On 2008/05/07 19:21, Sam Fourman Jr. wrote:
> > > I assume that if I want to host email for 10 different domains I have
> > > to have these set
> > >
> > > allow-recursion { any; };
> >
> > This allows anybody to use your nameserver as a resolver (e.g.
> > anyone can ask you to lookup domains for them). You shouldn't
> > do this at all without a very good reason (one example being if
> > you're providing DNS to VPN clients and filtering non-VPN traffic).
> > Doing so without other controls leaves you open to being an
> > attack amplifier for anyone who can send a UDP packet with an
> > invalid source address, and also may open you up to DNS poisoning.
> >
> > If you're currently using a setup that involves the same IP
> > address for both authoritative (domains you host) and recursive
> > queries (client DNS requests), you should get these split onto
> > separate addresses.
> >
>
> so if I understand this, the correct way to set up DNS
> is to have one nameserver do just recursive queries
> and a separate name server on a separate IP address have the actual domain
> files
That's how I usually do things; it gives a clear separation, and
most people don't need a powerful machine to host authoritative DNS.
Other options include running two daemons bound to different
addresses (I have some systems where I do this, usually with nsd
for auth, BIND for resolver), or using one daemon with views
and "match-destinations".
It's also possible to use views with "match-clients", but I'm
not keen on this, it makes things difficult when customers transfer
a domain away, and makes it hard to filter or separate things onto
different machines if you want to do that sometime.
I also usually run named on mail servers, just answering to
localhost queries, forwarding to a main resolver - this saves a
bunch of local network traffic when you have messages stuck in
queues.
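The split described in the thread, written out as an added BIND named.conf example (not from the thread or from the BIND documentation): the open-resolver setting the original poster asked about, followed by the one-daemon layout with two views selected by "match-destinations". The IP addresses, ACL name, and zone name are placeholders I chose for the illustration.

```conf
// --- Weak: open resolver, auth and recursive on the same address ---
options {
    recursion yes;
    allow-recursion { any; };   // anyone on the Internet may recurse through us
};
zone "example.com" { type master; file "example.com.zone"; };

// --- Hardened: one daemon, two addresses, recursion only for our own clients ---
acl "trusted" {                 // placeholder: the networks allowed to recurse
    127.0.0.1;
    192.0.2.0/24;
};

// Queries arriving on the resolver address: recursive, trusted clients only.
view "resolver" {
    match-destinations { 192.0.2.53; };   // placeholder resolver IP
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
    zone "." { type hint; file "named.root"; };   // root hints for recursion
};

// Queries arriving on the authoritative address: answer our zones, never recurse.
view "authoritative" {
    match-destinations { 198.51.100.53; }; // placeholder authoritative IP
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Once views are in use, every zone must live inside a view; a query for example.com that reaches the resolver address from a non-trusted source is simply refused rather than answered or amplified.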