Should DNS be on same server as webserver?
steve at ibctech.ca
Tue Jul 14 04:46:40 UTC 2009
John Almberg wrote:
> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
>>>> On Mon, 13 Jul 2009 13:03:24 -0400,
>>>> Jon Radel <jon at radel.com> said:
>> J> Apache and Bind have both had their security issues over the years,
>> J> there's something to be said for running them on different servers to
>> J> reduce both the "all eggs in one basket" factor and the ease of
>> J> spreading an attack. (Yes, I'm assuming what you're actually
>> J> running....)
>> You can fix the security problems by dumping Bind and using djbdns.
>> It's very easy to set up a caching nameserver without using all the
>> memory on your system. See http://www.lifewithdjbdns.com/ for more.
> I actually do use djbdns. Super easy to use, once you figure it out.
...to run a DNS cache with djbdns, it doesn't take much figuring out:
(As root. I just tested this as I wrote it).
% pkg_add -r daemontools
% pkg_add -r ucspi-tcp
% echo 'svscan_enable="YES"' >> /etc/rc.conf
% mkdir /var/service
% /usr/local/etc/rc.d/svscan.sh start
% adduser -q
# add a 'dnscache' user. Put the user in the 'dnscache' group, and set the
# user's shell to nologin
# rinse/repeat for a 'dnslog' user
% pkg_add -r djbdns
% dnscache-conf dnscache dnslog /etc/dnscache
% ln -s /etc/dnscache /var/service
# now edit your /etc/resolv.conf file, so that the first "nameserver"
# entry in the list points to 127.0.0.1
By default, your new cache will only listen on the loopback address.
There is a single file in /etc/dnscache/root/ip, named 127.0.0.1.
If you want this cache to serve internal /24 network queries:
% touch /etc/dnscache/root/ip/192.168.0
To restart the service after a change:
% svc -t /etc/dnscache
To down the cache:
% svc -d /etc/dnscache
To up the cache:
% svc -u /etc/dnscache
Note that this is only for the dnscache. Setting up an authoritative
server is pretty much just as simple. Note also that I had to do some
patching and hacking to make the tinydns web frontend (VegaDNS) allow
for IPv6 records properly... that's out of the scope of this mail though
(for the record, I use BIND for most things v6).
An example of the empty files that allow cache access:
amigo# ll /etc/dnscache/root/ip
-rw-r--r-- 1 root wheel 0 Aug 19 2008 127.0.0.1
-rw-r--r-- 1 root wheel 0 Aug 19 2008 208.70.104
-rw-r--r-- 1 root wheel 0 Aug 19 2008 208.70.105
-rw-r--r-- 1 root wheel 0 Aug 19 2008 208.70.106
-rw-r--r-- 1 root wheel 0 Aug 19 2008 208.70.107
-rw-r--r-- 1 root wheel 0 Aug 19 2008 208.70.108
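As an added example (not part of the original mail), the script below mirrors in POSIX sh how dnscache decides whether to answer a client from the files in root/ip (the documented djbdns rule: for client 1.2.3.4 the files ip/1.2.3.4, ip/1.2.3, ip/1.2 and ip/1 are tried in turn) and then audits the directory for entries wider than a /24, which would turn an "internal" cache into a much more open resolver. The sample directory, its entries (including the deliberately broad "10") and the client addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the djbdns project.
# Does dnscache, reading $1 as its ip/ directory, answer client $2?
# Walks the dotted prefixes exactly as dnscache does: full address first,
# then one octet shorter each round, until a file exists or none is left.
dnscache_allows() {
    ipdir=$1
    prefix=$2
    while [ -n "$prefix" ]; do
        [ -e "$ipdir/$prefix" ] && return 0
        case $prefix in
            *.*) prefix=${prefix%.*} ;;   # drop the last octet
            *)   return 1 ;;              # single octet missed: denied
        esac
    done
    return 1
}

# Print ip/ entries with fewer than three dotted components. Such a file
# (e.g. "208" or "10.1") grants a /8 or /16, far wider than the per-/24
# files the mail describes, and is worth a second look on any cache.
audit_ipdir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        nodots=$(printf '%s' "$name" | tr -d '.')
        dots=$(( ${#name} - ${#nodots} ))
        [ "$dots" -lt 2 ] && echo "$name"
    done
    return 0
}

# Constructed sample directory (stands in for /etc/dnscache/root/ip).
# "10" is an intentionally over-broad entry so the audit has something to flag.
SAMPLE_IPDIR=$(mktemp -d)
for n in 127.0.0.1 192.168.0 208.70.104 10; do
    : > "$SAMPLE_IPDIR/$n"
done

for c in 192.168.0.25 208.70.105.1 10.9.8.7; do
    if dnscache_allows "$SAMPLE_IPDIR" "$c"; then
        echo "$c: allowed"
    else
        echo "$c: denied"
    fi
done
echo "entries wider than a /24:"
audit_ipdir "$SAMPLE_IPDIR"
```

Point SAMPLE_IPDIR at a real /etc/dnscache/root/ip to audit a live cache; the functions only stat files and never touch the service.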