[dns-operations] New subscribers
cra at WPI.EDU
Wed Dec 29 20:51:41 UTC 2010
On Wed, Dec 29, 2010 at 01:12:19PM -0700, wllarso wrote:
> A number of years ago (and I hate to admit HOW long ago) on the
> BIND-USERS list, the topic of what should also be allowed to run on a
> DNS server was brought up. The response was to allow the DNS server to
> also provide NTP services but nothing else. No web server, no database
> server, no user logins, etc.
I would add TFTP & DHCP to those. I consider those four to be the
most basic network infrastructure services: DHCP, DNS, NTP, and TFTP
(for boot images, config files, maybe PXE first-stage loaders, etc.)
> The idea was that hardware was cheap enough that having servers
> dedicated to only providing DNS services was very practical. Nowadays,
> this should be an even more compelling reason for having dedicated DNS
> servers and not piggybacking on every other service possible. If
> separate hardware is not available then at least separate virtual
> machines are still a possibility. (But don't get me on the topic of
> running a DNS server on a VM!)
I was thinking of separating out the authoritative DNS servers from
the recursive DNS resolvers on separate VMs on the same hardware.
> If you are worried about the hundreds, and apparently thousands, of
> possible packages installed on your DNS server, aren't you defeating the
> KISS principle for operating a critical infrastructure service?
> Wouldn't controlling your architecture of your DNS servers, i.e.,
> deploying DNS ***ONLY*** servers, make this issue of package
> dependencies much simpler?
If you have the budget for one physical server per network
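A quick way to check a host against the "DNS, DHCP, NTP, TFTP and nothing else" rule discussed above is to audit its listening sockets. This is an added example, not code from the list or from either poster; it assumes `ss -H -lntup` style output, and the sample lines below are constructed, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample of `ss -H -lntup` output (Netid State Recv-Q Send-Q
# Local:Port Peer:Port Process); not captured from a real host.
SAMPLE_LISTENERS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("named",pid=812,fd=20))
tcp LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("named",pid=812,fd=21))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=640,fd=16))
udp UNCONN 0 0 0.0.0.0:69 0.0.0.0:* users:(("in.tftpd",pid=701,fd=4))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=990,fd=4))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1104,fd=19))'

# Ports a dedicated infrastructure server may expose: DNS (53),
# DHCP (67/68), TFTP (69), NTP (123). Everything else is a finding.
ALLOWED_PORTS="53 67 68 69 123"

# unexpected_listeners: reads ss-style lines on stdin and prints
# "proto port process" for every listener whose port is not allowed.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        port = $5; sub(/.*:/, "", port)             # keep only the port
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/))         # users:(("name",...
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        if (!(port in ok)) print $1, port, proc
    }'
}

# audit_host: exit 0 when only the four services listen, 1 otherwise.
# Replace the sample with: ss -H -lntup | unexpected_listeners
audit_host() {
    out=$(printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```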