
Re: DNS



On Mon, 26 Jun 2000, Brian Candler wrote:

> Date: Mon, 26 Jun 2000 10:37:46 +0100
> From: Brian Candler <B.Candler at pobox.com>
> To: ksemat at eahd.or.ug
> Cc: afnog at afnog.org
> Subject: Re: DNS
> 
> On Mon, Jun 26, 2000 at 08:30:52AM +0300, ksemat at eahd.or.ug wrote:
> > Yeah that is quite true but would it be for every single IP address or
> > just for those that I want to delegate? Because I only want to delegate
> > about three IPs. So can I have my file like this
> > @  IN SOA dar1.afsat.com ....
> > @  IN NS ...
> > @  IN NS .....
> > 1 IN PTR ....
> > 2 IN PTR ....
> > etc
> > 208 86400 IN NS eahd.or.ug.
> > I hope this is possible but is it necessary? Can various clients run DNS
> > without being authoritative for their reverse zone and have no problems at
> > all? i.e can I have for example just a a ptr record on dar1 pointing
> > 208.132.129.216.in-addr.arpa to eahd.or.ug and eahd will run a name server
> > without any problems? Because if this is so then there is no need to go to
> > all this trouble.
> 
> I am confused.
> 
> 132.129.216.in-addr.arpa is delegated to sauron.kersur.net and
> deathstar.kersur.net. Do you run those machines? If you do, you don't have
> to ask questions about delegation - you already have it for all those IP
> addresses. If you don't (i.e. they are at your upstream) then it's their
> responsibility.
> 
> (1) They can put the record in directly
> 
> 164  IN PTR wawa.eahd.or.ug.
> 208  IN PTR alpha.eahd.or.ug.
> 
> [In this case you need absolutely _nothing_ on your own name servers to
> handle your reverse DNS, because it's all in this zone - the same as the way
> people all over the Internet find it]

I am not in charge of sauron, deathstar or dar1. I just have three IPs
from them. I already do have what you've pointed out above, i.e.
in the zone file I do have

208 IN PTR eahd.or.ug.
164 IN PTR wawa.eahd.or.ug.
178 IN PTR ns.schoolnet.sc.ug.

But someone confused me once with some kind of statement saying that to
run a nameserver I should be authoritative for the reverse zone for that
IP, and that not being authoritative for it may bring me some problems. Is
there anything to this?

> (2) They can put in CNAME records pointing to a zone which you _do_ control:
> 
> 164  IN CNAME 164.in-addr.eahd.or.ug.
> 208  IN CNAME 208.in-addr.eahd.or.ug.
> 
> Then you put the corresponding PTR records in your own zone:
> 
> [eahd.or.ug zonefile]
> 164.in-addr   IN PTR  wawa.eahd.or.ug.
> 208.in-addr   IN PTR  alpha.eahd.or.ug.
> 
> (3) They can delegate individual IP addresses
> 
> 164  IN NS eahd.or.ug.
>      IN NS secondary.example.com.
> 208  IN NS eahd.or.ug.
>      IN NS secondary.example.com.
> 
> Then you set up two zones:
> 
> eahd.or.ug.  primary  164.132.129.216.in-addr.arpa
> @   SOA  ( ... )
>    NS   eahd.or.ug.
>    NS   secondary.example.com.
>    PTR  wawa.eahd.or.ug.
> 
> eahd.or.ug.  primary  208.132.129.216.in-addr.arpa
> @   SOA  ( ... )
>    NS   eahd.or.ug.
>    NS   secondary.example.com.
>    PTR  alpha.eahd.or.ug.
> 
> Plus you have to set up secondary.example.com to be secondary for both those
> zones. This is messy.
> 
> If you only have 2 IP addresses from your upstream, I recommend solution
> (1). If you have a larger block, I recommend solution (2).
> 
> > Also I have taken your suggestion seriously and I am going to implement it,
> > but my question is: can a 330 MHz, 3 Gigabyte Pentium II processor
> > handle the DNS load in the meantime?
> > There would be about 90 zones on it and yet I want it to do recursive
> > queries because some clients use it as a relay for their mail.
> 
> That is more than big enough!!
> 
> At the ISP where I work, which has more than 10,000 modems, their primary
> authoritative (non-caching) DNS server is a P-II/400 with 128M of RAM. The
> RAM footprint of a non-caching DNS server does not grow - this is a good
> reason for keeping it separate. The secondary is a P166/64M.
> 
> The caching servers are P-II/350 with 512M of RAM.
> 
> I suggest that any reliable P75 or above would be absolutely fine as a
> nameserver - with a small amount of RAM for your primary/secondary (with
> only 90 zones - we have thousands here) and some more RAM in the caching
> servers.
> 
> > Also, I have only been on Linux for less than a year and haven't really
> > used BSD. Can you point me to places where I can get a really good
> > firewall? I understand that BSD does not use ipchains, which is what I know,
> > and I don't yet really know ipfilter and ipfwadm.
> 
> FreeBSD has its own 'ipfw' syntax. Its manual page is actually quite a good
> reference: man ipfw. It has stateful rules, which can allow you to build a
> more secure firewall than Linux. But if you are going to build a
> packet-filtering firewall, make sure you have a _very_ clear understanding
> of the issues involved, and all the option bits on TCP packets!!
> 
> The O'Reilly "Building Internet Firewalls" book is pretty good on this sort
> of stuff.
> 
> You shouldn't need firewall rules on your nameservers. Just make sure you
> turn off any daemons you don't need in /etc/rc.conf:
> sendmail_flags="-q30m"       # don't be a listener on port 25
> portmap_enable="NO"
> inetd_enable="NO"            # if you don't need telnet (use ssh instead)
> 
> Cheers,
> 
> Brian.
> 
Otherwise, thank you so much for all the help you've given me. I have
learnt a lot from this exchange. I hope to keep in touch with you and
glean some more knowledge. Once again, thank you very much.
 Sematimba Noah
Network Administrator
Uganda Online
-------------------------------------------------------------------------------
ksemat at eahd.or.ug P.O.Box 1254 Kampala 
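The following is an added example, not code from either correspondent, that models Brian's option (2): the upstream's 132.129.216.in-addr.arpa zone carries CNAMEs into the customer's eahd.or.ug zone, which holds the actual PTR records. It also answers Noah's worry about "having to be authoritative for the reverse zone": what a mail server actually checks is that the address has a PTR and that the PTR's target resolves back to the same address (forward-confirmed reverse DNS), regardless of who is authoritative. The zone contents are constructed for this example; the A records and the mismatch on alpha are assumptions made to show a failing check, and the qualify() function reproduces the trailing-dot rule that bites people setting this up.

```python
"""Toy authoritative lookup that follows CNAME-based reverse delegation
(option 2 in the thread) and checks forward-confirmed reverse DNS.

Zone contents are constructed for this example; the names mirror those in
the thread, the A records and the 178 PTR are assumptions.
"""

IN_ADDR = "in-addr.arpa."


def qualify(name: str, origin: str) -> str:
    """Zone-file semantics: a name without a trailing dot is relative to the
    zone origin, and '@' is the origin itself. Forgetting the dot on a CNAME
    target in the upstream zone produces a name under in-addr.arpa."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def reverse_name(ip: str) -> str:
    """216.129.132.208 -> 208.132.129.216.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + IN_ADDR


def build_zone(origin: str, records):
    """records: (owner, rtype, rdata) in zone-file notation; owners and
    name-valued rdata are qualified against the origin the way BIND does."""
    zone = {}
    for owner, rtype, rdata in records:
        if rtype in ("CNAME", "PTR", "NS"):
            rdata = qualify(rdata, origin)
        zone.setdefault(qualify(owner, origin), []).append((rtype, rdata))
    return zone


# Upstream's reverse zone (the one the thread says lives on sauron/deathstar).
UPSTREAM = build_zone("132.129.216.in-addr.arpa.", [
    ("164", "CNAME", "164.in-addr.eahd.or.ug."),
    ("208", "CNAME", "208.in-addr.eahd.or.ug."),
    ("178", "PTR", "ns.schoolnet.sc.ug."),
])

# Customer's forward zone carrying the PTRs plus constructed A records;
# alpha's A record deliberately does not match its PTR (FCrDNS failure).
CUSTOMER = build_zone("eahd.or.ug.", [
    ("164.in-addr", "PTR", "wawa.eahd.or.ug."),
    ("208.in-addr", "PTR", "alpha.eahd.or.ug."),
    ("wawa", "A", "216.129.132.164"),
    ("alpha", "A", "216.129.132.209"),
])

ZONES = {"132.129.216.in-addr.arpa.": UPSTREAM, "eahd.or.ug.": CUSTOMER}


def zone_for(name: str):
    """Longest-suffix match picks the zone authoritative for a name."""
    best_origin, best_zone = None, None
    for origin, zone in ZONES.items():
        if name == origin or name.endswith("." + origin):
            if best_origin is None or len(origin) > len(best_origin):
                best_origin, best_zone = origin, zone
    return best_zone


def lookup(name: str, rtype: str, max_chain: int = 8):
    """Return (final owner name, rdata list), following CNAMEs like a
    resolver. A chain longer than max_chain is treated as a loop."""
    name = name.lower()
    for _ in range(max_chain):
        zone = zone_for(name)
        rrset = zone.get(name, []) if zone else []
        answers = [rdata for t, rdata in rrset if t == rtype]
        if answers:
            return name, answers
        cnames = [rdata for t, rdata in rrset if t == "CNAME"]
        if not cnames:
            return name, []
        name = cnames[0]
    raise RuntimeError(f"CNAME chain too long, last name {name}")


def ptr_for(ip: str):
    """Hostnames a client would get back for a PTR query on ip."""
    return lookup(reverse_name(ip), "PTR")[1]


def forward_confirmed(ip: str) -> bool:
    """FCrDNS as mail servers apply it: some PTR target must have an A
    record that resolves back to the same address."""
    return any(ip in lookup(host, "A")[1] for host in ptr_for(ip))


if __name__ == "__main__":
    for ip in ("216.129.132.164", "216.129.132.208", "216.129.132.178"):
        status = "fcrdns ok" if forward_confirmed(ip) else "fcrdns FAILS"
        print(ip, ptr_for(ip), status)
```

Running the block shows 164 answering through the CNAME with a matching A record, 208 answering but failing the forward check because of the constructed mismatch, and 178 answering directly from the upstream zone. The qualify() rule is worth a look: a CNAME target written without the trailing dot in the upstream zone would silently become a name under 132.129.216.in-addr.arpa and the chain would dead-end.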