50 Comments
- inactive, on 10/12/2007, -0/+9: I used Bind in the past; after the second time my system was broken into using Bind vulnerabilities I came up with a better solution. I put a Linux system onto a bootable floppy disk with a simple DNS server on it. I then write-protected it and put it on a separate old junk machine. If it gets hacked you just reboot. There's no trust between it and anything else and there's nothing permanently writable on it.
- duk0r, on 10/12/2007, -0/+8: Snazzy, but I have been running BIND for over 5 years now. Not once has it ever been compromised. Yeah, it may be handy to have something like that, but I imagine adding zones and updating is a pain.
- duk0r, on 10/12/2007, -0/+8: For those that want to test your DNS server(s): http://www.dnsstuff.com/
- AaronTheYoung, on 10/12/2007, -0/+5: How would that "blow" bind out of the water? What do you mean by real time? When I make changes to my DNS, I reload my changed zone files with a single command (rndc reload) and it's done. Why the HECK would I need a SQL database to manage my zone files? I'm sure I might be overlooking an advantage to doing this, but SQL seems like overkill to me.
- samboy, on 10/12/2007, -0/+5: The problem with djbdns is that it hasn't changed one iota in over five years, cannot be downloaded as a convenient package for most distributions (djbdns isn't open source), and many web sites won't resolve with djbdns' recursive resolver (the akadns problem).
- Teratogen, on 10/12/2007, -2/+7: I'm cheap. I just assign an extra IP address to the same box and run one domain name server.
- inactive, on 10/12/2007, -2/+6: Looking for DNS web interface tools? Have a look here: http://www.debianhelp.co.uk/bindweb.htm
- decode, on 10/12/2007, -0/+4: Nope, Domain Name System Servers.
http://en.wikipedia.org/wiki/Domain_name_system
- lolwtfhaha, on 10/12/2007, -1/+5: I'm even cheaper; I assign both DNS servers to my one IP address. GoDaddy lets you do it, so it must be safe, right? :-P
- samboy, on 10/12/2007, -0/+4: It would be nice if you gave a reason why you don't like BIND. Is it the security history? The configuration format?
BIND 9 does not have the security problems BIND 8 had. I agree that BIND configuration is a little cryptic, but then again, djbdns' configuration is also rather cryptic (djbdns' zone files look like line noise).
I have gone to some effort to make MaraDNS easy to configure:
http://www.maradns.org/
- Sam
- pcgeek101, on 10/12/2007, -0/+3: lol, good idea ... unless said hackers get physical access to the machine, they can't change any data on it =D
- jo42, on 10/12/2007, -0/+3: "rndc reload" is the proper way to update named with configuration changes.
- Teratogen, on 10/12/2007, -1/+4: I'm also running two web sites on it.
- dkorunic, on 10/12/2007, -0/+3: @xero9: You are spreading FUD.
1) The reason for the existence of a secondary NS is to provide DNS replies even if the primary NS is down (let alone round-robin load balancing etc.). If the primary DNS is down, the secondary NS will still provide the correct data (if given some way of zone synchronization such as AXFR/IXFR/rsync/whatever). You actually don't need two DNS servers, but it is recommended to have at *least* two hosted at different ASes (different ISPs, different geolocations, etc.) to provide redundancy even in case of a major ISP failure.
IP aliasing *will* not help in any way to provide such redundancy, and proves that you actually don't understand how DNS works as a hierarchical system.
2) You can actually edit any RR in any DNS zone and *reload* just the needed data: the command is "rndc reload". You can even dynamically update the data from any of the configured clients (dynamic DNS) using transaction-based DNS updates. No need to reboot. No need to restart the service.
- lysander, on 10/12/2007, -0/+3: It's not clear that recompiling is all that big a win. The best part of Debian is keeping all your software up to date, including security fixes.
- Teratogen, on 10/12/2007, -0/+3: Thanks for the tip, that will free up one of my IP addresses...
- samboy, on 10/12/2007, -0/+3: BIND 8 had a lot of security problems; BIND 9 is a complete rewrite with a much better security history than BIND 8 (there has only been one security hole that people could use to hack your system in BIND 9; that one hole was caused by the OpenSSH libraries, not BIND 9's code).
If you want something else that is even more secure, my own DNS server has the best security history of any currently maintained DNS server:
http://www.maradns.org/
I am not implying that other currently maintained DNS servers (namely, BIND and PowerDNS) are insecure; all three currently maintained DNS servers are secure if you stay current.
The one DNS server I cannot recommend is djbdns; the problem is that the code hasn't been changed one iota in five years, and the license isn't an open-source license that allows someone else to make djbdns current. Djbdns has real-world problems today; a number of web sites won't resolve if you use djbdns.
- axxs, on 10/12/2007, -0/+2: umm .. why do you have to reboot the server with bind? Just send it a HUP signal:
kill -HUP `cat /var/run/named.pid`
and it reloads its config.
- spytromics, on 10/12/2007, -0/+2: If you are running an old box with a read-only floppy drive, the chances are that it's headless. It's probably just easier for him to press the reset button on the box than to log in and restart the process.
Plus, rebooting also ensures that any virus code that might remain in memory is cleared, assuming the read-only floppy is still clean.
- pcgeek101, on 10/12/2007, -0/+2: http://www.bind9.net is another great resource for learning about DNS too.
- cakefart, on 10/12/2007, -0/+2: HowtoForge is pretty decent, but this article falls short in a couple of places.
I think the title is misleading; it's more about setting up basic master & slave services in a local network than "mastering" DNS. Also, there are many good, if not great, alternatives to using BIND. One of my favorites is pdnsd, which is considerably more secure, lightweight, and simpler to manage than BIND.
I would guess that many people reading the article probably only need a caching server, as they're just using their computer for things like playing games, web surfing, music, and word processing. Also, pdnsd is perfect for a laptop that gets rebooted often, connects to a lot of networks, or uses dial-up.
I'm currently using it on Ubuntu:
sudo apt-get -y install pdnsd
And Mac OS X:
Although it's a simple ./config;make;make install, making a launchd entry can be a pain; I used the utility "Launchd Editor" to create the plist file.
http://linuxgazette.net/issue65/sunil.html
http://www.phys.uu.nl/~rombouts/pdnsd.html
http://freshmeat.net/projects/pdnsd/?branch_id=41927&release_id=216618
---
That said, BIND really isn't all that bad, nor is the Windows Server DNS service. I've found the ORA DNS & BIND book to be exceptionally helpful; the editing (and indexing) is above average for an ORA book, and the examples are excellent.
- samboy, on 10/12/2007, -0/+2: Yes. :-)
- thatsiebguy, on 10/12/2007, -0/+2: This literally shows up once a month.. It's really not that hard, I don't know why it has to constantly be dugg...
- xero9, on 10/12/2007, -0/+1: My bad. I meant restart BIND, not reboot the computer.
And @AaronTheYoung:
Web-based DNS management is a GREAT thing. Also, I have people who have sites hosted on my server, so for them to be able to log into a nice utility I wrote and change DNS settings on their own is a great thing.
- kirigoe, on 10/12/2007, -1/+2: The reason you want two separate servers is for redundancy; if your primary DNS is down for more than the TTL of your domain data, your websites are going to start becoming unavailable. For even further safety, the two servers should be physically separate and on different networks. I.e., if you need your domains to stay up, either build your DNS infrastructure right or outsource the secondary server (or both).
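The redundancy points made by dkorunic and kirigoe above, written out as checks in a small Python script. This is an added example, not code from anyone in this thread: it flags a delegation whose NS names are really one address (an IP alias, not a second server), one whose nameservers all sit in the same network, and SOA timers that would let a secondary drop the zone too early; it also states how long answers survive once the primary disappears (the record TTL for resolver caches, the SOA expire timer for a synchronized secondary). All names and addresses are constructed (RFC 5737 documentation ranges), and the /24 comparison is a crude stand-in for "different network".

```python
"""Delegation redundancy checker.

Added example, not code from anyone in this thread. It turns the points made
by dkorunic and kirigoe into checks: two NS names that resolve to one address
are an IP alias, not a second server; nameservers should sit on different
networks; and once the primary is unreachable, resolvers keep answers only
for the record TTL while a synchronized secondary keeps answering only until
the SOA expire timer runs out. All names and addresses are constructed
(RFC 5737 documentation ranges); the /24 test is a crude stand-in for
"different network".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    name: str
    addr: str          # glue / A record of the server


@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int       # how often a secondary asks the primary for a newer serial
    retry: int         # how soon it retries after a failed refresh
    expire: int        # how long it keeps serving the zone without a successful refresh
    minimum: int       # negative-caching TTL


def check_delegation(nameservers, soa, prefixlen=24):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if len(nameservers) < 2:
        findings.append("fewer than two nameservers delegated")
    addrs = {ns.addr for ns in nameservers}
    if len(addrs) < len(nameservers):
        findings.append("several NS names share one address: an IP alias is not a second server")
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    if len(addrs) > 1 and len(nets) < 2:
        findings.append(f"all nameservers sit in one /{prefixlen}: one network outage takes them all")
    if soa.expire <= soa.refresh + soa.retry:
        findings.append("SOA expire is not longer than refresh+retry: a secondary may drop the zone before it retries")
    if soa.expire < 14 * 86400:
        findings.append("SOA expire under two weeks: RFC 1912 suggests two to four weeks")
    return findings


def survival_after_primary_loss(soa, record_ttl):
    """Seconds the domain keeps resolving after the primary stops answering:
    resolvers serve cached answers for record_ttl; a secondary that last
    refreshed successfully keeps answering for soa.expire."""
    return {"cached_answers": record_ttl, "secondary": soa.expire}


# Constructed sample delegations.
SAME_BOX = [NameServer("ns1.example.net", "192.0.2.10"),
            NameServer("ns2.example.net", "192.0.2.10")]     # two NS names, one IP
SAME_NET = [NameServer("ns1.example.net", "192.0.2.10"),
            NameServer("ns2.example.net", "192.0.2.11")]     # two IPs, same /24 (one box or one rack)
SEPARATE = [NameServer("ns1.example.net", "192.0.2.10"),
            NameServer("ns2.example.org", "198.51.100.20")]  # different networks
SOA_OK = Soa(serial=2007101201, refresh=7200, retry=900, expire=1209600, minimum=3600)

if __name__ == "__main__":
    for label, nss in (("same box", SAME_BOX), ("same /24", SAME_NET), ("separate", SEPARATE)):
        print(f"{label}: {check_delegation(nss, SOA_OK) or ['ok']}")
    print(survival_after_primary_loss(SOA_OK, record_ttl=86400))
```

Run against real data, the inputs would come from the parent zone's NS and glue records and the zone's own SOA; the script itself does no network lookups, so it can be used offline in a review checklist.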
- inactive, on 10/12/2007, -2/+3: Looking for nslookup tutorials? Check this: http://www.debianhelp.co.uk/nslookup.htm Very useful for all DNS users and admins.
- dosle, on 10/12/2007, -0/+1: Not to knock you, but if you took the time to do that and looked into building the most secure DNS system you'd know a ton more about it and the inner workings. That's just my viewpoint on things like this though...
- whitesaint, on 10/12/2007, -0/+1: Would this be doable on a BSD-based system? Such as Mac OS X?
- jonathanchong, on 10/12/2007, -0/+1: However, if you have your nameservers on your web server, if your web server is down, the site won't be accessible anyway even if your nameservers were hosted elsewhere.
- mooninite, on 10/12/2007, -3/+4: Rebooting? Simply restart the "named" service to apply changes. You are still used to Windows, aren't you?
- dantelephoneman, on 10/12/2007, -2/+3: OK, call me lazy and cheap, I use free DNS services from http://www.everydns.net/.
Dan - www.shoreperformance.com
- blakis49, on 10/12/2007, -0/+1: Use OpenBSD. Bind is installed by default. It is also chrooted by default. Why waste your time?
- samboy, on 10/12/2007, -0/+1: Djbdns is *not* Open Source. If you go to Google.com and type in "Open Source", here is the first page that pops up:
http://www.opensource.org/docs/definition.php
This is the Open Source Definition. Note that word "Definition". In this definition, the third clause is as follows: "The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software." djbdns does *not* follow this clause.
The only people I know who have redefined "open source" to mean "you have the source, but you can't distribute modified versions of the program" are DJB advocates. Since the official definition says otherwise, it is downright dishonest to call DJB's software "open source".
The fact that djbdns hasn't changed in over five years is a problem because:
* Its list of root servers is out of date, making the program less reliable
* Certain domains cannot resolve with djbdns' resolver. This was not a problem five years ago, but the internet has changed and djbdns hasn't changed to keep up.
- Sam
- pyite, on 10/12/2007, -0/+1: MyDNS is my favorite DNS server. It stores the info in a MySQL database instead of those annoying BIND files. It does not do caching; it is only for master zone info. You can use MySQL replication instead of AXFRs, which is nice.
The benefits are: SQL commands for DNS changes (a drawback for some, I'm sure :) ), and highly scalable. We have > 400k domains and millions of A/MX/CNAME records.
- ubica, on 10/12/2007, -0/+1: How do I add a fake DNS entry on MS DNS server / Active Directory crap?
So that I can do http://mywebsite/ --> 192.168.1.33
- samboy, on 10/12/2007, -0/+1: The problem with pdnsd is that it is not being currently maintained; the last release of pdnsd was last January and the program has had security problems. I have had users of my DNS program tell me that pdnsd is unstable and is prone to crashing.
You may want to check out my own DNS offering:
http://www.maradns.org/
The only feature pdnsd has that MaraDNS doesn't is the ability to store its cache in a file.
A simple recursive (caching) DNS configuration requires only a single three-line configuration file.
Full documentation for MaraDNS is here:
http://www.maradns.org/tutorial/tutorial.html
- Sam
- ScottDaMan, on 10/12/2007, -0/+1: Hurray for teaching thousands on the methods used to domain taste. :)
- xero9, on 10/12/2007, -3/+3: First of all, you don't need two domain servers. All you need is two IPs (which can be on the same box). Someone running websites off a cheap dedicated server, for example, isn't going to dish out the cash for a 2nd server for DNS.
Secondly, PowerDNS is FAR better in my opinion. One really sweet feature is the ability to manage your DNS records in a MySQL table in real time, without rebooting. Blows BIND out of the water.
- pcgeek101, on 10/12/2007, -1/+1: @mooninite: I'm used to Windows, and I don't have to reboot my DNS servers ... hmmmmm ....
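The "records in a SQL table" workflow that pyite and xero9 describe, as an added example that is not MyDNS, PowerDNS or anyone's code from this thread: records live in a database (sqlite3 standing in for MySQL), every field is validated before it is accepted, and a BIND-style zone file is rendered from the table with a bumped SOA serial so that rndc reload can pick the change up. The validation is the part that matters for a customer-facing utility like the one xero9 mentions: a record value that carries a newline would otherwise turn into a second record or a $ directive in the generated file. All zone names, addresses and record values are constructed.

```python
"""Zone records kept in a database, zone file rendered from it.

Added example, not code from MyDNS, PowerDNS or the thread. It shows the
workflow behind the "records in a SQL table" posts: rows are edited with
parameterised SQL, then a BIND-style zone file is rendered with a bumped
SOA serial so that 'rndc reload' picks the change up. Because the rows may
come from customers through a web form, every field is validated before it
can reach the zone file. sqlite3 stands in for MySQL; all data is constructed.
"""
import ipaddress
import re
import sqlite3
from datetime import date

ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT"}
# Owner names and host names: letters, digits, '_', '-', '.', or '@' for the apex.
NAME_RE = re.compile(r"@|[A-Za-z0-9_.-]{1,253}")


def validate_record(name, rtype, ttl, data):
    """Raise ValueError on anything that could smuggle a second record or a
    $ directive into the rendered file (whitespace, newlines, quotes)."""
    if rtype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported type {rtype!r}")
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"bad owner name {name!r}")
    if not 0 <= ttl < 2**31:
        raise ValueError("ttl out of range")
    if rtype == "A":
        ipaddress.IPv4Address(data)          # AddressValueError is a ValueError
    elif rtype == "AAAA":
        ipaddress.IPv6Address(data)
    elif rtype == "TXT":
        if any(c in data for c in '\r\n"\\'):
            raise ValueError("newline, quote or backslash in TXT data")
    elif rtype == "MX":
        pref, host = data.split(" ")        # exactly "<preference> <host>", else ValueError
        if not (pref.isdigit() and NAME_RE.fullmatch(host)):
            raise ValueError(f"bad MX data {data!r}")
    elif not NAME_RE.fullmatch(data):        # CNAME, NS: one host name
        raise ValueError(f"bad target {data!r}")


def rejects(name, rtype, ttl, data):
    """True if validate_record refuses the record."""
    try:
        validate_record(name, rtype, ttl, data)
    except ValueError:
        return True
    return False


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rr (zone TEXT, name TEXT, type TEXT, ttl INTEGER, data TEXT)")
    return con


def add_record(con, zone, name, rtype, ttl, data):
    validate_record(name, rtype, ttl, data)
    # Parameterised statement: the web front end never builds SQL from strings.
    con.execute("INSERT INTO rr VALUES (?, ?, ?, ?, ?)", (zone, name, rtype, ttl, data))


def next_serial(previous, today=None):
    """YYYYMMDDnn serial: the first change of a day gets ..01, later ones count
    up. Never goes backwards, whatever the clock or the old serial says,
    because secondaries only transfer a zone whose serial is higher than theirs."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    return max(previous + 1, today * 100 + 1)


def render_zone(con, zone, serial, primary_ns, hostmaster,
                refresh=7200, retry=900, expire=1209600, minimum=3600, default_ttl=3600):
    """Render the zone's rows as a BIND-style master file."""
    lines = [
        f"$ORIGIN {zone}.",
        f"$TTL {default_ttl}",
        f"@ IN SOA {primary_ns} {hostmaster} ( {serial} {refresh} {retry} {expire} {minimum} )",
    ]
    rows = con.execute(
        "SELECT name, ttl, type, data FROM rr WHERE zone = ? ORDER BY name, type", (zone,))
    for name, ttl, rtype, data in rows:
        if rtype == "TXT":
            data = f'"{data}"'               # TXT data is quoted in the file
        lines.append(f"{name} {ttl} IN {rtype} {data}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    db = open_db()
    add_record(db, "example.net", "@", "NS", 3600, "ns1.example.net.")
    add_record(db, "example.net", "www", "A", 300, "192.0.2.33")
    add_record(db, "example.net", "@", "MX", 3600, "10 mail.example.net.")
    add_record(db, "example.net", "@", "TXT", 3600, "v=spf1 mx -all")
    print(render_zone(db, "example.net", next_serial(2007101201, 20071012),
                      "ns1.example.net.", "hostmaster.example.net."))
```

In a real deployment the rendered text would be written to the zone file path named in named.conf and followed by named-checkzone and rndc reload; the serial bump is what makes secondaries notice the change over AXFR/IXFR, which is exactly the step MySQL replication replaces in pyite's setup.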
- buddy2001, on 02/04/2009, -0/+0: For those that want to test your DNS server(s) for free:
http://thednsreport.com/
- mydave, on 07/25/2008, -0/+0: MyDNS is my favorite DNS server.
- mike503, on 10/12/2007, -3/+1: bind--
djbdns++
powerdns++ (i suppose)
djbdns is probably even easier to install. heh
... basically, anything but bind!
- fukov, on 10/12/2007, -2/+0: @samboy
djbdns is obviously open source, but the license does not allow modified distributions.
What is the problem "that it hasn't changed one iota in over five years", exactly?
- eclectro, on 10/12/2007, -4/+1: Off topic, but this really needs to reach the front page, guys. Forgive me, but it's important.
http://www.digg.com/environment/Free_the_Maps_help_make_public_domain_maps_available_to_the_public
- AlexFerny, on 10/12/2007, -7/+2: BIND sucks
djbdns is soo much nicer (tinydns / dnscache)
- inactive, on 10/12/2007, -8/+1: DNS Servers? Domain Name Server Servers?
- jonnyfatman, on 10/12/2007, -8/+0: What a load of crap, all that command-line nonsense.
- lpmusix, on 10/12/2007, -15/+2: Good, that way when the one machine dies, you're screwed. You lose, try again later. K-thx.