Firstly... I apologise for the atrocious pun in the subject; just can't seem to help myself.

Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).

Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.

Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that:

1) Creates a zone file for "mydomain.com" and fills in defaults; overrides with options from the web-app if needed.
2) Updates the existing named.conf file
3) Opens a secure connection to the master, and uploads new config files
4) Runs a remote process to restart BIND
5) Opens a secure connection to slave, updates named.conf
6) Runs a remote process to restart BIND

But I've had a play with "myDNS" (http://mydns.bboy.net) which is capable of serving DNS requests directly from a mySQL database. And it seems pretty good. All my web-app now needs to do is adjust some database records and everything else updates automatically. All very cool.

However, my question is this... Has anyone yet experienced any major problems with myDNS - either security or reliability? Frankly, I'm a little scared of daring to shift away from a well-established system.

Perhaps you've had the chance to poke about in the code... Is it based on the BIND codebase? Does it get security updates when exploits are revealed?

Finally I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. Ok I appreciate it doesn't get around security concerns but hey ho.

Opinions much appreciated.

Cheers,
Ben

--
Ben Matthew, Senior Network Engineer
Absolute Radio, One Golden Square, London W1F 9DJ
Tel: 020 7432 3457 Mobile: 07817464623
http://www.absoluteradio.co.uk
Absolute Radio, winner of four Sony Radio Awards in 2009

________________________________________________
DISCLAIMER
This e-mail message, including any attachments, is intended solely for the use of the addressee and may contain confidential information. If it is not intended for you, please inform the sender and delete the e-mail and any attachments immediately. Any review, retransmission, disclosure, copying or modification of it is strictly forbidden. Please be advised that the views and opinions expressed in this e-mail may not reflect the views and opinions of TIML Radio Limited or any of its parent and subsidiary companies. Whilst we take reasonable precautions to ensure that our emails are free from viruses, we cannot be responsible for any viruses transmitted with this e-mail and recommend that you subject any incoming e-mail to your own virus checking procedures. Use of this or any other e-mail facility signifies consent to any interception we might lawfully carry out to prevent abuse of these facilities.
________________________________________________
TIML Radio Limited (trading as Absolute Radio) Registered office: One Golden Square, London. W1F 9DJ Registered in England No 02674136 VAT No 927 2572 11
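Step 1 of the web-app plan above (generate a zone file for "mydomain.com", fill in defaults, allow overrides) is where a form field ends up inside a file that BIND parses, so the owner names and record data need validating before they are written. The following is an added example, not code from the original post; the default SOA timers, the YYYYMMDDnn serial scheme and the (owner, type, rdata) input shape are assumptions.

```python
import re
from datetime import date

# Assumed defaults for the "fills in defaults" step; overrides come from the web form.
DEFAULTS = {"ttl": 3600, "refresh": 3600, "retry": 900, "expire": 1209600, "minimum": 300}
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
IPV4_RE = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")


def valid_name(name):
    """Accept '@' or a dotted hostname made of plain labels only. Whitespace, ';',
    '$', '(' and newlines are rejected, so a form field cannot smuggle extra
    records or a directive such as $INCLUDE into the generated zone file."""
    if name == "@":
        return True
    return all(LABEL_RE.fullmatch(p) for p in name.rstrip(".").split("."))


def next_serial(previous, today=None):
    """YYYYMMDDnn serial (today given as an int YYYYMMDD, default: real date).
    Stays strictly increasing even when a zone changes more than once a day."""
    today = today or int(date.today().strftime("%Y%m%d"))
    base = today * 100
    return base if previous < base else previous + 1


def render_zone(domain, primary_ns, records, previous_serial=0, overrides=None, today=None):
    """Return (zone_text, serial). records is a list of (owner, type, rdata) tuples."""
    if not (valid_name(domain) and valid_name(primary_ns)):
        raise ValueError("bad domain or nameserver name")
    # Timers are coerced to int so an override cannot inject text into the SOA.
    o = {k: int(v) for k, v in {**DEFAULTS, **(overrides or {})}.items()}
    serial = next_serial(previous_serial, today)
    lines = [
        f"$ORIGIN {domain}.",
        f"$TTL {o['ttl']}",
        f"@ IN SOA {primary_ns}. hostmaster.{domain}. ("
        f" {serial} {o['refresh']} {o['retry']} {o['expire']} {o['minimum']} )",
        f"@ IN NS {primary_ns}.",
    ]
    for owner, rtype, rdata in records:
        if not valid_name(owner):
            raise ValueError(f"bad owner name: {owner!r}")
        if rtype == "A" and not IPV4_RE.fullmatch(rdata):
            raise ValueError(f"bad IPv4 address: {rdata!r}")
        if rtype == "CNAME" and not valid_name(rdata):
            raise ValueError(f"bad CNAME target: {rdata!r}")
        if rtype not in ("A", "CNAME"):
            raise ValueError(f"unsupported record type: {rtype}")
        lines.append(f"{owner} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n", serial
```

Before uploading the result in step 3 it is worth running it through named-checkzone on the web host, so a malformed file never reaches the master.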
May seem a little simplistic, but how about Webmin. :) Runs on most linux-type systems over SSL/https and allows you to administer your DNS (and other services) without issues and provide the things you listed below. Oh, and it's free. And it's already done.

Scott

Ben Matthew wrote:
Firstly... I apologise for the atrocious pun in the subject; just can't seem to help myself.
Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).
Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.
Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that:
1) Creates a zone file for "mydomain.com" and fills in defaults; overrides with options from the web-app if needed.
2) Updates the existing named.conf file
3) Opens a secure connection to the master, and uploads new config files
4) Runs a remote process to restart BIND
5) Opens a secure connection to slave, updates named.conf
6) Runs a remote process to restart BIND
But I've had a play with "myDNS" (http://mydns.bboy.net) which is capable of serving DNS requests directly from a mySQL database. And it seems pretty good. All my web-app now needs to do is adjust some database records and everything else updates automatically. All very cool.
However, my question is this... Has anyone yet experienced any major problems with myDNS - either security or reliability? Frankly, I'm a little scared of daring to shift away from a well-established system.
Perhaps you've had the chance to poke about in the code... Is it based on the BIND codebase? Does it get security updates when exploits are revealed?
Finally I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. Ok I appreciate it doesn't get around security concerns but hey ho.
Opinions much appreciated.
Cheers,
Ben
On 01.06.2009, at 12:59, Ben Matthew wrote:
Finally I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. Ok I appreciate it doesn't get around security concerns but hey ho.
As far as security, why have myDNS world-reachable at all? You can have bind feed off of myDNS without having anyone on the outside ever talk to the myDNS backend.

Chris
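Chris's hidden-master layout in BIND 9 terms: the public servers are secondaries that only ever pull from the myDNS box on an internal address, and the zone's NS records list only those public servers. This is an added example, not configuration from the original thread; 10.0.0.5 and the file path are placeholders.

```conf
// Public-facing BIND 9 secondary; the myDNS master is reachable only internally.
options {
    allow-transfer { none; };      // nobody can AXFR the zone from the public servers
    allow-recursion { none; };     // authoritative only, no open resolver
};

zone "mydomain.com" {
    type slave;
    file "slaves/mydomain.com.db";
    masters { 10.0.0.5; };         // the hidden myDNS master (placeholder address)
    allow-notify { 10.0.0.5; };    // accept NOTIFY only from that master
};
```

On the myDNS host itself, restrict port 53 with the host firewall to the addresses of these secondaries so that the backend is never exposed even if a record change is pushed by mistake.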
On Mon, Jun 1, 2009 at 12:59 PM, Ben Matthew <Ben.Matthew@timlradio.co.uk> wrote:
Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).
Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.
You don't necessarily need to move away from Bind but what you do need is a better backend. Certainly you should avoid Webmin and trying to automate changes to BIND zone files as this gets really messy and unmaintainable very quickly. You can use Bind9 DLZ and MySQL or LDAP. I didn't find this all that easy to package or manage though. Personally, for scalable authoritative DNS I think PowerDNS is far better especially with an LDAP backend as LDAP is trivial to replicate over large numbers of slaves. An interface to LDAP for DNS was also a trivial project for us. If you don't need so much scalability there are existing web interfaces for PowerDNS using the MySQL backend.

https://webdns.bountysource.com/
https://www.poweradmin.org/trac/
Participants (4): Ben Matthew, Chris Meidinger, Colin Alston, Scott Morris