comments on special DNS setup?

Nate Duehr nate at natetech.com
Wed Aug 30 23:05:52 UTC 2000


Agreed with Kevin, make sure to put your nameservers on different
networks with different Internet connectivity if possible.

My four hosting nameservers I maintain are located in three cities and
have at least two BGP peering routes out of each location onto a grand
total of five different backbone carriers.

Makes me sleep well at night. :)

On Wed, Aug 30, 2000 at 11:15:02AM +0000, christiantdk at my-deja.com wrote:
> I'm running DNS servers for an ISP. We have 2 servers which are both
> authoritative for our domains and also the servers our customers send
> their queries to.
> 
> We have talked about splitting it up so we have 2 caching-only
> nameservers, and 3 authoritative nameservers which can only accept
> queries on the domains for which they are authoritative.
> 
> The caching-only servers, which probably will be the most exposed ones,
> only need to have UDP port 53 permitted and not TCP since clients use
> UDP; this would increase security quite a bit. The question is just if
> this has any disadvantages??
> 
> As I see it, the 3 authoritative name servers don't need the root zone
> since they should not answer queries about domains other than those
> which they are authoritative for. But I'm not sure about CNAME records
> pointing to domains other than mine? But that would only be a problem
> if the server accepts recursive queries, which I guess it doesn't need
> to since it should only be servers which send queries to those
> servers?..
> 
> Anyone have experience with such a setup? Any other ISPs?
> 
> 
> Regards
> Christiantdk

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
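
An added example, not part of the original thread or of BIND: a small Python check that reads the header flags of raw DNS responses to audit the split described in the quoted question. It flags an authoritative server that still offers recursion, a caching server that does not, and responses truncated over UDP, which a client retries over TCP port 53 (RFC 1035, RFC 1123). The role names, function names and sample headers are this example's own, constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def parse_flags(message: bytes) -> dict:
    """Decode the 12-byte header of a raw DNS message."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    return {
        "id": msg_id,
        "response": bool(flags & QR),
        "aa": bool(flags & AA),   # answer is authoritative
        "tc": bool(flags & TC),   # answer was truncated
        "rd": bool(flags & RD),   # client asked for recursion
        "ra": bool(flags & RA),   # server offers recursion
        "rcode": flags & 0x000F,
        "answers": an,
    }

def audit(role: str, message: bytes) -> list:
    """Findings for a response from a server with the given role
    ('authoritative' or 'caching'; role names are this example's own)."""
    h = parse_flags(message)
    if not h["response"]:
        return ["not a response"]
    findings = []
    if role == "authoritative" and h["ra"]:
        findings.append("authoritative server offers recursion (RA=1)")
    if role == "caching" and not h["ra"]:
        findings.append("caching server does not offer recursion (RA=0)")
    if h["tc"]:
        findings.append("truncated over UDP (TC=1): client will retry over TCP port 53")
    return findings

def header(flags: int, answers: int = 0) -> bytes:
    """Build a constructed 12-byte header for the samples below."""
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)

# Constructed sample responses (headers only), not captured traffic.
SAMPLES = [
    ("authoritative", header(QR | AA | RD, 1)),       # as intended: AA=1, RA=0
    ("authoritative", header(QR | AA | RD | RA, 1)),  # recursion left enabled
    ("caching", header(QR | RD | RA, 1)),             # as intended: RA=1
    ("caching", header(QR | RD | RA | TC, 0)),        # answer did not fit in UDP
]

if __name__ == "__main__":
    for role, msg in SAMPLES:
        print(role, audit(role, msg) or "ok")
```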





More information about the bind-users mailing list