Date:      Tue, 14 Jul 2009 00:46:43 -0400
From:      Steve Bertrand <steve@ibctech.ca>
To:        John Almberg <jalmberg@identry.com>
Cc:        vogelke+unix@pobox.com, freebsd-questions@freebsd.org
Subject:   Re: Should DNS be on same server as webserver?
Message-ID:  <4A5C0DB3.5090205@ibctech.ca>
In-Reply-To: <7DD18C43-5B03-4624-9487-ACC4AFAF000F@identry.com>
References:  <20090713222746.5D519BF05@kev.msw.wpafb.af.mil> <7DD18C43-5B03-4624-9487-ACC4AFAF000F@identry.com>


John Almberg wrote:
> 
> On Jul 13, 2009, at 6:27 PM, Karl Vogel wrote:
> 
>>>> On Mon, 13 Jul 2009 13:03:24 -0400,
>>>> Jon Radel <jon@radel.com> said:
>>
>> J> Apache and Bind have both had their security issues over the years, and
>> J> there's something to be said for running them on different servers to
>> J> reduce both the "all eggs in one basket" factor and the ease of
>> J> spreading an attack.  (Yes, I'm assuming what you're actually
>> J> running....)
>>
>>    You can fix the security problems by dumping Bind and using djbdns.
>>    It's very easy to set up a caching nameserver without using all the
>>    memory on your system.  See http://www.lifewithdjbdns.com/ for more.
> 
> 
> I actually do use djbdns. Super easy to use, once you figure it out.

...to run a DNS cache with djbdns, it doesn't take much figuring out:

(As root. I just tested this as I wrote it).

% pkg_add -r daemontools
% pkg_add -r ucspi-tcp
% echo 'svscan_enable="YES"' >> /etc/rc.conf
% mkdir /var/service
% /usr/local/etc/rc.d/svscan.sh start

% adduser -q

# add a 'dnscache' user. Put the user in the 'dnscache' group, and set the
# user's shell to nologin

# rinse/repeat for a 'dnslog' user

% pkg_add -r djbdns
% rehash

% dnscache-conf dnscache dnslog /etc/dnscache

% ln -s /etc/dnscache /var/service

# now edit your /etc/resolv.conf file, so that the first "nameserver"
# entry in the list points to 127.0.0.1

__END__

By default, your new cache will only listen on the loopback address
(127.0.0.1).

There is a single file in /etc/dnscache/root/ip, named 127.0.0.1

If you want this cache to serve internal /24 network queries:

% touch /etc/dnscache/root/ip/192.168.0

To restart the service after a change:

% svc -t /etc/dnscache

To down the cache:

% svc -d /etc/dnscache

To up the cache:

% svc -u /etc/dnscache

Note that this is only for the dnscache. Setting up an authoritative
server is pretty much just as simple. Note also that I had to do some
patching and hacking to make the tinydns web frontend (VegaDNS) allow
for IPv6 records properly... that's out of the scope of this mail though
(for the record, I use BIND for most things v6).

An example of the empty files that allow cache access:

amigo# ll /etc/dnscache/root/ip
total 0
-rw-r--r--  1 root  wheel  0 Aug 19  2008 127.0.0.1
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.104
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.105
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.106
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.107
-rw-r--r--  1 root  wheel  0 Aug 19  2008 208.70.108
...

Steve
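The root/ip mechanism described above is the only thing standing between this cache and being an open resolver, so it is worth auditing. The following is an added example, not code from the mail or from djbdns: a POSIX sh function that lists each prefix file in a dnscache root/ip directory (the layout shown above, e.g. /etc/dnscache/root/ip, passed in as an argument) with the network it actually admits, flagging one- and two-octet names that open the cache far wider than a /24. The demo runs it against a constructed throwaway directory.

```shell
# Added example (not from the original mail): audit a dnscache root/ip
# directory. dnscache grants access when a client's IP address begins
# with a prefix named by a file in root/ip, split on dots: "127.0.0.1"
# is one host, "192.168.0" is 192.168.0.0/24, and a one-octet name such
# as "10" opens the cache to all of 10.0.0.0/8.
# Assumes the layout shown in the mail (root/ip/<prefix>, for example
# /etc/dnscache/root/ip); the directory is passed in as $1.

# Print one "<name> <cidr> <verdict>" line per prefix file in $1.
dnscache_ip_audit() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: nobody is allowed
        name=${f##*/}
        # number of octets in the name = number of dots + 1
        dots=$(printf '%s' "$name" | tr -cd '.' | wc -c | tr -d ' ')
        case $((dots + 1)) in
            4) printf '%s %s/32 host\n' "$name" "$name" ;;
            3) printf '%s %s.0/24 ok\n' "$name" "$name" ;;
            2) printf '%s %s.0.0/16 broad\n' "$name" "$name" ;;
            1) printf '%s %s.0.0.0/8 WARNING-open-resolver-risk\n' "$name" "$name" ;;
            *) printf '%s ? unexpected-name\n' "$name" ;;
        esac
    done
}

# Constructed sample input: a throwaway root/ip with three prefix files,
# one of them the over-broad single-octet "10".
dnscache_ip_audit_demo() {
    d=$(mktemp -d)
    touch "$d/127.0.0.1" "$d/192.168.0" "$d/10"
    dnscache_ip_audit "$d"
    rm -rf "$d"
}

dnscache_ip_audit_demo
```

Run it as `dnscache_ip_audit /etc/dnscache/root/ip` on a real host; any WARNING line means a whole /8 may query the cache, which is usually not what was intended.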

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A5C0DB3.5090205>