[conspire] Internet Privacy: today's vote and measures to take
Rick Moen
rick at linuxmafia.com
Mon Apr 3 12:15:58 PDT 2017
Quoting Ehud Kaldor (ehud.kaldor at gmail.com):
> so, what you're saying is that if i have Bind9 running as a local DNS, i
> can just remove the 'forward' section and be done with it?
I think so. Comment it out for caution's sake, though. ;-> (You want
to be able to revert your change quickly if need be. In fact, I
recommend keeping all of /etc in verion control. Joey Hess's etckeeper
is good for that.)
Quoting
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
:
A forwarding DNS server offers the same advantage of maintaining a
cache to improve DNS resolution times for clients. However, it actually
does none of the recursive querying itself. Instead, it forwards all
requests to an outside resolving server and then caches the results to
use for later queries.
This lets the forwarding server respond from its cache, while not
requiring it to do all of the work of recursive queries. This allows the
server to only make single requests (the forwarded client request)
instead of having to go through the entire recursion routine. This may
be an advantage in environments where external bandwidth transfer is
costly, where your caching servers might need to be changed often, or
when you wish to forward local queries to one server and external
queries to another server.
This bit:
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
forwarders {
8.8.8.8;
8.8.4.4;
};
You would turn into:
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
// forwarders {
// 8.8.8.8;
// 8.8.4.4;
};
That's taken from the digitalocean.com page. Here's the example from my
very own aging instance of BIND9 on Debian:
/etc/bind $ less named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an
// unprivileged
// port by default.
// query-source address * port 53;
version "Shirley, you're joking";
hostname "ns1.linuxmafia.com";
//server-id is essentially redundant to hostname, default is
//none
//server-id none;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses
// replacing
// the all-0's placeholder.
//forwarders {
// 198.144.192.4;
// // 209.81.9.1;
// // 165.90.49.12;
//};
auth-nxdomain no; # conform to RFC1035
allow-recursion {
127.0.0.0/8;
192.168.0.0/24;
10.0.0.0/8;
198.144.195.186/29;
};
allow-query {
127.0.0.0/8;
192.168.0.0/24;
10.0.0.0/8;
198.144.195.186/29;
};
dnssec-validation yes;
};
BTW, it's past time to migrate to better alternatives to BIND9,
_especially_ if you are only doing recursive nameservice (and no
serving up of authoritative DNS to the public for your or others'
domains). The problem with BIND9 is that it's a kitchen sink
(and also slow, large, and has a sketchy security history).
I feel sheepish about still running BIND9 in 2017, but I _do_ provide
both recursive and authoritative DNS and thus need to handle both types,
and also migrating to better things is part of my larger 'Get off
antique stuff without breaking production services' problem.
My own preference for a better recursive-only package is Unbound, and my
preference for an authorative-only package is NSD. To run both (as each
wants to bind to port 53), I'll need to rearchitect just a little.
But anyway, for recursive-only deployments, I'd urge giving BIND9 a pass
and deploying Unbound instead.
More information about the conspire
mailing list