[sf-lug] sf-lug.org DNS review

Rick Moen rick at linuxmafia.com
Wed Sep 27 10:01:40 PDT 2017


Cf. my review this morning of balug.org DNS at 
https://lists.balug.org/pipermail/balug-admin/2017-September/000931.html


1.  We have four nameservers.  This is in the recommended range.
RFC2182 section 5 recommends at least 3.  RFC1912 section 2.8
recommends no more than 7.

If we have one or two more friends running auth nameservers, adding them
would be gravy.

2.  No glue records for two nameservers (ns1.linuxmafia.com,
ns.primate.net), because they are out-of-bailiwick for the .org TLD
nameservers.  This means queries to them are just a little slower than
to the other two for which glue information gets supplied.

If you want to fix that, assign my ns1.linuxmafia.com nameserver IP
(198.144.195.186) and Aaron T. Porter's ns.primate.net (198.144.194.12)
the names NS2.SF-LUG.ORG and NS3.SF-LUG.ORG in the domain record,
removing the entries for NS1.LINUXMAFIA.COM and NS.PRIMATE.NET.  That
fixes the glue records at the parent (.org) zone.  And then don't forget
to make the same switch in the in-zone records served at master
nameserver NS1.SF-LUG.ORG.
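The bailiwick reasoning in point 2, as an added example that is not part of Rick's post: given the delegated zone and its nameserver set, it classifies each nameserver by whether the parent (.org) zone can carry glue for it, and then proposes the rename the post describes. The hostnames and addresses are the ones quoted above; the fourth nameserver is not named in the post, so only three are listed here (a constructed, incomplete set).

```python
# Added example, not code from the sf-lug post. Classifies nameservers by
# bailiwick relative to the parent zone and proposes in-bailiwick names for
# the ones the parent cannot supply glue for.

ZONE = "sf-lug.org"

# Constructed nameserver set: the three names/IPs quoted in the post. The
# post's fourth nameserver is not named there, so it is omitted here.
NAMESERVERS = {
    "ns1.sf-lug.org": "198.144.194.238",
    "ns1.linuxmafia.com": "198.144.195.186",
    "ns.primate.net": "198.144.194.12",
}


def _norm(name):
    """Lower-case and strip a trailing dot so comparisons are case/dot-insensitive."""
    return name.lower().rstrip(".")


def parent_zone(zone):
    """'sf-lug.org' -> 'org'; a TLD's parent is the root, written ''."""
    labels = _norm(zone).split(".")
    return ".".join(labels[1:])


def is_under(name, zone):
    """True when name equals zone or sits beneath it (label-aligned, not substring)."""
    name, zone = _norm(name), _norm(zone)
    if zone == "":
        return True                      # everything is under the root
    return name == zone or name.endswith("." + zone)


def glue_status(ns, zone):
    """Where glue for nameserver `ns` can come from when `zone` is delegated."""
    if is_under(ns, zone):
        return "in-zone (glue required at parent)"
    if is_under(ns, parent_zone(zone)):
        return "sibling in parent zone (glue available at parent)"
    return "out-of-bailiwick (no glue at parent)"


def rename_plan(nameservers, zone):
    """Map each out-of-bailiwick nameserver IP to the next free nsN.<zone> name.

    Returns {new_name: ip} in the order the nameservers were listed.
    """
    plan = {}
    taken = {_norm(n) for n in nameservers}
    n = 1
    for ns, ip in nameservers.items():
        if not glue_status(ns, zone).startswith("out-of-bailiwick"):
            continue
        while f"ns{n}.{_norm(zone)}" in taken:
            n += 1
        new_name = f"ns{n}.{_norm(zone)}"
        taken.add(new_name)
        plan[new_name] = ip
    return plan


def delegation_records(nameservers, zone):
    """Zone-file lines for the post-rename NS set plus A glue for the new names.

    The same NS names must also be registered at the parent (.org) zone; this
    function only produces the in-zone side.
    """
    plan = rename_plan(nameservers, zone)
    keep = {ns: ip for ns, ip in nameservers.items()
            if not glue_status(ns, zone).startswith("out-of-bailiwick")}
    final = {**keep, **plan}
    lines = [f"{_norm(zone)}.\tIN\tNS\t{_norm(ns)}." for ns in final]
    lines += [f"{_norm(ns)}.\tIN\tA\t{ip}" for ns, ip in final.items()
              if is_under(ns, zone)]
    return lines


if __name__ == "__main__":
    for ns in NAMESERVERS:
        print(f"{ns:22s} {glue_status(ns, ZONE)}")
    print()
    for line in delegation_records(NAMESERVERS, ZONE):
        print(line)
```

`rename_plan` hands out ns2 and ns3 in listing order, which is exactly the assignment the post proposes; `delegation_records` covers only the in-zone half of the change, the parent-side update still has to be made through the registrar.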

3.  Information leakage.  NS1.SF-LUG.ORG / 198.144.194.238 answers
(correctly) CHAOS class queries about its version.

$ dig version.bind txt chaos @NS1.SF-LUG.ORG +short
"9.9.5-9+deb8u14-Debian"

It'd be a good idea to turn this off, as IMO it's a bad idea to give out
to Internet random parties _accurate_ information about what versions
you run of public-facing software.  I like to return amusing lies,
myself.  My stanza in /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";
        version     "Shirley, you're joking";
        hostname    "ns1.linuxmafia.com";
        //server-id is essentially redundant to hostname, default is none
        //server-id  none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
        [redacted]
        };
        allow-query {
        [redacted]
        };
        dnssec-validation yes;
};


4.  No SPF records.  Given that the domain doesn't currently send mail,
it would be prudent to add a TXT record to accompany _each_ 'A' record,
declaring that there are no valid SMTP mail senders for that FQDN.
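Point 4 as an added example, not code from the post: a minimal zone-file reader that finds every owner name carrying an address record and emits the null SPF TXT record ("v=spf1 -all") for those that do not already have one. The zone text is constructed for the example (192.0.2.0/24 and 2001:db8::/32 are documentation ranges; only ns1's address is the one quoted in the post); covering AAAA owners as well as A owners is an assumption that goes slightly beyond the post's wording.

```python
# Added example, not code from the sf-lug post. Emits a null SPF TXT record
# for every owner name in a zone that has an address record but no SPF yet.

# Constructed sample zone. One record per line; no multi-line SOA.
SAMPLE_ZONE = """\
$ORIGIN sf-lug.org.
$TTL 3600
@      IN SOA ns1.sf-lug.org. hostmaster.sf-lug.org. 2017092701 7200 900 1209600 3600
@      IN NS  ns1.sf-lug.org.
@      IN NS  ns1.linuxmafia.com.
@      IN A   192.0.2.80        ; constructed: web host
www    IN CNAME sf-lug.org.
ns1    IN A   198.144.194.238   ; address quoted in the post
lists  IN A   192.0.2.25        ; constructed
lists  IN TXT "v=spf1 -all"     ; already carries a null SPF record
       IN AAAA 2001:db8::25     ; constructed; blank owner inherits 'lists'
"""


def qualify(owner, origin):
    """Turn a zone-file owner into an absolute name under `origin`."""
    if owner == "@":
        return origin.lower()
    if owner.endswith("."):
        return owner.lower()
    return f"{owner}.{origin}".lower() if origin != "." else f"{owner}."


def parse_zone(text):
    """Return (owner_fqdn, rtype, rdata) triples.

    Handles $ORIGIN, '@', relative owners, owner inheritance from the previous
    line, optional TTL/class fields and ';' comments. Assumes one record per
    line and no ';' inside quoted TXT data.
    """
    origin = "."
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):            # $TTL and other directives
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                   # skip TTL and class if present
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        records.append((qualify(owner, origin), rtype, rdata))
        last_owner = owner
    return records


def null_spf_records(records, address_types=("A", "AAAA")):
    """One 'v=spf1 -all' TXT line per address-record owner lacking an SPF record.

    Owners are returned in first-seen order; an existing TXT whose data starts
    with v=spf1 (any policy) suppresses the addition for that owner.
    """
    owners = []
    have_spf = set()
    for owner, rtype, rdata in records:
        if rtype in address_types and owner not in owners:
            owners.append(owner)
        if rtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            have_spf.add(owner)
    return [f'{o}\tIN\tTXT\t"v=spf1 -all"' for o in owners if o not in have_spf]


if __name__ == "__main__":
    for line in null_spf_records(parse_zone(SAMPLE_ZONE)):
        print(line)
```

Running it against the sample zone adds records for the apex and for ns1 and leaves `lists` alone, since it already publishes a null SPF policy; the CNAME at `www` gets nothing, because a CNAME owner cannot carry other records.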

Other than that, it looks good.
