[sf-lug] sf-lug.com DNS review

Rick Moen rick at linuxmafia.com
Wed Sep 27 10:02:41 PDT 2017


Cf. my review this morning of balug.org DNS at 
https://lists.balug.org/pipermail/balug-admin/2017-September/000931.html


1.  We have three nameservers.  This is in the recommended range,
barely.  RFC2182 section 5 recommends at least 3.  RFC1912 section 2.8
recommends no more than 7.

If we have one or two more friends running auth nameservers, adding them
would be gravy.

2.  No glue records for one nameserver (ns.primate.net), because it is
out-of-bailiwick for the .org TLD nameservers.  This means queries to
it are just a little slower than to the other two for which glue
information gets supplied.

If you want to fix that, assign Aaron T. Porter's ns.primate.net
(198.144.194.12) the name NS2.SF-LUG.COM in the domain record,
removing the entry for NS.PRIMATE.NET.  That fixes the glue records at
the parent (.com) zone.  And then don't forget to make the same switch
in the in-zone records served at master nameserver NS1.SF-LUG.ORG.

3.  Information leakage.  NS1.SF-LUG.COM / 198.144.194.238 answers
(correctly) CHAOS class queries about its version.

dig version.bind txt chaos @NS1.SF-LUG.ORG +short
"9.9.5-9+deb8u14-Debian"

It'd be a good idea to turn this off, as IMO it's a bad idea to give out
to Internet random parties _accurate_ information about what versions
you run of public-facing software.  I like to return amusing lies,
myself.  My stanza in /etc/bind/named.conf.options :

options {
        directory "/var/cache/bind";
        version     "Shirley, you're joking";
        hostname    "ns1.linuxmafia.com";
        //server-id is essentially redundant to hostname, default is none
        //server-id  none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
        [redacted]
        };
        allow-query {
        [redacted]
        };
        dnssec-validation yes;
};


4.  No SPF records for most 'A' records.  There is a single SPF RR
accompanying the 'A' record for FQDN 'sf-lug.com.', but not for any of
the others.  It would be prudent to add a TXT record to accompany _each_
'A' record, declaring that there are no valid SMTP mail senders for that
FQDN.

5.  SOA record lists Jim Stockford's e-mail address as the hostmaster
for contact about zone issues.  Fine if that remains the case, but I
just wanted to verify.

Other than that, it looks good.
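As an added illustration of the zone-level points above (in-bailiwick nameservers that need glue A records, A records with no SPF TXT record, and the hostmaster address in the SOA), here is a small offline zone-file audit.  This is example code written for this page, not Rick's or the sf-lug.com operators' tooling; the zone it reads is a constructed sample under example.org, and the tiny BIND-format parser it uses is an assumption of this example, not a general-purpose zone parser.

```python
"""Offline audit of a BIND-style zone for the review points above.

SAMPLE_ZONE is a constructed example zone (not the real sf-lug.com data).
The parser below is deliberately small: it handles $ORIGIN, relative
names, '@', multi-line parenthesised records and ';' comments, which is
enough for a hand-written zone file.
"""
import shlex

SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@       IN SOA  ns1.example.org. hostmaster.example.org. (
                2017092701 3600 900 1209600 3600 )   ; serial refresh retry expire minimum
@       IN NS   ns1.example.org.
@       IN NS   ns2.example.org.
@       IN NS   ns.provider.example.
@       IN A    198.51.100.10
@       IN MX   10 mail.example.org.
@       IN TXT  "v=spf1 mx -all"
ns1     IN A    198.51.100.1
www     IN A    198.51.100.10
mail    IN A    198.51.100.20
mail    IN TXT  "v=spf1 a -all"
"""


def qualify(name, origin):
    """Turn a zone-file owner/target into a lower-case fully qualified name."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text):
    """Return a list of (owner, rtype, rdata_tokens) with qualified names."""
    origin, owner, buf, indented = ".", None, "", False
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # assumes no ';' inside quoted TXT
        if not line.strip():
            continue
        if not buf:
            indented = line[0].isspace()      # blank owner => reuse previous owner
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                           # still inside a ( ... ) record
        toks = shlex.split(buf.replace("(", " ").replace(")", " "))
        buf = ""
        if toks[0] == "$ORIGIN":
            origin = toks[1].lower()
            continue
        if toks[0].startswith("$"):            # $TTL etc. are not needed here
            continue
        if not indented:
            owner = qualify(toks.pop(0), origin)
        if toks and toks[0].isdigit():         # optional per-record TTL
            toks.pop(0)
        if toks and toks[0].upper() in ("IN", "CH", "HS"):
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "NS":
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, rdata))
    return records


def nameserver_report(records):
    """Count apex NS records and flag in-bailiwick ones lacking an A record.

    An in-bailiwick nameserver needs an A record in this zone so that the
    registrar can publish glue; an out-of-bailiwick one simply gets no glue
    at the parent, which is expected (the ns.primate.net case above).
    """
    apex = next(o for o, t, _ in records if t == "SOA")
    have_a = {o for o, t, _ in records if t == "A"}
    in_bw, out_bw = [], []
    for o, t, rd in records:
        if t == "NS" and o == apex:
            ns = rd[0]
            (in_bw if ns == apex or ns.endswith("." + apex) else out_bw).append(ns)
    count = len(in_bw) + len(out_bw)
    return {
        "ns_count": count,
        "in_recommended_range": 3 <= count <= 7,   # RFC 2182 s5 / RFC 1912 s2.8
        "needs_glue_but_no_a": sorted(n for n in in_bw if n not in have_a),
        "out_of_bailiwick": sorted(out_bw),
    }


def a_without_spf(records):
    """Owners of A records that have no accompanying SPF TXT record."""
    spf = {o for o, t, rd in records
           if t == "TXT" and rd and rd[0].lower().startswith("v=spf1")}
    return sorted({o for o, t, _ in records if t == "A"} - spf)


def null_spf_fixes(records):
    """Zone lines declaring 'no mail is sent from this name' for each gap."""
    return [f'{name} IN TXT "v=spf1 -all"' for name in a_without_spf(records)]


def hostmaster_email(records):
    """Decode the SOA RNAME field (first unescaped '.' becomes '@')."""
    rname = next(rd[1] for _, t, rd in records if t == "SOA")
    tmp = rname.rstrip(".").replace("\\.", "\x00")
    local, _, domain = tmp.partition(".")
    return f"{local.replace(chr(0), '.')}@{domain}"


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(nameserver_report(recs))
    print("\n".join(null_spf_fixes(recs)))
    print("hostmaster:", hostmaster_email(recs))
```

Run against the sample, the report flags ns2.example.org. as an in-bailiwick nameserver with no A record, lists ns.provider.example. as the out-of-bailiwick one that cannot get glue at the parent, emits `v=spf1 -all` TXT lines for ns1 and www (the A records with no SPF), and decodes the SOA RNAME to hostmaster@example.org.  Point the parser at a real zone file (after checking that the zone uses no `;` inside quoted strings) to get the same three answers for a live domain.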
