[TriLUG] Slides from last night's DNS Presentation

Aaron Joyner aaron at joyner.ws
Fri Oct 15 19:46:11 EDT 2004


Rick DeNatale wrote:
> Understood, but I wasn't talking about protecting a DNS server from
> DOS attacks; my gripe was about ISPs who keep legitimate e-mails from
> getting to me because they've ended up, temporarily or not, on a list
> like spamcop.net.

Speaking from the provider's perspective, it's a tragedy to throw mail 
away.  I can certainly understand why some shops think it's necessary, 
after all Intrex pulls through roughly a million messages a day, and 
spam scanning all of those takes quite a bit of horsepower.  Still, your 
suggestion of treating spamcop or any other RBL as a "weight" in the 
system is the best advice _for_a_provider_.  Now if you're one of the 
few, or the only user of your mail system - it is certainly in your 
rights to make that decision, but a provider shouldn't make it 
unilaterally for all of their users.


> Yes, that's how I understand it, but in a typical SOHO setup with a
> single dynamic ISP-supplied IP address, a LAN behind a NAT router, with
> all of the externally viewed names mapping to the only IP address I've
> got, I'm not sure I see either how to or why I should use views.

Given your situation as you describe it (an internal server which is 
only accessed by one set of clients), views really doesn't do much for 
you.  Now if you intend to change the role of that server, it could be 
more useful.  More about that in a second.

> How well do the DNS protocols support domains, as opposed to hosts,
> with dynamic addresses? Dyndns doesn't seem to support exposing name
> servers on a dynamic address, do any similar outfits allow it?

The DNS protocols are incredibly flexible.  On the other hand, providers 
are often not quite as flexible.  Also keep in mind that flexibility is 
always a trade-off.

I'm going to make some assumptions.  First, I'm going to assume you want 
to host your own DNS (not necessarily the best idea, but we'll assume 
it).  If you want to do this, there's nothing to prevent you from 
pulling up whatever web interface your DNS registrar provides you, 
setting your NS record to your current dynamic IP address, and clicking 
Update.  Then set up BIND accordingly on your home machine, make sure TCP 
and UDP ports 54 are redirected in to your name server, and you *should* 
be in good shape.

Now of course, there are some caveats to this situation.  When your IP 
address eventually changes, every DNS server that has the old NS records 
cached will keep trying to talk to that DNS server until the record 
expires.  You can work against this one of two ways.  The simplest is 
turning down the cache time, something short like a few hours is 
probably sufficient.  I ran my DNS this way for several years when all I 
had at my disposal was a few dynamic DNS machines.

This brings us to the next idea - more than one DNS server.  If you have 
another friend on a dynamic IP, you can share the load between the two 
of you, and have a reasonably reliable DNS setup.  How?  Simple.  Set up 
your friend's box as a slave server, and add him as an NS record.  Then, 
when your box's IP changes, all of those hosts which have your old 
record cached will try to talk to the machine that moved, give up, and 
then talk to your friend.  He can conveniently update his DNS with the 
new IPs and will hand out the appropriate updates to everyone the first 
time they ask - instant propagation of your new IP.  Of course if you 
both have DNS domains that you want to maintain, you can serve as a 
backup for each other, and things can happen rather quickly.  This is 
what's commonly referred to as a peering agreement, although a bit on 
the informal side.  :)  It's to your mutual benefit to cooperate.

Okay, so you don't have any friends.  And you post to this list but you 
don't know anyone else who runs a DNS server.  Well, there are always 
commercial solutions.  <shameless plug>Intrex.net, my employer, offers 
secondary DNS services for the ridiculously cheap price of $2 / month, 
and will waive the setup fee for TriLUG members.  We will also do full 
DNS services for $5 / month (normally $8/month) for TriLUG members, 
again w/ no setup fee.</shameless plug>  There are of course other 
commercial solutions, feel free to investigate around on the web.  Since 
it's terribly important that at least one of your DNS servers be 
accessible at all times, the benefits of having a backup DNS server, 
with a static IP, in a secured data-center on redundant connections 
can't be overstated.  If your business or other critical infrastructure 
depends on DNS, regardless of any commercial affiliations, please place 
some importance on having reliable DNS.  :)

Aaron S. Joyner
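The two-server, short-TTL arrangement Aaron describes above, written out as BIND 9 configuration.  This is an added example and not part of the original thread; the domain example.com, the addresses 192.0.2.10 (your dynamic IP) and 192.0.2.20 (your friend's dynamic IP), and the file paths are placeholders.

```bind
// --- named.conf on YOUR box (the master) ---
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Only the friend's slave may pull the zone; anyone else is refused.
    allow-transfer { 192.0.2.20; };
    // Push a NOTIFY to the slave whenever the serial changes, so the
    // friend's box hands out the new IP immediately rather than waiting
    // for its next refresh.
    notify yes;
    also-notify { 192.0.2.20; };
};

// --- named.conf on your FRIEND's box (the slave) ---
zone "example.com" {
    type slave;
    file "/var/cache/bind/db.example.com";
    masters { 192.0.2.10; };
    allow-transfer { none; };
};

; --- /etc/bind/db.example.com on the master ---
$TTL 7200            ; "a few hours": stale records age out quickly
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2004101501  ; serial: bump on every address change
                1800        ; refresh: slave re-checks every 30 min
                900         ; retry
                604800      ; expire: slave keeps serving for a week
                300 )       ; negative-answer TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
ns1     IN A    192.0.2.10  ; your dynamic address (placeholder)
ns2     IN A    192.0.2.20  ; friend's dynamic address (placeholder)
@       IN A    192.0.2.10
www     IN A    192.0.2.10
```

One caveat the thread does not spell out: the NS and glue A records that the registrar publishes in the parent zone carry the parent's TTL, not the `$TTL` in your own zone file, so that delegation is the part that still has to be updated by hand when your address moves.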


