[wplug] DNS Question

Christopher DeMarco cmd at alephant.net
Mon May 8 08:50:06 EDT 2006


On Sun, May 07, 2006 at 10:54:27PM -0400, Brandon Kuczenski wrote:

> setting up named and taking control of my own domain-name.  Up until now I 

Don't use BIND, use tinydns (http://cr.yp.to/djbdns.html). 


> problematic -- how could you have two different master domain name
> servers?  Which one does the user trust?

The registrar (the person to whom you pay $25 annually for
registration/renewal) creates a WHOIS record for your domain,
indicating that ns1.foo.com and ns2.foo.com are authoritative for your
domain.  They will usually also set up "glue" records resolving
ns1.foo.com and ns2.foo.com to IP addresses.

From a resolver's point of view, ns1.foo.com and ns2.foo.com are
identical -- they're equally authoritative.  The "master" and "slave"
taxonomy is applicable only from an administrative standpoint,
e.g. where do you log in to update the zone file, who propagates to
whom, etc.


> mine.  What would be the effect of leaving my dns up, given that
> both services provide the same information, ultimately?

If the WHOIS record (``whois alephant.net'') doesn't list your
nameservers, nobody will use them.  Ever.


> Is it still desirable to run one's own domain name server? Or should

If you have applications which require finer-grain control than they
provide, then you should run your own NS.  If you think it might be
fun, you can feel free to run your own NS.  Otherwise, outsource it.
Personally, I like EasyDNS.


I will make one more unasked-for comment (cf. "tinydns", above): Make
sure that you're clear on the difference between an *authoritative
nameserver* and a *resolving nameserver*.  BIND mixes the two without
distinction; their roles are totally different.

An authoritative nameserver is the one that others use to find the
addresses of *your* servers.  A resolving (aka "recursive") nameserver
is the one that *you* use to find the addresses of other peoples'
servers.  An earlier respondent recommended running a "caching" (aka
recursive aka resolving) nameserver locally; this is a good idea
regardless of whether you outsource authoritative DNS because:

  (a) you have much quicker lookups
  (b) you are less susceptible to cache poisoning attacks

dnscache (part of the djbdns package hyperlinked above) is an
excellent, easy-to-setup solution.  


-- 
Christopher DeMarco <cmd at alephant.net>
Alephant Systems (http://alephant.net)
PGP public key at http://pgp.alephant.net
+1-412-708-9660
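The points above (a resolver only reaches nameservers that the registry's delegation and glue point at, every delegated server is equally authoritative, and a local cache answers repeat queries without touching the network) can be seen in a toy resolver. The following is an added example, not code from the post or from djbdns; the servers are plain dictionaries, the zone names are hypothetical and use the reserved "example" TLD, and all addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy iterative resolver walking a constructed delegation chain.

No network and no real DNS: the 'servers' are dictionaries.  Names use the
reserved 'example' TLD and addresses come from the RFC 5737 documentation
ranges, so everything here is constructed.  Real resolvers also handle TTLs,
CNAMEs, retries and server selection by round-trip time; this toy does not.
"""

# Each server is keyed by its IP and maps (owner, type) -> list of rdata.
SERVERS = {
    # Root server: delegates the "example." TLD, with a glue A record.
    "192.0.2.1": {
        ("example.", "NS"): ["ns.tld.example."],
        ("ns.tld.example.", "A"): ["192.0.2.2"],
    },
    # TLD server: holds the NS records the registrar created for foo.example.
    # plus the glue that lets a resolver reach ns1/ns2 at all.
    "192.0.2.2": {
        ("foo.example.", "NS"): ["ns1.foo.example.", "ns2.foo.example."],
        ("ns1.foo.example.", "A"): ["198.51.100.1"],
        ("ns2.foo.example.", "A"): ["198.51.100.2"],
    },
    # The two delegated authoritative servers; identical zone data.  Which one
    # is "master" is invisible from here.
    "198.51.100.1": {("www.foo.example.", "A"): ["203.0.113.80"]},
    "198.51.100.2": {("www.foo.example.", "A"): ["203.0.113.80"]},
    # A home server with correct data that no delegation points at: it is
    # never contacted, exactly as the post says.
    "203.0.113.53": {("www.foo.example.", "A"): ["203.0.113.80"]},
}


def query(ip, name, rtype):
    """One simulated query.  A real server would return only the matching
    answer or referral; the toy returns its whole record set."""
    return SERVERS[ip]


def iterative_resolve(name, rtype, root_ip="192.0.2.1", ns_index=0):
    """Walk referrals from the root.  Returns (rdata, list of IPs contacted).
    ns_index picks which delegated nameserver to follow at each step; real
    resolvers choose by measured latency or at random."""
    contacted = []
    ip = root_ip
    for _ in range(8):  # cap the number of referrals, as real resolvers do
        contacted.append(ip)
        records = query(ip, name, rtype)
        if (name, rtype) in records:
            return records[(name, rtype)], contacted
        # Referral: the NS set for the longest suffix of `name` delegated here.
        labels = name.split(".")
        referral = None
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if (zone, "NS") in records:
                referral = records[(zone, "NS")]
                break
        if referral is None:
            raise LookupError(f"{ip} has neither answer nor referral for {name}")
        ns = referral[ns_index % len(referral)]
        glue = records.get((ns, "A"))
        if not glue:
            # Without glue the resolver would first have to resolve `ns` itself,
            # which is circular when ns lives inside the zone being delegated.
            raise LookupError(f"no glue for {ns}; cannot reach the delegated server")
        ip = glue[0]
    raise LookupError("too many referrals")


class CachingResolver:
    """Local recursive/caching resolver, the role dnscache plays in the post.
    Answers from its cache when it can, otherwise walks the delegation.
    TTL expiry is omitted for brevity."""

    def __init__(self):
        self.cache = {}

    def lookup(self, name, rtype):
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key], []  # served locally: no server contacted
        rdata, contacted = iterative_resolve(name, rtype)
        self.cache[key] = rdata
        return rdata, contacted


if __name__ == "__main__":
    for idx in (0, 1):
        rdata, path = iterative_resolve("www.foo.example.", "A", ns_index=idx)
        print(f"via delegated NS #{idx}: {rdata} path={path}")
    home_hit = any("203.0.113.53" in iterative_resolve("www.foo.example.", "A", ns_index=i)[1]
                   for i in (0, 1))
    print("home server ever contacted:", home_hit)
    r = CachingResolver()
    print("first lookup contacts", r.lookup("www.foo.example.", "A")[1])
    print("second lookup contacts", r.lookup("www.foo.example.", "A")[1])
```

Running it shows the same answer whether the resolver follows ns1 or ns2 (the "master" is an administrative notion only), that the undelegated server at 203.0.113.53 never appears in any path, and that the caching resolver's second lookup contacts nobody, which is the "quicker lookups" benefit of running dnscache locally.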

