[TriLUG] DNS providers: why bother? was Re: Email Problems

Aaron Joyner aaron at joyner.ws
Fri Feb 15 17:08:40 EST 2013


On Fri, Feb 15, 2013 at 4:11 AM, Greg Cox <glcox at pobox.com> wrote:
> On Thu, Feb 14, 2013 at 8:51 PM, Aaron Joyner <aaron at joyner.ws> wrote:
>
>> * - A surprise awaits any diligent reader who can explain where the
>> dig +trace command above gets its list of the root nameserver
>> addresses from.  :)
>
>
> Tangential: for my home BIND I have a couple of weekly-to-monthly
> maintenance tasks that have come up and prevented boring cacher dns from
> being set-and-forget.
> 1) go 'offsite' and construct a new root hints file from the live data,
> since they do change now and then*.

Keep your OS up to date, and your package maintainer will effectively
do that for you:
asjoyner at bob:~$ dpkg -S /etc/bind/db.root
bind9: /etc/bind/db.root

You could also make the argument that you don't need to do that at
all.  BIND only reads that file at startup to query every entry until
it gets a current copy of the NS records for root from one of them.
It uses the retrieved data for subsequent queries.  So all 13 roots
would have to change their IPv4 addresses (and if you have IPv6
connectivity, another 8 IPv6 addresses would have to change) before
the maintainer updates his copy and you fetch a new BIND package.  I
feel very confident in saying you'll have re-installed from scratch
before that many roots change their IPs; it's quite likely both you
and I will die of old age first.

I did some spelunking for fun.  I pulled a named.cache file from
1995*, and compared it with the current version published by the
roots.  In 1995 there were only roots up to i.root-servers.net, so
ignoring the newer J through M... only B and D have changed their IPs
in the last 18 years.  This supports my theory that even a zone file
from the mid 1990s is likely to outlive us.  :)


> 2) go out and download/construct a 'bogon' list ** which then gets slurped
> in for security.

I'm not sure in what way you're applying a bogon list to your BIND
configuration?  Creating a special view for them?  Denying incoming
connections?  Wouldn't this level of paranoia be better-suited to the
firewall (iptables) level?  I'm eager to hear what you've got going on
there.

Aaron S. Joyner

* - Can anyone find one older than 1995?
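The hints-file comparison described above (a stale named.cache held up against current data), as an added example that is not part of the original post and not BIND's own tooling: a small Python parser for the root hints format, a diff that reports which roots were added, dropped or renumbered, and a check for which entries in a stale file a priming query could still reach. The two hint snippets embedded below are constructed for illustration and are not authoritative copies of either the 1995 file or the current one.

```python
"""Compare two BIND root-hints files (db.root / named.cache).

Added example, not part of the original post.  The two hint snippets
below are constructed for illustration only and are not authoritative
copies of any published named.cache.
"""

from collections import defaultdict

# Constructed "old" hints: three roots, no class column (the InterNIC
# layout omits "IN"; BIND accepts both forms).
OLD_HINTS = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
"""

# Constructed "new" hints: class column present, an AAAA record, B and D
# renumbered, and a new root (M) listed.
NEW_HINTS = """\
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000  IN  AAAA  2001:503:ba3e::2:30
.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     192.228.79.201
.                        3600000  IN  NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000  IN  A     199.7.91.13
.                        3600000  IN  NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000  IN  A     202.12.27.33
"""


def parse_hints(text):
    """Parse hints text into ({server: {rrtype: set(addr)}}, set(ns_names)).

    Lines beginning with ';' are comments.  Each record is
    OWNER TTL [CLASS] TYPE RDATA; the optional class is dropped so the
    InterNIC layout and the Debian layout parse identically.
    """
    addrs = defaultdict(lambda: defaultdict(set))
    ns_names = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[2].upper() == "IN":
            del fields[2]
        if len(fields) != 4:
            raise ValueError("unparseable hints record: %r" % raw)
        owner, _ttl, rrtype, rdata = fields
        owner, rrtype = owner.upper(), rrtype.upper()
        if owner == "." and rrtype == "NS":
            ns_names.add(rdata.upper())
        elif rrtype in ("A", "AAAA"):
            addrs[owner][rrtype].add(rdata.lower())
    return addrs, ns_names


def diff_hints(old_text, new_text):
    """Roots added, removed, or renumbered between two hints files.

    A record type present on only one side (e.g. AAAA added later) is
    not a renumbering; a change is only reported when both sides carry
    that type and the address sets differ.
    """
    old_addrs, old_ns = parse_hints(old_text)
    new_addrs, new_ns = parse_hints(new_text)
    changed = {}
    for name in sorted(old_ns & new_ns):
        for rrtype in ("A", "AAAA"):
            before = old_addrs[name].get(rrtype, set())
            after = new_addrs[name].get(rrtype, set())
            if before and after and before != after:
                changed.setdefault(name, {})[rrtype] = (sorted(before), sorted(after))
    return {"added": sorted(new_ns - old_ns),
            "removed": sorted(old_ns - new_ns),
            "changed": changed}


def usable_for_priming(stale_text, current_text):
    """Roots in a stale file whose listed addresses still match current data.

    Priming only needs one of these to answer, so the stale file is
    still usable as long as this list is non-empty.
    """
    stale_addrs, stale_ns = parse_hints(stale_text)
    current_addrs, _ = parse_hints(current_text)
    usable = []
    for name in sorted(stale_ns):
        listed = set().union(*stale_addrs[name].values())
        live = set().union(*current_addrs[name].values())
        if listed & live:
            usable.append(name)
    return usable


if __name__ == "__main__":
    report = diff_hints(OLD_HINTS, NEW_HINTS)
    print("added:  ", report["added"])
    print("removed:", report["removed"])
    for name, types in report["changed"].items():
        for rrtype, (before, after) in types.items():
            print("changed:", name, rrtype, before, "->", after)
    print("still primeable from old file:", usable_for_priming(OLD_HINTS, NEW_HINTS))
```

Point the two constants at a real old and current db.root to repeat the comparison; the parser tolerates both the class-less InterNIC layout and the Debian one, and the last check is the one that matters operationally, since a stale file only stops working once every root it lists has moved.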
