[BALUG-Admin] balug.org DNS review

Rick Moen rick@linuxmafia.com
Wed Sep 27 09:25:12 PDT 2017


Just checking on things, in the wake of the departure from Dreamhost.

1.  We have three nameservers.  This is in the recommended range,
barely:  RFC2182 section 5 recommends at least 3.  RFC1912 section 2.8
recommends no more than 7.

If we have one or two more friends running auth nameservers, adding them
would be gravy.

2.  No glue records for one nameserver (ns1.linuxmafia.com), because it
is out-of-bailiwick for the .org TLD nameservers.  This means queries to
it are just a little slower than to the other two for which glue
information gets supplied.

If you want to fix that, assign my nameserver IP (198.144.195.186) the
name NS2.BALUG.ORG in the domain record, removing the entry for
NS1.LINUXMAFIA.COM.  That fixes the glue records at the parent (.org) zone.  
And then don't forget to make the same switch in the in-zone records 
served at master nameserver NS1.BALUG.ORG.

3.  Information leakage.  NS1.BALUG.ORG / 198.144.194.238 answers
(correctly) CHAOS class queries about its version.

:r! dig version.bind txt chaos @NS1.BALUG.ORG +short
"9.9.5-9+deb8u14-Debian"

It'd be a good idea to turn this off.  I like to return amusing lies,
myself.  My stanza in /etc/bind/named.conf.options :

options {
        directory "/var/cache/bind";
        version     "Shirley, you're joking";
        hostname    "ns1.linuxmafia.com";
        //server-id is essentially redundant to hostname, default is none
        //server-id  none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion {
        [redacted]
        };
        allow-query {
        [redacted]
        };
        dnssec-validation yes;
};

Other than that, it looks good.
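The three checks above (nameserver count, glueless out-of-bailiwick nameservers, and CHAOS version disclosure) written as a small audit script, added here as an example; it is not part of Rick's message or BALUG's own tooling. Each check is a function that reads the shape of output `dig +short` prints, so it can be run against saved answers without network access; `audit` runs the live queries and assumes `dig` is installed. The nameserver names in the comments are the ones from the email plus one constructed third name (ns.third-example.net) used only as sample input.

```shell
#!/bin/sh
# Added example, not BALUG's or the poster's own script.
# The functions take text on stdin in the form `dig ... +short` prints,
# so they work offline on saved output; audit() issues the live queries.

# 1. Nameserver count: RFC2182 s5 wants at least 3, RFC1912 s2.8 at most 7.
#    stdin: NS names, one per line.  Prints "low", "ok" or "high".
ns_count_status() {
    n=$(grep -c . || true)          # grep -c exits 1 on a count of 0
    if [ "$n" -lt 3 ]; then echo low
    elif [ "$n" -gt 7 ]; then echo high
    else echo ok
    fi
}

# 2. Out-of-bailiwick nameservers: a nameserver whose name is not under the
#    zone being delegated gets no glue at the parent, so resolvers pay an
#    extra lookup for it (ns1.linuxmafia.com under balug.org in the email).
#    $1: zone; stdin: NS names.  Prints the names that will be glueless.
glueless_nameservers() {
    z=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    tr 'A-Z' 'a-z' | sed 's/\.$//' | awk -v zone="$z" \
        'NF && substr($0, length($0) - length(zone)) != "." zone { print }'
}

# 3. Version disclosure: stdin is the +short answer to a CHAOS
#    version.bind TXT query.  Exit 0 when it looks like a real BIND version
#    ("9.9.5-9+deb8u14-Debian"), 1 for an empty/refused answer or a decoy
#    such as the "Shirley, you're joking" string set via version "...".
version_leaks() {
    grep -Eq '^"?[0-9]+\.[0-9]+'
}

# Live run against a zone (needs dig and network): audit balug.org
audit() {
    zone=$1
    ns=$(dig +short NS "$zone")
    echo "nameserver count: $(printf '%s\n' "$ns" | ns_count_status)"
    echo "glueless at parent (out-of-bailiwick):"
    printf '%s\n' "$ns" | glueless_nameservers "$zone"
    for server in $ns; do
        if dig "@$server" version.bind txt chaos +short | version_leaks; then
            echo "$server discloses its BIND version"
        fi
    done
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it as `sh audit.sh balug.org` for a live check; the glue check only reports names outside the zone, which is exactly the case the NS2.BALUG.ORG rename in point 2 removes.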