DNS/BIND Infrastructure Design

#1  Registered User, Devshed Newbie (0 - 499 posts) | Join Date: May 2013 | Posts: 2 | Rep Power: 0

I've recently inherited some external DNS servers. I am by no means a DNS expert, but they run on UNIX and I am the most qualified on my team for that. They host the zone for my company's internet namespaces. We also use them for external resolution by our internal clients.

The servers are not configured to use forwarders. For zones they are primary for, they answer. For zones they are not authoritative for, they go to the root servers. In order for my servers to query the root, do they need to be registered with an organization like register.com? Do they need A records, NS records, or both?

Thanks for helping me understand this.
#2  Banned ;), Devshed Supreme Being (6500+ posts) | Join Date: Nov 2001 | Location: Woodland Hills, Los Angeles County, California, USA | Posts: 9,593 | Rep Power: 4207

Nope, you're good as is. The DNS software comes with a list of known root servers. For resolving non-authoritative domains, you don't need to register anything.

On the other hand, if you guys decide to purchase a new domain and make your DNS servers authoritative for that domain, then you need to tell your registrar that your DNS servers are the authoritative servers.

By the way, BIND does both name resolver and authoritative DNS services in the same program. Another popular DNS software called tinydns actually has two separate programs, one for each task (because some people only want to run one or the other).
#3  Registered User, Devshed Newbie (0 - 499 posts) | Join Date: May 2013 | Posts: 2 | Rep Power: 0

Our external DNS servers perform dual roles for us. They host the records for our customer-facing web domains, for which we are SOA, and they provide external name resolution for our internal clients.

Recursion:
We've got recursion enabled with the parameter "recursion yes". Do we also need to use the "allow-recursion" and "allow-recursion on" parameters? Is it an absolute must-have, or is it simply a best practice? If we don't explicitly define "allow-recursion", from what subnets will it allow recursive queries? I understand this is related to the "allow-query-cache" parameter. What if neither are defined?
#4  Registered User, Devshed Newbie (0 - 499 posts) | Join Date: May 2013 | Posts: 2 | Rep Power: 0

Yes, put allow-recursion and list the IPAs allowed.

Originally Posted by kingnothing:
    Recursion:
    We've got recursion enabled with the parameter "recursion yes". Do we also need to use the "allow-recursion" and "allow-recursion on" parameters? Is it an absolute must-have, or is it simply a best practice? If we don't explicitly define "allow-recursion", from what subnets will it allow recursive queries? I understand this is related to the "allow-query-cache" parameter. What if neither are defined?

Yes, you should put an allow-recursion line and enter only the IPAs that you want recursion to be allowed from. If you do not, then you will eventually be abused, as anyone and anything from the Internet can do a recursive lookup on any domain on the Internet.

You can leave allow-query-cache out, depending on whether you want to limit recursive results handed out from cache or not.
For both allow-query-cache and allow-recursion, they default to "any" if not specified.

"any" is a predefined ACL within BIND and probably within other DNS software too, like localnet and localhost are.
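The question in #3 and the answer in #4 both come down to one check on a recursive server: with "recursion yes", is allow-recursion or allow-query-cache missing, or does either resolve (directly or through a named ACL) to "any"? The Python script below is an added example, not code from this thread, that audits a named.conf fragment for exactly that. The three named.conf samples are constructed; the script assumes a single global options block (no views), no negated "!" entries, and no braces nested inside acl bodies. It reports a missing directive as a finding to fix explicitly rather than assuming a default, because BIND's default for these two directives has differed between versions.

```python
"""Audit a BIND named.conf fragment for open-resolver settings (added example)."""
import re
from typing import Dict, List, Optional

# Constructed samples, not taken from the thread.
OPEN_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;            // no allow-recursion: scope left to the default
};
"""

OPEN_VIA_ACL = """
acl "everyone" { any; };       # a named ACL that still resolves to "any"
options {
    recursion yes;
    allow-recursion { everyone; };
    allow-query-cache { everyone; };
};
"""

HARDENED = """
acl "trusted" { 10.0.0.0/8; 192.168.1.0/24; localhost; localnets; };
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };              /* authoritative answers for everyone */
    allow-recursion { trusted; };      /* recursion only for our own clients */
    allow-query-cache { trusted; };
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text: str, keyword: str) -> Optional[str]:
    """Return the body of the first `keyword { ... }` block, matching braces."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces


def parse_acls(text: str) -> Dict[str, List[str]]:
    """Collect top-level `acl "name" { ...; };` statements (no nested braces assumed)."""
    acls = {}
    for name, body in re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}', text):
        acls[name] = [e.strip().strip('"') for e in body.split(";") if e.strip()]
    return acls


def address_match_list(options: str, directive: str) -> Optional[List[str]]:
    """Return the elements of `directive { ...; };` inside options, or None if absent."""
    m = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}", options)
    if not m:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]


def permits_any(elements: List[str], acls: Dict[str, List[str]], seen=None) -> bool:
    """True if the list matches every client, following named ACLs recursively."""
    seen = seen if seen is not None else set()
    for e in elements:
        if e in ("any", "0.0.0.0/0", "::/0"):
            return True
        if e in acls and e not in seen:
            seen.add(e)
            if permits_any(acls[e], acls, seen):
                return True
    return False


def audit(named_conf: str) -> dict:
    """Report whether recursion and cache access are scoped to trusted clients."""
    text = strip_comments(named_conf)
    acls = parse_acls(text)
    options = extract_block(text, "options") or ""
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", options)
    recursion = rec.group(1) == "yes" if rec else True  # BIND's default is yes
    allow_rec = address_match_list(options, "allow-recursion")
    allow_qc = address_match_list(options, "allow-query-cache")
    findings = []
    if recursion:
        if allow_rec is None:
            findings.append("allow-recursion not set: scope depends on the version default; set it explicitly")
        elif permits_any(allow_rec, acls):
            findings.append("allow-recursion permits any client: open resolver")
        if allow_qc is None:
            findings.append("allow-query-cache not set: scope depends on the version default; set it explicitly")
        elif permits_any(allow_qc, acls):
            findings.append("allow-query-cache permits any client: cache readable by anyone")
    return {"recursion": recursion, "allow_recursion": allow_rec,
            "allow_query_cache": allow_qc, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER), ("open-via-acl", OPEN_VIA_ACL), ("hardened", HARDENED)):
        print(label, "->", audit(conf)["findings"] or ["no findings"])
```

Run it against your own named.conf with `audit(open("/etc/named.conf").read())`; the HARDENED sample shows the shape the thread recommends, with allow-query left open for the authoritative zones while recursion and cache access are restricted to a named ACL of internal networks.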
