
Re: A rookie question on BIND &/| name servers



On Thu, 01 Mar 2001 13:50:36 +0100, you wrote:

>J.C. Roberts wrote:
>
>> I'm stuck out on the fringe of connectivity where my choices are 24.6
>> modem or StarBand two way satellite. I have both right now and have my
>> new OpenBSD box connected to my StarBand transceiver to do firewalling
>> and NAT for my lan.
>> 
>> The biggest bummer on satellite is latency cause it takes time for
>> packets to make the 45,000 mile trip up and down from the satellite.
>> I'm guessing I could speed things considerably by running my own name
>> server on the BSD box, this way DNS resolution can skip the 90,000
>> mile round trip.
>> 
>> I've never run a name server before and haven't started the mandatory
>> RTFM for doing so but I'm curious when running BIND, can you make it
>> mirror the contents of the root servers?
>> 
>> Is there a better choice than BIND for a local name server?
>
>In theory, I guess you _could_, somehow, pull SOA records from the root 
>servers and mirror them locally, but I think you'd run into lots of 
>practical problems actually doing it. First of all, it's a considerable 
>amount of information, and you'd have no way of knowing what zones have 
>been updated or not since you mirrored the information. Also, you would 
>still have to do lookups every time you'd want to actually reach a host, 
>since you can't mirror every nameserver on the net.
>
>Alternatively, and what I suggest you do, you could run a caching-only 
>nameserver locally. You would still need to resolve each host you need 
>to reach, but then you won't need to resolve it again until you restart 
>your nameserver or the TTL on that particular resource record runs out, 
>which could be anything from minutes to weeks.
>
>Another solution would be to do DNS lookups over the modem line if it's 
>always connected (but I'm guessing it isn't?).
>
>As to a better choice than BIND - I personally don't think so. There's a 
>package called djbdns from the author of qmail, I don't quite trust his 
>software for a number of reasons, YMMV. BIND has had its share of 
>security problems, but as long as you keep up to date on any patches for 
>the version you run and monitor your machine for any sign of problems, I 
>feel you should be OK.
>
>The DNS-HOWTO for Linux is a fairly good quick primer on DNS; though it 
>applies to BIND 8 (which is not the default on OpenBSD), a lot of it 
>still applies. It should help you get a caching server up fairly quickly.
>
>This may not be what you wanted to hear, but I hope it's any help. Feel 
>free to mail me if there is anything else you'd like to know or if this 
>is unclear - English is not my first language.
>
>Regards,
>
>Petter

First and foremost, thank you for your time and insight. In the last
two weeks I've gone from stomping around in the NT kernel with a hex
editor to running OpenBSD and actually having source code, so a lot of
this stuff is very new to me.

I've been doing some reading on "djbdns" and "dnscache" by Dan
Bernstein (qmail) and you're not the first person to mention not
trusting his code... Is there some piece of bugtraq history that I
haven't been able to find?

I was thinking about the dnscache but after reading the following...

http://cr.yp.to/djbdns/dnscache.html
-----------------------------------------------------------------------
dnscache uses a fixed-size table, under 256K, to keep track of as many
as 200 simultaneous UDP queries and 20 simultaneous TCP connections.
It also dynamically allocates memory, usually just a few bytes but
occasionally much more, for each active query. If it runs out of
memory handling a query, it discards that query.
-----------------------------------------------------------------------

I started having second thoughts. When a web browser loads a page with
a lot of images, it spawns a lot of connections. I'm not sure if all
of these connections need to be resolved by DNS but they might be. I
don't know whether or not the DNS resolution is being done via udp or
tcp but with just a handful of users, saturating the larger 200
simultaneous connections on dnscache seems fairly probable.

The people putting together OpenBSD put BIND 4.x in there for a reason
and they obviously know a vast amount more than I do. Since I'm not
going to be serving names publicly, I'd guess BIND security is less of
an issue because I can (should be able to :) block outside access to
it with IP Filter.

I'm going to find and read the HOWTO you mentioned and ponder the
decision until I learn more about both of them.

Thanks Again,

J.C. Roberts
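The two points raised in this thread, that a caching-only nameserver only pays the satellite round trip once per record until its TTL expires, and that a resolver with a fixed-size table of in-flight queries discards queries once the table is full, can be seen in a small model. The following is an added illustration, not code from either poster, BIND or djbdns; the latency figure, TTLs, hostnames and the per-burst slot accounting are constructed assumptions.

```python
"""Model of a caching-only resolver behind a high-latency satellite link.

Constructed simulation: no real DNS traffic is sent. The upstream dict stands
in for the rest of the Internet, and SAT_RTT_MS is an assumed round-trip cost.
"""
from dataclasses import dataclass, field

SAT_RTT_MS = 600  # assumed cost of one up-and-down trip to the satellite


@dataclass
class CachingResolver:
    """TTL-aware answer cache plus a fixed-size table of in-flight queries.

    max_inflight mirrors the fixed table size quoted from the dnscache page
    (200 UDP slots); a query that finds no free slot is discarded.
    """
    upstream: dict                 # name -> (address, ttl_seconds)
    max_inflight: int = 200
    cache: dict = field(default_factory=dict)  # name -> (address, expires_at)
    upstream_queries: int = 0      # each one costs a satellite round trip
    dropped: int = 0

    def resolve_burst(self, names, now):
        """Resolve names issued at the same instant (e.g. one image-heavy page).

        Returns {name: address} for answered names; dropped names are absent.
        """
        answers, inflight = {}, 0
        for name in names:
            hit = self.cache.get(name)
            if hit and hit[1] > now:            # cached and TTL not yet expired
                answers[name] = hit[0]
                continue
            if inflight >= self.max_inflight:   # query table full: discard
                self.dropped += 1
                continue
            inflight += 1
            self.upstream_queries += 1
            address, ttl = self.upstream[name]
            self.cache[name] = (address, now + ttl)
            answers[name] = address
        return answers

    def latency_ms(self):
        """Total time spent waiting on the satellite so far."""
        return self.upstream_queries * SAT_RTT_MS
```

Running the same burst twice shows the second pass costing no round trips until a record's TTL lapses, while a burst larger than the slot table shows queries being dropped rather than queued.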