(127.0.0.1).

There is a single file in /etc/dnscache/root/ip, named 127.0.0.1

If you want this cache to serve internal /24 network queries:

% touch /etc/dnscache/root/ip/192.168.0

To restart the service after a change:

% svc -t /etc/dnscache

To down the cache:

% svc -d /etc/dnscache

To up the cache:

% svc -u /etc/dnscache

Note that this is only for the dnscache. Setting up an authoritative
server is pretty much just as simple. Note also that I had to do some
patching and hacking to make the tinydns web frontend (VegaDNS) allow
for IPv6 records properly... that's out of the scope of this mail though
(for the record, I use BIND for most things v6).

An example of the empty files that allow cache access:

amigo# ll /etc/dnscache/root/ip
total 0
-rw-r--r--  1 root  wheel  0 Aug 19  2008 127.0.0.1
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.104
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.105
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.106
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.107
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.108
...

Steve
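The access check that the empty files under root/ip drive, as an added example that is not part of Steve's post or of djbdns itself: a POSIX sh model of dnscache's client lookup (the full address is tried first, then one trailing octet is dropped at a time until a file matches or nothing is left), plus a helper that validates a dotted prefix before creating the file. The IPDIR default, the function names and the temporary directory that stands in for /etc/dnscache/root/ip are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from djbdns: a POSIX sh
# model of how dnscache consults root/ip. The default path is an assumption.
IPDIR="${IPDIR:-/etc/dnscache/root/ip}"

# dnscache_allow PREFIX [IPDIR]
# Validate a dotted IPv4 prefix (1 to 4 octets, each 0-255), then create
# the empty file that admits every client address starting with it.
dnscache_allow() {
    prefix=$1
    dir=${2:-$IPDIR}
    case "$prefix" in
        ''|.*|*.|*..*|*[!0-9.]*) return 2 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $prefix
    IFS=$oldifs
    [ $# -le 4 ] || return 2
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 2
    done
    : > "$dir/$prefix"
}

# dnscache_okclient IP [IPDIR]
# Mirror dnscache's okclient(): look for the full address, then strip one
# trailing octet at a time (1.2.3.4, 1.2.3, 1.2, 1). Any hit admits the
# client, so a file named "192" would open the cache to all of 192/8.
dnscache_okclient() {
    name=$1
    dir=${2:-$IPDIR}
    while :; do
        [ -e "$dir/$name" ] && return 0
        case "$name" in
            *.*) name=${name%.*} ;;
            *)   return 1 ;;
        esac
    done
}

# Demo against a constructed stand-in directory for /etc/dnscache/root/ip.
dnscache_demo() {
    tmp=$(mktemp -d)
    dnscache_allow 127.0.0.1 "$tmp"
    dnscache_allow 192.168.0 "$tmp"      # the /24 from the post
    for ip in 127.0.0.1 192.168.0.42 192.168.1.42 10.0.0.1; do
        if dnscache_okclient "$ip" "$tmp"; then
            echo "$ip: allowed"
        else
            echo "$ip: rejected"
        fi
    done
    rm -rf "$tmp"
}

dnscache_demo
```

Running it against the real directory (IPDIR=/etc/dnscache/root/ip dnscache_okclient 192.168.0.42) shows which entry admits a given client, which is the quickest way to catch an over-broad prefix such as a stray "192" file before it exposes the cache to a whole /8.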