[conspire] Internet Privacy: today's vote and measures to take

Ehud Kaldor ehud.kaldor at gmail.com
Mon Apr 3 13:05:06 PDT 2017


quoting:
>     version     "Shirley, you're joking";

shouldn't it be "Shirley, you can't be serious"
("I am serious, and don't call me Shirley").



On Mon, Apr 3, 2017 at 12:16 PM Rick Moen <rick at linuxmafia.com> wrote:

> Quoting Ehud Kaldor (ehud.kaldor at gmail.com):
>
> > so, what you're saying is that if i have Bind9 running as a local DNS, i
> > can just remove the 'forward' section and be done with it?
>
> I think so.  Comment it out for caution's sake, though.  ;->  (You want
> to be able to revert your change quickly if need be.  In fact, I
> recommend keeping all of /etc in version control.  Joey Hess's etckeeper
> is good for that.)
>
> Quoting
>
> https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
> :
>
>   A forwarding DNS server offers the same advantage of maintaining a
>   cache to improve DNS resolution times for clients. However, it actually
>   does none of the recursive querying itself. Instead, it forwards all
>   requests to an outside resolving server and then caches the results to
>   use for later queries.
>
>   This lets the forwarding server respond from its cache, while not
>   requiring it to do all of the work of recursive queries. This allows the
>   server to only make single requests (the forwarded client request)
>   instead of having to go through the entire recursion routine. This may
>   be an advantage in environments where external bandwidth transfer is
>   costly, where your caching servers might need to be changed often, or
>   when you wish to forward local queries to one server and external
>   queries to another server.
>
> This bit:
>
> options {
>         directory "/var/cache/bind";
>
>         recursion yes;
>         allow-query { goodclients; };
>
>         forwarders {
>                 8.8.8.8;
>                 8.8.4.4;
>         };
>
> You would turn into:
>
>
> options {
>         directory "/var/cache/bind";
>
>         recursion yes;
>         allow-query { goodclients; };
>
> //       forwarders {
> //               8.8.8.8;
> //               8.8.4.4;
> //       };
>
>
> That's taken from the digitalocean.com page.  Here's the example from my
> very own aging instance of BIND9 on Debian:
>
> /etc/bind $ less named.conf.options
> options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you might need to uncomment the query-source
>         // directive below.  Previous versions of BIND always asked
>         // questions using port 53, but BIND 8.1 and later use an
>         // unprivileged
>         // port by default.
>
>         // query-source address * port 53;
>
>         version     "Shirley, you're joking";
>         hostname    "ns1.linuxmafia.com";
>         //server-id is essentially redundant to hostname, default is
>         //none
>         //server-id  none;
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses
>         // replacing
>         // the all-0's placeholder.
>         //forwarders {
>         //      198.144.192.4;
>         //      // 209.81.9.1;
>         //      // 165.90.49.12;
>         //};
>
>         auth-nxdomain no;    # conform to RFC1035
>
>         allow-recursion {
>         127.0.0.0/8;
>         192.168.0.0/24;
>         10.0.0.0/8;
>         198.144.195.186/29;
>         };
>         allow-query {
>         127.0.0.0/8;
>         192.168.0.0/24;
>         10.0.0.0/8;
>         198.144.195.186/29;
>         };
>         dnssec-validation yes;
> };
>
>
> BTW, it's past time to migrate to better alternatives to BIND9,
> _especially_ if you are only doing recursive nameservice (and no
> serving up of authoritative DNS to the public for your or others'
> domains).  The problem with BIND9 is that it's a kitchen sink
> (and also slow, large, and has a sketchy security history).
>
> I feel sheepish about still running BIND9 in 2017, but I _do_ provide
> both recursive and authoritative DNS and thus need to handle both types,
> and also migrating to better things is part of my larger 'Get off
> antique stuff without breaking production services' problem.
>
> My own preference for a better recursive-only package is Unbound, and my
> preference for an authoritative-only package is NSD.  To run both (as each
> wants to bind to port 53), I'll need to rearchitect just a little.
>
> But anyway, for recursive-only deployments, I'd urge giving BIND9 a pass
> and deploying Unbound instead.
>
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
>
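For anyone taking the Unbound suggestion above: here is what the same policy as
Rick's quoted named.conf.options looks like in Unbound.  This is an added
example for this archive page, not a file from the thread or from Rick's
server.  The interface address and the file paths are assumptions for a
Debian-style install; the netblocks mirror the quoted allow-recursion /
allow-query lists (198.144.195.186/29 is written in its canonical /29 form,
198.144.195.184/29, which covers the same eight addresses).

```conf
# /etc/unbound/unbound.conf.d/recursive-only.conf  (assumed path)
# Added example: a recursive-only Unbound resolver with the same policy as
# the quoted BIND9 options block: no forwarders, recursion only for trusted
# networks, DNSSEC validation, no version/hostname leak.
server:
    # Listen on loopback and the LAN-facing address only.  Binding a
    # specific address (rather than 0.0.0.0) is also what lets an
    # authoritative daemon such as NSD own port 53 on another address
    # of the same host.
    interface: 127.0.0.1
    interface: 192.168.0.1                 # assumed LAN address of this host
    port: 53

    # One trust boundary replaces BIND's allow-recursion and allow-query:
    # Unbound serves recursion only, so there is nothing else to allow.
    # The most specific matching netblock wins; order is irrelevant.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 10.0.0.0/8 allow
    access-control: 198.144.195.184/29 allow
    access-control: 0.0.0.0/0 refuse       # everyone else gets REFUSED
    access-control: ::0/0 refuse

    # Counterpart of BIND's `version` and `hostname` settings: the CHAOS
    # version.bind / hostname.bind / id.server queries are refused.
    hide-identity: yes
    hide-version: yes

    # Full recursion from the root.  With no forward-zone, no upstream
    # resolver sees this host's query stream.  root-hints is optional
    # (Unbound ships compiled-in hints); the path is Debian's dns-root-data.
    root-hints: "/usr/share/dns/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # RFC 5011 anchor
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # Drop privileges after binding port 53.
    username: "unbound"
    directory: "/etc/unbound"

# This stanza is the forwarding behaviour the thread is removing.  Leave it
# out (or commented, as here) for a true recursive resolver.
# forward-zone:
#     name: "."
#     forward-addr: 8.8.8.8
#     forward-addr: 8.8.4.4
```

Check the file with unbound-checkconf before restarting.  Two quick tests
of the policy afterwards: from an address outside the allowed netblocks,
`dig @<host> example.com` should come back with status REFUSED rather than
an answer or a timeout, and from an allowed client `dig +dnssec @<host>
example.com` should carry the `ad` flag, which shows validation is actually
happening rather than merely configured.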