From: Rodolfo J. P. <rp...@in...> - 2001-09-10 04:22:24
At 9/9/2001 05:33 PM -0700, you wrote:

>Ok, I probably should give a little background... I served my own DNS with
>my old ISP and it worked very well. The same technique did not work with
>my new ISP.

Serving your own is somewhat more flexible, but is one more thing to manage and BIND is, overall, pretty much a security risk on its own. That being said, doing your own or outsourcing is irrelevant as long as one of the two at least is *always* reachable; you don't ever want both NS's to be out of commission or unreachable at the same time.

>So I opted for their DNS/Nameserver service to free my server from having
>to perform that function in addition to the other things I wish to do.

OK. At this point, you can basically remove bind from your system if you so wish. Doing so or not is your choice, but it's basically become irrelevant. I'll act as though it no longer exists (which, for the purposes of myself or anyone else looking for it, is true).

>While I had a feeling I was overdoing it with the DNS, I figured I had to
>point to their servers in some way so the zone files seemed like a logical
>way to approach that.

"Logic is a proven method of arriving at the wrong conclusion with confidence." Unknown author, but oh-so-true. Yes, logical, but incorrect. You need to check four files:

/etc/host.conf: will usually contain the simple line "order hosts,bind" which means it will first check your /etc/hosts file for name->IP conversions, then ask its nameservers if /etc/hosts doesn't have it. This is good, since you can have private IP addresses in /etc/hosts and anything not found in there will be found via DNS.

/etc/hosts: contains IP addresses and their names. Has a man page.

/etc/nsswitch.conf: roughly the same purpose as host.conf. Different somehow... I've never used it so you probably don't need it. Surely *someone* needs it, but simple nets like yours and mine probably don't.

/etc/resolv.conf: usually contains three or four lines. The first line is "search sezonline.com" which means: if you type "joe" as a hostname and the system can't find "joe" it will try "joe.sezonline.com". You can have more than one thing here but don't; again, your simple system won't need it and it'll slow down timeouts when the host isn't easily found. The other lines are all "nameserver 111.222.333.444". I recommend you keep two lines in here; if one fails you get the other one. But with three nameservers set up, timeouts get really long. These are the nameservers which your entire computer (sendmail, apache, everybody) will ask when they need name service. When you run your own BIND, you put your own IP first here. If your ISP runs your site and is your upstream, put their nameservers here; they'll be topographically close to you (one or two hops max) and will respond quickly.

>Anyway, what I want to do is serve web pages (this seems to be working
>fine), serve email and mailing lists (I did so successfully before as well),
>and now I wish to add a DHCP server. As I now have an additional ethernet
>card in my server as well as another hub.

You're putting all these services on your gateway box to the Internet? So this one box is going to be firewall, router, gateway, and email/web/DHCP server? OK... not the best security scenario, but understandable for *personal* networks. Hey... you can't have everything in life, and in this case you're sacrificing some security for convenience. Please make sure you set up a good firewall on your system. Certainly be *very* careful of what goes through the outside interface. And *particularly* make sure you're not allowing DHCP or other internal traffic out to the Internet.

>BTW, you made a reference earlier to the use of the "@" sign in the zone
>records. I've noticed that a lot of people find this odd. I found the use
>of that in "The Complete Linux Reference" by Richard Peterson published by
>Osborne.
>
>I found this text to be the best as far as DNS goes.

Bow down and worship "DNS & BIND" published by O'Reilly, also known as the "bat book" due to O'Reilly's habit of putting a different species on each cover.

I'm sending you one of my zonefiles just so you have another with which to compare; I'm not claiming it's perfect or anything, just giving you more exposure to DNS.

Note: I do some virtual hosting, so I automatically set up www,imap,ftp,pop,smtp,secure,ns1,ns2 and other hostnames with A records using Webmin. I don't use all the hostnames all the time, but it's nice to have them. Also, I don't fully understand CNAMEs... I only know that they *cannot* be used with MX records. Having said that, anything you can do with a CNAME you can do with an A so I just use all A records, no CNAMEs ever.

Hopefully this oughta get you going.

-- 
Rodolfo J. Paiz
rp...@in...
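A checker for the resolver files the reply walks through (host.conf, nsswitch.conf, resolv.conf), added here as an example and not part of the original message. The file contents below are constructed; the 111.222.333.444 value is the placeholder from the post, which the check rejects because it is not a valid IPv4 address, and the two-nameserver and one-search-domain limits are the post's advice, not a system rule.

```python
import ipaddress

# Constructed sample file contents; 111.222.333.444 is the post's own placeholder
HOST_CONF = "order hosts,bind\nmulti on\n"
NSSWITCH_CONF = "passwd: files\nhosts: files dns\n"
RESOLV_CONF = ("search sezonline.com\nnameserver 192.0.2.1\n"
               "nameserver 111.222.333.444\nnameserver 192.0.2.3\n")

def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text."""
    search, nameservers = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        key, _, rest = line.partition(" ")
        if key == "search":
            search = rest.split()  # a later 'search' line replaces an earlier one
        elif key == "nameserver":
            nameservers.append(rest.strip())
    return search, nameservers

def lookup_order(host_conf, nsswitch_conf):
    """Host lookup order: the nsswitch.conf 'hosts:' line wins (glibc reads it),
    otherwise the host.conf 'order' line the post describes."""
    for line in nsswitch_conf.splitlines():
        if line.strip().startswith("hosts:"):
            return line.split(":", 1)[1].split()
    for line in host_conf.splitlines():
        if line.strip().startswith("order"):
            return [s.strip() for s in line.strip().partition(" ")[2].split(",") if s.strip()]
    return []

def lint_resolver(host_conf, nsswitch_conf, resolv_conf):
    """Findings against the post's advice; an empty list means the files follow it."""
    findings = []
    order = lookup_order(host_conf, nsswitch_conf)
    if order and order[0] not in ("hosts", "files"):
        findings.append("local hosts file is not consulted first: %s" % order)
    search, nameservers = parse_resolv_conf(resolv_conf)
    if len(search) > 1:
        findings.append("more than one search domain slows down failed lookups")
    if len(nameservers) > 2:
        findings.append("more than two nameservers: timeouts get really long")
    elif len(nameservers) < 2:
        findings.append("fewer than two nameservers: no fallback if one fails")
    for ns in nameservers:
        try:
            ipaddress.ip_address(ns)  # rejects octets above 255 and garbage
        except ValueError:
            findings.append("nameserver %r is not a valid IP address" % ns)
    return findings
```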