[TriLUG] Slides from last night's DNS Presentation
Aaron Joyner
aaron at joyner.ws
Fri Oct 15 19:46:11 EDT 2004
Rick DeNatale wrote:
> Understood, but I wasn't talking about protecting a DNS server from
> DOS attacks; my gripe was about ISPs who keep legitimate e-mails from
> getting to me because they've ended up temporarily or not on a list
> like spamcop.net.
Speaking from the provider's perspective, it's a tragedy to throw mail
away. I can certainly understand why some shops think it's necessary,
after all Intrex pulls through roughly a million messages a day, and
spam scanning all of those takes quite a bit of horsepower. Still, your
suggestion of treating spamcop or any other RBL as a "weight" in the
system is the best advice _for_a_provider_. Now if you're one of the
few, or the only user of your mail system - it is certainly in your
rights to make that decision, but a provider shouldn't make it
unilaterally for all of their users.
> Yes, that's how I understand it, but in a typical SOHO setup with a
> single dynamic ISP supplied ip address a lan behind a NAT router, with
> all of the externally viewed name mapping to the only ip address I've
> got I'm not sure I see either how to or why I should use views.
Given your situation as you describe it (an internal server which is
only accessed by one set of clients), views really doesn't do much for
you. Now if you intend to change the role of that server, it could be
more useful. More about that in a second.
> How well do the DNS protocols support domains, as opposed to hosts,
> with dynamic addresses? Dyndns doesn't seem to support exposing name
> servers on a dynamic address, do any similar outfits allow it?
The DNS protocols are incredibly flexible. On the other hand, providers
are often not quite as flexible. Also keep in mind that flexibility is
always a trade off.
I'm going to make some assumptions. First, I'm going to assume you want
to host your own DNS (not necessarily the best idea, but we'll assume
it). If you want to do this, there's nothing to prevent you from
pulling up whatever web interface your DNS registrar provides you,
setting your NS record to your current dynamic IP address, and clicking
Update. Then set up BIND accordingly on your home machine, make sure TCP
and UDP ports 54 are redirected into your name server, and you *should*
be in good shape.
Now of course, there are some caveats to this situation. When your IP
address eventually changes, every DNS server that has the old NS records
cached will keep trying to talk to that DNS server until the record
expires. You can work against this one of two ways. The simplest is
turning down the cache time, something short like a few hours is
probably sufficient. I ran my DNS this way for several years when all I
had at my disposal was a few dynamic DNS machines.
This brings us to the next idea - more than one DNS server. If you have
another friend on a dynamic IP, you can share the load between the two
of you, and have a reasonably reliable DNS setup. How? Simple. Set up
your friend's box as a slave server, and add him as an NS record. Then,
when your box's IP changes, all of those hosts which have your old
record cached will try to talk to the machine that moved, give up, and
then talk to your friend. He can conveniently update his DNS with the
new IPs and will hand out the appropriate updates to everyone the first
time they ask - instant propagation of your new IP. Of course if you
both have DNS domains that you want to maintain, you can serve as a
backup for each other, and things can happen rather quickly. This is
what's commonly referred to as a peering agreement, although a bit on
the informal side. :) It's to your mutual benefit to cooperate.
Okay, so you don't have any friends. And you post to this list but you
don't know anyone else who runs a DNS server. Well, there are always
commercial solutions. <shameless plug>Intrex.net, my employer, offers
secondary DNS services for the ridiculously cheap price of $2 / month,
and will waive the setup fee for TriLUG members. We will also do full
DNS services for $5 / month (normally $8/month) for TriLUG members,
again w/ no setup fee.</shameless plug> There are of course other
commercial solutions, feel free to investigate around on the web. Since
it's terribly important that at least one of your DNS servers be
accessible at all times, the benefits of having a backup DNS server,
with a static IP, in a secured data-center on redundant connections
can't be overstated. If your business or other critical infrastructure
depends on DNS, regardless of any commercial affiliations, please place
some importance on having reliable DNS. :)
Aaron S. Joyner
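The two-server arrangement described in the post, written out as BIND 9 configuration. This is an added example, not part of the original message: the zone name example.org, the addresses 192.0.2.10 (the dynamic-IP primary) and 198.51.100.7 (the friend's secondary) and the hostnames ns1/ns2 are placeholders; the short TTL and serial bump are what make the "instant propagation" after an IP change work, and the allow-transfer/allow-notify lines keep anyone but the two peers from pulling or poking the zone.

```conf
// ---- Primary (your dynamic-IP box): named.conf fragment ----
// Forward TCP and UDP port 53 from the NAT router to this host.
options {
    directory "/var/named";
    recursion no;                       // authoritative only; never an open resolver
    allow-transfer { none; };           // default: nobody may pull any zone
};

zone "example.org" {
    type master;
    file "example.org.zone";
    notify yes;
    also-notify { 198.51.100.7; };      // friend's secondary (placeholder IP)
    allow-transfer { 198.51.100.7; };   // AXFR only to the secondary
};

// ---- Secondary (friend's box): named.conf fragment ----
// "masters" must be edited (or scripted) when the primary's IP changes.
zone "example.org" {
    type slave;
    file "slaves/example.org.zone";
    masters { 192.0.2.10; };            // your current dynamic IP (placeholder)
    allow-notify { 192.0.2.10; };       // only the primary may trigger a refresh
    allow-transfer { none; };
};

; ---- example.org.zone on the primary ----
$TTL 3600           ; one hour: old NS/A records age out of caches soon after a move
@   IN SOA ns1.example.org. hostmaster.example.org. (
        2004101501  ; serial: bump on every IP change or the secondary won't re-transfer
        1800        ; refresh: secondary re-checks the serial every 30 min
        600         ; retry
        1209600     ; expire: secondary keeps answering for 2 weeks if the primary is gone
        300 )       ; negative-caching TTL
    IN NS   ns1.example.org.
    IN NS   ns2.example.org.
ns1 IN A    192.0.2.10          ; your dynamic address: update on change
ns2 IN A    198.51.100.7        ; friend's address
@   IN A    192.0.2.10
www IN A    192.0.2.10
```

The glue A records for ns1/ns2 also have to be changed at the registrar when the primary moves, since resolvers that have never seen the zone learn the name server addresses from the parent, not from this file.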