[TriLUG] OT: DSL for SOHO in Chapel Hill

Ben Pitzer uncleben at mindspring.com
Tue Jan 27 10:02:27 EST 2004


<SNIP>

>
> The second DNS server should be on a different network from the first.
>
> The DNS and other services can share one IP address by port forwarding
> at the gateway.
>
> For most SOHOs this can be done with but a single IP.
>
> As for DNS, best to leave that to one of the well run third party DNS
> providers.  Sure, it's something you can do yourself if you want.  But
> why bother when you have free providers like EveryDNS who will do it
> for you for free?  And you can never hope to reach the levels of
> redundancy that they can boast of.

This is an excellent point.  With the security of DNS becoming an ever more
difficult to manage albatross for most folks, and with DNS RFCs being
ignored by home-brew DNS admins (and unfortunately many DNS admins for these
hosting companies, so watch out), it's worthwhile to host your DNS at a
reputable DNS provider.  There are a few things to watch out for, however:

1.  Make sure that your domain points to the A record hostnames for your DNS
provider.  All too often I come across zones that are pointed to CNAMEs in
their NS or SOA records.  This is very bad, and most BIND 9.x servers will
fail to look your domain up in this circumstance.
2.  Make sure that the DNS hostnames/IPs that you provide your domain
registrar are the same as the machines that are actually authoritative for
your zone, instead of boxes that then re-delegate your zone to someone else.
This saves time in lookups, and removes potential problems later on.
3.  Make sure that your DNS admin's zone is in good shape. If you are being
hosted by foo.com, make sure that foo.com's zone doesn't have any of the
mistakes I mentioned above.  If they do, don't host with them, or point the
mistakes out and make them fix them before hosting your zone with that
provider.  Their mistakes will become your headaches if they're not fixed.
4.  If you change your zone, make sure to lower the TTL in your SOA record
at least 1 week before you move the zone to another provider, and that the
old provider removes your zone from their DNS servers as soon as the new
zone is set up with the new provider.  This may require some cajoling, as
sometimes providers are slow to remove their old zones.  It is, however,
imperative, as most DNS servers will continue to look your zone up on the
last known authoritative server until that server is no longer
authoritative.

These are all actually good class topics, and something that is worth
elaborating on.  I'd be happy to have such a talk, and discuss some DNS
security stuff as well.  Is there any interest in this?


> With things like port forwarding and reverse proxying you can do some
> amazing things with just one IP address.  You'd never know that traffic
> coming into my one IP could be directed into any one of half a dozen
> servers (to say nothing of all the other boxes hiding behind NAT).

Being the secondary (or tertiary or quaternary) DNS authority for your own
zone is fine, but most times it makes more sense to let someone in a
datacenter, on a different network, with redundant power and routing be at
least the primary, and you take over the secondary zone.  *NOTE*:  Make
sure that your provider either sets you up to transfer your zone (which many
may not do), or you make sure that your zones match 100%, down to the serial
number in the SOA record.


Regards,
Ben Pitzer

---------------------------------------------

"Those that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 --Ben Franklin--
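The four points above plus the closing note are easy to turn into a checklist that runs over a snapshot of DNS answers. The script below is an added example and is not part of the original post or the TriLUG thread; it works over a constructed snapshot (placeholder names under `.test`, placeholder addresses from the documentation ranges, made-up serials) instead of live queries so it runs offline, and the helper names (`check_ns_targets`, `check_registrar_matches_delegation`, `check_soa_ttl_before_move`, `check_serials_match`) are the example's own. The snapshot deliberately contains each mistake the post warns about, so every check reports something.

```python
from collections import namedtuple

Record = namedtuple("Record", "name rtype ttl rdata")

# Constructed snapshot standing in for answers you would otherwise gather with
# dig against the parent, the registrar's published NS set, and each
# authoritative server. Names, addresses and serials are placeholders.
PARENT_DELEGATION = [
    Record("example.test.", "NS", 86400, "ns1.example-dns.test."),
    Record("example.test.", "NS", 86400, "ns2.example-dns.test."),
    Record("example.test.", "NS", 86400, "ns3.example-dns.test."),
]
PROVIDER_RECORDS = [
    Record("ns1.example-dns.test.", "A", 3600, "192.0.2.10"),
    Record("ns2.example-dns.test.", "A", 3600, "198.51.100.10"),
    # Point 1: an NS target that is a CNAME rather than an A record.
    Record("ns3.example-dns.test.", "CNAME", 3600, "ns1.example-dns.test."),
]
# Point 2: the set the registrar publishes (constructed) drifted from the
# set the zone itself advertises: ns3 is missing, ns9 is a leftover.
REGISTRAR_NS = {"ns1.example-dns.test.", "ns2.example-dns.test.", "ns9.old-host.test."}
# Points 4 and the closing note: SOA still at a long TTL, and the secondary's
# serial lags the primary's.
PRIMARY_SOA = Record("example.test.", "SOA", 86400,
                     "ns1.example-dns.test. hostmaster.example.test. 2004012701 7200 900 1209600 3600")
SECONDARY_SOA = Record("example.test.", "SOA", 86400,
                       "ns1.example-dns.test. hostmaster.example.test. 2004012601 7200 900 1209600 3600")


def lookup(records, name, rtype):
    """Return the rdata strings for (name, rtype) found in the snapshot."""
    return [r.rdata for r in records if r.name == name and r.rtype == rtype]


def check_ns_targets(delegation, provider_records):
    """Point 1: every NS target must own an A/AAAA record, never a CNAME.
    Returns a list of (nameserver, problem) tuples; an empty list is clean."""
    problems = []
    for ns in (r.rdata for r in delegation if r.rtype == "NS"):
        if lookup(provider_records, ns, "CNAME"):
            problems.append((ns, "NS target is a CNAME"))
        elif not lookup(provider_records, ns, "A") and not lookup(provider_records, ns, "AAAA"):
            problems.append((ns, "NS target has no address record"))
    return problems


def check_registrar_matches_delegation(registrar_ns, delegation):
    """Point 2: the NS set at the registrar must equal the NS set the
    authoritative servers advertise. Returns (missing_at_registrar, stale_at_registrar)."""
    advertised = {r.rdata for r in delegation if r.rtype == "NS"}
    return sorted(advertised - registrar_ns), sorted(registrar_ns - advertised)


def parse_soa(soa):
    """Split SOA rdata into mname, rname, serial, refresh, retry, expire, minimum."""
    mname, rname, serial, refresh, retry, expire, minimum = soa.rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def check_soa_ttl_before_move(soa, max_ttl=3600):
    """Point 4: before a move, the SOA TTL and its minimum field should already
    be lowered so caches forget the old servers quickly. True when both are
    at or below max_ttl (the 3600 default is this example's own choice)."""
    fields = parse_soa(soa)
    return soa.ttl <= max_ttl and fields["minimum"] <= max_ttl


def check_serials_match(primary_soa, secondary_soa):
    """Closing note: a secondary that doesn't pull the zone by transfer must
    match the primary exactly, serial included. Returns (match, primary, secondary)."""
    p = parse_soa(primary_soa)["serial"]
    s = parse_soa(secondary_soa)["serial"]
    return p == s, p, s


def run_all():
    """Run every check over the constructed snapshot and return a report dict."""
    return {
        "ns_targets": check_ns_targets(PARENT_DELEGATION, PROVIDER_RECORDS),
        "registrar": check_registrar_matches_delegation(REGISTRAR_NS, PARENT_DELEGATION),
        "soa_ttl_ok": check_soa_ttl_before_move(PRIMARY_SOA),
        "serials": check_serials_match(PRIMARY_SOA, SECONDARY_SOA),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

To use it against a real zone, replace the constructed lists with the answers from `dig +norecurse NS <zone> @<parent-server>`, the registrar's NS list, and an SOA query against each server in the NS set; the checks themselves do not change.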



