* [gentoo-user] Running HTTP and DNS on same machine
@ 2011-08-17 20:56 Grant
2011-08-17 21:08 ` Alan McKinnon
` (2 more replies)
0 siblings, 3 replies; 26+ messages in thread
From: Grant @ 2011-08-17 20:56 UTC
To: Gentoo mailing list
I currently use a free service to host the DNS records for my website,
but I'm thinking of running a DNS server on the same machine that runs
my website instead. Would that be fairly trivial to set up and
maintain? If so, which package should I use?
- Grant
^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Alan McKinnon @ 2011-08-17 21:08 UTC
To: gentoo-user
On Wed 17 August 2011 13:56:10 Grant did opine thusly:
> I currently use a free service to host the DNS records for my
> website, but I'm thinking of running a DNS server on the same
> machine that runs my website instead. Would that be fairly trivial
> to set up and maintain? If so, which package should I use?
The first question is Why?
There's no real benefit, it's a huge amount of work for little gain,
you carry the cost of increased traffic yourself, and if that host
goes blip, you not only lose access to the web server but to the
entire zone as well.
Technically there's no good reason why you can't co-host web and dns.
However, depending on your upper level domain and registrar, TWO dns
servers may be a requirement (this is the norm) and you propose only
one. Where's the second one going to be? Only one is a very bad idea
indeed.
Your last two questions reveal that this is not something you are
familiar with already, so I highly recommend you investigate
everything thoroughly and fully understand just what you are letting
yourself in for before deciding.
If you simply don't like your current DNS provider, then finding a
different one you do like is quite simple.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: kashani @ 2011-08-17 21:22 UTC
To: gentoo-user
On 8/17/2011 2:08 PM, Alan McKinnon wrote:
> On Wed 17 August 2011 13:56:10 Grant did opine thusly:
>> I currently use a free service to host the DNS records for my
>> website, but I'm thinking of running a DNS server on the same
>> machine that runs my website instead. Would that be fairly trivial
>> to set up and maintain? If so, which package should I use?
>
> The first question is Why?
>
> There's no real benefit, it's a huge amount of work for little gain,
> you carry the cost of increased traffic yourself, and if that host
> goes blip, you not only lose access to the web server but to the
> entire zone as well.
>
> Technically there's no good reason why you can't co-host web and dns.
> However, depending on your upper level domain and registrar, TWO dns
> servers may be a requirement (this is the norm) and you propose only
> one. Where's the second one going to be? Only one is a very bad idea
> indeed.
>
> Your last two questions reveal that this is not something you are
> familiar with already, so I highly recommend you investigate
> everything thoroughly and fully understand just what you are letting
> yourself in for before deciding.
>
> If you simply don't like your current DNS provider, then finding a
> different one you do like is quite simple.
Exactly what Alan said. It's not worth it and no registrar will let you
do it on one IP.
kashani
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Michael Mol @ 2011-08-17 21:23 UTC
To: gentoo-user
On Wed, Aug 17, 2011 at 4:56 PM, Grant <emailgrant@gmail.com> wrote:
> I currently use a free service to host the DNS records for my website,
> but I'm thinking of running a DNS server on the same machine that runs
> my website instead. Would that be fairly trivial to set up and
> maintain? If so, which package should I use?
ISC bind is the de facto standard for DNS servers. I haven't
administered bind on Gentoo, but on Debian, most of the problems I run
into come from how Debian packages and updates configuration files.
I'm not running DNS servers in any major production capacity; I've got
a bind server at home linking my home domain and my employer's work
domain across a VPN, and updated dynamically via a dhcpd on the same
server. It's also serving as a caching recursive resolver for my home
network, which was *really* necessary when I was still on AT&T. (The
DSL link was dropping packets every now and again, and it's a PITA
when that happens to DNS queries)
If you want to get into managing your own DNS, and if there was
anything in that previous sentence you're unfamiliar with, I highly
recommend O'Reilly's DNS & Bind: 5th Edition before you commit any of
your services to your own server.
http://oreilly.com/catalog/9780596100575
--
:wq
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Alan McKinnon @ 2011-08-17 21:43 UTC
To: gentoo-user
On Wed 17 August 2011 14:22:21 kashani did opine thusly:
> On 8/17/2011 2:08 PM, Alan McKinnon wrote:
> > On Wed 17 August 2011 13:56:10 Grant did opine thusly:
> >> I currently use a free service to host the DNS records for my
> >> website, but I'm thinking of running a DNS server on the same
> >> machine that runs my website instead. Would that be fairly
> >> trivial to set up and maintain? If so, which package should
> >> I use?
> > The first question is Why?
> >
> > There's no real benefit, it's a huge amount of work for little
> > gain, you carry the cost of increased traffic yourself, and if
> > that host goes blip, you not only lose access to the web server
> > but to the entire zone as well.
> >
> > Technically there's no good reason why you can't co-host web and
> > dns. However, depending on your upper level domain and
> > registrar, TWO dns servers may be a requirement (this is the
> > norm) and you propose only one. Where's the second one going to
> > be? Only one is a very bad idea indeed.
> >
> > Your last two questions reveal that this is not something you are
> > familiar with already, so I highly recommend you investigate
> > everything thoroughly and fully understand just what you are
> > letting yourself in for before deciding.
> >
> > If you simply don't like your current DNS provider, then finding
> > a different one you do like is quite simple.
>
> Exactly what Alan said. It's not worth it and no registrar will let
> you do it on one IP.
I'm just itching to type up the long list of horror stories I've
stored from people doing their own DNS thinking it was real easy.
But there's this little thing called an NDA and it says I can't :-(
Truly though, the devastation from DNS mistakes is horrendous.
The primary error folk make is this:
You do not configure and treat the DNS service like any other service.
You do not USE the internet to maintain dns, as dns BUILDS the
internet.
It's a subtle distinction but a vital one.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Grant @ 2011-08-17 21:49 UTC
To: gentoo-user
>> I currently use a free service to host the DNS records for my
>> website, but I'm thinking of running a DNS server on the same
>> machine that runs my website instead. Would that be fairly trivial
>> to set up and maintain? If so, which package should I use?
>
> The first question is Why?
My thinking was of the "may as well" variety but now it's sounding
like a very bad idea. Are there DNS hosts you guys particularly like?
- Grant
> There's no real benefit, it's a huge amount of work for little gain,
> you carry the cost of increased traffic yourself, and if that host
> goes blip, you not only lose access to the web server but to the
> entire zone as well.
>
> Technically there's no good reason why you can't co-host web and dns.
> However, depending on your upper level domain and registrar, TWO dns
> servers may be a requirement (this is the norm) and you propose only
> one. Where's the second one going to be? Only one is a very bad idea
> indeed.
>
> Your last two questions reveal that this is not something you are
> familiar with already, so I highly recommend you investigate
> everything thoroughly and fully understand just what you are letting
> yourself in for before deciding.
>
> If you simply don't like your current DNS provider, then finding a
> different one you do like is quite simple.
>
>
> --
> alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Alan McKinnon @ 2011-08-17 21:53 UTC
To: gentoo-user
On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
> On Wed, Aug 17, 2011 at 4:56 PM, Grant <emailgrant@gmail.com> wrote:
> > I currently use a free service to host the DNS records for my
> > website, but I'm thinking of running a DNS server on the same
> > machine that runs my website instead. Would that be fairly
> > trivial to set up and maintain? If so, which package should I
> > use?
>
> ISC bind is the de facto standard for DNS servers. I haven't
> administered bind on Gentoo, but on Debian, most of the problems I
> run into come from how Debian packages and updates configuration
> files.
>
> I'm not running DNS servers in any major production capacity; I've
> got a bind server at home linking my home domain and my employer's
> work domain across a VPN, and updated dynamically via a dhcpd on
> the same server. It's also serving as a caching recursive resolver
> for my home network, which was *really* necessary when I was still
> on AT&T. (The DSL link was dropping packets every now and again,
> and it's a PITA when that happens to DNS queries)
You're running an auth server and a cache on the same machine?
At a minimum they should be on different interfaces and preferably in
chroots. Otherwise all manner of $BAD_STUFF happens.
I assume your home domain is small, in which case you'd probably get
away with it. But still.
> If you want to get into managing your own DNS, and if there was
> anything in that previous sentence you're unfamiliar with, I highly
> recommend O'Reilly's DNS & Bind: 5th Edition before you commit any
> of your services to your own server.
Excellent book, up there with Mastering Regular Expressions.
The fellow who sits on the other side of the partition from me has
that very edition - signed by Cricket.
Lucky bastard. He won't even let me touch it, never mind read it.
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: kashani @ 2011-08-17 22:08 UTC
To: gentoo-user
On 8/17/2011 2:43 PM, Alan McKinnon wrote:
>
> I'm just itching to type up the long list of horror stories I've
> stored from people doing their own DNS thinking it was real easy.
>
> But there's this little thing called an NDA and it says I can't :-(
heh, I think I can dredge one up for you that no one will care about
these days.
This was at a large ISP in '99 known for their free Internet. Bind 8
was fresh on the scene and somehow Network Engineering was in charge of
DNS rather than Systems. My intern and I came up with a plan to have
ns00.int as the internal master and make the rest of name servers slave
off of it. All ns00 did was supply the production name servers with zones.
ns00 --> ns01(vip) --> ns01-[01-03]
     \--> ns02(vip) --> ns02-[01-03]
      \-> ns03(vip) --> ns03-[01-03]
Three virtual IPs and three name servers behind each vip.
This way we could have tools deal with updating zones on ns00 on the
internal network and not have to push to a number of name servers. This
worked well for a few months and we generally forgot about it. Almost a
month after a reorganization in the local datacenter DNS went down. Well
not down down, but our zones weren't working. After a hectic hour of
freaking out, troubleshooting random things, and bouncing from machine
to machine by IP address because none of DNS worked we realized our
mistake. The TTL of the zone itself was set to three weeks. In the move
Bind had silently died on ns00 which we didn't monitor because it was
inside the corp network. The slaves dutifully stayed up and working till
they hit the TTL of the zones and demanded to speak to the master again.
Restarting Bind on the prod servers did nothing other than remove the
already expired cache.
Once I restarted Bind on ns00 (and made it part of the runlevel) the prod
server checked in and all was well.
The lessons:
Monitor *all* of your DNS infrastructure
DNS can break even with a large distributed system and it is never pretty.
kashani
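One way to catch the failure kashani describes before the slaves give up, written as an added example for this thread (it is not code from any poster): it parses SOA records in the shape `dig +short SOA <zone>` prints them and, given the time each slave last refreshed from the hidden master, reports a master that no longer answers, serial drift, and slaves approaching or past the SOA expire timer. The host names, serial values and timestamps are constructed; the "last refresh" time would in practice come from the slave's own logs or status output.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone expire value from the story above: three weeks, in seconds.
THREE_WEEKS = 3 * 7 * 24 * 3600


@dataclass(frozen=True)
class Soa:
    """The seven RDATA fields of an SOA record."""
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Parse SOA RDATA in the form `dig +short SOA <zone>` prints it:
    'mname rname serial refresh retry expire minimum'."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    serial, refresh, retry, expire, minimum = (int(p) for p in parts[2:])
    return Soa(parts[0], parts[1], serial, refresh, retry, expire, minimum)


@dataclass(frozen=True)
class SlaveState:
    """What we know about one slave: the SOA it answers with, and the epoch
    time of its last successful refresh from the master (supplied as input)."""
    name: str
    soa: Soa
    last_refresh: int


Finding = Tuple[str, str, str]  # (severity, host, message)


def check_zone(master: Optional[Soa], slaves: List[SlaveState], now: int,
               warn_before: int = 2 * 24 * 3600) -> List[Finding]:
    """Compare every slave against the (hidden) master and the SOA timers.
    A master that does not answer is CRIT by itself; a slave that has not
    refreshed within refresh+retry is already failing to reach the master;
    a slave within `warn_before` seconds of the expire timer is about to
    stop answering (BIND serves SERVFAIL for an expired zone)."""
    findings: List[Finding] = []
    if master is None:
        findings.append(("CRIT", "master", "hidden master did not answer the SOA query"))
    for s in slaves:
        if master is not None and s.soa.serial != master.serial:
            rel = "behind" if s.soa.serial < master.serial else "ahead of"
            findings.append(("WARN", s.name,
                             f"serial {s.soa.serial} is {rel} master serial {master.serial}"))
        since = now - s.last_refresh
        remaining = s.soa.expire - since
        if remaining <= 0:
            findings.append(("CRIT", s.name,
                             f"zone expired {-remaining} s ago; slave now answers SERVFAIL"))
        elif remaining < warn_before:
            findings.append(("WARN", s.name, f"zone expires in {remaining} s"))
        if since > s.soa.refresh + s.soa.retry:
            findings.append(("WARN", s.name,
                             f"no successful refresh for {since} s "
                             f"(refresh={s.soa.refresh}, retry={s.soa.retry})"))
    return findings


def worst(findings: List[Finding]) -> str:
    """Collapse a list of findings to one state for an alerting system."""
    order = {"OK": 0, "WARN": 1, "CRIT": 2}
    return max((f[0] for f in findings), key=order.__getitem__, default="OK")


# Constructed scenario in the shape of the story: named died on ns00 weeks ago.
NOW = 1313625600  # 2011-08-18 00:00:00 UTC
SOA_TEXT = "ns00.int.example. hostmaster.example. 2011072801 10800 3600 1814400 3600"


def story_scenario() -> List[Finding]:
    soa = parse_soa(SOA_TEXT)
    slaves = [
        SlaveState("ns01", soa, NOW - 20 * 86400),  # one day of life left
        SlaveState("ns02", soa, NOW - 22 * 86400),  # already expired
    ]
    return check_zone(None, slaves, NOW)


def healthy_scenario() -> List[Finding]:
    soa = parse_soa(SOA_TEXT.replace("2011072801", "2011081701"))
    slaves = [SlaveState(n, soa, NOW - 3600) for n in ("ns01", "ns02", "ns03")]
    return check_zone(soa, slaves, NOW)


if __name__ == "__main__":
    for scenario in (story_scenario, healthy_scenario):
        findings = scenario()
        print(f"{scenario.__name__}: {worst(findings)}")
        for sev, host, msg in findings:
            print(f"  {sev} {host}: {msg}")
```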
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Alan McKinnon @ 2011-08-17 22:09 UTC
To: gentoo-user
On Wed 17 August 2011 14:49:29 Grant did opine thusly:
> >> I currently use a free service to host the DNS records for my
> >> website, but I'm thinking of running a DNS server on the same
> >> machine that runs my website instead. Would that be fairly
> >> trivial to set up and maintain? If so, which package should
> >> I use?
> > The first question is Why?
>
> My thinking was of the "may as well" variety but now it's sounding
> like a very bad idea. Are there DNS hosts you guys particularly
> like?
Don't be too put off, it can be a good learning experience depending
on how critical your domain is - some things don't matter if they are
off-air for a week. The most valuable lessons you will ever learn are
the ones where you then know what you should not do :-)
I can't advise on any free providers as a) I'm far away in a place
that has nothing in common with your location and b) I've never
interacted with any of them. Our DNS service is for corporate
customers with guarantees and SLAs and contracted response times - a
whole different ball game.
> - Grant
>
> > There's no real benefit, it's a huge amount of work for little
> > gain, you carry the cost of increased traffic yourself, and if
> > that host goes blip, you not only lose access to the web server
> > but to the entire zone as well.
> >
> > Technically there's no good reason why you can't co-host web and
> > dns. However, depending on your upper level domain and
> > registrar, TWO dns servers may be a requirement (this is the
> > norm) and you propose only one. Where's the second one going to
> > be? Only one is a very bad idea indeed.
> >
> > Your last two questions reveal that this is not something you are
> > familiar with already, so I highly recommend you investigate
> > everything thoroughly and fully understand just what you are
> > letting yourself in for before deciding.
> >
> > If you simply don't like your current DNS provider, then finding
> > a different one you do like is quite simple.
> >
> >
> > --
> > alan dot mckinnon at gmail dot com
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Alan McKinnon @ 2011-08-17 22:51 UTC
To: gentoo-user
On Wed 17 August 2011 15:08:09 kashani did opine thusly:
> On 8/17/2011 2:43 PM, Alan McKinnon wrote:
> > I'm just itching to type up the long list of horror stories I've
> > stored from people doing their own DNS thinking it was real
> > easy.
> >
> > But there's this little thing called an NDA and it says I can't
> > :-(
> heh, I think I can dredge one up for you that no one will care about
> these days.
>
> This was at a large ISP in '99 known for their free Internet.
I'm glad you detailed that story, now I know I'm not the only one :-)
Long long ago (in the 90s) when a current colleague started working
here, he wanted access to the hidden primary (like your ns00).
He was given a bare machine (no OS) with these instructions:
It's 10am, by 4pm I want a name server running on that hardware,
authoritative for domain xxx.yyy.zzz, live on the internet, with
firewall installed and all reasonable security precautions taken. You
do not have to register xxx.yyy.zzz with any registrar, we will test
it with "dig @".
He passed :-)
The same fellow 3 years later found one day that the company zone had
not loaded after an update (the name servers are self-hosted in that
zone) and the support person that did it had done it twice before
recently. Ten minutes later an ACL was in place and only systems could
edit the zone. The entire company was told to propose sub-domains for
their own teams and systems would delegate them - the uproar was
fantastic but he stood his ground. He was 100% right of course and we
still benefit today.
Lessons learned:
- do not ever mess with your DNS admin
- $DEITY says "sir" in hushed tones when addressing the dns admin
> Bind
> 8 was fresh on the scene and somehow Network Engineering was in
> charge of DNS rather than Systems. My intern and I came up with a
> plan to have ns00.int as the internal master and make the rest of
> name servers slave off of it. All ns00 did was supply the
> production name servers with zones.
>
> ns00 --> ns01(vip) --> ns01-[01-03]
>      \--> ns02(vip) --> ns02-[01-03]
>       \-> ns03(vip) --> ns03-[01-03]
>
> Three virtual IPs and three name servers behind each vip.
>
> This way we could have tools deal with updating zones on ns00 on the
> internal network and not have to push to a number of name servers.
> This worked well for a few months and we generally forgot about it.
> Almost a month after a reorganization in the local datacenter DNS
> went down. Well not down down, but our zones weren't working. After
> a hectic hour of freaking out, troubleshooting random things, and
> bouncing from machine to machine by IP address because none of DNS
> worked we realized our mistake. The TTL of the zone itself was set
> to three weeks. In the move Bind had silently died on ns00 which we
> didn't monitor because it was inside the corp network. The slaves
> dutifully stayed up and working till they hit the TTL of the zones
> and demanded to speak to the master again. Restarting Bind on the
> prod servers did nothing other than remove the already expired
> cache.
> Once I restarted Bind on ns00 (and made it part of the runlevel) the
> prod server checked in and all was well.
>
> The lessons:
> Monitor *all* of your DNS infrastructure
> DNS can break even with a large distributed system and it is never
> pretty.
>
> kashani
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Paul Hartman @ 2011-08-17 23:51 UTC
To: gentoo-user
On Wed, Aug 17, 2011 at 3:56 PM, Grant <emailgrant@gmail.com> wrote:
> I currently use a free service to host the DNS records for my website,
> but I'm thinking of running a DNS server on the same machine that runs
> my website instead. Would that be fairly trivial to set up and
> maintain? If so, which package should I use?
Just to counter all of the scary stories, I recently (within the past
month or so) installed bind for the first time and set it up after a
few days of googling around and reading docs. It seems to be working
properly and securely, but I'd be lying if I said there wasn't a large
amount of dumb luck, finger-crossing and hand-waving involved on my
part to get it working. I have some familiarity with editing DNS zone
files (on other people's servers) so I wasn't going into it completely
blind.
I don't know if I'd call it "fairly trivial", but with howto's and
google at your fingertips you should be able to get it set up properly
if you really want to.
Usually the web-based DNS management by your domain name registrar or
hosting provider are good enough for most "personal domain" kind of
usage (like mine). In my case there was something that their web-based
editor didn't support (TXT records on subdomains or something like
that), and mostly because I just felt like trying to do it myself.
Since they are my personal domains, nobody else will suffer if I break
everything. Others are in the (lucky? not so lucky?) positions of
administering systems where things actually have to work right the
first time and all the time. :)
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Adam Carter @ 2011-08-18 0:18 UTC
To: gentoo-user
> Just to counter all of the scary stories,
Yeah, I'd like to counter too. While the implications of getting it
wrong are serious, technically it's quite simple. I run my own DNS, and
use a couple of free secondaries (http://www.twisted4life.com and
http://www.everydns.net).
The upside of running your own DNS is that you learn the ins and
outs. So, if the DNS is for a business that will lose money if you
stuff it up, then I'll tend to agree with the naysayers, but if it's a
home domain then go ahead. And if you don't have a home domain, get
one as a learning exercise and once you've mastered that you can
re-consider if you want to move the business domain.
Re: choice of server, I chose BIND as it's what the companies I have
worked at use, both ISC BIND and QIP's port of it. djbdns may be
technically superior (eg code separation into different binaries) but
it's not as if BIND is very problematic these days. I haven't bothered
with chrooting BIND for a long time, but that's only on internal only
DNS or my home DNS. For business internet facing DNS I probably still
would, or use something more modern like Solaris sparse zones.
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Pandu Poluan @ 2011-08-18 0:35 UTC
To: gentoo-user
Adding to success stories:
I've deployed bind-9 on FreeBSD, Debian, and Arch. The most trouble
was with Debian, what with the 'compositing trees' etc. The easiest
was with FreeBSD. All three DNS servers are now in their eighth month
of production, handling half of my company's NS needs.
It's really not difficult. Complex, yes, but not difficult. With the
help of http://www.zytrax.com/books/dns and the handbooks, I finished
the FreeBSD and Arch installations in one day. (The Debian took
another day of hair-pulling to understand HTF they put their
compositing files together).
One tip from me would be to prepare the DNS servers beforehand, test
them, *then* ask the registrar to transfer the domain name to you.
Like others have posted, most will require you to provide at least two
authoritative NS.
In my situation, I have 1 server in the cloud, and 2 servers in the
company (responding to DNS requests via 2 different ISPs).
That said, I might be installing a different NS for the 4th NS for
diversity (i.e., prevent a single attack from disabling all 4 NS
servers).
Rgds,
On 2011-08-18, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> On Wed, Aug 17, 2011 at 3:56 PM, Grant <emailgrant@gmail.com> wrote:
>> I currently use a free service to host the DNS records for my website,
>> but I'm thinking of running a DNS server on the same machine that runs
>> my website instead. Would that be fairly trivial to set up and
>> maintain? If so, which package should I use?
>
> Just to counter all of the scary stories, I recently (within the past
> month or so) installed bind for the first time and set it up after a
> few days of googling around and reading docs. It seems to be working
> properly and securely, but I'd be lying if I said there wasn't a large
> amount of dumb luck, finger-crossing and hand-waving involved on my
> part to get it working. I have some familiarity with editing DNS zone
> files (on other people's servers) so I wasn't going into it completely
> blind.
>
> I don't know if I'd call it "fairly trivial", but with howto's and
> google at your fingertips you should be able to get it set up properly
> if you really want to.
>
> Usually the web-based DNS management by your domain name registrar or
> hosting provider are good enough for most "personal domain" kind of
> usage (like mine). In my case there was something that their web-based
> editor didn't support (TXT records on subdomains or something like
> that), and mostly because I just felt like trying to do it myself.
> Since they are my personal domains, nobody else will suffer if I break
> everything. Others are in the (lucky? not so lucky?) positions of
> administering systems where things actually have to work right the
> first time and all the time. :)
>
>
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: kashani @ 2011-08-18 0:40 UTC
To: gentoo-user
On 8/17/2011 5:18 PM, Adam Carter wrote:
>> Just to counter all of the scary stories,
>
> Yeah, I'd like to counter too. While the implications of getting it
> wrong are serious, technically it's quite simple. I run my own DNS, and
> use a couple of free secondaries (http://www.twisted4life.com and
> http://www.everydns.net).
>
> The upside of running your own DNS is that you learn the ins and
> outs. So, if the DNS is for a business that will lose money if you
> stuff it up, then I'll tend to agree with the naysayers, but if it's a
> home domain then go ahead. And if you don't have a home domain, get
> one as a learning exercise and once you've mastered that you can
> re-consider if you want to move the business domain.
Alan and I would have had a vastly different take on this if it had
been phrased as "I want to setup DNS at home for learning and
convenience." Instead the email in my mind read as, "I'd like to
introduce a single point of failure into my system and I'd like to do it
with something I don't fully understand to boot."
Yes, I have a rich and cynical inner monologue. This is well known.
That said if you want to setup Bind (which I prefer) the Gentoo wiki
has a decent how-to. I wrote the original incarnation 7-8 years ago and
people have kept it updated. It looks mostly correct though I can see a
few places where it needs some clean up. Even with the cruft it is light
years ahead of the official Gentoo Bind doc and includes a number of
config entries to make troubleshooting and running ISP type name servers
easier and safer.
http://en.gentoo-wiki.com/wiki/BIND
kashani
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Peter Humphrey @ 2011-08-18 0:50 UTC
To: gentoo-user
On Wednesday 17 August 2011 23:51:12 Alan McKinnon wrote:
> Long long ago (in the 90s) when a current colleague started working
> here, he wanted access to the hidden primary (like your ns00).
>
> He was given a bare machine (no OS) with these instructions:
>
> It's 10am, by 4pm I want a name server running on that hardware,
> authoritative for domain xxx.yyy.zzz, live on the internet, with
> firewall installed and all reasonable security precautions taken. You
> do not have to register xxx.yyy.zzz with any registrar, we will test
> it with "dig @".
>
> He passed :-)
A better man than me!
> The same fellow 3 years later found one day that the company zone had
> not loaded after an update (the name servers are self-hosted in that
> zone) and the support person that did it had done it twice before
> recently. Ten minutes later an ACL was in place and only systems could
> edit the zone. The entire company was told to propose sub-domains for
> their own teams and systems would delegate them - the uproar was
> fantastic but he stood his ground. He was 100% right of course and we
> still benefit today.
>
> Lessons learned:
> - do not ever mess with your DNS admin
> - $DEITY says "sir" in hushed tones when addressing the dns admin
I enjoyed that tale - thank you Alan.
--
Rgds
Peter Linux Counter 5290, 1994-04-23
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Michael Mol @ 2011-08-18 1:35 UTC
To: gentoo-user
On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
>> On Wed, Aug 17, 2011 at 4:56 PM, Grant <emailgrant@gmail.com> wrote:
>> > I currently use a free service to host the DNS records for my
>> > website, but I'm thinking of running a DNS server on the same
>> > machine that runs my website instead. Would that be fairly
>> > trivial to set up and maintain? If so, which package should I
>> > use?
>>
>> ISC bind is the de facto standard for DNS servers. I haven't
>> administered bind on Gentoo, but on Debian, most of the problems I
>> run into come from how Debian packages and updates configuration
>> files.
>>
>> I'm not running DNS servers in any major production capacity; I've
>> got a bind server at home linking my home domain and my employer's
>> work domain across a VPN, and updated dynamically via a dhcpd on
>> the same server. It's also serving as a caching recursive resolver
>> for my home network, which was *really* necessary when I was still
>> on AT&T. (The DSL link was dropping packets every now and again,
>> and it's a PITA when that happens to DNS queries)
>
> You're running an auth server and a cache on the same machine?
Split across a couple views, but yeah. And no recursion allowed on the wan side.
>
> At a minimum they should be on different interfaces and preferably in
> chroots. Otherwise all manner of $BAD_STUFF happens.
Hm. Interested.
echo $BAD_STUFF
(or URI)
--
:wq
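An added check for the split Michael describes above (recursion for the inside view only, none on the WAN side). This is example code written for this page, not anything from the thread or from BIND itself: it builds a recursion-desired query, decodes the response header and reports whether the answering server offered recursion to the client. The response byte strings at the bottom are constructed, and the probe() helper and the example.net. query name are assumptions; point probe() at your own server's WAN and LAN addresses to compare what each view tells a client.

```python
"""Decode what a nameserver tells a client about recursion. Added example;
the byte strings at the bottom are constructed, not captured anywhere."""

import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query with RD=1, i.e. 'please recurse for me'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # message is a response
        "aa": bool(flags & 0x0400),    # authoritative answer
        "rd": bool(flags & 0x0100),    # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),    # recursion available to THIS client
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def classify(resp: bytes, expected_id: int = 0x1234) -> str:
    """Summarise what the response says about recursion for the asker."""
    h = parse_header(resp)
    if not h["qr"] or h["id"] != expected_id:
        return "not-a-matching-response"
    if h["ra"]:
        # The server will recurse for us: fine from the LAN view, but an
        # open resolver if this came back on the WAN address.
        return "recursion-offered"
    if h["rcode"] == "REFUSED":
        return "refused"               # auth-only view behaving as intended
    if h["aa"]:
        return "authoritative-only"    # answered from its own zone data
    return "no-recursion"


def probe(server_ip: str, qname: str = "example.net.", timeout: float = 2.0) -> str:
    """Send the query over UDP to one of your own server's addresses.
    Assumed helper; not called at import time, the checks below are offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        return classify(s.recvfrom(4096)[0])


# Constructed responses that echo the query's question section.
QUESTION = build_query("example.net.")[12:]
# WAN view of a correctly split server: QR=1 RD=1 RA=0 RCODE=REFUSED.
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
# A resolver that recurses for anyone: QR=1 RD=1 RA=1 RCODE=NOERROR.
# (ANCOUNT=1 but the answer section is omitted; only the header is decoded.)
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
```

The RA bit is the thing to watch: BIND sets it per view, so the same server can legitimately answer "recursion-offered" on the LAN address and "refused" on the WAN address. The constructed responses show both shapes; classify(REFUSED_RESPONSE) returns "refused" and classify(OPEN_RESPONSE) returns "recursion-offered".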
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Grant @ 2011-08-18 1:56 UTC (permalink / raw
To: gentoo-user
>> Just to counter all of the scary stories,
>
> Yeah, I'd like to counter too. While the implications of getting it
> wrong are serious, technically it's quite simple. I run my own DNS, and
> use a couple of free secondaries (http://www.twisted4life.com and
> http://www.everydns.net).
everydns.net is merging with dyn.com and you have to migrate it
yourself. There is a $4.95 "migration fee" and they aren't clear
about whether the service will be free for everydns.net users once you
pay the fee. dyn.com DNS starts at $30/year normally.
Is it alright to sign up for DNS service from your server host?
- Grant
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Jarry @ 2011-08-18 17:26 UTC (permalink / raw
To: gentoo-user
On 18-Aug-11 2:18, Adam Carter wrote:
>> Just to counter all of the scary stories,
>
> Yeah, I'd like to counter too. While the implications of getting it
> wrong are serious, technically it's quite simple. I run my own DNS, and
> use a couple of free secondaries (http://www.twisted4life.com and
> http://www.everydns.net).
The same here. I have been running my own DNS for about 2 years,
primary for a few domains. As secondaries I use twisted4life,
xname, afraid, nether, and rollernet. Never had any problem.
I did this mainly because my registrar had a terrible web interface
which I simply refused to use. As a side-effect, I learned a lot
about the domain name system. Now I'm playing with DNSSEC, and it's quite
interesting...
I do run dns with www on the same server (in addition to ftp,
mail, and a few more things), but each of those services in
its own vserver-guest...
Jarry
--
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Michael Mol @ 2011-08-18 17:39 UTC (permalink / raw
To: gentoo-user
On Thu, Aug 18, 2011 at 1:26 PM, Jarry <mr.jarry@gmail.com> wrote:
>
> The same here. I have been running my own DNS for about 2 years,
> primary for a few domains. As secondaries I use twisted4life,
> xname, afraid, nether, and rollernet. Never had any problem.
> I did this mainly because my registrar had a terrible web interface
> which I simply refused to use. As a side-effect, I learned a lot
> about the domain name system. Now I'm playing with DNSSEC, and it's quite
> interesting...
>
> I do run dns with www on the same server (in addition to ftp,
> mail, and a few more things), but each of those services in
> its own vserver-guest...
Interesting is an understatement. DNS is fascinating. I've got syslogd
on my router set up to send everything to tty1, which I also disabled
getty on, so I get to watch my syslog scroll by while I'm in the room.
I've been doing it this way for most of this year, and I've watched
DNS change in that time. For example:
* I'm seeing far fewer errors logged complaining about EDNS. That's been nice.
* I'm seeing fewer errors logged about bad AAAA lookups (FORMERR et
al). Most sites which publish AAAA records seem to be doing it OK,
although some CDNs, Google+ and Wikipedia *still* aren't doing it
right.
I've also switched from AT&T ADSL to Comcast in that time (though my
IPv6 comes from 6to4 in both cases), so some of those changes may be
an ISP-level issue.
--
:wq
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Florian Philipp @ 2011-08-18 18:17 UTC (permalink / raw
To: gentoo-user
On 18.08.2011 03:35, Michael Mol wrote:
> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
>>> On Wed, Aug 17, 2011 at 4:56 PM, Grant <emailgrant@gmail.com> wrote:
>>>> I currently use a free service to host the DNS records for my
>>>> website, but I'm thinking of running a DNS server on the same
>>>> machine that runs my website instead. Would that be fairly
>>>> trivial to set up and maintain? If so, which package should I
>>>> use?
>>>
>>> ISC bind is the de facto standard for DNS servers. I haven't
>>> administered bind on Gentoo, but on Debian, most of the problems I
>>> run into come from how Debian packages and updates configuration
>>> files.
>>>
>>> I'm not running DNS servers in any major production capacity; I've
>>> got a bind server at home linking my home domain and my employer's
>>> work domain across a VPN, and updated dynamically via a dhcpd on
>>> the same server. It's also serving as a caching recursive resolver
>>> for my home network, which was *really* necessary when I was still
>>> on AT&T. (The DSL link was dropping packets every now and again,
>>> and it's a PITA when that happens to DNS queries)
>>
>> You're running an auth server and a cache on the same machine?
>
> Split across a couple views, but yeah. And no recursion allowed on the wan side.
>
>>
>> At a minimum they should be on different interfaces and preferably in
>> chroots. Otherwise all manner of $BAD_STUFF happens.
>
> Hm. Interested.
>
> echo $BAD_STUFF
>
> (or URI)
>
URI: http://cr.yp.to/djbdns/separation.html
Regards,
Florian Philipp
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Grant @ 2011-08-18 18:22 UTC (permalink / raw
To: gentoo-user
>>> Just to counter all of the scary stories,
>>
>> Yeah, I'd like to counter too. While the implications of getting it
>> wrong are serious, technically it's quite simple. I run my own DNS, and
>> use a couple of free secondaries (http://www.twisted4life.com and
>> http://www.everydns.net).
>
> The same here. I have been running my own DNS for about 2 years,
> primary for a few domains. As secondaries I use twisted4life,
> xname, afraid, nether, and rollernet. Never had any problem.
> I did this mainly because my registrar had a terrible web interface
> which I simply refused to use. As a side-effect, I learned a lot
> about the domain name system. Now I'm playing with DNSSEC, and it's quite
> interesting...
>
> I do run dns with www on the same server (in addition to ftp,
> mail, and a few more things), but each of those services in
> its own vserver-guest...
>
> Jarry
Are those vserver-guest instances for security? I didn't know people
used those for each service they run on the same machine.
- Grant
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Michael Mol @ 2011-08-18 18:36 UTC (permalink / raw
To: gentoo-user
On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp <lists@binarywings.net> wrote:
> On 18.08.2011 03:35, Michael Mol wrote:
>> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
>>> At a minimum they should be on different interfaces and preferably in
>>> chroots. Otherwise all manner of $BAD_STUFF happens.
>>
>> Hm. Interested.
>>
>> echo $BAD_STUFF
>>
>> (or URI)
>>
>
> URI: http://cr.yp.to/djbdns/separation.html
Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a
FQDN, I'm only authoritative within my own network and I don't (yet)
expose my DNS records publicly. (It all resolves to RFC1918
addresses... what'd be the point?)
--
:wq
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Michael Mol @ 2011-08-18 18:38 UTC (permalink / raw
To: gentoo-user
On Thu, Aug 18, 2011 at 2:22 PM, Grant <emailgrant@gmail.com> wrote:
>> I do run dns with www on the same server (in addition to ftp,
>> mail, and a few more things), but each of those services in
>> its own vserver-guest...
>>
>> Jarry
>
> Are those vserver-guest instances for security? I didn't know people
> used those for each service they run on the same machine.
If you can do resource allotments, it can be handy to prevent a
runaway process on one machine from sucking all the CPU, RAM or disk
I/O away from other services.
--
:wq
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Jarry @ 2011-08-18 18:47 UTC (permalink / raw
To: gentoo-user
On 18-Aug-11 20:22, Grant wrote:
>>>> Just to counter all of the scary stories,
>>
>> I do run dns with www on the same server (in addition to ftp,
>> mail, and a few more things), but each of those services in
>> its own vserver-guest...
>
> Are those vserver-guest instances for security? I didn't know people
> used those for each service they run on the same machine.
It is a kind of "better chroot". Some services are not easy
to run chrooted but can still run in a vserver guest.
I think it is good to have services running separately.
If one of them gets compromised, the others still keep running.
One more extra layer of security, worth trying. The only
service I'm running on the "master-server" (host) is ssh on a
non-standard port, with pretty tight firewall rules...
Jarry
--
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Stroller @ 2011-08-18 21:48 UTC (permalink / raw
To: gentoo-user
On 18 August 2011, at 01:18, Adam Carter wrote:
> … I … use a couple of free secondaries …
> http://www.everydns.net).
Only for the next 14 days.
I'll check out twisted4life.com but would be grateful for any other suggestions. There's no money in free DNS, unfortunately.
Stroller.
* Re: [gentoo-user] Running HTTP and DNS on same machine
From: Alan McKinnon @ 2011-08-19 7:17 UTC (permalink / raw
To: gentoo-user
On Thu 18 August 2011 14:36:26 Michael Mol did opine thusly:
> On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp <lists@binarywings.net> wrote:
> > On 18.08.2011 03:35, Michael Mol wrote:
> >> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> >>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
> >>> At a minimum they should be on different interfaces and
> >>> preferably in chroots. Otherwise all manner of $BAD_STUFF
> >>> happens.
> >>
> >> Hm. Interested.
> >>
> >> echo $BAD_STUFF
> >>
> >> (or URI)
> >
> > URI: http://cr.yp.to/djbdns/separation.html
>
> Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a
> FQDN, I'm only authoritative within my own network and I don't (yet)
> expose my DNS records publicly. (It all resolves to RFC1918
> addresses... what'd be the point?)
On your scale you'd probably get away with it, that's why I made that
little note earlier.
Throughout this thread I've been replying from the viewpoint of having
very large auth servers to maintain, I have to deal with stuff you'd
likely never see, simply because you only have one zone. My employers
have seen fit to sign up something like 40,000 zones from customers
then said "Here you Alan, make this work."
Aside from security and integrity issues, all sorts of interesting
data problems happen on that scale, and they all seem to trace back
to inappropriate use of glue. Sooner or later you will find a record
you need to look up for purposes other than it being an NS, and you
have it already in glue. If you are using that bind instance also as a
cache, it will never do a proper lookup for that glue record as it is
ALREADY authoritative. You will go nuts and turn your brains into
scrambled eggs trying to find that one. (Exactly the same weird issues
can be found in almost any kind of coding problem using data and
linked data structures; it's not unique to DNS.)
Any large DNS provider should (and almost all do) keep the caches and
auth servers distinctly separate. Most also split top-level and
second-level domains too.
--
alan dot mckinnon at gmail dot com
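A toy model of the stale-glue trap Alan describes above, added here as example code (not from the thread, and not how BIND is implemented). The zones, names, addresses and the simplified resolver logic are all constructed: a parent zone carries glue for a delegated child's nameserver, the child has since renumbered that host, and the combined auth+cache instance answers from its own glue while a stand-alone cache follows the delegation and takes the answer from the server that is actually authoritative for the name.

```python
"""Stale-glue trap: an authoritative server that also answers recursive
queries serves a glue record from its own zone data instead of resolving
it. All zone data, names and addresses below are constructed examples."""

from typing import Dict, Iterator, List, Optional, Tuple

Records = Dict[str, Dict[str, List[str]]]  # owner name -> rtype -> rdata

# Parent zone example.com delegates child.example.com and carries glue for
# the child's nameserver, entered when the delegation was set up.
PARENT_ZONE: Records = {
    "example.com.":           {"NS": ["ns1.example.com."]},
    "ns1.example.com.":       {"A": ["192.0.2.1"]},
    "child.example.com.":     {"NS": ["ns1.child.example.com."]},
    "ns1.child.example.com.": {"A": ["192.0.2.10"]},  # glue, never updated
}
# The child zone is served elsewhere; its nameserver host was renumbered and
# the child zone is the only place holding the current address.
CHILD_ZONE: Records = {
    "child.example.com.":     {"NS": ["ns1.child.example.com."]},
    "ns1.child.example.com.": {"A": ["192.0.2.20"]},  # current, authoritative
    "www.child.example.com.": {"A": ["192.0.2.30"]},
}


def _ancestors(name: str, origin: str) -> Iterator[str]:
    """Yield name and its parents, stopping before the zone origin."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        anc = ".".join(labels[i:]) + "."
        if anc == origin:
            return
        yield anc


class AuthServer:
    """Authoritative-only server: answers from its zones or refers downward."""

    def __init__(self, zones: Dict[str, Records]):
        self.zones = zones  # origin -> records

    def zone_for(self, name: str) -> Optional[str]:
        fits = [o for o in self.zones if name == o or name.endswith("." + o)]
        return max(fits, key=len) if fits else None

    def query(self, name: str, rtype: str) -> Tuple[str, Records]:
        origin = self.zone_for(name)
        if origin is None:
            return "refused", {}
        zone = self.zones[origin]
        for anc in _ancestors(name, origin):
            if "NS" in zone.get(anc, {}):  # zone cut below us: referral + glue
                referral: Records = {anc: {"NS": zone[anc]["NS"]}}
                for ns in zone[anc]["NS"]:
                    if "A" in zone.get(ns, {}):
                        referral[ns] = {"A": zone[ns]["A"]}
                return "referral", referral
        return ("answer", {name: zone[name]}) if name in zone else ("nxdomain", {})


class Resolver:
    """Stand-alone cache: uses glue only to reach the next server and takes
    the final answer from the server authoritative for the name."""

    def __init__(self, network: Dict[str, AuthServer], start_ip: str):
        self.network, self.start_ip = network, start_ip

    def resolve(self, name: str, rtype: str) -> List[str]:
        ip = self.start_ip
        for _ in range(8):  # referral-chain guard
            kind, rrs = self.network[ip].query(name, rtype)
            if kind == "answer":
                return rrs[name].get(rtype, [])
            if kind != "referral":
                return []
            cut = next(n for n, r in rrs.items() if "NS" in r)
            ns_name = rrs[cut]["NS"][0]
            if ns_name not in rrs:  # no glue; a real resolver would look it up
                return []
            ip = rrs[ns_name]["A"][0]
        return []


class CombinedServer:
    """Auth + cache in one instance: local zone data, glue included, is
    consulted before any recursion happens (the behaviour Alan warns about)."""

    def __init__(self, auth: AuthServer, resolver: Resolver):
        self.auth, self.resolver = auth, resolver

    def lookup(self, name: str, rtype: str) -> List[str]:
        origin = self.auth.zone_for(name)
        if origin is not None and name in self.auth.zones[origin]:
            return self.auth.zones[origin][name].get(rtype, [])  # stale glue
        return self.resolver.resolve(name, rtype)


PARENT = AuthServer({"example.com.": PARENT_ZONE})
CHILD = AuthServer({"child.example.com.": CHILD_ZONE})
# The child server still answers on its old address, so the glue is good
# enough for bootstrapping the delegation but wrong as a final answer.
NETWORK = {"192.0.2.1": PARENT, "192.0.2.10": CHILD, "192.0.2.20": CHILD}
SEPARATE_CACHE = Resolver(NETWORK, start_ip="192.0.2.1")
COMBINED = CombinedServer(PARENT, SEPARATE_CACHE)


def compare(name: str = "ns1.child.example.com.") -> Dict[str, List[str]]:
    """Same question to both designs; only the glue-covered name differs."""
    return {"combined": COMBINED.lookup(name, "A"),
            "separate": SEPARATE_CACHE.resolve(name, "A")}
```

compare() returns 192.0.2.10 from the combined instance and 192.0.2.20 from the separate cache, while every other name under the child zone resolves identically through both, which is exactly why this class of bug is so hard to spot on a box that does both jobs.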