Should I run my own DNS service with BIND9?
I am looking for advice on the best options to configure the web server. The situation is that I have a few domain names registered with a registrar that allows me to add/edit sub-domains, A-Records, CNAMEs, and MX Records.
One question I have is should I set up and use my own DNS server on my Linode 360 account? Or should I continue on using the Linode name servers in place of the registrar's and forward the domains with a CNAME? What are the benefits and drawbacks of running my own DNS server?
Another question is security. As mentioned, I have set up a LAMP server before, but they are behind corporate firewalls, so there has not been any effort put into locking them down aside from changing default password settings for MySQL. Since the Ubuntu LAMP server comes with all ports shut down except those required to host a web site, I have read that there is no reason for any firewall. Is this correct?
Any other suggestions and/or opinions are greatly appreciated.
Thanks
6 Replies
@kpm:
> I am looking for advice on the best options to configure the web server. The situation is that I have a few domain names registered with a registrar that allows me to add/edit sub-domains, A-Records, CNAMEs, and MX Records.
> One question I have is should I set up and use my own DNS server on my Linode 360 account? Or should I continue on using the Linode name servers in place of the registrar's and forward the domains with a CNAME? What are the benefits and drawbacks of running my own DNS server?
I think the two biggest drawbacks of running your own DNS server are (a) the headache/outages when you have to change name server IPs and (b) BIND security.
When space opens up, I will be moving my Linode to a datacenter closer to my new home, which requires a new IP address. There is at least 1 - 2 days of confusion when a name server's IP is updated. This can mean lost or delayed email and an unreachable host. IMHO, you want to go through this pain as infrequently as possible.
On security, inevitably someone finds another remotely-exploitable security hole in BIND. If you eliminate a daemon, it's just one less thing to think about and maintain (and if you happen to be traveling in Tibet when the hole is discovered, you don't have to worry so much).
> When space opens up, I will be moving my Linode to a datacenter closer to my new home, which requires a new IP address. There is at least 1 - 2 days of confusion when a name server's IP is updated. This can mean lost or delayed email and an unreachable host.
This is why you have backup DNS servers; so long as those are running at the same addresses, you won't have any DNS issues during the transition. If you have services that are only running on your Linode and you change IP addresses, yes, you will have some downtime.
To answer your question, the only reason I run my own DNS server is because I'm using features that aren't offered by the various DNS providers out there. This includes LOC, SRV, and AAAA (IPv6) records, along with dynamic DNS. The other advantage is this allows you to easily change your (backup) DNS provider without having to re-enter all of your DNS entries via a web interface. I guess this ties into the bulk updates argument as well.
Drawbacks: it's ugly and more complex. BIND is not very user friendly when it comes to telling you that you have a problem with your config files. And yes, it has a history of security issues, but they will get fixed just like any other packages you have installed; be sure to get your updates. But you don't have to use BIND; there are other nameservers you can run on Linux that might not be as painful.
If you screw up your DNS, it just doesn't work; if you screw up your mail server, you become an open relay and a potential spammer. This terrified me more than a busted DNS server, yet no one seems to have an issue with setting up their own mail server.
I find this logic strange.
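As an added illustration of the points raised above (backup servers at stable addresses, the SRV/AAAA/LOC records mentioned, and keeping the exposed BIND surface small), here is a minimal BIND9 primary/secondary configuration. It is example config written for this page, not anything posted in the thread; example.com and the 192.0.2.x / 198.51.100.x / 2001:db8:: addresses are documentation ranges, not real hosts.

```conf
// --- named.conf on the primary (ns1) ---
// Constructed example; hosts and addresses are placeholders.
acl "secondaries" { 198.51.100.53; 2001:db8:53::1; };

options {
    directory "/var/cache/bind";
    recursion no;                  // authoritative only: never an open resolver
    allow-query { any; };          // anyone may ask about our zones...
    allow-transfer { none; };      // ...but nobody may copy them by default
    version "not disclosed";       // don't advertise the exact BIND release
    notify explicit;               // notify only the hosts listed below
    also-notify { 198.51.100.53; 2001:db8:53::1; };
};

zone "example.com" {
    type primary;                  // "type master;" on BIND before 9.16
    file "/etc/bind/db.example.com";
    allow-transfer { secondaries; };   // AXFR/IXFR only to the backup servers
};

// --- named.conf on a secondary (ns2) ---
// The backup pulls the zone, so moving the primary to a new IP means
// editing this one line, not re-entering every record by hand.
zone "example.com" {
    type secondary;                // "type slave;" on BIND before 9.16
    file "/var/cache/bind/db.example.com";
    primaries { 192.0.2.53; };     // "masters" on older releases
    allow-transfer { none; };
};

; --- /etc/bind/db.example.com on the primary ---
$TTL 3600
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 ; serial: bump on every change or secondaries won't refresh
                3600       ; refresh: how often secondaries check the serial
                900        ; retry
                1209600    ; expire: secondaries keep serving for 2 weeks if ns1 is gone
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.       ; backup at a second provider/address
        IN MX   10 mail.example.com.
ns1     IN A    192.0.2.53
ns2     IN A    198.51.100.53
www     IN A    192.0.2.80
www     IN AAAA 2001:db8::80           ; IPv6, one of the records the thread mentions
_sip._tcp IN SRV 10 5 5060 sip.example.com.   ; priority weight port target
sip     IN A    192.0.2.60
@       IN LOC  52 22 23.000 N 4 53 32.000 E -2.00m 1m 10000m 10m
```

Run `named-checkconf` and `named-checkzone example.com /etc/bind/db.example.com` before reloading; they report the syntax errors that named itself is poor at explaining.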
Mail, on the other hand, has huge policy and privacy issues. I'd guess a lot of us have been burned by ISP mail servers, and simply don't (or won't) trust anyone else to do it the way we want it done. So while it requires more knowledge and effort to run a mail server than a DNS server, the (perceived) benefit is also much higher.
But instead of running my own DNS and SMTP services, I chose not to do it. DNS is provided by the registrar and mail is handled by Google via Google Apps. This way I am only focusing on the HTTP service; maintenance seems much easier from this point.
I can't tell if this is a reliable solution, but I am giving it a shot to see if it works.