FAQ
Hi folks,

As a breather from the
"thread-now-wider-than-my-headers-window-in-thunderbird" conversation
re: mixing repos, I have a question regarding a machine I'm about to put
online. :)

I run a web hosting company and my secondary (primary to the world) DNS
box died from a massive rootkit/hack last night. It was running an old
Slackware 9.1 installation and I will be completely cleaning those
drives sector-by-sector. After which I'll be installing CentOS 5 on
that hardware.

As it will be a production server and this is my first foray into
CentOS/SELinux in a production environment I was hoping to get a
recommended list of what to include and, more specifically, what *not*
to include from the distro CDs

I will be doing a text based install, hoping to avoid the installation
of X. Other than BIND and vsftpd, I don't think I need much. This
machine will be pulling zone files from my primary web server and
storing some archive files and backups for me.

I'm diligently R`ingTFMs, and will continue to.... I'd sure be
appreciative of any jumpstart help and/or any pitfalls of which to be
cognizant.

TIA,
~Ray


  • Pctech at Aug 2, 2007 at 3:07 pm
    Hi folks,

    As a breather from the
    "thread-now-wider-than-my-headers-window-in-thunderbird" conversation
    re: mixing repos, I have a question regarding a machine I'm about to put
    online. :)

    I run a web hosting company and my secondary (primary to the world) DNS
    box died from a massive rootkit/hack last night. It was running an old
    Slackware 9.1 installation and I will be completely cleaning those
    drives sector-by-sector. After which I'll be installing CentOS 5 on
    that hardware.

    As it will be a production server and this is my first foray into
    CentOS/SELinux in a production environment I was hoping to get a
    recommended list of what to include and, more specifically, what *not*
    to include from the distro CDs

    I will be doing a text based install, hoping to avoid the installation
    of X. Other than BIND and vsftpd, I don't think I need much. This
    machine will be pulling zone files from my primary web server and
    storing some archive files and backups for me.

    I'm diligently R`ingTFMs, and will continue to.... I'd sure be
    appreciative of any jumpstart help and/or any pitfalls of which to be
    cognizant.

    -----------------------------------------------------------------

    Sorry for my broken ass webmail, but I don't have access to a real mail client at the moment.


    Personally I would recommend against installing any service that isn't absolutely necessary. Such as FTP. On a DNS server, if that's all it is going to be, there is no need for FTP services. If you need to upload things to the server, use scp, which is a part of SSH. The install is going to add a lot of services that you probably won't need on the server, such as sendmail. Shut down any service that you don't need. The fewer services running the fewer attack vectors. You will never get it "hack proof". What you will get is something that "script kiddies" may not bother with in favor of easier targets. Like the old saying goes, "You don't have to run faster than the cheetah. You just have to run faster than the man running next to you."

    I would also, if possible, disallow root logins to the server via SSH. Configure it so that you have to log in as a normal restricted user and then su to root.

    ------------------------------------------------------------------

    TIA,
    ~Ray
    _______________________________________________
    CentOS mailing list
    CentOS@centos.org
    http://lists.centos.org/mailman/listinfo/centos
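    The two recommendations in the reply above (run only the services the box needs, and refuse direct root logins over SSH) are easy to turn into a repeatable audit. The script below is an added example written for this thread, not code from the poster or from CentOS: it parses text in the format of `chkconfig --list` and of `sshd_config` (the sample inputs are constructed), lists enabled services that are not on an allow-list, and reports whether `PermitRootLogin` is effectively set. The allow-list and the assumption that an absent `PermitRootLogin` means "yes" (the OpenSSH 4.x default shipped with CentOS 5) are this example's own.

```python
"""Audit a minimal CentOS 5 DNS host: unneeded SysV services and root SSH login.
Added example for this thread, not code from the poster or the distribution."""

# Constructed sample of `chkconfig --list` output (whitespace-separated columns).
CHKCONFIG_LIST = """\
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:  off
"""

# Services a slave DNS host actually needs (assumption for this example; extend as required).
ALLOWED = {"named", "sshd", "network", "syslog", "crond", "iptables"}

# Constructed sample /etc/ssh/sshd_config; the stock CentOS 5 file ships PermitRootLogin commented out.
SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""


def enabled_at_runlevel(chkconfig_text, runlevel=3):
    """Sorted names of SysV services that are 'on' at the given runlevel."""
    enabled = []
    for line in chkconfig_text.splitlines():
        parts = line.split()
        # SysV entries: name followed by seven "N:on|off" columns; xinetd lines do not match.
        if len(parts) < 8 or not parts[1][:1].isdigit():
            continue
        states = dict(p.split(":", 1) for p in parts[1:8])
        if states.get(str(runlevel)) == "on":
            enabled.append(parts[0])
    return sorted(enabled)


def unexpected_services(chkconfig_text, allowed=ALLOWED, runlevel=3):
    """Enabled services missing from the allow-list, plus the commands that would disable them."""
    extra = [s for s in enabled_at_runlevel(chkconfig_text, runlevel) if s not in allowed]
    return extra, [f"chkconfig {s} off" for s in extra]


def effective_value(config_text, keyword, default):
    """sshd honours the first active occurrence of a keyword; commented lines do not count."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return default


def set_directive(config_text, keyword, value):
    """Rewrite the first active line for keyword, comment out later duplicates, or append it."""
    out, done = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        parts = stripped.split(None, 1)
        if stripped and not stripped.startswith("#") and parts[0].lower() == keyword.lower():
            if done:
                out.append("#" + line)  # sshd would ignore this later duplicate anyway
                continue
            out.append(f"{keyword} {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{keyword} {value}")
    return "\n".join(out) + "\n"


def root_login_permitted(config_text):
    # Assumption: OpenSSH 4.x (CentOS 5) treats a missing PermitRootLogin as "yes".
    return effective_value(config_text, "PermitRootLogin", "yes").lower() != "no"


if __name__ == "__main__":
    extra, cmds = unexpected_services(CHKCONFIG_LIST)
    print("unexpected services:", extra, cmds)
    print("root login permitted:", root_login_permitted(SSHD_CONFIG))
    hardened = set_directive(SSHD_CONFIG, "PermitRootLogin", "no")
    print("after hardening:", root_login_permitted(hardened))
```

    On a real box the inputs come from `chkconfig --list` and `/etc/ssh/sshd_config`; the script only reports and prints the `chkconfig ... off` commands, so the operator decides what to disable.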
  • Robert Moskowitz at Aug 22, 2007 at 11:52 am
    I want to share my DNS experience.

    htt-consult.com
    labs.htt-consult.com

    and a couple test sub zones, are being served from this box.

    I installed EVERYTHING that bespoke of BIND, well almost everything. I
    wanted to make sure I had any file I might need.

    [log]#grep bind rpmpkgs

    bind-9.3.3-9.0.1.el5.i386.rpm
    bind-chroot-9.3.3-9.0.1.el5.i386.rpm
    bind-libs-9.3.3-9.0.1.el5.i386.rpm
    bind-utils-9.3.3-9.0.1.el5.i386.rpm
    system-config-bind-4.0.3-2.el5.centos.noarch.rpm

    [log]# grep bind yum.log
    Aug 03 18:00:20 Updated: bind-libs.i386 30:9.3.3-9.0.1.el5
    Aug 03 18:01:07 Updated: bind.i386 30:9.3.3-9.0.1.el5
    Aug 03 18:04:47 Updated: bind-utils.i386 30:9.3.3-9.0.1.el5
    Aug 03 18:04:48 Updated: bind-chroot.i386 30:9.3.3-9.0.1.el5

    Then I went to work in the following directories:

    /var/named/chroot/ etc and var/named

    I have determined that you can forget about any named.whatever file in
    /etc/ as the chroot is really what is run.

    Here is my /var/named/chroot/etc (I have 2 views, external and internal):

    named.rfc1912.zones (to find this and others, remember updatedb and
    locate are your friends)
    named.acl
    named.external
    named.root <- wget ftp://ftp.rs.internic.net/domain/named.root
    named.root.hints
    named.caching-nameserver.conf <- not used, but what the heck...
    named.internal
    named.conf
    rndc.key

    Here is some of my /var/named/chroot/var/named files:

    named.broadcast
    named.ip6.local
    named.local
    named.zero
    localdomain.zone
    localhost.zone
    Plus all of my specific zone and reverse files, both internal and
    external views.

    Once I got this all built, I have had no trouble maintaining this with
    webmin.

    I think this covers everything.

    Happy BINDings!
  • Feizhou at Aug 2, 2007 at 3:08 pm

    As it will be a production server and this is my first foray into
    CentOS/SELinux in a production environment I was hoping to get a
    recommended list of what to include and, more specifically, what *not*
    to include from the distro CDs

    I will be doing a text based install, hoping to avoid the installation
    of X. Other than BIND and vsftpd, I don't think I need much. This
    machine will be pulling zone files from my primary web server and
    storing some archive files and backups for me.
    Custom install and remove every package that you can except for bind,
    openssh-server, vsftpd and whatever you use for archiving and backups
    should do the trick.
  • Ray Leventhal at Aug 2, 2007 at 3:12 pm

    Feizhou wrote:
    As it will be a production server and this is my first foray into
    CentOS/SELinux in a production environment I was hoping to get a
    recommended list of what to include and, more specifically, what *not*
    to include from the distro CDs

    I will be doing a text based install, hoping to avoid the installation
    of X. Other than BIND and vsftpd, I don't think I need much. This
    machine will be pulling zone files from my primary web server and
    storing some archive files and backups for me.
    Custom install and remove every package that you can except for bind,
    openssh-server, vsftpd and whatever you use for archiving and backups
    should do the trick.
    Thank you Feizhou. I'm hoping it's exactly that easy.

    Regards,
    ~Ray
  • Feizhou at Aug 2, 2007 at 3:18 pm

    Ray Leventhal wrote:
    Feizhou wrote:
    As it will be a production server and this is my first foray into
    CentOS/SELinux in a production environment I was hoping to get a
    recommended list of what to include and, more specifically, what *not*
    to include from the distro CDs

    I will be doing a text based install, hoping to avoid the installation
    of X. Other than BIND and vsftpd, I don't think I need much. This
    machine will be pulling zone files from my primary web server and
    storing some archive files and backups for me.
    Custom install and remove every package that you can except for bind,
    openssh-server, vsftpd and whatever you use for archiving and backups
    should do the trick.
    Thank you Feizhou. I'm hoping it's exactly that easy.
    The installer will not let you remove packages that are in the 'Base'
    group. If you remove any package that bind, vsftpd or openssh-server
    needs, it will tell you later and ask you whether you want to ignore or
    install all dependencies and so you should safely get a working system.
  • Jim Perrin at Aug 2, 2007 at 3:16 pm

    On 8/2/07, Ray Leventhal wrote:

    I'm diligently R`ingTFMs, and will continue to.... I'd sure be
    appreciative of any jumpstart help and/or any pitfalls of which to be
    cognizant.
    2 recent pitfalls for bind on RHEL5.
    1st being that upstream has removed the default configs for bind. This
    was apparently intentional. See
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id#4508 for more
    information

    also, the last bind update modified some file permissions such that
    ldap doesn't start correctly afterwards, so if you're running bind and
    ldap on the same box, beware.


    --
    During times of universal deceit, telling the truth becomes a revolutionary act.
    George Orwell
  • Ray Leventhal at Aug 2, 2007 at 3:20 pm

    Jim Perrin wrote:
    2 recent pitfalls for bind on RHEL5.
    1st being that upstream has removed the default configs for bind. This
    was apparently intentional. See
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id#4508 for more
    information

    also, the last bind update modified some file permissions such that
    ldap doesn't start correctly afterwards, so if you're running bind and
    ldap on the same box, beware.
    Thank you, Jim. I've got the bugzilla link onscreen now and am
    reading. Also, thanks for the ldap and bind warning. Good to know, but
    happily, it's not part of my schema.

    Again, my thanks,
    ~Ray
  • Jay Lee at Aug 2, 2007 at 5:16 pm

    Ray Leventhal wrote:
    As a breather from the
    "thread-now-wider-than-my-headers-window-in-thunderbird" conversation
    re: mixing repos, I have a question regarding a machine I'm about to put
    online. :)

    I run a web hosting company and my secondary (primary to the world) DNS
    box died from a massive rootkit/hack last night. It was running an old
    Slackware 9.1 installation and I will be completely cleaning those
    drives sector-by-sector. After which I'll be installing CentOS 5 on
    that hardware.
    CentOS 5 is a .0 release, you might be better served using CentOS 4.5
    which has had much more time to prove itself as a DNS Server. 4.5 also
    has a good bit of time left on updates too (till Feb 29th, 2012) so you
    shouldn't worry too much about it becoming obsolete.
    As it will be a production server and this is my first foray into
    CentOS/SELinux in a production environment I was hoping to get a
    recommended list of what to include and, more specifically, what *not*
    to include from the distro CDs
    As others have said, start with a bare minimal install and add as you
    need to. Unless you do a custom kickstart, you'll certainly want to go
    through and remove some of the packages that are in the default install
    but aren't really necessary for a single task server (e.g. bluez-utils,
    NetworkManager, etc).
    I will be doing a text based install, hoping to avoid the installation
    of X. Other than BIND and vsftpd, I don't think I need much.
    Why do you need vsftpd? Plain text FTP could prove very dangerous.
    Maybe you should take this chance to switch over to something more
    secure like SFTP. The nice thing about sftp is it's up and running
    straight out of the box since SSH is enabled by default.
    This
    machine will be pulling zone files from my primary web server and
    storing some archive files and backups for me.

    I'm diligently R`ingTFMs, and will continue to.... I'd sure be
    appreciative of any jumpstart help and/or any pitfalls of which to be
    cognizant.
    Good luck,

    Jay

    --
    Jay Lee <jlee@pbu.edu>
    Network/Systems Administrator
    Information Technology Department
    Philadelphia Biblical University
    --
  • Brian Mathis at Aug 2, 2007 at 5:35 pm
    On 8/2/07, Jay Lee wrote:
    [...]
    CentOS 5 is a .0 release, you might be better served using CentOS 4.5
    which has had much more time to prove itself as a DNS Server. [...]
    Jay
    Please don't propagate this idea. That is very "Windows wait for
    service pack 1" way of thinking. Linuxes actually go through
    extensive pre-release public beta testing, the kind of stuff Microsoft
    does on its .0 releases. When a new CentOS release lands, it has
    landed.
  • Les Mikesell at Aug 2, 2007 at 5:52 pm

    Brian Mathis wrote:
    On 8/2/07, Jay Lee wrote:
    [...]
    CentOS 5 is a .0 release, you might be better served using CentOS 4.5
    which has had much more time to prove itself as a DNS Server. [...]
    Jay
    Please don't propagate this idea. That is very "Windows wait for
    service pack 1" way of thinking.
    Actually it is an 'old' Red Hat way of thinking from the pre-fedora era
    and was very much true for RH versions up through 7.x.
    Linuxes actually go through
    extensive pre-release public beta testing, the kind of stuff Microsoft
    does on its .0 releases.
    I'd say "Enterprise Linux distributions" there. It's not true for all
    or even most Linux distributions.
    When a new CentOS release lands, it has
    landed.
    Yes, Centos qualifies as an enterprise version. Plus something like DNS
    will be fixed immediately if any problems are noticed - long before an
    x.1 update.

    --
    Les Mikesell
    lesmikesell@gmail.com
  • Ray Leventhal at Aug 2, 2007 at 5:44 pm
    Hi Jay, et al,

    <snip>
    CentOS 5 is a .0 release, you might be better served using CentOS 4.5
    which has had much more time to prove itself as a DNS Server. 4.5 also
    has a good bit of time left on updates too (till Feb 29th, 2012) so you
    shouldn't worry too much about it becoming obsolete.
    My experience in both reading this list and working with other sysadmins
    is that even though CentOS 5 is a .0 release, it is not only robust, but
    a rock solid release. I've been running CentOS5 on my desktop at home
    for more than a few months without issue, so I'm comfortable with 5.0 in
    a production environment. Good point made, though.
    Why do you need vsftpd? Plain text FTP could prove very dangerous.
    Maybe you should take this chance to switch over to something more
    secure like SFTP. The nice thing about sftp is it's up and running
    straight out of the box since SSH is enabled by default.
    That is certainly something to consider. Myself and one other will be
    the only folks using this machine for storage that will require ftp
    access so your point is taken. SFTP is my likely choice after a bit of
    reading to ensure compatibility with our tasks.

    Good luck,

    Jay
    Thanks...your help is greatly appreciated!

    ~Ray
  • Jim Perrin at Aug 2, 2007 at 5:52 pm

    On 8/2/07, Ray Leventhal wrote:

    That is certainly something to consider. Myself and one other will be
    the only folks using this machine for storage that will require ftp
    access so your point is taken. SFTP is my likely choice after a bit of
    reading to ensure compatibility with our tasks.
    While it's also a prime example of not getting the help you asked for,
    instead of ftp, or in some cases sftp, you might look at webdav also
    depending on your needs.

    I use it because it doesn't require a local system account, can be
    permissioned via apache, and is very customizable. It helps us out
    locally because it's part of http 1.1, so there's no need for added
    firewall ports being open, no proxy adjustments, etc.


    --
    During times of universal deceit, telling the truth becomes a revolutionary act.
    George Orwell
  • Les Mikesell at Aug 2, 2007 at 6:20 pm

    Jim Perrin wrote:
    On 8/2/07, Ray Leventhal wrote:

    That is certainly something to consider. Myself and one other will be
    the only folks using this machine for storage that will require ftp
    access so your point is taken. SFTP is my likely choice after a bit of
    reading to ensure compatibility with our tasks.
    While it's also a prime example of not getting the help you asked for,
    instead of ftp, or in some cases sftp, you might look at webdav also
    depending on your needs.

    I use it because it doesn't require a local system account, can be
    permissioned via apache, and is very customizable. It helps us out
    locally because it's part of http 1.1, so there's no need for added
    firewall ports being open, no proxy adjustments, etc.
    My favorite way to move files is with rsync over ssh since it does the
    right thing about not replacing existing files until the copy is
    complete, is more efficient sometimes, and works with windows/cygwin
    too. Windows users sometimes prefer winscp, though.

    But back to DNS - I run a really old and ugly script after updating zone
    files that builds the reverse zones, commits the changes to a cvs
    repository, and restarts named to pick up the changes. Is there some
    modern equivalent for this operation?

    --
    Les Mikesell
    lesmikesell@gmail.com
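    The "build the reverse zones, commit, reload named" step asked about above is a small transform over the forward zone. The script below is an added example in the spirit of that workflow, not the poster's script: it collects the A records of a constructed forward zone, groups them into /24 `in-addr.arpa` zones, bumps a YYYYMMDDnn serial, renders the reverse zone text, and produces the `named-checkzone` / `rndc reload` commands (listed, not executed). The sample zone, the `example.net` names and the path under `/var/named/chroot` are assumptions; the parser expects one A record per line with an explicit owner name.

```python
"""Rebuild in-addr.arpa zones from a forward zone's A records and bump the serial.
Added example for this thread, not the poster's script."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample forward zone for example.net (not from the thread).
FORWARD_ZONE = """\
$TTL 3600
@       IN  SOA ns1.example.net. hostmaster.example.net. (
                2007080201 ; serial
                3600 900 604800 3600 )
        IN  NS  ns1.example.net.
        IN  NS  ns2.example.net.
ns1     IN  A   192.0.2.10
ns2     IN  A   192.0.2.11
www     IN  A   192.0.2.20
mail    IN  A   198.51.100.5
"""

# owner [ttl] [IN] A address; blank-owner continuation lines are deliberately not matched.
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})$", re.I)


def parse_a_records(zone_text, origin):
    """Return [(fqdn_with_trailing_dot, ipv4)] for every A record in the zone text."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip zone-file comments
        m = A_RE.match(line)
        if not m:
            continue
        owner, ip = m.groups()
        if owner == "@":
            fqdn = origin.rstrip(".") + "."
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin.rstrip('.')}."
        records.append((fqdn, ip))
    return records


def build_reverse_zones(records):
    """Group PTR data by /24 reverse zone, sorted by last octet within each zone."""
    zones = defaultdict(list)
    for fqdn, ip in records:
        o1, o2, o3, o4 = ip.split(".")
        zones[f"{o3}.{o2}.{o1}.in-addr.arpa"].append((o4, fqdn))
    return {z: sorted(ptrs, key=lambda p: int(p[0])) for z, ptrs in zones.items()}


def bump_serial(old_serial, today=None):
    """YYYYMMDDnn convention: jump to today's date, or increment if already there or beyond."""
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100
    return old_serial + 1 if old_serial >= base else base


def render_reverse_zone(zone, ptrs, serial, primary_ns, hostmaster):
    """Minimal reverse zone text: SOA, one NS, then the PTR records."""
    lines = [
        "$TTL 3600",
        f"@ IN SOA {primary_ns} {hostmaster} {serial} 3600 900 604800 3600",
        f"@ IN NS {primary_ns}",
    ]
    lines += [f"{octet} IN PTR {fqdn}" for octet, fqdn in ptrs]
    return "\n".join(lines) + "\n"


def reload_commands(zone, zonefile):
    """Validate the file before asking named to pick it up (commands only; nothing is run here)."""
    return [["named-checkzone", zone, zonefile], ["rndc", "reload", zone]]


if __name__ == "__main__":
    recs = parse_a_records(FORWARD_ZONE, "example.net")
    for zone, ptrs in build_reverse_zones(recs).items():
        serial = bump_serial(2007080201)
        print(render_reverse_zone(zone, ptrs, serial, "ns1.example.net.", "hostmaster.example.net."))
        # Assumed chroot layout from earlier in the thread; adjust to your install.
        print(reload_commands(zone, f"/var/named/chroot/var/named/{zone}.db"))
```

    Running `named-checkzone` before `rndc reload` is the check worth keeping: a reverse zone with a syntax error is refused by named and the old data stays loaded, so the failure is visible in the script's exit status rather than as silently stale PTRs. Committing the rendered files to version control, as the original script does, is a separate step this example leaves to the caller.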
  • Dan Pritts at Aug 10, 2007 at 1:45 am

    On Thu, Aug 02, 2007 at 01:20:04PM -0500, Les Mikesell wrote:
    But back to DNS - I run a really old and ugly script after updating zone
    files that builds the reverse zones, commits the changes to a cvs
    repository, and restarts named to pick up the changes. Is there some
    modern equivalent for this operation?
    i use a script called "mkrdns" that isn't especially ugly. it's out
    on the net, and its website mentions something called dnscvsutil that
    also apparently does CVS and incorporates mkrdns.

    it doesn't have v6/AAAA support though, so if you find something
    that does i'd appreciate hearing about it.

    tnx
    danno
    --
    Dan Pritts, System Administrator
    Internet2
    office: +1-734-352-4953 | mobile: +1-734-834-7224

    Internet2 Workshops:
    More fun than summer school
    http://www.internet2.edu/workshops
  • Tomasz Napierała at Aug 3, 2007 at 7:26 am

    On Thursday 02 August 2007 16:56:46 Ray Leventhal wrote:

    As it will be a production server and this is my first foray into
    CentOS/SELinux in a production environment I was hoping to get a
    recommended list of what to include and, more specifically, what *not*
    to include from the distro CDs

    I will be doing a text based install, hoping to avoid the installation
    of X. Other than BIND and vsftpd, I don't think I need much. This
    machine will be pulling zone files from my primary web server and
    storing some archive files and backups for me.

    I'm diligently R`ingTFMs, and will continue to.... I'd sure be
    appreciative of any jumpstart help and/or any pitfalls of which to be
    cognizant.

    Apart from installation, I would suggest using PowerDNS as a secondary DNS.
    It's not only robust, fast and secure, but also has very interesting
    capability of automated zones deploying (especially useful for secondary
    NS). I'm using it on all my secondary nameservers, and that's saving me lot
    of time.

    Regards,
    --
    Tomasz Napierala
    System Administrator
    Allegro Team
    http://www.allegro.pl/
  • Ray Leventhal at Aug 3, 2007 at 12:55 pm
    Tomasz Napierała wrote:
    <snip>
    Apart from installation, I would suggest using PowerDNS as a secondary DNS.
    It's not only robust, fast and secure, but also has very interesting
    capability of automated zones deploying (especially useful for secondary
    NS). I'm using it on all my secondary nameservers, and that's saving me lot
    of time.

    Regards,
    Thank you Tomasz, I'll have a look at PowerDNS. Much appreciated.

    ~Ray
  • Feizhou at Aug 3, 2007 at 1:06 pm

    Ray Leventhal wrote:
    Tomasz Napierała wrote:
    <snip>
    Apart from installation, I would suggest using PowerDNS as a secondary DNS.
    It's not only robust, fast and secure, but also has very interesting
    capability of automated zones deploying (especially useful for secondary
    NS). I'm using it on all my secondary nameservers, and that's saving me lot
    of time.

    Regards,
    Thank you Tomasz, I'll have a look at PowerDNS. Much appreciated.
    Well, if you are willing to look into BIND alternatives, please take a
    look also at tinydns which is part of the djbdns package.

    Dead simple format for dns configuration and on-the-fly zone updating
    are some of its features.
  • Ray Leventhal at Aug 3, 2007 at 1:08 pm

    Feizhou wrote:
    Ray Leventhal wrote:
    Tomasz Napierała wrote:
    <snip>
    Apart from installation, I would suggest using PowerDNS as a
    secondary DNS. It's not only robust, fast and secure, but also has
    very interesting capability of automated zones deploying (especially
    useful for secondary NS). I'm using it on all my secondary
    nameservers, and that's saving me lot of time.

    Regards,
    Thank you Tomasz, I'll have a look at PowerDNS. Much appreciated.
    Well, if you are willing to look into BIND alternatives, please take a
    look also at tinydns which is part of the djbdns package.

    Dead simple format for dns configuration and on-the-fly zone updating
    are some of its features.
    Feizhou,

    I'm more than willing to look into alternatives, especially when
    recommended by those more knowledgeable than I (which is *most* of this
    list, I might add)

    So, thank you *very* much for that. The machine is slated to go live
    this weekend so i've clearly got some reading and evaluating to do (on
    my testbed machine, of course).

    Thanks again...and again,
    ~Ray
  • Ken Price at Aug 3, 2007 at 1:46 pm

    Well, if you are willing to look into BIND alternatives, please take a
    look also at tinydns which is part of the djbdns package.

    Dead simple format for dns configuration and on-the-fly zone updating
    are some of its features.
    Feizhou,

    I'm more than willing to look into alternatives, especially when
    recommended by those more knowledgeable than I (which is *most* of this
    list, I might add)

    So, thank you *very* much for that. The machine is slated to go live
    this weekend so i've clearly got some reading and evaluating to do (on
    my testbed machine, of course).

    Thanks again...and again,
    ~Ray

    I'm coming in late to this thread. We too are a hosting provider
    (small time), hosting approximately 1600 live domains.

    Not to say tinydns is a bad alternative, as it has its strengths, but
    we moved away from [outgrew] it 2 years ago.

    If you were already running Bind, CentOS 5 is a great platform. I run
    a few multi-domain (3-10) slaves using a chrooted Bind for a couple
    offsite clients. Fine for small number of domains. Short term, I'd
    recommend just getting another Bind install up and running to fix your
    issue, THEN look at alternatives.

    I've personally used PowerDNS, TinyDNS, MyDNS, nsd, Bind 8/9, and MS
    DNS. PowerDNS is phenomenal. Look into the proprietary
    "supermaster/superslave" functionality. To manage the 1600+ domains,
    we have our primary server setup using a MySQL backend. This allows
    simple integration of our accounting and support systems. The slaves
    are using sqlite3 backends. One word of caution, while a "superslave"
    may automatically add a new domain, it will not remove domains deleted
    at the master. I've solved this by removing all non NS/SOA records
    from that domain and updating the serial on the master - so changes
    propagate to slaves. Then have a cronjob running that purges empty
    domains from the databases on the master and slaves.

    Also, I've found the PowerDNS RPM's located at the EPEL repo to be
    completely stable. They even have the backends broken out separately.

    Lastly, I don't know about you, but I hate giving shell access where
    it's not needed ... especially to support staff under a Tier3 level.
    So I use Pure-FTPD running virtual users and an FTPS (not SFTP)
    client like lftp or filezilla for transfers. If I need a higher level
    of security then I use rsync over SSH.

    Forgive me for being so verbose. :-)

    -ken
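    The superslave caveat above (a domain deleted at the master is never removed on the slaves) and the two-part fix described (empty the zone on the master, leaving only SOA/NS, and bump the serial; then let a cron job purge empty domains everywhere) can be expressed as a few SQL statements. The script below is an added example, not the poster's cron job: it runs against an in-memory SQLite database using a reduced version of the PowerDNS generic SQL schema (`domains` and `records` tables, assumed here; check the schema shipped with your PowerDNS version), with constructed sample zones.

```python
"""Purge PowerDNS superslave domains that were emptied at the master.
Added example for this thread, not the poster's script."""
import sqlite3

# Reduced PowerDNS generic-SQL schema (assumption; the real one has more columns).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                      name TEXT, type TEXT, content TEXT, ttl INTEGER);
"""

# Constructed sample data: one live zone and one zone already emptied at the master.
SAMPLE = [
    ("example.com", "SLAVE", [
        ("example.com", "SOA", "ns1.example.net. hostmaster.example.net. 2007080201 3600 900 604800 3600"),
        ("example.com", "NS", "ns1.example.net."),
        ("www.example.com", "A", "192.0.2.20"),
        ("example.com", "MX", "10 mail.example.com"),
    ]),
    ("gone.example", "SLAVE", [
        ("gone.example", "SOA", "ns1.example.net. hostmaster.example.net. 2007080301 3600 900 604800 3600"),
        ("gone.example", "NS", "ns1.example.net."),
    ]),
]


def open_sample_db():
    """In-memory database seeded with the constructed zones."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, dtype, recs in SAMPLE:
        cur = conn.execute("INSERT INTO domains (name, type) VALUES (?, ?)", (name, dtype))
        conn.executemany(
            "INSERT INTO records (domain_id, name, type, content, ttl) VALUES (?, ?, ?, ?, 3600)",
            [(cur.lastrowid, n, t, c) for n, t, c in recs])
    conn.commit()
    return conn


def find_empty_domains(conn):
    """Domains whose only records are SOA and NS, i.e. zones that were emptied at the master."""
    return conn.execute("""
        SELECT d.id, d.name FROM domains d
        WHERE NOT EXISTS (SELECT 1 FROM records r
                          WHERE r.domain_id = d.id AND r.type NOT IN ('SOA', 'NS'))
        ORDER BY d.name""").fetchall()


def purge_empty_domains(conn):
    """The cron-job half: delete empty domains and their leftover records; returns purged names."""
    purged = []
    for domain_id, name in find_empty_domains(conn):
        conn.execute("DELETE FROM records WHERE domain_id = ?", (domain_id,))
        conn.execute("DELETE FROM domains WHERE id = ?", (domain_id,))
        purged.append(name)
    conn.commit()
    return purged


def empty_domain_on_master(conn, name):
    """The master half: drop everything but SOA/NS and bump the SOA serial so slaves transfer it."""
    row = conn.execute("SELECT id FROM domains WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    domain_id = row[0]
    conn.execute("DELETE FROM records WHERE domain_id = ? AND type NOT IN ('SOA', 'NS')", (domain_id,))
    rid, soa = conn.execute(
        "SELECT id, content FROM records WHERE domain_id = ? AND type = 'SOA'", (domain_id,)).fetchone()
    fields = soa.split()
    fields[2] = str(int(fields[2]) + 1)  # serial is the third field of the SOA content
    conn.execute("UPDATE records SET content = ? WHERE id = ?", (" ".join(fields), rid))
    conn.commit()
    return int(fields[2])


def remaining_domains(conn):
    return [r[0] for r in conn.execute("SELECT name FROM domains ORDER BY name")]


if __name__ == "__main__":
    conn = open_sample_db()
    print("purged:", purge_empty_domains(conn), "remaining:", remaining_domains(conn))
```

    The ordering matters: the purge must run on the slaves only after they have transferred the emptied zone, otherwise a slave still holding the old A/MX records keeps the domain and serves it. Scheduling the purge job on the slaves with a delay longer than the zone's refresh interval is the simple way to respect that.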
  • Ray Leventhal at Aug 3, 2007 at 1:51 pm
    <snip>
    I'm coming in late to this thread. We too are a hosting provider
    (small time), hosting approximately 1600 live domains.

    Not to say tinydns is a bad alternative, as it has its strengths, but
    we moved away from [outgrew] it 2 years ago.

    If you were already running Bind, CentOS 5 is a great platform. I run
    a few multi-domain (3-10) slaves using a chrooted Bind for a couple
    offsite clients. Fine for small number of domains. Short term, I'd
    recommend just getting another Bind install up and running to fix your
    issue, THEN look at alternatives.

    I've personally used PowerDNS, TinyDNS, MyDNS, nsd, Bind 8/9, and MS
    DNS. PowerDNS is phenomenal. Look into the proprietary
    "supermaster/superslave" functionality. To manage the 1600+ domains,
    we have our primary server setup using a MySQL backend. This allows
    simple integration of our accounting and support systems. The slaves
    are using sqlite3 backends. One word of caution, while a "superslave"
    may automatically add a new domain, it will not remove domains deleted
    at the master. I've solved this by removing all non NS/SOA records
    from that domain and updating the serial on the master - so changes
    propagate to slaves. Then have a cronjob running that purges empty
    domains from the databases on the master and slaves.

    Also, I've found the PowerDNS RPM's located at the EPEL repo to be
    completely stable. They even have the backends broken out separately.

    Lastly, I don't know about you, but I hate giving shell access where
    it's not needed ... especially to support staff under a Tier3 level.
    So I use Pure-FTPD running virtual users and an FTPS (not SFTP)
    client like lftp or filezilla for transfers. If I need a higher level
    of security then I use rsync over SSH.

    Forgive me for being so verbose. :-)

    -ken
    Overly Verbose? Not at all, Ken. I am thrilled to hear of your
    experiences and was, actually, intending to do a straight BIND install
    first as it's what I'm most familiar with at this time.

    I certainly have a lot of material to review before making the leap away
    from BIND proper, but that I now know what that material is, at least in
    part, is a blessing.

    Please be verbose as you'd like. I, for one, truly appreciate it.

    Thanks again,
    ~Ray
  • Feizhou at Aug 3, 2007 at 2:17 pm

    I'm coming in late to this thread. We too are a hosting provider (small
    time), hosting approximately 1600 live domains.

    Not to say tinydns is a bad alternative, as it has its strengths, but
    we moved away from [outgrew] it 2 years ago.
    I used to work for a messaging service provider and they had two
    systems. The first system was the service provider offering its
    messaging platform for its own domains and a hundred or so domains for
    quite a lot of clients and these were managed with BIND by hand.

    The other system was used for solely one client and that client is a
    rather big Registrar, whom I shall not name, with thousands of domains
    of which a good portion (over 50k) were hosted by this messaging service
    provider since the registrar did not have its own messaging platform.
    All these domains were automatically managed with tinydns.

    So I do not know how you 'outgrew' tinydns. After all the only part that
    involves tinydns is 'generate the cdb file from a database for tinydns
    to chew' or in other words, generating the cdb file for tinydns is the
    least of your problems to tackle.

    The secondaries are handled just the same (actually, you do not need
    'secondaries' anymore...if IIRC, you just have to rsync the cdb file
    over so there is no real master/slave thing here)
  • Ken Price at Aug 3, 2007 at 4:58 pm

    I'm coming in late to this thread. We too are a hosting provider
    (small time), hosting approximately 1600 live domains.

    Not to say tinydns is a bad alternative, as it has its strengths,
    but we moved away from [outgrew] it 2 years ago.
    I used to work for a messaging service provider and they had two
    systems. The first system was the service provider offering its
    messaging platform for its own domains and a hundred or so domains for
    quite a lot of clients and these were managed with BIND by hand.
    eek. i can imagine that was a pain.
    So I do not know how you 'outgrew' tinydns. After all the only part
    that involves tinydns is 'generate the cdb file from a database for
    tinydns to chew' or in other words, generating the cdb file for tinydns
    is the least of your problems to tackle.
    Look, in no way was i bashing TinyDNS or starting a flamewar. This is
    why i prefaced my comment with "Not to say tinydns is a bad
    alternative, as it has its strengths". By "outgrew" i mean we
    required more of our DNS server. We weren't a top level domain
    provider. Our clients required authoritative and sometimes secondary
    service. As a result, we required better RFC compliance and a broader
    range of features than TinyDNS provided. That's all. Our business
    simply required greater flexibility.

    Generally, your business needs should determine the solution. Not the
    other way around.

    Cheers.
  • Feizhou at Aug 3, 2007 at 11:20 pm

    Ken Price wrote:
    I'm coming in late to this thread. We too are a hosting provider
    (small time), hosting approximately 1600 live domains.

    Not to say tinydns is a bad alternative, as it has its strengths,
    but we moved away from [outgrew] it 2 years ago.
    I used to work for a messaging service provider and they had two
    systems. The first system was the service provider offering its
    messaging platform for its own domains and a hundred or so domains for
    quite a lot of clients and these were managed with BIND by hand.
    eek. i can imagine that was a pain.
    In the beginning it sure was.

    Good thing BIND has this $INCLUDE thing. That reduced the amount of work
    after I cleaned up the mess from the previous configuration maintainer.
    So I do not know how you 'outgrew' tinydns. After all the only part
    that involves tinydns is 'generate the cdb file from a database for
    tinydns to chew' or in other words, generating the cdb file for tinydns
    is the least of your problems to tackle.
    Look, in no way was i bashing TinyDNS or starting a flamewar. This is
    why i prefaced my comment with "Not to say tinydns is a bad alternative,
    as it has its strengths". By "outgrew" i mean we required more of our
    DNS server. We weren't a top level domain provider. Our clients
    required authoritative and sometimes secondary service. As a result, we
    required better RFC compliance and a broader range of features than
    TinyDNS provided. That's all. Our business simply required greater
    flexibility.
    You should have come out with this in the first place. Stating 1600
    domains as a hosting provider and then not clearly stating the technical
    reasons on why you had to switch away from tinydns looks like a veiled
    snipe at djbdns.

    If anybody dares insinuate ease of use, performance or security reasons
    for not using djbdns, I am going to grill them because 'I' have tried to
    find something to replace dnscache, which has this knack of not caching
    CNAME records and hammering the authoritative servers of a zone when it
    receives multiple new requests for records in that zone before it gets
    an answer, and I have yet to find anything that is as scalable as
    dnscache despite its annoying shortcomings.
    Generally, your business needs should determine the solution. Not the
    other way around.
    Agreed.
  • Tomasz Napierała at Aug 3, 2007 at 2:24 pm

    On Friday 03 August 2007 15:46:49 Ken Price wrote:

    I've personally used PowerDNS, TinyDNS, MyDNS, nsd, Bind 8/9, and MS
    DNS. PowerDNS is phenomenal. Look into the proprietary
    "supermaster/superslave" functionality. To manage the 1600+ domains,
    we have our primary server setup using a MySQL backend. This allows
    simple integration of our accounting and support systems. The slaves
    are using sqlite3 backends. One word of caution, while a "superslave"
    may automatically add a new domain, it will not remove domains deleted
    at the master. I've solved this by removing all non NS/SOA records
    from that domain and updating the serial on the master - so changes
    propagate to slaves. Then have a cronjob running that purges empty
    domains from the databases on the master and slaves.
    Just to add one comment, PowerDNS is also easy migration path from BIND as it
    can use existing BIND configuration files as a backend in addition to MySQL
    (or other dbms)

    Regards,
    --
    Tomasz Napierala
    System Administrator
    Allegro Team
    http://www.allegro.pl/

Discussion Overview
group: centos
categories: centos
posted: Aug 2, '07 at 2:56p
active: Aug 22, '07 at 11:52a
posts: 25
users: 11
website: centos.org
irc: #centos
