Chuck Anderson cra at WPI.EDU
Wed Dec 29 20:51:41 UTC 2010

On Wed, Dec 29, 2010 at 01:12:19PM -0700, wllarso wrote:
> A number of years ago (and I hate to admit HOW long ago) on the  
> BIND-USERS list, the topic of what should also be allowed to run on a  
> DNS server was brought up.  The response was to allow the DNS server to  
> also provide NTP services but nothing else.  No web server, no database  
> server, no user logins, etc.

I would add TFTP & DHCP to those.  I consider those four to be the 
most basic network infrastructure services: DHCP, DNS, NTP, and TFTP 
(for boot images, config files, maybe PXE first-stage loaders, etc.)

> The idea was that hardware was cheap enough that having servers
> dedicated to only providing DNS services was very practical.  Nowadays,
> this should be an even more compelling reason for having dedicated DNS
> servers and not piggybacking on every other service possible.  If
> separate hardware is not available then at least separate virtual
> machines are still a possibility.  (But don't get me on the topic of
> running a DNS server on a VM!)

I was thinking of separating out the authoritative DNS servers from 
the recursive DNS resolvers on separate VMs on the same hardware.

> If you are worried about the hundreds, and apparently thousands, of
> possible packages installed on your DNS server, aren't you defeating the
> KISS principle for operating a critical infrastructure service?
> Wouldn't controlling the architecture of your DNS servers, i.e.,
> deploying DNS ***ONLY*** servers, make this issue of package
> dependencies much simpler?

If you have the budget for one physical server per network 
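The authoritative/recursive split discussed above is only worth the separate VMs if the authoritative box actually refuses to recurse. The following is an added example, not code from the thread or from BIND: a minimal wire-format DNS query builder and header parser that classifies a server's reply by its AA/RA flags and RCODE, so an authoritative-only server can be verified to answer in-zone with AA set and RA clear and to REFUSE everything else. The sample replies are constructed header-only byte strings; the server name, zone names and the fixed transaction ID 0x1234 are illustrative assumptions, and `probe()` is the only function that touches the network.

```python
import os
import socket
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000   # 1 = response
AA = 0x0400   # authoritative answer
TC = 0x0200   # truncated
RD = 0x0100   # recursion desired (echoed back by the server)
RA = 0x0080   # recursion available: set only by a server willing to recurse
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a one-question DNS query (qtype 1 = A) with RD set by default."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte DNS header into its id, flag bits, rcode and answer count."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODE_NAMES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "ancount": an,
    }


def classify(resp):
    """Say what the reply tells us about the server's role."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"]:
        return "recursion-offered"      # the box is acting as a resolver (bad on an auth-only server)
    if h["aa"]:
        return "authoritative-only"     # in-zone answer, no recursion offered: what we want
    if h["rcode"] == "REFUSED":
        return "refused"                # off-zone name on an auth-only server: also what we want
    return "no-recursion"               # RA clear but neither AA nor REFUSED (e.g. NXDOMAIN from a cache)


def _make_response(txid, flags, ancount=0):
    # Constructed header-only reply for offline testing (no question/answer sections).
    return struct.pack("!HHHHHH", txid, QR | flags, 1, ancount, 0, 0)


# Constructed samples: what each kind of server would send back to an RD=1 query.
SAMPLE_AUTH = _make_response(0x1234, AA | RD, ancount=1)   # authoritative, RA clear
SAMPLE_REFUSED = _make_response(0x1234, RD | 5)            # off-zone query refused, RA clear
SAMPLE_RESOLVER = _make_response(0x1234, RD | RA, ancount=1)  # recursive answer, RA set


def probe(server, name, timeout=2.0):
    """Send one RD=1 query over UDP/53 and classify the reply (network access; assumed server name)."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != txid:
        raise ValueError("transaction id mismatch")
    return classify(resp)


if __name__ == "__main__":
    for label, sample in (("auth", SAMPLE_AUTH), ("refused", SAMPLE_REFUSED), ("resolver", SAMPLE_RESOLVER)):
        print(label, classify(sample))
    # Against a real deployment one would run, e.g.:
    #   probe("ns1.example.net", "www.example.net")   -> expect "authoritative-only"
    #   probe("ns1.example.net", "www.example.org")   -> expect "refused"
```

Run against both VMs: the authoritative one should yield "authoritative-only" for its own zones and "refused" for anything else, while "recursion-offered" from it means recursion was left enabled and the split has not bought you anything.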

