Well, I told someone I would, so here it is.
My boss installed a server for a client on our grid and told me to replicate another bind9 host. Short version is I scp'd all the .hosts files over from the original server to the new one and bounced named. It seems to be doing the job. Those details are here...
and now for the good stuff...
Boss's answers are in red.
The only reply I personally have for "why x or y or z" is "because he's the Boss", so don't go there.
Security above all else.
He understands and shares my concerns so if Security deems a change, things could be different.
Q: Any particular reason for choosing Ubuntu LTS?
A: Because it's an LTS
Q: Did you make it a minimal OS installation?
A: It's a standard install.
Q: Any particular reason for choosing ISC BIND (PowerDNS, MaraDNS, Unbound, etc.)?
A: Because it's Bind and it's well known and it's free and it's stable
Q: Why for deities' sake are your NS running Webmin? (You saw that question coming, right? ;-p) Of course
A: Because it's Webmin and it's well known and it's free and it's stable
Q: Do these machines have multiple Ethernet devices?
A: Yes. Two. eth0 is the public IP. eth1 is the non-routable IP and is used by our grid infrastructure. It should never be involved in any DNS for the domain.com.
Q: What tuning have you done so far? (Running iperf / Jperf is easy.)
A: I haven't done any myself.
Q: Same for hardening?
A: ssh-keys only!!!
Q: Are your NSes a mix of AWS instances and physical machines?
A: (You lost me on this one and I suppose some context is needed (by me) to understand the Q.) There is just the one physical machine on the new grid. ns1.dom.com is another physical host on another one of our grids. There are no AWS instances involved.
I suppose this new host to be an alternate ns N.domain.com for future use. I am guessing now that this host will become an Authoritative name server in the future...?
/etc/bind/named.conf.options:
Code:
options {
    directory "/var/cache/bind";
    version NONE;               // hide the BIND version from version.bind CHAOS queries
    recursion no;               // authoritative only: never act as a resolver for clients
    allow-transfer { none; };   // no zone transfers (AXFR/IXFR) to anyone
    dnssec-validation auto;
    auth-nxdomain no;           // conform to RFC1035
    listen-on-v6 { any; };
    // no listen-on here: named's default is every IPv4 interface, eth1 included
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
};
/etc/bind/named.conf:
Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key rndc-key {
    algorithm hmac-md5;   // deprecated in current BIND; rndc-confgen now generates hmac-sha256 keys
    secret "ou812ic";
};

controls {
    // rndc accepted only from localhost, authenticated with rndc-key
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
The only obvious difference I see on the "old" dns host is
Code:
forwarders {
    4.2.2.2;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
forward first;
This is NOT present on the new host.
I started with this... (getting started/recipe-type/howto...)
My references are:
BIND9ServerHowto
Secure-and-Reliable-Authoritative-DNS-with-BIND
Name_server (wikipedia)
and I signed up at
https://kb.isc.org
If any further information is needed, fire away.
Thank you for your time.
JJ
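As an added example (my own code, not part of the original post and not anything from ISC BIND), here is a small Python audit of named.conf text that reports the gaps a reviewer of the config above would raise: no listen-on, so named also binds the eth1 grid address the boss says must never serve DNS; listen-on-v6 { any; }; the hmac-md5 rndc key; and, on the old host, forwarders that a recursion no server never consults. The sample inputs are the posted blocks and a hardened variant; the eth0 address 192.0.2.10, the placeholder rndc secret and the cut-down parser are assumptions, not facts from the post.

```python
"""Audit a named.conf fragment for the hardening gaps a reviewer would raise.
Constructed example: the parser handles `keyword args { ...; };` nesting and
#, //, /* */ comments, enough for options/key blocks, not the full grammar.
"""
import re

# The options and key blocks as posted above (check-names lines omitted).
POSTED_CONF = """
options {
    directory "/var/cache/bind";
    version NONE;
    recursion no;
    allow-transfer{none;};
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};
key rndc-key { algorithm hmac-md5; secret "ou812ic"; };
"""
# The posted config plus the forwarders lines quoted from the "old" host.
OLD_HOST_CONF = POSTED_CONF.replace(
    "recursion no;", "recursion no;\n    forwarders { 4.2.2.2; };\n    forward first;")
# Hardened variant. Assumed: 192.0.2.10 stands in for the eth0 public address;
# the secret is a placeholder for what `rndc-confgen -A hmac-sha256` prints.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    version none;
    recursion no;
    listen-on { 192.0.2.10; };   // eth0 only: eth1 (grid side) never serves DNS
    listen-on-v6 { none; };
    allow-transfer { none; };    // or the secondary's IP, if it pulls zones by AXFR
    auth-nxdomain no;
};
key rndc-key { algorithm hmac-sha256; secret "c2VjcmV0LWdvZXMtaGVyZQ=="; };
"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)

def parse_block(text):
    """Return [(keyword, [args], sub_statements or None), ...] for a block body."""
    stmts, i, n = [], 0, len(text)
    while i < n:
        while i < n and text[i].isspace():
            i += 1
        start, depth, sub_start, sub_text = i, 0, None, None
        while i < n:
            c = text[i]
            if c == "{":
                if depth == 0 and sub_start is None:
                    sub_start = i  # first {...} block of this statement
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    sub_text = text[sub_start + 1:i]
            elif c == ";" and depth == 0:
                break
            i += 1
        head = text[start:sub_start if sub_start is not None else i]
        i += 1  # step over the ';'
        toks = head.replace('"', "").split()
        if toks:
            stmts.append((toks[0], toks[1:], parse_block(sub_text) if sub_text is not None else None))
    return stmts

def audit(conf_text):
    """Return [(code, message)] findings; an empty list means nothing to flag."""
    findings, options = [], {}
    for kw, args, sub in parse_block(strip_comments(conf_text)):
        if kw == "options" and sub:
            options.update({k: (a, s) for k, a, s in sub})
        elif kw == "key" and sub and any(k == "algorithm" and [x.lower() for x in a] == ["hmac-md5"] for k, a, _ in sub):
            findings.append(("weak-key-alg", f"key {' '.join(args)} uses hmac-md5; regenerate it with hmac-sha256"))

    def args_of(name):  # lowercased arguments of `name arg ...;`
        return [a.lower() for a in options.get(name, ([], None))[0]]

    def block_of(name):  # lowercased entries of `name { ...; };`, None if absent
        sub = options.get(name, (None, None))[1]
        return None if sub is None else [k.lower() for k, _, _ in sub]

    def unrestricted(name):  # absent (BIND defaults to any) or explicitly any
        return block_of(name) is None or "any" in block_of(name)

    checks = [
        ("recursion", args_of("recursion") != ["no"],
         "recursion not disabled (BIND default is yes): an authoritative server must not be an open resolver"),
        ("allow-transfer", unrestricted("allow-transfer"), "zone transfers unrestricted: anyone can AXFR the whole zone"),
        ("version", args_of("version") != ["none"], "version.bind CHAOS TXT reveals the running BIND version"),
        ("listen-on", unrestricted("listen-on"), "no listen-on: named binds every IPv4 interface, the grid-side one included"),
        ("listen-on-v6", "any" in (block_of("listen-on-v6") or []), "listen-on-v6 { any; } binds every IPv6 interface"),
        ("forwarders", "forwarders" in options and args_of("recursion") == ["no"],
         "forwarders only serve recursive queries; with recursion no they are dead configuration"),
    ]
    return findings + [(code, msg) for code, bad, msg in checks if bad]

def audit_codes(conf_text):
    return sorted(code for code, _ in audit(conf_text))

if __name__ == "__main__":
    print({n: audit_codes(c) for n, c in [("posted", POSTED_CONF), ("old", OLD_HOST_CONF), ("hardened", HARDENED_CONF)]})
```

This only reads text; it is not a syntax check. Before reloading a real file, run named-checkconf on it, and after the reload confirm from an outside host that `dig @ns version.bind CH TXT` returns nothing useful and that a query for a name you are not authoritative for comes back REFUSED rather than answered.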