[personal profile] cheshirenoir
Work has asked me to look at setting up a new server (or pair of servers) to run as dual-role DNS servers, looking up forwarded DNS requests from our network and being authoritative for external requests from third parties.
Now I haven't touched the stuff since 2001, so I'm rather rusty. Back then I wasn't working at the coalface of it either, but I do remember using BIND (did I mention these are destined for Linux boxes?) when I did do this stuff.
The question, however, has been asked:
"Is bind still current, or has the industry moved on to something easier to manage?"
To which I don't have an easy answer. So I turn to you, my network of readers. This is for a production environment so security, scalability and reliability are paramount. If this means "Use bind, even if it is a pig cos it's damned robust" then so be it.

Date: 2009-08-25 12:28 am (UTC)
From: [identity profile] prk.livejournal.com
BIND still rules although there are others out there (DJB DNS, etc).

I'd suggest BIND, but make sure you specifically configure recursive lookups to only work for your internal IPs, not the global Internet.

prk.
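Added example, not from prk or anyone else in this thread: a minimal BIND 9 named.conf for the dual-role setup prk describes, with recursion limited to an internal ACL, plus a small shell helper that reads dig output to tell whether a server is handing out recursive answers to the querying host. The address ranges (10.0.0.0/8, 192.168.0.0/16), the zone name example.com and the secondary's address 192.0.2.53 are hypothetical placeholders, and the check assumes dig is installed on the probing host.

```shell
#!/bin/sh
# Added example (not the post's or any commenter's code): a dual-role BIND 9
# config with recursion restricted to internal clients, and a probe that tells
# whether a server offers recursion to the host running the probe.
# Address ranges, zone name and secondary IP below are hypothetical.

# write_named_conf DIR : write DIR/named.conf
write_named_conf() {
  cat > "$1/named.conf" <<'EOF'
// Hosts allowed to use this server as a recursive resolver (hypothetical ranges).
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

options {
    directory "/var/cache/bind";
    recursion yes;                       // recursion is on ...
    allow-recursion { internal; };       // ... but only for internal clients
    allow-query-cache { internal; };     // outsiders cannot read cached answers either
    allow-query { any; };                // anyone may query the authoritative zones
    allow-transfer { none; };            // no zone transfers unless a zone says otherwise
    version "not disclosed";
};

// Zone served authoritatively to third parties (hypothetical name and secondary).
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.53; };      // the secondary's address only
};
EOF
}

# check_conf DIR : syntax-check DIR/named.conf when named-checkconf is installed
check_conf() {
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$1/named.conf"
  else
    echo "named-checkconf not installed; skipping syntax check" >&2
  fi
}

# recursion_offered TEXT : given the text of a dig reply, return 0 if the server
# offered recursion to us (RA flag set and status not REFUSED), 1 otherwise.
recursion_offered() {
  if printf '%s\n' "$1" | grep -q 'status: REFUSED'; then
    return 1
  fi
  printf '%s\n' "$1" | grep -q '^;; flags:.* ra[ ;]'
}

# probe SERVER : run from a host OUTSIDE the internal ranges, asking for a name
# the server is not authoritative for; a restricted server must not recurse.
probe() {
  out=$(dig @"$1" +time=3 +tries=1 www.example.org A 2>&1) || {
    echo "no reply from $1" >&2
    return 2
  }
  if recursion_offered "$out"; then
    echo "$1 offers recursion to this host (open resolver from here)"
    return 1
  fi
  echo "$1 refuses recursion from this host"
}
```

Run probe against the new server from a machine outside the internal ranges: a correctly restricted BIND answers REFUSED, or at least without the ra flag, for any name it is not authoritative for, while an internal client still gets full recursive answers. ISC's own guidance is to keep authoritative and recursive service on separate servers, or at least in separate views, where the budget allows; the single options block above is the minimum that stops the box being an open resolver.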

Date: 2009-08-25 02:44 am (UTC)
From: [identity profile] cheshirenoir.livejournal.com
Thanks for that! My gut reaction was right. Nyer Nyer to the doubters at work.

Date: 2009-08-25 12:48 am (UTC)
From: [identity profile] tcpip.livejournal.com
"Use bind, even if it is a pig cos it's damned robust"

That's about right.

Date: 2009-08-25 02:45 am (UTC)
From: [identity profile] cheshirenoir.livejournal.com
Heh. And next step is to let the distro wars begin. (I'm gonna sneak in either an Ubuntu server or a Debian server.)

Date: 2009-08-25 04:30 am (UTC)
From: [identity profile] tcpip.livejournal.com
A good choice for a DNS server imo... :)

Date: 2009-08-25 08:59 am (UTC)
From: [identity profile] rdmasters.livejournal.com
RedHat (says the RHCDS)!
SuSE (says the LCP)!
Ubuntu (says the pragmatist)!
Debian (says the zealot)!
Mandriva (mutters the oddball).
*BSD (says the paranoid with too much time)!
...
GENTOO! (Screams the raving loony....)


(Me? I draw the line just above "Zealot". You could also consider White Box and CentOS if you want Red Hat without the red, bleeding wallet...)


*Disclaimer - I run Ubuntu at home, have run SuSE and Mandriva, and am an RHCDS. It's alright, though, everyone agrees about the Gentoo users.

Date: 2009-08-25 05:52 am (UTC)
From: [identity profile] strangedave.livejournal.com
Yeah, I will concur with my learned colleagues. There are alternatives, but nothing beats the configurability and robustness of BIND. I certainly still use it for all my DNS server needs. The tricky bit with BIND is usually its very specific requirements for config files; an editing tool for zone files etc. is perhaps the easiest way to make it a bit more reasonable to deal with.

I'd add that entire servers just for this job seem like overkill, unless you are talking thousands of clients, especially for a backup server. It would need to be a very big site indeed before I felt it was necessary to dedicate a server to it.
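Added example, not strangedave's and not from any tool he has in mind: a small POSIX shell helper for the zone-file editing chore, which bumps the SOA serial in the common YYYYMMDDNN convention and runs named-checkzone before the zone is loaded. The zone contents are constructed placeholder records under example.com with 192.0.2.0/24 addresses; the helper assumes the multi-line SOA form with the serial on its own line.

```shell
#!/bin/sh
# Added example (not from the post or its commenters): bump a BIND zone's SOA
# serial (YYYYMMDDNN) and validate the zone file before reloading.
# The sample zone is constructed placeholder data; names and IPs are not real.

# write_sample_zone FILE : a small constructed zone to try the helper on
write_sample_zone() {
  cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2009082501 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; minimum
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
ns1 IN A   192.0.2.1
ns2 IN A   192.0.2.2
www IN A   192.0.2.10
EOF
}

# next_serial OLD TODAY : print the next serial; TODAY is YYYYMMDD.
# If OLD already starts with TODAY the two-digit counter is incremented,
# otherwise today's counter starts at 01. Fails past 99 edits in a day.
next_serial() {
  old=$1; today=$2
  case "$old" in
    "$today"??)
      c=${old#"$today"}        # the two-digit counter
      c=${c#0}                 # drop a leading zero so it is not read as octal
      n=$(( c + 1 ))
      ;;
    *)
      n=1
      ;;
  esac
  [ "$n" -le 99 ] || { echo "more than 99 edits today; serial scheme exhausted" >&2; return 1; }
  printf '%s%02d\n' "$today" "$n"
}

# bump_serial FILE TODAY : rewrite FILE with the SOA serial bumped; print the new one.
# Expects the multi-line SOA form with the serial as the first field of its own line.
bump_serial() {
  file=$1; today=$2
  old=$(awk '/SOA/ {insoa=1} insoa && /^[[:space:]]*[0-9]+/ {print $1; exit}' "$file")
  [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
  new=$(next_serial "$old" "$today") || return 1
  # replace only the first line whose first field is the old serial
  awk -v old="$old" -v new="$new" \
      '!done && $1 == old { sub(old, new); done = 1 } { print }' "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
  echo "$new"
}

# check_zone ZONE FILE : validate with named-checkzone when BIND's tools are installed
check_zone() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2"
  else
    echo "named-checkzone not installed; skipping zone check" >&2
  fi
}
```

Typical use is bump_serial /etc/bind/db.example.com "$(date +%Y%m%d)" followed by check_zone example.com /etc/bind/db.example.com and then rndc reload; a forgotten serial bump is the classic reason secondaries keep serving stale data, and named-checkzone catches the missing trailing dot and similar zone-file mistakes before named refuses to load the zone. A one-line SOA record puts the serial on the same line as SOA, which this helper does not handle.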

Date: 2009-08-25 05:55 am (UTC)
From: [identity profile] cheshirenoir.livejournal.com
The idea behind "dedicating" a machine to it (or in fact two machines) was based on using VMs to host it. Dedicating a machine to a task when they aren't real is a no-brainer IMO.

Date: 2009-08-25 06:26 am (UTC)
From: [identity profile] strangedave.livejournal.com
Oh, sure, if it is just a VM (which is obviously an inefficient use of computing resources in this case, but probably more than made up for by administrative efficiency overall).

Though I personally find it quite convenient to have bind and apache on the same (virtual) machine, as I often end up updating them at the same time for related things, and on occasion have set up scripts to update both at once from the same list of sites etc. YMMV.

Date: 2009-08-25 09:54 am (UTC)
From: [identity profile] cheshirenoir.livejournal.com
(which is obviously an inefficient use of computing resources in this case, but probably more than made up for by administrative efficiency overall).
I would be interested to discuss this with you one day IRL. One of the advantages we see in running VMs is much MORE efficiency in how we use our hardware.

Date: 2009-08-25 10:42 am (UTC)
From: [identity profile] strangedave.livejournal.com
I think you are right in general, I just think DNS is an unusually lightweight process for such a crucial function, small enough that the VM overhead is probably bigger than the process itself, and I'd probably not give it a VM of its own - but given it is fairly lightweight, it really doesn't matter that much anyway, just ensure the VM has enough dedicated RAM and it will be fine. It is a sort of grain-size-of-problem thing.

But overall, yes, VM leads to more efficient use of hardware, because most dedicated servers will be underutilised in some way - obviously, using a dedicated VM for DNS is much more efficient than dedicated hardware.

And in any case the administrative benefits of using VMs for lots of things are significant.

Date: 2009-08-25 09:04 am (UTC)
From: [identity profile] rdmasters.livejournal.com
Running it as a VM also allows you to have an instant-on backup if something nasty happens to it (e.g. a compromise).

There are a couple of nice tools available in Ubuntu for BIND9 maintenance. Red Hat, less so.
