Starting new server + needing some advice on BIND

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 8 01:55:43 UTC 2002


Mantorok wrote:

> Hello,
>
> I just started a server and I'd like to know a few specific things because I
> want to run a nameserver myself... (not delegated by the registrar's) but
> I'm confused about a few things although I can very easily set up things
> within PLESK administrator:

So you just want to run a nameserver for your own clients, right? I assume
that's what you mean by "not delegated by the registrar's".

> So what I want to know is:
>
> - how do I make sure that my name server works (do I have to allow any ports
> open for others to allow for resolving?) because every port other than a few
> is closed by the firewall...

You'll need to open outbound destination port 53 for your nameserver's queries
and inbound source port 53 for the replies coming back. The source port for the
queries and the destination port for the replies will be a randomly-selected
port in the non-reserved range, unless it is explicitly locked by the
"query-source" option in the nameserver.

> - how do I verify that when I surf with my server or go on IRC, my name
> doesn't resolve to any www.blah.be (because there's lots of anti-spam measures
> against that; I'd rather want to resolve my main server to something like
> core.blah.be, and be able for users to type in www.blah.be). That's done with
> the CNAME command, no?

Now you seem to be talking about hosting your own DNS information. How are you
going to do that without being "delegated by the registrar's"?

In any case, if you have control over your reverse (address-to-name) DNS
namespace, you could have the reverse record for your address map to
core.blah.be, with www.blah.be being just an alias (CNAME) to that.

> - I've heard that I have to set "recursion up" but i'm not clear what that
> means...

BIND does recursion by default, so unless you explicitly restrict it, it should
already work. You should not allow recursion for arbitrary Internet clients,
however, since that can lead to Denial-of-Service attacks and other nastiness.
In fact, you might want to restrict query access altogether to clients in your
own address range (via "allow-query") or, on a multi-homed box, have your
nameserver listen only on the internal interface (using "listen-on").
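As an added illustration, not part of this thread: a small Python check over two constructed named.conf fragments, one left open the way Kevin warns against and one restricted with "allow-recursion", "allow-query" and "listen-on" as he suggests. The option names are BIND's own; the "internal" ACL, the 192.0.2.0/24 addresses and the audit function are constructed here, and the check assumes the BIND 9.2-era defaults (recursion on, queries accepted from anyone unless restricted).

```python
import re

# Constructed named.conf fragments for this example, not from the original post.
OPEN_RESOLVER = """
options {
    recursion yes;
    allow-query { any; };
};
"""

RESTRICTED = """
acl "internal" { 192.0.2.0/24; 127.0.0.1; };
options {
    listen-on { 192.0.2.1; };
    query-source address * port 53;
    recursion yes;
    allow-recursion { "internal"; };
    allow-query { "internal"; };
};
"""

def _options_body(conf):
    """Body of the options { ... }; statement, or "" if it is missing."""
    m = re.search(r'\boptions\s*\{(.*?)\n\};', conf, re.S)
    return m.group(1) if m else ""

def _address_list(body, name):
    """Entries of an address-list option such as allow-query { a; b; };, else None."""
    m = re.search(r'\b%s\s*\{([^}]*)\}\s*;' % name, body)
    if m is None:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    # Returns a list of findings about the options block of a named.conf string.
    body = _options_body(conf)
    findings = []
    rec = re.search(r'\brecursion\s+(yes|no)\s*;', body)
    recursion_on = rec is None or rec.group(1) == "yes"  # recursion is on by default
    allow_rec = _address_list(body, "allow-recursion")
    allow_q = _address_list(body, "allow-query") or ["any"]  # unset means any client
    # Assumption: without allow-recursion, recursion is open to whoever may query.
    if recursion_on and "any" in (allow_rec if allow_rec is not None else allow_q):
        findings.append("open recursion: add allow-recursion (or allow-query) for your own clients")
    if "any" in allow_q:
        findings.append("allow-query permits any client: restrict to your own address range")
    if _address_list(body, "listen-on") is None:
        findings.append("listen-on unset: named answers on every interface")
    if re.search(r'\bquery-source\b[^;]*\bport\s+53\b', body):
        findings.append("query-source locks the source port to 53; firewall rules must match")
    return findings
```

The last finding is informational: pinning the source port is what makes the fixed inbound/outbound port-53 firewall rules from the first answer sufficient.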

> - If I also have a domain name like test.be, do I have to set an IN NS
> to the main name server on ns.blah.be?

I'm not sure I understand the question. You should only have NS records in your
zones for the zones themselves and any child zones that they delegate. Since
test.be is not a child zone of blah.be, I don't see any reason why you'd need
NS records...

> Maybe can I read a text for dummies on this subject somewhere (like setting
> up your server in x steps for dummies) on the internet?

The "bible" for DNS and BIND is the _DNS_and_BIND_ book (4th Edition) from
O'Reilly. If you _really_ want to read this online, you can do so, for a
charge, via Safari (http://safari.oreilly.com).


- Kevin
