Re: Running namecache service on postfix server?
Feb 27, 2013
On 02/27/2013 10:43 AM, Viktor Dukhovni wrote:
> On Wed, Feb 27, 2013 at 10:20:50AM -0500, Wietse Venema wrote:
>>>> I think it would be entirely reasonable to share a DNS cache among
>>>> multiple systems within the same trusted perimeter. One DNS server
>>>> per host in a farm of mail servers may not be practical.
>>> A local cache on each, forwarding to two or three resolvers that are
>>> nearby? Local for DNSSEC verification, nearby cache for performance
>>> reasons? Am I missing something that would make that impractical?
>> I think it would be helpful to give examples of how "secure DNS"
>> caches can be shared, instead of outright banning this. On non-trivial
>> deployments, DNS and MAIL are managed by different people.
> This was the intent of my original example, I guess I did not draw
> sufficient attention to the:
> name: "."
> forward-addr: 192.0.2.1
> stanza at the bottom of the unbound.conf example. We'll need to
> provide a similar configuration example for BIND, and explain the
> rationale for both, so other local nameservers could also be
> supported by an MTA administrator who understands the requirements.

On Centos 6.3 (bind 9.8.2 with security patches) I did:

yum install bind bind-chroot
In /etc/sysconfig/network-scripts/ifcfg-eth0 set:
ifdown eth0; ifup eth0
Add to /var/named/chroot/etc/named.conf options section:
'IPv4 addr of forwarded server';
'IPv6 addr of forwarded server';
service named start
chkconfig named on
You CAN use 'forward first' and then if your forward server is
unreachable, your caching server will go out on the net to the '.'
servers and walk down from there. Look at 'first' as opportunistic local
forwarding and 'only' as forced local forwarding.
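As an added illustration (not from the post or from Viktor's unbound example), here is what the two forwarding modes look like side by side in a BIND 9.8 named.conf options section, with local DNSSEC validation kept on so the nearby caches are only relied on for availability, not for integrity; the forwarder addresses and the chroot path are assumed placeholders.

```conf
options {
    directory "/var/named";          # assumed; under bind-chroot this is relative to the jail

    # Validate answers on this host regardless of where they were fetched from.
    # "auto" uses BIND's built-in root trust anchor (available from 9.8.0).
    dnssec-enable yes;
    dnssec-validation auto;

    # Nearby shared caches (placeholder addresses, RFC 5737 documentation range).
    # They must be DNSSEC-aware (return RRSIG/NSEC records when asked), otherwise
    # local validation fails with SERVFAIL even though the forwarders are reachable.
    forwarders { 192.0.2.1; 192.0.2.2; };

    # Forced local forwarding: every query goes to the forwarders; if all of them
    # are down, resolution on this host fails.
    forward only;

    # Opportunistic local forwarding (the alternative the post describes):
    # try the forwarders, and if none answers, walk down from the root servers.
    # Uncomment this line and remove "forward only;" to use it.
    # forward first;
};
```

With either mode the AD flag in answers from 127.0.0.1 comes from this host's own validation, which is the property that makes sharing the upstream cache acceptable.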