[nylug-talk] DNS servers

Chris Knadle Chris.Knadle at coredump.us
Wed Oct 17 18:12:57 EDT 2007


On Wednesday 17 October 2007, Kevin W wrote:
>   When setting up a wireless router we forget to set the DNS servers and let
> the ISP set them, which can slow down the connection.
>
> A lot of times a slow connection is really the DNS servers you are using -
> they are overloaded. Most ISPs run a standard BIND server that is very
> vulnerable to floods that can be common with older Linksys routers.

   Turns out this can be just as prevalent a problem for companies that try to 
run a room of servers using the ISP's DNS server to answer queries.  Running 
a local DNS server [caching only at minimum] is usually a very good idea for 
server rooms; it usually makes a very notable improvement in performance of 
all services.
   Running BIND [rather than some other DNS server] isn't wrong IMHO -- but it 
really needs to be configured to only answer recursive queries for internal 
networks in the config options.  Otherwise anybody from the outside world 
could use the DNS server to query any DNS entry [oh, they will], and that 
leads to several problems.
   Sadly, in practice I've rarely seen BIND set up "correctly".

Section 5.7.1 of this document has a good start: 
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

This type of setup is more difficult to do for larger ISPs that have many IP 
network ranges, and reconfiguring DNS requires restarting the service during 
which queries go unanswered.  For both reasons I can understand why it may 
not always be configured in a secure way, since DNS is a critical service.

   Or is there another specific problem you know of with BIND as to why it 
gets flooded?

   -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us
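[Editor's note] The "only answer recursive queries for internal networks" setting Chris describes, shown as an added BIND 9 named.conf example that is not part of the original post or of the Debian document he links. The open configuration is placed beside the restricted one; the ACL name "internal" and the address ranges in it are assumptions for illustration (RFC 5737 documentation space), and only one options block may actually appear in a real named.conf.

```conf
// Added example, not from the original post.
// WEAK: recursion is enabled and not restricted, so any host on the
// Internet can use this server as its recursive resolver.  Besides the
// load, such an open resolver can be abused as a reflector in spoofed
// UDP amplification attacks against third parties.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };   // open resolver: do not ship this
};

// HARDENED: name the networks this server resolves for, then answer
// recursive queries (and hand out cached answers) only to them.
// Hosts outside the ACL still get authoritative answers for zones this
// server hosts; a recursive query from them is answered with REFUSED.
acl "internal" {                // ACL name and ranges are assumptions
    127.0.0.0/8;                // the server itself
    192.0.2.0/24;               // assumed server-room range
    198.51.100.0/24;            // assumed office range
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };   // cache contents stay internal too
    allow-query       { any; };        // hosted zones remain public
};
```

Run named-checkconf before applying it, then apply it with "rndc reconfig" (or "rndc reload"), which re-reads the configuration without the full restart that leaves queries unanswered. To confirm the result, from a host outside the ACL query the server for a name it does not host (for example "dig @<server> www.example.com"); the answer should be "status: REFUSED" rather than a resolved address, while a query for one of its own zones still returns normally.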

