Date:      Wed, 15 Sep 2004 09:50:42 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Joshua Lewis <jmlewis@dslextreme.com>
Cc:        questions@freebsd.org
Subject:   Re: your mail
Message-ID:  <20040915085042.GA23645@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <1440a11160a66f0a88b0a.20040914141236.wzyrjvf@www.dslextreme.com>
References:  <1440a11160a66f0a88b0a.20040914141236.wzyrjvf@www.dslextreme.com>

On Tue, Sep 14, 2004 at 02:12:36PM -0700, Joshua Lewis wrote:
> I don't think I have set up Bind9 correctly and I was hoping someone could
> point out any mistakes I may have made. I have tried to follow the
> examples in the handbook. I even bought DNS and BIND from O'Reilly.
>
> I don't really know how to troubleshoot a DNS issue yet. I know of the
> tools I just don't understand them yet. I have a MS DNS server running
> fine as my secondary and when I try to troubleshoot it I can't tell if I
> am getting a response from my MS system or my FBSD system.

Right -- you're basically doing the right things, but you just haven't
achieved proficiency yet.  In general, keep reading. 'DNS and BIND' is
a very good start.  There's also a lot of good information on web
sites around the net.  Also look at the comp.protocols.dns.bind
newsgroup.  Also try out sites like:

    http://www.squish.net/dnscheck/

For debugging Bind9, start by getting Bind to log a lot of stuff.
First make sure that /var/log/all.log is enabled: edit
/etc/syslog.conf and uncomment the indicated line as instructed.  Then do:

    # touch /var/log/all.log
    # chmod 600 /var/log/all.log
    # kill -HUP `cat /var/run/syslogd.pid`

Quite a lot of stuff will be logged there, not just from bind.

You can get bind to log all queries by adding:

    logging {
        category "default" {
            "default_syslog";
            "default_debug";
        };
        category "queries" {
            "default_syslog";
            "default_debug";
        };
    };

to named.conf.  This is good for debugging, but tends to produce a lot
of output in the log files -- it's not a good idea to enable this
continually on a busy production server.

> Ultimately I would like to make this bind system my primary. Once that is
> done I have made arrangements for an off site system to act as my
> secondary for redundancy and I can eliminate the MS system all together.
>
> Should I post my config info here or is that just a real bad idea? I mean
> anyone can get what they want from the internet I just don't know if
> posting it here is like inviting someone to crack my system.

Unfortunately there's not a great deal specific we can tell you unless
you ask more specific questions and present us with at least
documentation showing how something is going wrong.

Take a look at:

    http://www.boran.com/security/sp/bind9_20010430.html

for some very good advice about securing a Bind9 server.  That page
talks a lot about Solaris 9, so you'll have to do a little bit of
mental translation to make it fit under FreeBSD.

> Also I currently only have one FreeBSD system. I am trying to run multiple
> services on this one system Mail, DNS, WWW, SQL. It is a pretty beefy
> system and will have no problem handling the load. I just want to hide the
> hostname of the system when I can. I only have the one customer hitting
> the system and it is a real small company. This system is overkill for
> them so I am trying to utilize the system to the best of my ability. I
> know in a perfect world I should have them each running on separate
> systems however that is not feasible right now. I was thinking of getting
> some old P1 systems and moving DNS over to that. Any other recommendations
> are welcome.

You're quite right that putting all your eggs in the one basket is not
the best strategy.  However it is a relatively cheap strategy, and on
a low traffic setup it works OK.  The big risk is that a component
failure will take out your whole setup -- so make sure you have good
backups and think about your disaster recovery planning: how quickly
can you get a busted machine back up and running?

A Pentium 1 system probably isn't a very good choice -- not so much
because the processor is slow (although that doesn't help) but because
systems of that age tend not to have much memory available.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

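The query logging Matthew enables above writes one line per query. As an added example (not part of the original thread and not code from the BIND project), here is a small parser that reads BIND 9 query-log lines, tallies them per client and per record type, and flags two things worth looking for on an authoritative server: ANY queries, and recursion-desired queries for names outside your own zones arriving from outside your own networks, which is what an open-resolver probe looks like in the log. The log lines are constructed, and the 192.0.2.0/24 network and the example.com zone are assumptions standing in for your own.

```python
"""Parse BIND 9 query-log lines and flag queries an authoritative server
should not be seeing.  Added example; sample data is constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the BIND 9 "queries" category format:
#   <timestamp> client <ip>#<port>: query: <name> <class> <type> <flags>
# where the flags start with "+" if the client asked for recursion and
# "-" if it did not.  These lines are not from any real server.
SAMPLE_LOG = """\
15-Sep-2004 09:51:02.113 client 192.0.2.10#32795: query: www.example.com IN A +
15-Sep-2004 09:51:02.587 client 192.0.2.10#32796: query: mail.example.com IN MX +
15-Sep-2004 09:51:03.004 client 198.51.100.7#53: query: example.com IN SOA -
15-Sep-2004 09:51:03.440 client 203.0.113.99#2048: query: example.com IN ANY +
15-Sep-2004 09:51:03.441 client 203.0.113.99#2049: query: example.com IN ANY +
15-Sep-2004 09:51:05.220 client 203.0.113.99#2050: query: isc.org IN ANY +
garbage line that does not match
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

# Hypothetical: the networks we serve and the zones we are authoritative for.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
OUR_ZONES = ("example.com",)


def parse_line(line):
    """Return a dict for one query-log line, or None if it is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["recursion_desired"] = q["flags"].startswith("+")
    return q


def parse_log(text):
    """Parse every query line in a block of log text, skipping other lines."""
    return [q for q in (parse_line(l) for l in text.splitlines()) if q]


def in_zone(name, zones):
    """True if name is inside (or equal to) one of the given zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def find_suspicious(queries, local_nets=LOCAL_NETS, zones=OUR_ZONES):
    """Flag ANY queries, and off-zone recursive queries from outside our nets.

    A "+" only means the client *asked* for recursion; whether named
    answered it depends on allow-recursion in named.conf.
    """
    findings = []
    for q in queries:
        ip = ip_address(q["ip"])
        external = not any(ip in net for net in local_nets)
        if external and q["recursion_desired"] and not in_zone(q["name"], zones):
            findings.append(("open-resolver-probe", q))
        if q["type"] == "ANY":
            findings.append(("any-query", q))
    return findings


def summarize(queries):
    """Per-client and per-type counts, the first thing to look at when a log is noisy."""
    return {
        "by_client": Counter(q["ip"] for q in queries),
        "by_type": Counter(q["type"] for q in queries),
    }


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    s = summarize(qs)
    print("queries per client:", dict(s["by_client"]))
    print("queries per type:  ", dict(s["by_type"]))
    for kind, q in find_suspicious(qs):
        print(f"{kind}: {q['ip']} asked {q['type']} {q['name']} flags={q['flags']}")
```

To use it on a real machine, replace SAMPLE_LOG with the query lines grepped out of /var/log/all.log (or named's own debug file) and adjust LOCAL_NETS and OUR_ZONES. If external clients show up as "open-resolver-probe", check the allow-recursion setting in named.conf, which is one of the main points of the securing-BIND advice linked above.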