What tasks need to be done when setting up your own NS servers?
I'm busy with this now but I assume the order would be as follows:
* Procure 2x VPSs (or more) and set up a DNS cluster with replication, e.g. PowerDNS, MaraDNS or cPanel DNS.
* Add your domains and create DNS records on said cluster: SOA / MX / A / CNAME etc.
* Set GLUE records at DOMAIN REGISTRAR and point them to your IPs, e.g. ns1.yourdomain.com = your_ip_here and ns2.yourdomain.com = your_ip_here.
* Set A records on your NS server to reflect the NS name choices above (is this necessary or does the glue record do this for you? e.g. do I need "ns1.yourdomain.com A your_ip_here" to be set on my DNS cluster or is that made redundant by the GLUE records at registrar level?)
* Set reverse rDNS / PTR records on your VPS hosts where IP = ns1.yourdomain.com or IP = ns2.yourdomain.com (Is this done on the VPS host or do you set it on your own DNS cluster?)
Comments
I did it like this:
Don't know why it should be required to set rDNS for a DNS server. I did it as well, but just because it would've otherwise been something I had nothing to do with.
I've got both working in a cluster with MySQL replication in between.
The next issue I want to look at is hardening. My guess would be:
Disable recursion - Currently my servers are serving records for THEIR domains and EVERYTHING else. I could see how this could be a big problem and result in them being used in amplification attacks. What would be the best way to limit this?
Change the version details in your config to obscure your software version / product for TXT requests for your version.bind
Any other tips?
Do that now, hosts have enough open resolvers to deal with already without a few more being open.
Yep, disable recursivity right now. Otherwise you're helping DDoSers in no time with reflection attacks.
You don't have to "limit" anything, just tell your DNS servers they're authoritative only.
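A way to verify the two hardening points raised above (recursion disabled, version.bind not disclosed) from the outside, as an added example that is not part of this thread: a minimal stdlib-only DNS client that sends a query with the RD bit set for a name the server is not authoritative for and inspects the response flags, plus a CHAOS TXT query for version.bind. The probe name, the transaction id and the server IP passed on the command line are assumptions.

```python
import socket
import struct
import sys

# Added example (not from the thread). Constructed probe: ask the server to recurse
# for a name it should not be authoritative for; an authoritative-only server must
# not set RA and must not hand back answers for it.
PROBE_NAME = "example.com"  # assumption: any name outside the server's own zones


def build_query(name, qtype=1, qclass=1, rd=True, txid=0x1234):
    """Build a raw DNS query packet. RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_header(resp):
    """Decode the 12-byte DNS header into the flags we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}


def is_open_resolver(resp):
    """True when the server advertises recursion (RA) and returned non-authoritative answers."""
    h = parse_header(resp)
    return bool(h["ra"] and h["rcode"] == 0 and h["ancount"] > 0 and not h["aa"])


def version_bind_query():
    """TXT (16) query in the CHAOS class (3) for version.bind."""
    return build_query("version.bind", qtype=16, qclass=3, rd=False)


def version_disclosed(resp):
    """True when the server answered the version.bind query instead of refusing it."""
    h = parse_header(resp)
    return h["rcode"] == 0 and h["ancount"] > 0


def udp_query(server, packet, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recvfrom(4096)[0]


if __name__ == "__main__":
    ns = sys.argv[1]  # assumption: IP of your ns1/ns2, reachable on UDP/53
    print("open resolver:", is_open_resolver(udp_query(ns, build_query(PROBE_NAME))))
    print("version.bind disclosed:", version_disclosed(udp_query(ns, version_bind_query())))
```

Run it against each nameserver after changing the config; both lines should read False once the server is authoritative-only and the version string is hidden.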