[sdnog] DNS problem

Nishal Goburdhan nishal at controlfreak.co.za
Tue Jan 6 15:33:45 SAST 2015

On 30 Dec 2014, at 12:36, Manhal Mohammed <manhal_muhamed at hotmail.com> wrote:
> Hello SdNoggers 
> This is my first time on this mailing list , I am Manhal Mohammed from the National Data Center ,

hi manhal,  and happy 2015 ! 

> I have some questions in the DNS
> first one : 
> Our DNS design is stealth "split-horizon"; we have two NS, NS0 & NS1, each from a different ISP for availability. But NS1 is unreachable due to network problems. Can I use the two name servers in the same ISP? Is that an issue to consider? Because now we are working with just one NS and this is very bad.

yes, you can have two name-servers, running through the same ISP.  as mentioned, though, that does leave you with a single point of failure should you have an issue with the ISP....however, working with just one name-server from a single ISP, is worse than two working DNS servers.  right now, if you lose the single DNS server, you're in deep trouble.  if you lose the internet link, well, DNS is not the only problem you're going to have  ;-)

but - that should also give you an idea about how / where you place your DNS servers.  so i'm going to assume that both your DNS servers are at your data-centre.  have you considered locating one somewhere else?   geographic separation is a Good Thing if you have to worry about losing internet access / power / floods / etc.  and if your worry is that you want it to be in the capital, why don't you consider hosting it at one of the ISPs to give you off-site redundancy?  that way you don't have to worry about the server losing internet connectivity as ISP hosting environments are generally quite stable ! 

it should also give you a little hint about addressing, and design;  a good thing to do, if you have two ISPs, is to get your own IP addresses, and an ASN, from AfriNIC, and then multi-home using BGP and your "own" address space.  there are many people on this list that can help you do this  ;-)       then, it doesn't really matter if you temporarily lose a single internet link, since you can easily re-route via the other ISP.  if your network design today has you using two ISPs, then this multihoming is definitely the path that i would suggest to you.  

it sounds to me like you have quite a bit of work to do: 
* sort out your internet connectivity
* get a second DNS server running asap
* figure out this multihoming stuff 
* ...

it would be great if you were willing to discuss some more of these issues here, to give everyone a chance to learn (and see how you're doing things!) 

> second : 
> How do I apply or implement some sort of security for the DNS, like chroot? Now I am not using chroot; can I use it after installing BIND and working with it? Will that affect the DNS server? Are there any risks?

in general, chroot'ing your DNS daemon is a good thing.  someone who knows this better than i do, has promised to respond to this  :-)

> third  and last one : 
> Will flushing the DNS cache affect it?

from what i understand, you are describing your auth name-servers, right?   auth-servers don't keep a DNS cache, so flushing this won't make a difference.  unless you run your auth servers, and your DNS caches on the same server.   that's not really recommended, and something that you should change ASAP ! 

do you run both the auth + caches on the same servers ? 
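As an added illustration (not part of this thread, and not a config from Manhal's servers), here is what "auth + cache on the same server" looks like in BIND 9 `named.conf` next to the separated setup Nishal recommends; the zone name, addresses and file paths are placeholders I made up.

```bind
// ---- (1) Not recommended: one named is both authoritative and a recursive cache ----
// (single file, e.g. /etc/named.conf on the combined box)
options {
    directory "/var/named";
    recursion yes;        // BIND's default: the auth server also recurses for whoever asks
    // no allow-recursion / allow-query-cache: this is an open resolver holding your zones
};
zone "example.invalid" { type master; file "db.example.invalid"; };

// ---- (2a) Authoritative-only server (NS0 / NS1) ----
// There is no cache here, so "rndc flush" has nothing to clear and cannot hurt the zones.
options {
    directory "/var/named";
    recursion no;                       // answer only from the zones we hold
    allow-query { any; };               // public zones must be answerable by anyone
    allow-transfer { 192.0.2.53; };     // placeholder: only the secondary may AXFR
    notify yes;
};
zone "example.invalid" {
    type master;
    file "db.example.invalid";
};

// ---- (2b) Separate caching resolver for internal clients only ----
options {
    directory "/var/named";
    recursion yes;
    allow-recursion  { 192.0.2.0/24; localhost; };   // placeholder internal prefix
    allow-query-cache { 192.0.2.0/24; localhost; };  // nobody outside reads the cache
};
```

Each of the three `options` blocks belongs in its own `named.conf` on its own host; chroot is applied at start-up rather than in this file (`named -t /var/named/chroot -u named`), and the paths above are then relative to that chroot.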
