your mail

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Sep 15 01:50:51 PDT 2004


On Tue, Sep 14, 2004 at 02:12:36PM -0700, Joshua Lewis wrote:
> I don't think I have set up Bind9 correctly and I was hoping someone could
> point out any mistakes I may have made. I have tried to follow the
> examples in the handbook. I even bought DNS and BIND from O'Reilly.
> 
> I don't really know how to troubleshoot a DNS issue yet. I know of the
> tools I just don't understand them yet. I have a MS DNS server running
> fine as my secondary and when I try to troubleshoot it I can't tell if I
> am getting a response from my MS system or my FBSD system.

Right -- you're basically doing the right things, but you just haven't
achieved proficiency yet.  In general, keep reading. 'DNS and BIND' is
a very good start.  There's also a lot of good information on web
sites around the net.  Also look at the comp.protocols.dns.bind
newsgroup.  Also try out sites like:

    http://www.squish.net/dnscheck/

For debugging Bind9, start by getting Bind to log a lot of stuff.
First make sure that /var/log/all.log is enabled: edit
/etc/syslog.conf and uncomment the indicated line as instructed.  Then do:

    # touch /var/log/all.log
    # chmod 600 /var/log/all.log
    # kill -HUP `cat /var/run/syslogd.pid`

Quite a lot of stuff will be logged there, not just from bind.

You can get bind to log all queries by adding:

    logging {
        category "default" {
            "default_syslog";
            "default_debug";
        };
        category "queries" {
            "default_syslog";
            "default_debug";
        };
    };

to named.conf.  This is good for debugging, but tends to produce a lot
of output in the log files -- it's not a good idea to enable this
continually on a busy production server.
 
> Ultimately I would like to make this bind system my primary. Once that is
> done I have made arrangements for an off site system to act as my
> secondary for redundancy and I can eliminate the MS system altogether.
> 
> Should I post my config info here or is that just a real bad idea? I mean
> anyone can get what they want from the internet I just don't know if
> posting it here is like inviting someone to crack my system.

Unfortunately there's not a great deal specific we can tell you unless
you ask more specific questions and present us with at least
documentation showing how something is going wrong.

Take a look at:

    http://www.boran.com/security/sp/bind9_20010430.html

for some very good advice about securing a Bind9 server.  That page
talks a lot about Solaris 9, so you'll have to do a little bit of
mental translation to make it fit under FreeBSD.
 
> Also I currently only have one FreeBSD system. I am trying to run multiple
> services on this one system Mail, DNS, WWW, SQL. It is a pretty beefy
> system and will have no problem handling the load. I just want to hide the
> hostname of the system when I can. I only have the one customer hitting
> the system and it is a real small company. This system is overkill for
> them so I am trying to utilize the system to the best of my ability. I
> know in a perfect world I should have them each running on separate
> systems however that is not feasible right now. I was thinking of getting
> some old P1 systems and moving DNS over to that. Any other recommendations
> are welcome.

You're quite right that putting all your eggs in the one basket is not
the best strategy.  However it is a relatively cheap strategy, and on
a low traffic setup it works OK.  The big risk is that a component
failure will take out your whole setup -- so make sure you have good
backups and think about your disaster recovery planning: how quickly
can you get a busted machine back up and running?

A Pentium 1 system probably isn't a very good choice -- not so much
because the processor is slow (although that doesn't help) but because
systems of that age tend not to have much memory available.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
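
An added example, not part of Matthew's reply or of anything in the FreeBSD handbook, for the two practical problems raised above: telling which of the two servers actually answered a query, and digesting the flood of output that query logging produces. It is a POSIX sh script wrapping dig. The zone name, the 192.0.2.x and 198.51.100.x addresses, the serials and the log lines are constructed samples, and the dig output and query-log line formats it parses are assumptions stated in the comments.

```sh
#!/bin/sh
# bind-check.sh: added troubleshooting helper, not code from the original
# thread. Queries each nameserver directly so you can see which machine
# (FreeBSD primary or MS secondary) actually answered, compares the SOA
# serial each one returns, and summarises BIND query-log lines by client.
# Assumed formats: dig's default (non-+multiline) output, and query-log
# lines like "client A.B.C.D#port: query: name IN type +" (the later
# "client @0x... A.B.C.D#port (name): query: ..." form also parses).
# Every address, name and serial below is a constructed example.

# soa_summary: read one dig run on stdin, print "<server> <zone> <serial>".
# Serial is NOANSWER when no SOA record came back (REFUSED, SERVFAIL ...).
soa_summary() {
    awk '
        /^;; SERVER:/ { server = $3; sub(/#.*/, "", server) }
        $0 !~ /^;/ && $4 == "SOA" { zone = $1; serial = $7 }
        END {
            if (server == "") server = "UNKNOWN"
            if (zone   == "") zone   = "-"
            if (serial == "") serial = "NOANSWER"
            print server, zone, serial
        }'
}

# check_zone ZONE NS...: ask every listed server by address with recursion
# off, so the answer can only have come from that server and not from
# some cache in between. Needs dig and the network; not used by the demo.
check_zone() {
    zone="$1"; shift
    for ns in "$@"; do
        dig +norecurse +time=2 +tries=1 "@$ns" "$zone" SOA | soa_summary
    done
}

# serial_drift: read soa_summary lines on stdin. Exit 0 when every server
# returned the same serial, else print each odd one out and exit 1. A
# secondary that never got the transfer shows up here before users notice.
serial_drift() {
    awk '
        { serial[$1] = $3; if (ref == "") ref = $3 }
        END {
            bad = 0
            for (s in serial)
                if (serial[s] != ref) { print "MISMATCH", s, serial[s], "expected", ref; bad = 1 }
            exit bad
        }'
}

# query_top [N]: read query-log lines on stdin and print the N busiest
# client addresses with their counts, which is usually the first thing you
# want from a log that "produces a lot of output". IPv4 clients only.
query_top() {
    n="${1:-5}"
    awk '/: query: / && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+#/) {
            count[substr($0, RSTART, RLENGTH - 1)]++
         }
         END { for (k in count) print count[k], k }' |
    sort -rn | head -n "$n"
}

# Constructed samples: the primary and a secondary still on yesterday's
# serial, plus a few query-log lines in both formats.
SAMPLE_PRIMARY='; <<>> DiG 9.3.0 <<>> +norecurse @192.0.2.1 example.com SOA
;; ANSWER SECTION:
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2004091501 3600 900 604800 86400

;; SERVER: 192.0.2.1#53(192.0.2.1)'
SAMPLE_SECONDARY='; <<>> DiG 9.3.0 <<>> +norecurse @192.0.2.2 example.com SOA
;; ANSWER SECTION:
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2004091400 3600 900 604800 86400

;; SERVER: 192.0.2.2#53(192.0.2.2)'
SAMPLE_QUERYLOG='Sep 15 09:00:01 ns1 named[1234]: client 192.0.2.10#1025: query: www.example.com IN A +
Sep 15 09:00:02 ns1 named[1234]: client 192.0.2.10#1026: query: mail.example.com IN MX +
Sep 15 09:00:02 ns1 named[1234]: client 192.0.2.20#2048: query: example.com IN SOA -
Sep 15 09:00:03 ns1 named[1234]: client 192.0.2.10#1027: query: ns1.example.com IN A +
Sep 15 09:00:04 ns1 named[1234]: client @0x80a1c00 198.51.100.5#53 (example.com): query: example.com IN NS +E(0) (192.0.2.1)'

# report DIGOUTPUT...: one soa_summary line per captured dig run.
report() {
    for run in "$@"; do printf '%s\n' "$run" | soa_summary; done
}

demo() {
    r=$(report "$SAMPLE_PRIMARY" "$SAMPLE_SECONDARY")
    printf '%s\n' "$r"
    printf '%s\n' "$r" | serial_drift || echo "serials differ: check the transfer to the secondary"
    printf '%s\n' "$SAMPLE_QUERYLOG" | query_top 2
}

# With a zone and two or more server addresses, run live; otherwise demo.
if [ $# -ge 2 ]; then
    r=$(check_zone "$@"); printf '%s\n' "$r"; printf '%s\n' "$r" | serial_drift
else
    demo
fi
```

Run it as `sh bind-check.sh example.com 192.0.2.1 192.0.2.2` (your zone and the addresses of both servers) to query the real machines; with no arguments it runs the built-in demo on the constructed samples. The point of querying each server by address with +norecurse is that the answer can then only have come from that server, so there is no doubt about which system replied, and a REFUSED or NOANSWER from the FreeBSD box means it is not serving the zone as you think it is configured. Once query logging is on, piping the relevant lines from /var/log/all.log into query_top gives a digest instead of the raw flood.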