Re: Anyone good with DNS stuff?

I've learned a little bit more about this since I last begin working on setting it up. I found this:

I see in /etc/resolv.conf:
I believe those two IP addresses, 208.109.96.1 and 208.109.96.2 are the authorative DNS nameservers, right? Even if I wanted to setup reverse DNS pointers, this is something that only GoDaddy can do. Is that correct?

I see this:
With mine:
Those AUTHORITY: 0 for my nameservers and the AUTHORITY: 1 for their nameserver makes me think this is something that only GoDaddy can setup for me. What do you think?

Re: Anyone good with DNS stuff?

Correct.

Re: Anyone good with DNS stuff?

Good to go. Per Hansson, are you familiar with something called round robin by any chance? I believe that's something that I'm interested in, if I understand the definition correctly.

I have two IP addresses for my one server. I have one A record that points one IP address to the domain. I also have one A record that points that same IP address to the hostname. Finally, I have one A record that points one IP address to my first nameserver and then another A record that points the second IP address to the second nameserver.

I want it so when me or anyone else does something like ping my domain or hostname, the first time, the answer will come from the first IP address. The second time they do something like that, I want it so the answer comes from the second IP address. Third time, it goes back to the first, etc.

I thought all I had to do was create another A name for my domain and assign it the second IP address. So I had two A records for my domain, each with a different IP address. But every time I pinged it, only the second IP address would respond, never the first.

What did I do wrong? Should I have created another A record for the hostname as well or something? Any thoughts?

Thanks!

Re: Anyone good with DNS stuff?

I can't think of much practical reason to bother with round robin DNS if it just leads to the same machine anyway.

A DNS lookup is not necessarily done every time you resolve an address. A lot of caching is done in recursive name servers (i.e. the ones looking up names for ordinary users), and hopefully in most clients as well. That is why every DNS record has a Time To Live. Round robin DNS can help spread requests for sites that have tons of clients looking up names (think Google, not BadCaps).

Re: Anyone good with DNS stuff?

I believe you're correct Uniballer. The idea is to set it up now with my VPS that I lease but after successfully getting it setup, when we move into the new house, point one of the records to my home server for redundancy but mainly, just to learn. I don't think it's the best option for redundancy though. Let me give an example.

I have one DNS A record pointing my domain name to the IP address assigned to me by GoDaddy. I have another DNS A record pointing that same domain to my server at my house. They both have Apache running and the same site. Let's say my house PC goes down. When someone tries connecting, if they query the DNS A record and get the one that points to my house, it'll still try to connect. They won't get routed to the GoDaddy server.

I think the only real reason to use Round Robin would be for load balancing. And mainly, I'd be doing it just for the learning experience. I wonder how it'd work with a mail server though. If one mail server goes down, will the client automatically try the other mail server? I wonder if the mail servers can be synced, so if one gets an e-mail, the other one gets it as well...Just stuff for me to think about.

Aren't recursive name servers bad and are the main reason stuff like DDoS's are possible? I don't fully understand all of this yet but I thought I remembered seeing something about how recursive name servers should be disabled or something. I remember doing something in a configuration file for bind or something that disabled recursive query's or something like that. This was based on some security scan that recommended it, along with hiding the version of bind that I'm running from the public.

Re: Anyone good with DNS stuff?

What home connection do you have ? Seems like you're making extra work for yourself with all the replication that would have to be going on.
How often are you expecting your server at GoDaddy to go down ?
You're talking about load distribution not balancing.

Re: Anyone good with DNS stuff?

Personally, I would not run an Internet-accessible server on a LAN with internal machines. This is what a DMZ is for. I have always been much more comfortable with dedicated server machines, as well (there have been some interesting exploits that relied on a single poorly configured machine doing SMTP, FTP and HTTP).

Use MX records for email server redundancy and availability.

Almost all ISP name resolving servers handle recursive queries. It's easier on the clients and saves ISP bandwidth by enriching their DNS caches.

You probably don't want to allow your name server to resolve queries from random Internet sites recursively. This is at least partly to avoid cache poisoning.

BIND has had a lot of security issues over the years. Make sure you update it as problems are found and fixed. Hiding your version of BIND only helps if somebody tries to check the version rather than just check whatever exploit they are interested in. I have been running Unbound on my FreeBSD systems for queries from systems on my LANs. I do not run an internal authoritative name server reachable from the Internet at this time.

Re: Anyone good with DNS stuff?

Right now, it's just 30Mbps. But we're supposed to be getting fiber soon and I think if we do, I'll have a fast enough connection.

In all honesty, the idea was to try and slowly move away from GoDaddy but try to keep both servers up and running at first until I was certain my home server was working properly and could handle everything. I wanted to setup the redundancy by having two servers and then after a month or so of seeing how everything worked, shutdown the GoDaddy VPS.

I will research the load distribution some. Thanks for the information!

Re: Anyone good with DNS stuff?

