cowanrl
11-22-2003, 04:23 PM
I need to set up DNS servers for the two domains we use at work and I have a few questions.
I have set up DNS servers on private networks before. They provided DNS services for the internal domain and for the Internet through the use of forwarders or recursion.
This is my first attempt to set up DNS servers on the Internet that will provide DNS lookup for outsiders needing to access machines in our domains which have a direct connection to the Internet. These servers will not provide any DNS lookup for machines behind our firewall on the private network.
One machine runs Win2k and is our web server. I will run Microsoft DNS on it. The other machine will be Linux and run the latest version of BIND.
Here are my questions:
1. Do these servers have to be set up master and slave so that changes to the master automatically update the slave?
There will be less than 10 entries in the 2 domains combined. There will be very few changes ever done to them once they are up and running. Both of these machines will be on the same KVM switch. If I do make a change to one, I can just log in to the other one and make the same change there. Is there some type of requirement that they be master/slave and update automatically?
2. Do these servers need to provide recursive lookup?
I envision these machines as only providing lookup for our domains. They should never need to provide lookup for anything else on the Internet. I will not use these servers as the DNS servers for my private network. I will continue to use the DNS servers provided by my ISP for that. I don't want anyone to be able to point their machines at my DNS servers for DNS services (they probably won't handle the load). I only want them to provide lookup for those accessing our web site, sending us e-mail and accessing the few other servers we have connected to the Internet.
3. What do I need to do to secure the Linux DNS server?
The only service that will run on it will be named. I probably won't even run ssh on it. There won't be a GUI running on it all of the time. I'll set up our router that connects us to the Internet to only allow TCP and UDP ports 53 through to the address of the DNS server. I'll also set up iptables to only allow TCP and UDP ports 53 into the machine. Other than making sure that Linux and BIND are up to date with the latest security patches, is there anything else I need to do to make sure the server is secure? A link to some documentation on securing the DNS server would be great.
Any help is greatly appreciated.
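For question 2, here is an added check (not part of the original post) that verifies a public nameserver behaves as authoritative-only: it sends a query with the RD bit set and inspects the reply header, since a correctly configured server answers out-of-zone names with RA=0 and REFUSED instead of resolving them. The server address, the probe name (the reserved example.com) and the two sample replies are constructed for illustration.

```python
import socket
import struct

# RCODE values from RFC 1035
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard IN query (default type A) with RD=1, as a stub resolver would."""
    flags = 0x0100  # QR=0, opcode=QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header and expose the flags relevant to this check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # response bit
        "aa": bool(flags & 0x0400),      # authoritative answer
        "rd": bool(flags & 0x0100),      # recursion desired (echoed)
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }

def offers_recursion(response: bytes) -> bool:
    """True if the server advertises recursion or returned a non-authoritative
    answer for a name it does not serve; an authoritative-only server does neither."""
    h = parse_header(response)
    return h["ra"] or (h["rcode"] == "NOERROR" and not h["aa"] and h["ancount"] > 0)

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 to your own server and decode the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_header(data)

# Constructed sample reply headers (not captured from any real server):
# authoritative-only server refusing an out-of-zone query: QR=1, RD=1, RA=0, RCODE=REFUSED
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# open resolver answering the same query: QR=1, RD=1, RA=1, RCODE=NOERROR, one answer record
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

Run `probe("<your-nameserver-ip>")` from outside the firewall after setting `recursion no;` in BIND and confirm `offers_recursion` on the raw reply is False.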