In a bit of bind...
Ben.Matthew at timlradio.co.uk
Mon Jun 1 10:59:30 UTC 2009
Firstly... I apologise for the atrocious pun in the subject; just can't seem to help myself.
Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).
Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.
Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that:
1) Creates a zone file for "mydomain.com" and fills in defaults; overrides with options from the web-app if needed.
2) Updates the existing named.conf file
3) Opens a secure connection to the master, and uploads new config files
4) Runs a remote process to restart BIND
5) Opens a secure connection to slave, updates named.conf
6) Runs a remote process to restart BIND
But I've had a play with "myDNS" (http://mydns.bboy.net) which is capable of serving DNS requests directly from a MySQL database. And it seems pretty good. All my web-app now needs to do is adjust some database records and everything else updates automatically. All very cool.
However, my question is this... Has anyone yet experienced any major problems with myDNS - either security or reliability? Frankly, I'm a little scared of daring to shift away from a well-established system.
Perhaps you've had the chance to poke about in the code... Is it based on the BIND codebase? Does it get security updates when exploits are revealed?
Finally, I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. OK, I appreciate it doesn't get around security concerns but hey ho.
Opinions much appreciated.
Ben Matthew, Senior Network Engineer
Absolute Radio, One Golden Square, London W1F 9DJ
Tel: 020 7432 3457 Mobile: 07817464623
Absolute Radio, winner of four Sony Radio Awards in 2009
TIML Radio Limited (trading as Absolute Radio)
Registered office: One Golden Square, London. W1F 9DJ
Registered in England No 02674136 VAT No 927 2572 11
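
Steps 1 and 2 of the plan in the message above (generate the zone file, add the zone to named.conf) are where web-form input ends up inside BIND configuration, so the generator has to refuse anything that is not a plain hostname or address. The sketch below is an added example, not code from the poster or from BIND; it is written in Python rather than the PHP the message mentions, and the function names, the `hostmaster` contact, the SOA timers and the `/etc/bind/zones` path are all assumptions.

```python
import ipaddress
import re
from datetime import date

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def validate_domain(name):
    """Normalise a hostname, or raise ValueError if it is not a plain one."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"rejected domain name: {name!r}")
    return name

def next_serial(previous, today):
    """YYYYMMDDnn serial that always increases, so slaves notice the change."""
    return max(int(today.strftime("%Y%m%d")) * 100, previous + 1)

def build_zone(domain, web_ip, nameservers, serial, ttl=3600):
    """Zone file text for a simple web zone (step 1)."""
    domain = validate_domain(domain)
    ip = ipaddress.IPv4Address(web_ip)  # ValueError unless a dotted quad
    ns = [validate_domain(n) for n in nameservers]
    if not ns:
        raise ValueError("at least one nameserver is required")
    lines = [f"$TTL {int(ttl)}",
             f"@ IN SOA {ns[0]}. hostmaster.{domain}. ( {int(serial)} 7200 900 1209600 3600 )"]
    lines += [f"@ IN NS {n}." for n in ns]
    lines += [f"@ IN A {ip}", f"www IN A {ip}"]
    return "\n".join(lines) + "\n"

def named_conf_stanza(domain, zone_dir="/etc/bind/zones"):
    """named.conf zone block (step 2); zone_dir is an assumed path."""
    domain = validate_domain(domain)
    return f'zone "{domain}" {{\n    type master;\n    file "{zone_dir}/db.{domain}";\n}};\n'

if __name__ == "__main__":
    # Constructed sample input, as the web form might submit it.
    serial = next_serial(2009060100, date(2009, 6, 1))
    print(build_zone("mydomain.com", "192.0.2.10", ["ns1.mydomain.com", "ns2.mydomain.com"], serial))
    print(named_conf_stanza("mydomain.com"))
    try:
        named_conf_stanza('bad"; name')  # constructed malformed value
    except ValueError as err:
        print("refused:", err)
```

Running `named-checkzone` and `named-checkconf` on the generated files before the upload and restart steps catches anything the generator itself got wrong.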