  1. #1
    Join Date
    May 2007
    Posts
    1,979

    DNS server : recursive and caching?

    Hi guys, I would like to provide (for free) DNS servers just like Google does.

    I'd like to offer it to some guys from a communitarian project I'm involved in and, if possible, to limit access just to them.

    I was asking myself what type of DNS servers I should set up.

    Should I set up a "recursive and caching name server"?

    If so, which software would work with the smallest footprint on VPSs?

    Appreciate

  2. #2
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    16,087
    BIND would do it, you could set up a firewall so that only selective IP addresses can connect in on port 53 so that the whole world wouldn't be able to use them.
    Michael Denney - MDDHosting LLC
    New shared plans for 2016! Check them out!
    Highly Available Shared, Premium, Reseller, and VPS
    http://www.mddhosting.com/

  3. #3
    Join Date
    May 2007
    Posts
    1,979
    Thx Mike. I've read about BIND 9, but there have been people who mentioned a preference for tinydns and djbdns, IIRC.

    Regarding location of boxes: should they be closer to the client that makes the request, or where? I'm quite lost.

  4. #4
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    16,087
    Quote Originally Posted by elvis1 View Post
    Thx Mike. I've read about BIND 9, but there have been people who mentioned a preference for tinydns and djbdns, IIRC.

    Regarding location of boxes: should they be closer to the client that makes the request, or where? I'm quite lost.
    The closer the better, as DNS latency will delay things (at least on the first look-up, as most browsers/computers these days do their own DNS caching).

    BIND and NSD are what I personally have experience with, so I couldn't advise you as far as tinydns and djbdns, but as long as they're capable of meeting your needs and you're comfortable working with them, then go for it.

  5. #5
    Join Date
    May 2007
    Posts
    1,979
    Quote Originally Posted by MikeDVB View Post
    The closer the better, as DNS latency will delay things (at least on the first look-up, as most browsers/computers these days do their own DNS caching).

    BIND and NSD are what I personally have experience with, so I couldn't advise you as far as tinydns and djbdns, but as long as they're capable of meeting your needs and you're comfortable working with them, then go for it.

    I still don't get it: closer to what are you referring?


    Appreciate.

  6. #6
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    16,087
    Quote Originally Posted by elvis1 View Post
    I still don't get it: closer to what are you referring?


    Appreciate.
    Whoever it is that will be using the nameservers/resolvers.

  7. #7
    Join Date
    May 2007
    Posts
    1,979
    Quote Originally Posted by MikeDVB View Post
    Whoever it is that will be using the nameservers/resolvers.
    Gotcha!

    Makes tons of sense.

    Thanks

  8. #8
    Join Date
    May 2007
    Posts
    1,979
    So... caching + recursive is what I need then?

  9. #9
    Join Date
    Aug 2010
    Location
    Sorting Office
    Posts
    6,901
    As I can probably guess what you're up to (insider knowledge LOL) ...

    Quote Originally Posted by elvis1 View Post
    So... caching + recursive is what I need then?
    Recursive is more important and I doubt that you'll want to cache much for your particular needs.

    2 things to check for if you're going to use a VPS for this:

    1) Find one that gives you access to multiple CPUs rather than just one, so that it will handle simultaneous queries quicker,

    and 2) Use a VPS that has full access to IPTABLES so that you can use something like CSF easily to control who can/cannot access your resolvers.

  10. #10
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by elvis1 View Post
    Hi guys, I would like to provide (for free) DNS servers just like Google does.

    I'd like to offer it to some guys from a communitarian project I'm involved in and, if possible, to limit access just to them.

    I was asking myself what type of DNS servers I should set up.

    Should I set up a "recursive and caching name server"?

    If so, which software would work with the smallest footprint on VPSs?

    Appreciate
    There are two ways to set up a DNS server that will do general DNS lookups.

    1. As you already noted, one way would be recursion, which would forward the request to the DNS server used in your server network settings. That would work pretty well, and no one would even notice that you were doing it that way, but it wouldn't be quite as snappy as hosting your own lookup database.
    2. You could set up a "root zone" in BIND (named) which will contain the internic "hints" file. The hints file is made available every day at 5 am and 5 pm local Tulsa time, and contains the universal DNS information. With the root zone and hints file, you would have your own self-contained server.

    Note that you can also have recursion along with your root zone, which would pick up any lookups that your hints file doesn't know.

    You should be aware that many system operators frown on DNS recursion because it is often used as a ploy to drain resources during a DDoS attack. For that reason, disabling recursion is a standard security precaution that many system operators take. I can tell you that I always disable recursion.

  11. #11
    Join Date
    May 2007
    Posts
    1,979
    Quote Originally Posted by F-DNS View Post
    As I can probably guess what you're up to (insider knowledge LOL) ...


    LOL.
    Indeed, it's what you know!

    Quote Originally Posted by F-DNS View Post
    Recursive is more important and I doubt that you'll want to cache much for your particular needs.
    Good, that clears the whole picture


    Quote Originally Posted by F-DNS View Post
    2 things to check for if you're going to use a VPS for this:

    1) Find one that gives you access to multiple CPUs rather than just one, so that it will handle simultaneous queries quicker,
    I'm taking down notes.

    Quote Originally Posted by F-DNS View Post
    and 2) Use a VPS that has full access to IPTABLES so that you can use something like CSF easily to control who can/cannot access your resolvers.
    Other than requesting such info from the provider, is there any way I can tell if I'll have access to IPT?

    Guesstimating, how many locations should I get?

    appreciate A

  12. #12
    Join Date
    May 2007
    Posts
    1,979
    Quote Originally Posted by ajonate View Post
    There are two ways to set up a DNS server that will do general DNS lookups.

    1. As you already noted, one way would be recursion, which would forward the request to the DNS server used in your server network settings. That would work pretty well, and no one would even notice that you were doing it that way, but it wouldn't be quite as snappy as hosting your own lookup database.
    2. You could set up a "root zone" in BIND (named) which will contain the internic "hints" file. The hints file is made available every day at 5 am and 5 pm local Tulsa time, and contains the universal DNS information. With the root zone and hints file, you would have your own self-contained server.

    Note that you can also have recursion along with your root zone, which would pick up any lookups that your hints file doesn't know.

    You should be aware that many system operators frown on DNS recursion because it is often used as a ploy to drain resources during a DDoS attack. For that reason, disabling recursion is a standard security precaution that many system operators take. I can tell you that I always disable recursion.

    Very informative, but some things are a tad confusing to me:

    a- If recursion is usually disabled, how could I possibly use it?
    b- Would this methodology be any good to resolve around 5 exp 12 requests per day with no issues?

    Edit: how big could this "lookup database" be (size-wise)?

    appreciate
    Last edited by elvis1; 05-08-2011 at 06:35 PM.

  13. #13
    Join Date
    Apr 2011
    Location
    Las Vegas, NV
    Posts
    1,627
    Quote Originally Posted by elvis1 View Post
    a- If recursion is usually disabled, how could I possibly use it?
    b- Would this methodology be any good to resolve around 5 exp 12 requests per day with no issues?

    Edit: how big could this "lookup database" be (size-wise)?
    Recursion is enabled in BIND by default, so it's not that terrible of a thing. If you wish to disable recursion, add the following line to your options commands at the top of your /etc/named.conf file.

    options {
        allow-recursion { localhost; };
        // ... other options ...
    };


    You need to allow recursion for your own machine (localhost) because you will need it to resolve hosts when you do things like wget. The "allow-recursion" statement above only allows it for localhost, refusing all other recursive requests.

    As for the number of lookups your DNS server can handle, that depends on the performance of your server. There are free DNS benchmarking utilities (both web-based and downloadable software) available by Googling to get an idea of how much load your DNS server can handle.

    I'm not sure how big the hints file is since I don't maintain one. I run an authoritative-only DNS server.
    Last edited by ajonate; 05-08-2011 at 06:53 PM.

  14. #14
    Join Date
    Aug 2010
    Location
    Sorting Office
    Posts
    6,901
    Quote Originally Posted by elvis1 View Post
    Other than requesting such info from the provider, is there any way I can tell if I'll have access to IPT?
    Well, a clue is that Xen VPSs generally behave better with IPTABLES than VZ, but that's not a cast-iron guide and can be set/cured by the provider with what they set up on the host node. It's best to ask before you buy.

    Quote Originally Posted by elvis1 View Post
    Guesstimating, how many locations should I get?
    You could do it all with 1, but then you've no redundancy. 2, both placed close to the people who are generating the lookups, would be better.

    ajonate has given you some excellent pointers, but I'm thinking (with insider knowledge again) that you're trying to deal with the number of queries required rather than deal with your own root file and hints.

    Have a read of http://linux.die.net/man/5/resolv.conf and pay particular attention to the rotate section. My guess is that you're trying to distribute the load of the number of queries you're generating, and not upset one host or resolver with all the traffic? You may not even need your own resolvers. Maybe you just need to distribute the requests more?

    Quote Originally Posted by elvis1 View Post
    appreciate A
    Welcome J
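    As an added example (my own, not code from this thread, from BIND or from CSF), here is a POSIX shell script that generates the three pieces discussed in posts #9, #13 and #14: a named.conf fragment that allows recursion only for a "community" ACL, the iptables rules that keep port 53 closed to everyone else, and a client resolv.conf that spreads queries over several resolvers with "options rotate". The prefixes and resolver addresses are constructed placeholders from the RFC 5737 documentation ranges; the rate-limit and version settings are extra hardening choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the pieces of a
# community-only recursive resolver. Prefixes and resolver addresses below are
# constructed placeholders taken from the RFC 5737 documentation ranges.
COMMUNITY_PREFIXES="192.0.2.0/24 198.51.100.0/24"

# named.conf fragment: recursion and cache access only for the "community" ACL
# (plus localhost, as post #13 notes); everyone else gets REFUSED. The
# rate-limit and version lines are extra hardening choices, not thread content.
gen_named_options() {
    printf 'acl "community" {\n    localhost;\n'
    for p in $COMMUNITY_PREFIXES; do
        printf '    %s;\n' "$p"
    done
    printf '};\n\n'
    cat <<'EOF'
options {
    recursion yes;
    allow-recursion { community; };
    allow-query { community; };
    allow-query-cache { community; };
    // hide the version string from scanners
    version "not disclosed";
    // cap identical answers per client to blunt amplification abuse
    rate-limit {
        responses-per-second 20;
        window 5;
    };
};
EOF
}

# iptables rules, printed rather than applied: accept DNS on 53/udp and 53/tcp
# from the community prefixes, drop everything else. Pipe into sh as root.
gen_dns_firewall() {
    for p in $COMMUNITY_PREFIXES; do
        for proto in udp tcp; do
            printf 'iptables -A INPUT -p %s --dport 53 -s %s -j ACCEPT\n' "$proto" "$p"
        done
    done
    printf 'iptables -A INPUT -p udp --dport 53 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 53 -j DROP\n'
}

# Client-side resolv.conf for the community machines: several resolvers with
# "options rotate" so queries are spread round-robin instead of always hitting
# the first entry; timeout/attempts bound how long a dead resolver can stall
# a lookup. glibc honours at most three nameserver lines, so extras are dropped.
gen_resolv_conf() {
    n=0
    for ns in "$@"; do
        n=$((n + 1))
        if [ "$n" -gt 3 ]; then
            echo "skipping $ns: only the first 3 nameservers are used" >&2
            continue
        fi
        printf 'nameserver %s\n' "$ns"
    done
    printf 'options rotate timeout:2 attempts:2\n'
}

# Syntax-check the generated BIND fragment when named-checkconf is installed;
# returns 0 when it parses (or when the tool is absent, since nothing ran).
check_named_options() {
    tmp=$(mktemp) || return 1
    gen_named_options > "$tmp"
    rc=0
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$tmp" || rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone usage: print all three artefacts.
gen_named_options
echo
gen_dns_firewall
echo
gen_resolv_conf 192.0.2.53 198.51.100.53
```

    Run it as `sh resolver-setup.sh` to see the generated fragment, rules and resolv.conf; the firewall lines are printed rather than executed so they can be reviewed before being applied, and the ACL in named.conf is the second layer that still refuses recursion if a packet gets past the firewall.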

  15. #15
    Join Date
    May 2007
    Posts
    1,979
    Guys, I've read and understood your points; I still need to process lots of information.

    @F-DNS: sure, I would like to distribute queries as much as possible. It's not my idea to piss anyone off.

    OFC I will use >1. Fact is that I did not know how much was "enough". Most queries are submitted either from the US or Europe, which makes it much easier/cheaper.

    @ajonate: many thanks for all the valuable info.

    EDIT: would the rotate thing be able to be combined with a Maxmind DB to know where the queries come from, to select one of the VPSs (with both less latency and load)?
    Last edited by elvis1; 05-08-2011 at 07:23 PM.

  16. #16
    Join Date
    Aug 2010
    Location
    Sorting Office
    Posts
    6,901
    Quote Originally Posted by elvis1 View Post
    EDIT: would the rotate thing be able to be combined with a Maxmind DB to know where the queries come from, to select one of the VPSs (with both less latency and load)?
    Don't try to reinvent the wheel. DNS already knows how to pick its favourites and still check to see if there's a new, better option once in a while.

  17. #17
    Join Date
    May 2007
    Posts
    1,979
    Quote Originally Posted by F-DNS View Post
    Don't try to reinvent the wheel. DNS already knows how to pick its favourites and still check to see if there's a new, better option once in a while.
    LOL. That defines me quite well.

  18. #18
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163
    PowerDNS Recursor is probably a better product if you are just looking to provide DNS lookup services: a bit lighter than BIND, and it has historically had fewer security problems.

    We use pdns on our caches, and BIND on authoritative servers.

    It is wise to keep authoritative and caching servers separate for security reasons.

  19. #19
    Join Date
    May 2007
    Posts
    1,979
    Thanks, but that's not free and I would like to avoid paying for it (not for the needed infra).

  20. #20
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163

  21. #21
    Join Date
    May 2007
    Posts
    1,979
    My bad.. I'm checking it.

    Thx
