DNS Hardware/Software Platform & Tools

Brad Knowles brad.knowles at skynet.be
Thu Sep 20 21:55:34 UTC 2001


At 5:01 PM -0400 9/20/01, Gaines, Rhonda wrote:

>                      The external DNS is an IBM RS/6000 397 running AIX 4.3.2
>  (Sprint is the secondary for the external).  We're currently running bind
>  8.2.2-P5 on all 3 DNS servers.  I definitely would like to stay with Unix
>  although not necessarily IBM or AIX.

	You should upgrade, preferably to version 8.2.4-REL at the very 
least.  The version you have is subject to root exploits.  See 
<http://www.cert.org/advisories/CA-2001-02.html> for more info.

>  My questions are:
>  1) what hardware/software platform are list members running DNS on?

	There's a difference between what we have, and what we would 
recommend.  Some of us are running software on machines & OSes that 
we consider to be very sub-optimal.


	Now, if you ask what I recommend, personally I would suggest 
taking a long and very hard look at FreeBSD on some type of x86 
hardware.  Of all the freely available versions of *nix, IMO this is 
the best and easiest with which to build a production-grade server. 
But of course, that's just a personal opinion.

	Failing that, if you want to stick with a commercial OS, AIX is 
not necessarily a bad choice -- some of the most heavily used 
nameservers in the world are running on AIX (I think 
a.root-servers.net runs on AIX, doesn't it?), and doing so quite 
nicely.  Generally speaking, my personal preference in a commercial 
OS would be for Solaris, but knowing what I know about AIX and how it 
can be configured to run as a high-speed authoritative server, I'd 
have to give it a hard look.  The same is true for HP-UX.

>  2) what version of BIND are you using?

	Same answer here.

	Again, what I'd recommend is using version 8.2.4-REL (if you tend 
to be more conservative and refuse to run anything that is not 
suitable for use on the root nameservers), or 9.1.3-REL (with 
9.2.0-REL soon to come out) if you are a bit more adventurous.

>  3) if you had a wish list, what hardware, software, and DNS software version
>  would you use and what troubleshooting tools, if any, would you buy?

	Hardware?  I hate to say it, but my personal experience is that 
Dell makes pretty solid machines.  I like their 2450 models, because 
they give you lots of RAM, two CPUs, and lots of disk drives in a 
small form factor (just two "rack units", or 2U).

	Software?  Well, what software do you need other than the 
nameserver?  If you're talking about tools to use in conjunction with 
the nameserver, perhaps to help you manage the DNS for a large 
network, I'd take a long and hard look at the tools listed at 
<http://www.isc.org/products/BIND/vendorware.html>, as well as 
QuickDNS Manager from Men & Mice (see 
<http://www.menandmice.com/2000/2200_quick_dns.html>).  Note that the 
previous QuickDNS product had its own integrated nameserver software, 
while QuickDNS Manager will work with a stock version of BIND.

	Name server software?  I most likely would not be looking at 
anything that wasn't either BIND 8.2.4-REL or 9.1.3-REL (or the 
latest release of the current version, whatever that may be at the 
time you are reading this), or based on these versions.  Of the 
commercial tools, if they weren't built around a modern core of BIND 
(e.g., 8.2.4-REL or 9.1.3-REL), then I'd have to think long and hard 
about the package before allowing it to go on my list.

	Debugging tools?  Well, for freeware, doc and dnswalk are pretty 
good (get the latest version of doc from my site at 
<ftp://ftp.shub-internet.org/pub/shub/brad/dns/>, and dnswalk from 
<http://sourceforge.net/projects/dnswalk/>).  The latest versions of 
these tools should hopefully be included in the latest releases of 
BIND.  BIND also includes other debugging tools, such as "host".

	For commercial debugging tools, I have not seen anything that 
comes anywhere remotely close to DNS Expert Professional, from Men & 
Mice (see <http://www.menandmice.com/2000/2100_dns_expert.html>). 
IMO, the only flaw in this tool is the fact that it is a commercial 
program.

	You didn't mention consulting or training, but these are areas 
you may also be interested in.  Both Nominum (the company that wrote 
BIND 9 under contract to the ISC) and Men & Mice offer both 
consulting and training, and I think very highly of both companies.

>  This may be a bit difficult without knowing the load of our DNS servers, but
>  at least give me a ball park idea of where to start.

	As the current maintainer of doc, please let me know if you have 
any other questions about this particular tool.

-- 
Brad Knowles, <brad.knowles at skynet.be>
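
The upgrade advice in the message above, turned into an inventory check (an added example, not part of the original post or of BIND). It assumes each server's version string has already been collected, for instance from `named -v` or a `version.bind` CHAOS TXT query against your own servers. The host names, sample strings and status labels are constructed for illustration.

```python
import re

# Minimum releases recommended in the post, per major line: 8.2.4-REL and 9.1.3-REL.
RECOMMENDED = {8: (8, 2, 4), 9: (9, 1, 3)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-?([A-Za-z]+)(\d*))?")
FINAL_TAGS = {"", "REL", "P"}  # anything else (rc, b, T, ...) is treated as a pre-release

def parse_bind_version(text):
    """Return ((major, minor, patch), TAG, tag_number), or None if no version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0)), (tag or "").upper(), int(num or 0)

def check(text):
    """Classify a reported version string as 'ok', 'upgrade' or 'unknown'."""
    parsed = parse_bind_version(text)
    if parsed is None:
        return "unknown"  # version string hidden or overridden by the operator
    release, tag, _ = parsed
    floor = RECOMMENDED.get(release[0])
    if floor is None:
        # Older than both recommended lines, or a line the post does not cover.
        return "upgrade" if release[0] < 8 else "unknown"
    if release < floor:
        return "upgrade"
    if release == floor and tag not in FINAL_TAGS:
        return "upgrade"  # pre-release of the baseline itself
    return "ok"

def audit(inventory):
    """Map each host to its status."""
    return {host: check(reported) for host, reported in inventory.items()}

# Constructed inventory: host names and reported strings are sample data.
SAMPLE = {
    "ns-ext.example.com": "8.2.2-P5",
    "ns-int1.example.com": "8.2.4-REL",
    "ns-int2.example.com": "9.1.3rc1",
    "ns-lab.example.com": "9.1.3-REL",
    "ns-old.example.com": "surely you must be joking",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:22} {SAMPLE[host]!r:30} {status}")
```

A result of "unknown" means the reported string carries no usable version, so that host has to be checked on the machine itself.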



More information about the bind-users mailing list