    What tasks need to be done when setting up your own NS servers?

    jeromezajeromeza Member
    edited August 2015 in Help

    I'm busy with this now but I assume the order would be as follows:

    * Procure 2x VPSes (or more) and set up a DNS cluster with replication, e.g. PowerDNS, MaraDNS or cPanel DNS.
    * Add your domains and create DNS records on said cluster (SOA / MX / A / CNAME etc).
    * Set GLUE records at the DOMAIN REGISTRAR and point them to your IPs, e.g. ns1.yourdomain.com = your_ip_here and ns2.yourdomain.com = your_ip_here.
    * Set A records on your NS server to reflect the NS name choices above (is this necessary, or does the glue record do this for you? e.g. do I need "ns1.yourdomain.com A your_ip_here" to be set on my DNS cluster, or is that made redundant by the GLUE records at registrar level?).
    * Set reverse rDNS / PTR records on your VPS hosts where IP = ns1.yourdomain.com or IP = ns2.yourdomain.com (is this done on the VPS host, or do you set it on your own DNS cluster?).

    Comments

    • I did it like this:

      1. set up MaraDNS on both VPSes
      2. configure it and write zonefiles
      3. write a little script for ns2 which syncs the data from ns1 via scp
      4. execute this script whenever I make a change to ns1
      5. set the NS of my domains to my NS servers

      Don't know why it should be required to set rDNS for a DNS server. I did it as well, but only because it would otherwise have been something I'd have nothing to do with.

      ¦ x64Dash ¦

    • jeromezajeromeza Member
      edited August 2015

      I've got both working in a cluster with MySQL replication in between.

      The next issue I want to look at is hardening. My guess would be:

      • Disable recursion - Currently my servers are serving records for THEIR domains and EVERYTHING else. I could see how this could be a big problem and result in them being used in amplification attacks. What would be the best way to limit this?

      • Change the version details in your config to obscure your software version / product for TXT requests for your version.bind

      Any other tips?

    • wychwych Member

      jeromeza said: Disable recursion

      Do that now, hosts have enough open resolvers to deal with already without a few more being open.

      Taking a hiatus.

    • Yep, disable recursion right now. Otherwise you're helping DDoSers in no time with reflection attacks.

      You don't have to "limit" anything, just tell your DNS servers they're authoritative only.

      ¦ x64Dash ¦
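    A quick way to verify the two hardening points raised above (authoritative-only, and no version.bind leak) from the outside, as an added example that is not from the thread or any of the DNS packages mentioned: it builds raw DNS queries with the standard library only, and an authoritative-only server should answer a foreign name with RA clear and REFUSED, and return no answer for the CH TXT version.bind query. The `fake_response` helper, the server address and the probe name `example.com` are assumptions for offline testing.

    ```python
    import socket
    import struct

    def encode_name(name):
        """Encode a dotted name into DNS wire-format labels."""
        labels = name.rstrip(".").split(".")
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

    def build_query(name, qtype, qclass=1, rd=True, qid=0x1234):
        """Build a one-question DNS query; rd=True sets the RD (recursion desired) bit."""
        flags = 0x0100 if rd else 0x0000
        header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
        return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

    def parse_header(resp):
        """Decode the 12-byte DNS header into the flags a hardening check cares about."""
        qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
        return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
                "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
                "rcode": flags & 0x000F, "ancount": an}

    def offers_recursion(resp):
        """True if the server advertises recursion (RA set) or answered a name it is
        not authoritative for (records returned without AA). An authoritative-only
        server clears RA and normally replies REFUSED (rcode 5) for foreign names."""
        h = parse_header(resp)
        return h["ra"] or (h["ancount"] > 0 and not h["aa"])

    def fake_response(flags, ancount):
        """Constructed header for offline testing; no real server is involved."""
        return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

    def query(server, name, qtype, qclass=1, timeout=3.0):
        """Send one UDP query to server:53 and return the raw reply (needs network)."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, qclass), (server, 53))
            return s.recv(4096)

    def audit(server):
        """Probe a nameserver for open recursion and a version.bind leak."""
        foreign = query(server, "example.com", 1)            # a zone you do not host
        version = query(server, "version.bind", 16, qclass=3)  # CH TXT version.bind
        return {"open_recursion": offers_recursion(foreign),
                "version_exposed": parse_header(version)["ancount"] > 0}

    if __name__ == "__main__":
        print(audit("192.0.2.1"))  # placeholder address: replace with your ns1/ns2
    ```
    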
