From owner-freebsd-questions@FreeBSD.ORG Wed Sep 15 08:50:51 2004
Date: Wed, 15 Sep 2004 09:50:42 +0100
From: Matthew Seaman
To: Joshua Lewis
cc: questions@freebsd.org
Subject: Re: your mail
Message-ID: <20040915085042.GA23645@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <1440a11160a66f0a88b0a.20040914141236.wzyrjvf@www.dslextreme.com>
User-Agent: Mutt/1.4.2.1i
On Tue, Sep 14, 2004 at 02:12:36PM -0700, Joshua Lewis wrote:
> I don't think I have set up Bind9 correctly and I was hoping someone could
> point out any mistakes I may have made. I have tried to follow the
> examples in the handbook. I even bought DNS and BIND from O'Reilly.
>
> I don't really know how to troubleshoot a DNS issue yet. I know of the
> tools, I just don't understand them yet. I have an MS DNS server running
> fine as my secondary and when I try to troubleshoot it I can't tell if I
> am getting a response from my MS system or my FBSD system.

Right -- you're basically doing the right things, but you just haven't achieved proficiency yet. In general, keep reading. 'DNS and BIND' is a very good start. There's also a lot of good information on web sites around the net. Also look at the comp.protocols.dns.bind newsgroup. Also try out sites like:

    http://www.squish.net/dnscheck/

For debugging Bind9, start by getting Bind to log a lot of stuff. First make sure that /var/log/all.log is enabled: edit /etc/syslog.conf and uncomment the indicated line as instructed. Then do:

    # touch /var/log/all.log
    # chmod 600 /var/log/all.log
    # kill -HUP `cat /var/run/syslogd.pid`

Quite a lot of stuff will be logged there, not just from bind. You can get bind to log all queries by adding:

    logging {
        category "default" { "default_syslog"; "default_debug"; };
        category "queries" { "default_syslog"; "default_debug"; };
    };

to named.conf. This is good for debugging, but tends to produce a lot of output in the log files -- it's not a good idea to enable this continually on a busy production server.
> Ultimately I would like to make this bind system my primary. Once that is
> done I have made arrangements for an off site system to act as my
> secondary for redundancy and I can eliminate the MS system altogether.
>
> Should I post my config info here or is that just a real bad idea? I mean
> anyone can get what they want from the internet, I just don't know if
> posting it here is like inviting someone to crack my system.

Unfortunately there's not a great deal specific we can tell you unless you ask more specific questions and present us with at least documentation showing how something is going wrong. Take a look at:

    http://www.boran.com/security/sp/bind9_20010430.html

for some very good advice about securing a Bind9 server. That page talks a lot about Solaris 9, so you'll have to do a little bit of mental translation to make it fit under FreeBSD.

> Also I currently only have one FreeBSD system. I am trying to run multiple
> services on this one system: Mail, DNS, WWW, SQL. It is a pretty beefy
> system and will have no problem handling the load. I just want to hide the
> hostname of the system when I can. I only have the one customer hitting
> the system and it is a real small company. This system is overkill for
> them so I am trying to utilize the system to the best of my ability. I
> know in a perfect world I should have them each running on separate
> systems, however that is not feasible right now. I was thinking of getting
> some old P1 systems and moving DNS over to that. Any other recommendations
> are welcome.

You're quite right that putting all your eggs in the one basket is not the best strategy. However it is a relatively cheap strategy, and on a low traffic setup it works OK. The big risk is that a component failure will take out your whole setup -- so make sure you have good backups and think about your disaster recovery planning: how quickly can you get a busted machine back up and running?
A Pentium 1 system probably isn't a very good choice -- not so much because the processor is slow (although that doesn't help) but because systems of that age tend not to have much memory available.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBSAJiiD657aJF7eIRAo7fAJ0RZLqAvvIyH/W9FwvuMxiaKKTN0wCgiv4/
NrMIRvGD4fJ4z7fnAN8QFUE=
=kdnm
-----END PGP SIGNATURE-----
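The query logging described in the reply above sends one line per query to syslog, where it lands in /var/log/all.log mixed in with everything else on the box. The script below is an added example, not part of the original message, showing how to pull those named query lines back out and summarise them: queries per client, queries per name and type, and any queries for names outside the zones the server is meant to serve. The log lines are constructed, and the line shape ("client ADDR#PORT: query: NAME CLASS TYPE +") is assumed from BIND 9.3 output, so check it against a real line from your own log and adjust QUERY_RE if your version differs; example.com stands in for whatever zones are in your named.conf.

```python
import re
import sys
from collections import Counter

# Constructed sample of what /var/log/all.log might contain once the logging
# stanza above sends "category queries" to default_syslog.  Not real traffic.
# The "client ADDR#PORT: query: NAME CLASS TYPE +" shape is assumed from
# BIND 9.3 ('+' = recursion desired, '-' = not) and may differ by version.
SAMPLE_LOG = """\
Sep 15 09:51:02 ns1 named[1234]: client 192.168.1.20#32771: query: www.example.com IN A +
Sep 15 09:51:02 ns1 named[1234]: client 192.168.1.20#32771: query: example.com IN MX +
Sep 15 09:51:05 ns1 named[1234]: client 10.0.0.9#53: query: example.com IN SOA -
Sep 15 09:51:07 ns1 named[1234]: client 203.0.113.7#2049: query: www.google.com IN A +
Sep 15 09:51:07 ns1 named[1234]: zone example.com/IN: sending notifies (serial 2004091501)
Sep 15 09:51:09 ns1 sshd[999]: Accepted publickey for matthew from 192.168.1.20 port 50123
Sep 15 09:51:10 ns1 named[1234]: client 203.0.113.7#2049: query: mail.example.com IN A +
"""

# Only lines written by named that carry a "query:" record are of interest;
# everything else in all.log (notifies, sshd, cron, ...) is skipped.
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
    r"(?: (?P<flags>[+-]\S*))?"
)


def parse_query_log(text):
    """Return one dict per query line (client, port, qname, qclass, qtype, flags, recursion_desired)."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        q = m.groupdict()
        # Normalise so "WWW.Example.COM." and "www.example.com" compare equal.
        q["qname"] = q["qname"].rstrip(".").lower()
        q["recursion_desired"] = q["flags"] is not None and q["flags"].startswith("+")
        queries.append(q)
    return queries


def in_zone(name, zones):
    """True if name is at or below one of the given zone apexes."""
    name = name.rstrip(".").lower()
    for z in zones:
        z = z.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False


def summarize(queries, zones):
    """Count queries per client and per (name, type); list those for names you do not serve."""
    return {
        "by_client": Counter(q["client"] for q in queries),
        "by_name": Counter((q["qname"], q["qtype"]) for q in queries),
        "offzone": [q for q in queries if not in_zone(q["qname"], zones)],
    }


def report(text, zones):
    """Parse, summarise and print; returns the summary so callers can inspect it."""
    s = summarize(parse_query_log(text), zones)
    print("queries per client:")
    for client, n in s["by_client"].most_common():
        print(f"  {client:<16} {n}")
    print("queries per name/type:")
    for (name, qtype), n in s["by_name"].most_common():
        print(f"  {name} {qtype}: {n}")
    print("queries for names outside the zones this server is meant to serve:")
    for q in s["offzone"]:
        rd = "recursion desired" if q["recursion_desired"] else "no recursion"
        print(f"  {q['client']} asked for {q['qname']} {q['qtype']} ({rd})")
    return s


if __name__ == "__main__":
    # Usage: python3 querylog.py [/var/log/all.log] [zone ...]
    # With no arguments the constructed sample above is used; zones default to
    # example.com, a stand-in for the zones in your own named.conf.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    served = sys.argv[2:] or ["example.com"]
    report(log_text, served)
```

Run it against the real all.log while you send test queries from a known client address: if your queries show up under that client, they reached the FreeBSD box rather than the MS secondary, which is the distinction the original question could not make. The off-zone list is a useful by-product of the same log: names you do not serve being asked of an authoritative server, with recursion desired, tell you someone is treating it as a resolver.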