Should I run my own DNS service with BIND9?

I was/am running a multiple site Drupal install on a cheap shared host that has exceptionally bad performance. So, I have decided to move up a rung or three and picked up a Linode 360. I am using the Ubuntu 6.06 image and I hope to teach myself how to go beyond configuring the web application and dig into the configuration of a LAMP server AND what it is serving (I do have experience with building an Ubuntu LAMP server hosting a small intranet on a LAN).

I am looking for advice on the best options to configure the web server. The situation is that I have a few domain names registered with a registrar that allows me to add/edit sub-domains, A-Records, CNAMEs, and MX Records.

One question I have is should I set up and use my own DNS server on my Linode 360 account? Or should I continue on using the Linode name servers in place of the registrar's and forward the domains with a CNAME? What are the benefits and drawbacks of running my own DNS server?

Another question is security. As mentioned, I have set up a LAMP server before, but they are behind corporate firewalls, so there has not been any effort put into locking them down aside from changing default password settings for MySQL. Since the Ubuntu LAMP server comes with all ports shut down except those required to host a web site, I have read that there is no reason for any firewall. Is this correct?

Any other suggestions and or opinions greatly appreciated.

Thanks
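Whether a host "comes with all ports shut down" is something to verify rather than assume, since every package you add (a name server, a database, a mail daemon) can open a new listener. The script below is an added example, not something posted in this thread: it parses the output of `ss -H -tulnp` (modern iproute2 assumed; a constructed sample is embedded so it runs offline) and reports every socket bound to a non-loopback address whose protocol and port are not on an allowlist of services meant to be reachable from the internet. The allowlist (SSH, HTTP, HTTPS) is an assumption for a typical web host; a database bound only to 127.0.0.1 is not flagged, a name server bound to 0.0.0.0 is.

```python
import subprocess
from dataclasses import dataclass

# Services that are supposed to be reachable from outside (assumed for a LAMP host).
DEFAULT_ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Constructed sample in the layout of `ss -H -tulnp` (no header line).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("apache2",pid=1201,fd=4))
tcp   LISTEN 0      511             [::]:80           [::]:*    users:(("apache2",pid=1201,fd=6))
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=990,fd=21))
tcp   LISTEN 0      128          0.0.0.0:53        0.0.0.0:*    users:(("named",pid=1402,fd=20))
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*    users:(("named",pid=1402,fd=512))
"""


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # local address as printed by ss, e.g. "0.0.0.0", "[::]", "127.0.0.1"
    port: int
    process: str    # process name from the users:(...) column, "?" if not shown


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -H -tulnp` lines into Listener records (malformed lines are skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:80" and "*:80" as well
        if not port.isdigit():
            continue
        process = "?"
        if 'users:(("' in line:
            process = line.split('users:(("', 1)[1].split('"', 1)[0]
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unexpected_exposures(listeners, allowed=frozenset(DEFAULT_ALLOWED)) -> list[Listener]:
    """Listeners reachable on a non-loopback address that are not on the allowlist."""
    return [l for l in listeners
            if not is_loopback(l.addr) and (l.proto, l.port) not in allowed]


def live_listeners() -> list[Listener]:
    """Run ss on the current host (requires iproute2; ports under 1024 still show without root)."""
    out = subprocess.run(["ss", "-H", "-tulnp"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    for l in unexpected_exposures(parse_ss(SAMPLE_SS)):
        print(f"exposed: {l.proto}/{l.port} on {l.addr} ({l.process})")
```

Run it against `live_listeners()` instead of the sample to audit a real host; anything it prints is either a service you meant to publish (add it to the allowlist) or a candidate for binding to loopback, removing, or filtering with a host firewall.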

6 Replies

@kpm:

> I am looking for advice on the best options to configure the web server. The situation is that I have a few domain names registered with a registrar that allows me to add/edit sub-domains, A-Records, CNAMEs, and MX Records.
>
> One question I have is should I set up and use my own DNS server on my Linode 360 account? Or should I continue on using the Linode name servers in place of the registrar's and forward the domains with a CNAME? What are the benefits and drawbacks of running my own DNS server?

I think the two biggest drawbacks of running your own DNS server are (a) the headache/outages when you have to change name server IPs and (b) BIND security.

When space opens up, I will be moving my Linode to a datacenter closer to my new home, which requires a new IP address. There is at least 1 - 2 days of confusion when a name server's IP is updated. This can mean lost or delayed email and an unreachable host. IMHO, you want to go through this pain as infrequently as possible.

On security, inevitably someone finds another remotely-exploitable security hole in BIND. If you eliminate a daemon, it's just one less thing to think about and maintain (and if you happen to be traveling in Tibet when the hole is discovered, you don't have to worry so much).

> When space opens up, I will be moving my Linode to a datacenter closer to my new home, which requires a new IP address. There is at least 1 - 2 days of confusion when a name server's IP is updated. This can mean lost or delayed email and an unreachable host.

This is why you have backup DNS servers, so long as those are running at the same addresses you won't have any DNS issues during the transition. If you have services that are only running on your Linode and you change IP addresses, yes, you will have some downtime.

To answer your question, the only reason I run my own DNS server is because I'm using features that aren't offered by the various DNS providers out there. This includes LOC, SRV, and AAAA (IPv6) records, along with dynamic DNS. The other advantage is this allows you to easily change your (backup) DNS provider without having to re-enter all of your DNS entries via a web interface. I guess this ties into the bulk updates argument as well.

Drawbacks: it's ugly and more complex. BIND is not very user friendly when it comes to telling you that you have a problem with your config files. And yes, it has a history of security issues, but they will get fixed just like any other packages you have installed; be sure to get your updates. But you don't have to use BIND; there are other nameservers you can run on Linux that might not be as painful.

Zoneedit.com does all those things, free for the first 5 zones. But yeah, there's a certain point of complexity where it is easier to just run BIND9 yourself. But it's pretty far up the scale.

It's funny how everyone complains about how hard it is to run your own DNS server. I found configuring mail to be way more complicated / scary.

If you screw up your DNS it just doesn't work; if you screw up your mail server you become an open relay and a potential spammer. This terrified me more than a busted DNS server, yet no one seems to have an issue with setting up their own mail server.

I find this logic strange.

I would certainly agree that configuring DNS (BIND9, anyway) is a lot easier than running your own mail server. OTOH, there's very little value in running your own DNS; there are no policy issues, it's just lookups in a table, basically. There are several reliable, free DNS providers, not to mention most registrars, these days. There are advantages to having DNS not be dependent on your own servers running. In the worst case, it's not too hard to move your DNS to another system/provider.

Mail, on the other hand, has huge policy and privacy issues. I'd guess a lot of us have been burned by ISP mail servers, and simply don't (or won't) trust anyone else to do it the way we want it done. So while it requires more knowledge and effort to run a mail server than a DNS server, the (perceived) benefit is also much higher.

To be honest, I am also planning to run a Drupal multisite installation of my own.

But instead of running my own DNS and SMTP services, I chose not to. DNS is provided by the registrar and mail is handled by Google via Google Apps. This way I am only focusing on the HTTP service; maintenance seems much easier from this point.

I can't tell if this is a reliable solution, but I am giving it a shot to see if it works.