I planned on having two IP addresses at my house, one for the LAN and then one for the server. I was going to have a router hooked up though for the server, with one of those built in firewalls. Maybe this was a bad idea though. I didn't want our local PCs sharing the same IP address with the server for security reasons. One time, I had set it up so anything on the local area network was allowed to my Linux machine and I hadn't really thought it threw too well.

I configured iptables to accept all traffic from the LAN and I had a webserver setup to test stuff before I uploaded it to my main server and I had an ssh server and an ftp server and when I was checking the logs, my wife's PC was trying to get in via SSH. Her machine was doing some sort of brute force attack and just randomly guessing usernames and passwords. We ended up formatting and reinstalling Windows on her laptop.

Re: Anyone good with DNS stuff?

I was suggesting the way you were talking about using DNS is not classed as load balancing. There is no checking of server capacity, latency etc. You are just sharing the load.

Re: Anyone good with DNS stuff?

I have a router/firewall with multiple LAN ports. One of the ports is configured for my internal LAN, and two others are configured as DMZ networks which only have one server machine each. The servers can not see each other, but can both be reached from the internal LAN (but they are in a different private IP network than the internal LAN).

I have a single static IP address. Incoming connections that are allowed are translated to go to the appropriate server on the DMZ.

Re: Anyone good with DNS stuff?

Yup, thanks again for pointing that out to me.

I remember back in DCSI, I had tried setting up load balancing with the ethernet cards to help split the load a bit but was unsuccessful. I enabled it in the kernel and did a bunch of stuff. I followed some guide but things didn't work out, I can't remember why. I think in the end, nothing was getting through.

It was hard to test because I couldn't test on the production server but the test server wasn't the same. It ran a very old kernel and for some reason, we couldn't update it. We'd run stuff on the test server and if it seemed to work, we'd copy it over to the production server and this caused issues! It was such a mess!

I think the reason had to do with some really old hardware RAID card and the kernel drivers. For some reason, the newer kernels broke the RAID card module. It had something to do with firmware or something if I remember correctly. So anytime they tried putting a newer version of Linux on, the RAID cards would stop working.

Re: Anyone good with DNS stuff?

Isn't the single static IP address a bad idea though if you're sharing the IP address with stuff on the local area network? Aren't you afraid of someone finding a way through that router?

Is it a fancy router, like a Cisco router or something? I don't seem to remember being able to put multiple PCs in the demilitarized zone.

Re: Anyone good with DNS stuff?

I do not feel that there is any additional exposure from using NAT to support the internal LAN and DMZ using a single IP address, than if I was using multiple IP addresses. A bad NAT or firewall bug could kill you either way. The most important part is that the internal client machines are not exposed if one of the server machines is compromised, and that if an internal client machine is compromised it will take a script-kiddie some work to find access to the server machines.

Sonicwall

Re: Anyone good with DNS stuff?

Thanks! Not having to have a second or third IP address would be cheaper. I know someone's gotten into my wife's Windows machine before, I think she was running 7 at the time. Someone could have clicked something they weren't supposed to or maybe downloaded something they shouldn't have. She was looking for free video converter programs and maybe one was infected or something. I had just assumed if they could get into a machine on the local area network through the internet, they'd be able to see the machine in the DMZ and vice-versa.

I don't fully understand NAT even though I majored in network administration. We only had one teacher for the network stuff. It was a mess. The person in charge of the computer department had to come down one day and talk to all of us. He said there were a lot of complaints against this teacher but he had tenure so they were going to try and fix the issues and asked us what we felt was wrong.

I told him that were in our last semester and although we learned a good deal about Cisco routers, we've never learned the stuff that would allow us to go get a job. The teacher never stuck to his syllabus. We never learned about any server software. No active directory, no DNS servers, so webservers, nothing. We spent a full freaking semester learning how to calculate subnet masks. We have subnet mask calculators but we kept going off road (not following the syllabus and just going on these weird sub-paths). One time, I had to give a presentation and I gave a presentation on how to slipstream network drivers on an XP disc. I did some stuff with DOS and one of the students asked if I could explain DOS to the class. I told him I felt that was beyond the scope of my presentation and that DOS should be taught in another class. The professor disagreed and spent the rest of the semester teaching DOS to everything. Not working in DOS, but actual MS-DOS. Something that should have been taught in one of the PC repair classes, not the networking class, if you ask me.

For our CCNA (Cisco) classes, because we couldn't possible pass the on-line tests, he taught us how to google for the answers. If we didn't score at least a 90, he'd rest the test for us and make us take it again and again and just had us google the questions to get the answers. Then, for the CCNA handbooks and lab exercises, he just gave us a digital copy of the freaking teacher edition!!! I think I still got all four semesters. Not one of us could sit down and tell you the difference between a routing protocol and a routed protocol. It was such a waste of time and money.

The guy in charge of the computer department said they just couldn't find any other networking teachers. They had been looking but they couldn't find anyone qualified. I think the idea was even though our professor had tenure if they had someone else, we could at least pick the professor or maybe the bad professor could teach the easier stuff and the other professor teacher the more advanced stuff.