No subject
Wed Oct 17 20:55:38 EDT 2007
I'll find the RFC and post it.
QW
Chris Knadle <Chris.Knadle at coredump.us> wrote:
On Wednesday 17 October 2007, Kevin W wrote:
> When setting up a wireless router we forget to set the DNS servers and let
> the ISP set them which can slow down the connection.
>
> A lot of times a slow connection is really the DNS servers you are using -
> they are overloaded. Most ISPs run a standard BIND server that is very
> vulnerable to floods that can be common with older Linksys routers.
Turns out this can be just as prevalent a problem for companies that try to
run a room of servers using the ISP's DNS server to answer queries. Running
a local DNS server [caching only at minimum] is usually a very good idea for
server rooms; it usually makes a very notable improvement in performance of
all services.
Running Bind [rather than some other DNS server] isn't wrong IMHO -- but it
really needs to be configured to only answer recursive queries for internal
networks in the config options. Otherwise anybody from the outside world
could use the DNS server to query any DNS entry [oh, they will], and that
leads to several problems.
Sadly, in practice I've rarely seen Bind set up "correctly".
Section 5.7.1 of this document has a good start:
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html
This type of setup is more difficult to do for larger ISPs that have many IP
network ranges, and reconfiguring DNS requires restarting the service during
which queries go unanswered. For both reasons I can understand why it may
not always be configured in a secure way, since DNS is a critical service.
Or is there another specific problem you know of with Bind as to why it
gets flooded?
-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
_____________________________________________________________________________
Hire expert Linux talent by posting jobs here :: http://jobs.nylug.org
The nylug-talk mailing list is at nylug-talk at nylug.org
The list archive is at http://nylug.org/pipermail/nylug-talk
To subscribe or unsubscribe: http://nylug.org/mailman/listinfo/nylug-talk
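
The restriction discussed in the thread above (recursive answers for internal networks only), shown as an added example that is not part of the original posts or of the linked Debian manual. The file path and the address ranges are assumptions; substitute your own networks.

```conf
// Constructed example for named.conf.options (Debian-style path
// /etc/bind/named.conf.options is an assumption).

// Clients that may use this server as a resolver.
// All ranges below are placeholders, not taken from the thread.
acl "internal" {
    127.0.0.0/8;        // localhost
    ::1;
    192.168.10.0/24;    // constructed: server-room LAN
    10.20.0.0/16;       // constructed: office network
};

// Weak form, kept as a comment for comparison: recursion enabled and
// no client restriction. With no allow-recursion statement, older
// BIND 9 releases accept recursive queries from any client.
//
// options {
//     recursion yes;
// };

// Restricted form: caching-only resolver for internal clients.
options {
    directory "/var/cache/bind";

    recursion yes;
    allow-recursion   { internal; };  // who may ask recursive questions
    allow-query-cache { internal; };  // who may read cached answers (BIND 9.4+)
    allow-query       { internal; };  // caching-only box: no outside clients
    allow-transfer    { none; };      // no zone transfers from this server
};

// If the same server is also authoritative for public zones, open
// those zones individually and leave the options block restricted:
//
// zone "example.org" {
//     type master;
//     file "/etc/bind/db.example.org";
//     allow-query { any; };
// };
```

Running `named-checkconf` on the file catches syntax errors before the server is told to load it.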