From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: DNS server packages
Date: Mon, 12 Oct 2015 17:43:06 +0000 (UTC)
References: <561A114B.9020701@gmail.com>

Alan McKinnon <...@gmail.com> writes:

> > I need to setup DNS primary/secondary systems on gentoo. So right now
> > I'm looking for a suggested list of packages to install with Bind,
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only
> > run the minimum packages to operate securely?

> auth or cache?

These are the (2) net facing primary and slave dns servers, just for the few domain names I will authenticate. They'll be behind a firewall (iptables/dmz) with no internal zone information. Strictly auth, public facing, with DNSsec.

The plan is to go slow with manual configuration and slowly add features like a database, as I roll out new auth-DNS servers on newer, embedded hardware (very small, very low power, but lots of ram (2G)). So over time the scope will evolve. It's a manual approach to a refresher for me. Eventually one of the auth-dns-slaves will be an arm cluster for performance testing on mesos. (That's a ways off). So also, the iptables rules for such a setup will need to be revisited, dusting off what I used to use. Again, the importance is trying different packages and sniffing the results and examining log files (manually and with scripts) on a log host. So only port 53 (public/routable net visible) and port 22 from a select set of private ips is all these will need.

> First of all, bind is a pain to use. Reason: it's actually a reference
> implementation that as usual got forced into production use. It's slower
> than it could be because it deals with every possible corner case per RFC.
> As an auth server (few queries) it's OK

Bind is an old acquaintance of mine: been a few years, hence the post. I may test/migrate to something else, later.

> As a cache (many queries), there are better servers out there. I prefer
> unbound.

A Caching DNS server for internal usages is another project for another time. It will be totally isolated; still, good to know.

> > Also, what is the (nominal) minimum amount of RAM needed to keep all
> > routes in ram in these name servers?

> I don't understand. DNS servers don't keep routes in memory - routers do
> that. Perhaps you mean cached DNS records?

> DNS is light on RAM, there are only so many records typical users will
> look up. DNS caches not too long ago ran for years problem free with a
> puny few hundred MB. It's not something to be worried about.

There should be a way to keep all the responses for the zone info they serve in ram? I know it often happens without intervention, but surely there are published methods to ensure this info is kept "in ram" like bcachefs? Also flushing and ram usage status monitoring, as these auth dns servers will eventually migrate to low power embedded machines where keeping things in ram is critical to performance.

'eix -cC net-dns | grep auth'
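As an added example (not from the thread or from any poster), here is a sketch of the INPUT ruleset the message describes for a public-facing, authoritative-only DNS host: port 53 (UDP and TCP) open to everyone, port 22 only from an admin allow-list, everything else dropped. The admin subnets are placeholder values, and the loopback, conntrack and rate-limited LOG rules are my additions; the rules are emitted as text so they can be reviewed before being piped to a shell on the DNS host.

```shell
#!/bin/sh
# Emit an iptables INPUT ruleset for an auth-only DNS server.
# Assumption: ADMIN_NETS are placeholder private ranges; replace with the
# real management subnets. Nothing is applied here, the commands are printed.
ADMIN_NETS="${ADMIN_NETS:-10.0.0.0/24 192.168.10.0/24}"
IPT="${IPT:-iptables}"

emit_dns_rules() {
    echo "$IPT -F INPUT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # Let replies to the server's own traffic (e.g. zone transfers it initiates) back in.
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # DNS needs both transports: UDP for ordinary queries, TCP for truncated
    # answers (common with DNSSEC-signed responses) and for AXFR/IXFR to the slave.
    echo "$IPT -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "$IPT -A INPUT -p tcp --dport 53 -j ACCEPT"
    # SSH only from the admin allow-list, new connections only.
    for net in $ADMIN_NETS; do
        echo "$IPT -A INPUT -p tcp -s $net --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of everything else so probes show up on the log host.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"dns-fw-drop: \""
    # Default-deny policies are set last so a live apply over SSH is not cut off.
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
}

# Sanity check before applying: how many ACCEPT rules open a given port?
accept_rules_for_port() {
    emit_dns_rules | grep -c -e "--dport $1 .*-j ACCEPT" || true
}
```

Run `emit_dns_rules` to review the output, and `accept_rules_for_port 22` should equal the number of admin subnets you listed.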