Nicolas Kovacs
2017-Apr-11 17:48 UTC
[CentOS] Primary DNS server with BIND on a public machine running CentOS 7
On 11/04/2017 at 19:34, Gordon Messmer wrote:
> 1: Change the "listen-on" settings to bind to network interfaces:
>
> - listen-on port 53 { 127.0.0.1; };
> - listen-on-v6 port 53 { ::1; };
> + listen-on port 53 { any; };
> + listen-on-v6 port 53 { any; };
>
> 2: Allow external queries by removing the allow-query setting entirely:
>
> - allow-query { localhost; };
>
> 3: Disallow recursion by removing recursion setting:
>
> - recursion yes;
>
> 4: Add your zones.
>
> DNSSEC is slightly more involved, but basic setup should be basically
> the same as what you've been doing.

I'll give this a try with a clear head tomorrow. Thanks very much!

-- 
Microlinux - Solutions informatiques durables
7, place de l'Église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
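Review bot: step 3 of the quoted change list does not actually disallow recursion: BIND's `recursion` option defaults to yes, so deleting the `recursion yes;` line only restores the default. For an authoritative-only server, change the line to `recursion no;` instead of removing it. Steps 1 and 2 behave as described, since `allow-query` defaults to any once the `{ localhost; }` line is gone.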
Chris Adams
2017-Apr-11 18:05 UTC
[CentOS] Primary DNS server with BIND on a public machine running CentOS 7
One additional DNS server note: you should disable firewalld for any DNS server, caching or authoritative. If you need firewalling, use straight iptables. The reason is that firewalld always enables connection state tracking (at least as far as I can tell), and that should never be used in front of a DNS server. A public authoritative server or any caching server can get a high rate of requests, and having the kernel firewalling trying to track connection states is a bottleneck (one that will be reached before DNS software's limits). If you must firewall a DNS server, use straight iptables and do not use connection state tracking. -- Chris Adams <linux at cmadams.net>
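A defender-side check for the point Chris makes, added here as an example and not taken from the thread: a small Python audit of constructed iptables-save output that reports whether DNS packets would be connection-tracked, and whether a raw-table NOTRACK exemption for port 53 is present. The rulesets are constructed samples, not captured from any host.

```python
import re

# Constructed sample of a conntrack-based ruleset of the kind firewalld generates.
TRACKED_RULESET = """\
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

# Constructed sample of the recommended shape: DNS exempted in the raw table and
# accepted statelessly, while SSH remains stateful.
UNTRACKED_RULESET = """\
*raw
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

STATE_MATCH = re.compile(r"-m (?:state|conntrack)\b")
DNS_PORT = re.compile(r"--[sd]port 53\b")
NOTRACK = re.compile(r"-j (?:NOTRACK\b|CT --notrack\b)")


def parse_rules(dump):
    """Yield (table, rule) pairs from iptables-save text."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, line


def audit_dns_conntrack(dump):
    """Report whether DNS traffic would be state-tracked under this ruleset."""
    rules = list(parse_rules(dump))
    # Any state match loads nf_conntrack, which then tracks every flow not
    # exempted in the raw table; a stateless DNS ACCEPT alone is not enough.
    conntrack_loaded = any(STATE_MATCH.search(r) for _, r in rules)
    dns_state_rules = [r for _, r in rules if DNS_PORT.search(r) and STATE_MATCH.search(r)]
    dns_exempted = any(t == "raw" and DNS_PORT.search(r) and NOTRACK.search(r) for t, r in rules)
    return {
        "conntrack_loaded": conntrack_loaded,
        "dns_rules_using_state": dns_state_rules,
        "dns_exempted_in_raw": dns_exempted,
        "dns_tracked": conntrack_loaded and not dns_exempted,
    }
```

Feed it the output of `iptables-save` from a live host to see whether its DNS flows end up in the conntrack table.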
Alice Wonder
2017-Apr-11 23:16 UTC
[CentOS] connection state tracking with DNS [was Primary DNS...]
Hi,

I would like to see this addressed.

I found more information on the issue at
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

Is there a firewalld solution to this issue?

On 04/11/2017 11:05 AM, Chris Adams wrote:
> One additional DNS server note: you should disable firewalld for any DNS
> server, caching or authoritative. If you need firewalling, use straight
> iptables.
>
> The reason is that firewalld always enables connection state tracking
> (at least as far as I can tell), and that should never be used in front
> of a DNS server. A public authoritative server or any caching server
> can get a high rate of requests, and having the kernel firewalling
> trying to track connection states is a bottleneck (one that will be
> reached before DNS software's limits).
>
> If you must firewall a DNS server, use straight iptables and do not use
> connection state tracking.
>