What tasks need to be done when setting up your own NS servers?

jeromeza Member
edited August 2015 in Help

I'm busy with this now but I assume the order would be as follows:

* Procure 2x VPSs (or more) and set up a DNS cluster with replication, e.g. PowerDNS, MaraDNS or cPanel DNS.
* Add your domains and create DNS records on said cluster: SOA / MX / A / CNAME etc.
* Set GLUE records at DOMAIN REGISTRAR and point them to your IPs, e.g. ns1.yourdomain.com = your_ip_here and ns2.yourdomain.com = your_ip_here
* Set A records on your NS server to reflect the NS name choices above (is this necessary or does the glue record do this for you? e.g. do I need "ns1.yourdomain.com A your_ip_here" to be set on my DNS cluster or is that made redundant by the GLUE records at registrar level?)
* Set reverse rDNS / PTR records on your VPS hosts where IP = ns1.yourdomain.com or IP = ns2.yourdomain.com (Is this done on the VPS host or do you set it on your own DNS cluster?)

Comments

  • I did it like this:

    1. set up MaraDNS on both VPSs
    2. configure it and write zonefiles
    3. write a little script for ns2 which syncs the data from ns1 via scp
    4. execute this script whenever I made a change to ns1
    5. set ns's of domains to my ns servers

    Don't know why it should be required to set rDNS for DNS server. I made it as well, but just because it would've been something I don't have anything to do with else.

  • jeromeza Member
    edited August 2015

    I've got both working in a cluster with MySQL replication in between.

    The next issue I want to look at is hardening. My guess would be:

    • Disable recursion - Currently my servers are serving records for THEIR domains and EVERYTHING else. I could see how this could be a big problem and result in them being used in amplification attacks. What would be the best way to limit this?

    • Change the version details in your config to obscure your software version / product for TXT requests for your version.bind

    Any other tips?

  • wych Member

    jeromeza said: Disable recursion

    Do that now, hosts have enough open resolvers to deal with already without a few more being open.

  • Yep, disable recursivity right now. Otherwise you're helping DDoSers in no time with reflection attacks.

    You don't have to "limit" anything, just tell your DNS servers they're authoritative only.
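As an added example (not code from anyone in this thread), the following Python script checks the two points raised above from the outside: whether a nameserver still answers recursively for names outside its own zones (the open-resolver problem), and whether it serves its own ns1 A record authoritatively (the glue question from the original post). It builds raw DNS packets with the standard library, so no dnspython is needed. The address 192.0.2.10 and the names ns1.yourdomain.com / www.example.org are placeholders to replace with your own.

```python
"""Probe an authoritative nameserver for accidental recursion.

Added example, not from the thread. Builds raw DNS packets (RFC 1035 wire
format) with the standard library only. Server address and names below are
placeholders; replace them with your own NS.
"""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(qname):
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_A, rd=True):
    """Return (packet, txid) for a one-question query; rd sets the Recursion Desired bit."""
    txid = random.getrandbits(16)
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN), txid


def parse_header(packet):
    """Decode the 12-byte DNS header into the flag bits this check cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }


def offers_recursion(header):
    """True if the server advertises recursion (RA) or handed back non-authoritative answers."""
    return header["ra"] or (header["ancount"] > 0 and not header["aa"])


def serves_own_ns_record(header):
    """True if the query for the NS host's A record came back authoritative with data."""
    return header["aa"] and header["rcode"] == 0 and header["ancount"] > 0


def probe(server_ip, qname, timeout=3.0):
    """Send one UDP query and return the parsed response header, or None on timeout/mismatch."""
    packet, txid = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    header = parse_header(data)
    if header["id"] != txid or not header["qr"]:
        return None  # not a reply to our query; ignore it
    return header


if __name__ == "__main__":
    NS_IP = "192.0.2.10"          # placeholder address (TEST-NET-1), not a real server
    NS_NAME = "ns1.yourdomain.com"  # placeholder NS hostname
    OUTSIDE = "www.example.org"   # a name the server is not authoritative for
    h = probe(NS_IP, OUTSIDE)
    if h is None:
        print("no reply from", NS_IP)
    elif offers_recursion(h):
        print("WARNING: open resolver; configure the server as authoritative-only")
    else:
        print("ok: recursion not offered (rcode %d)" % h["rcode"])
    h = probe(NS_IP, NS_NAME)
    print("self A record served authoritatively:", bool(h and serves_own_ns_record(h)))
```

Run it against each NS after switching the software to authoritative-only: a correctly configured server leaves RA clear and answers REFUSED (rcode 5) for names it does not host. On the glue question, the registrar's glue only gets resolvers to your server; the zone on your own cluster should still carry the A records for ns1 and ns2, which is what the second probe verifies.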
