Bind Configuration
Keith Smith
techlists at phpcoderusa.com
Mon Dec 8 12:05:34 MST 2014
Nice, thanks!!
On 2014-12-08 13:02, Amit Nepal wrote:
> Check out the iredmail for easy installation and management of Postfix
> with mysql and some extras .It is basically a script , that downloads
> necessary files, configure the database and everything for you and
> also installs a front end web interface. I usually replace the
> frontend with postfix admin , but iredadmin is not bad either.
>
> http://www.iredmail.org/ [3]
>
> Thanks
>
> Amit K Nepal
> Chief Information Officer
> (RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)
> omNovia Technologies Inc. On 12/8/2014 11:53 AM, Keith Smith wrote:
>
>> Hi Austin,
>>
>> Bind and mail are new to me. I can do the LAMP part. I've
>> looked at webmin and would like to stay away from it. I think
>> webmin is a great resource, however I really want to do this from
>> the command line.
>>
>> Between the docs, Google, YouTube, and you guys so graciously
>> helping me, I should be able to learn this at the command line.
>>
>> Thank!
>> Keith
>>
>> On 2014-12-08 12:09, JD Austin wrote:
>> If all of this is new to you install webmin (but don't allow it
>> outside of your firewall):http://www.webmin.com/ [1] [1]
>>
>> -- JD Austin
>> Voice: 480.269.4335 (480 2MY Geek)
>> jd at twingeckos.com
>>
>> On Mon, Dec 8, 2014 at 10:11 AM, Keith Smith
>> <techlists at phpcoderusa.com> wrote:
>>
>> Sorry guys. I should have given more info.
>>
>> I'm a LAMP developer. I am increasingly doing more sys admin
>> stuff. I home office. I have a Cox business account that allows
>>
>> me to run a server. I bought a Dell i5 / 8GB RAM for this
>> project. I have never configured BIND or any email server. It is
>> my goal to do so. One LAMP+Dind+Mail server in my home office.
>>
>> I installed CentOS 7 on the Dell and am hoping to use this project
>> to learn how to mange a server from top to bottom. I have no
>> problem
>> configuring a LAMP server. It is Bind and
>> Postfix+Dovecott+Spamassassin+MySql that I need help with.
>>
>> I figure by running my own server I will learn a lot and round out
>> my skills.
>>
>> So that is my project......
>>
>> Thank you so much for your help!! I'm sure I will have lots of
>> questions along the way.
>>
>> Keith
>>
>> On 2014-12-08 10:40, der.hans wrote:
>>
>> Am 08. Dez, 2014 schwätzte Michael Butash so:
>>
>> moin moin,
>>
>> On 12/07/2014 10:42 PM, der.hans wrote:
>> Am 07. Dez, 2014 schwätzte Michael Butash so:
>>
>> You'll want to allow tcp/53 if doing any sort of public dns -
>> anything greater than 1500 bytes (ie most domain-keys//spf
>> records),
>> and also any
>>
>> True, if you're doing those things, you might have large dns
>> payloads and
>> need tcp. If you think they cause problems rather than fixing them,
>>
>> then
>> ...
>> "Normal" use of these yes, but imho better just to leave it be
>> serviced anyways, especially if any sort of provider for others.
>>
>> Yeah, I suppose I pre-optimized and presumed this would be home,
>> non
>> 3rd
>> party use for Keith.
>>
>> anomaly mitigation gear (the things that keep 400gb DDoS at bay)
>> use that to
>>
>> What would anomaly mitigation gear be doing to cause large dns
>> payloads?
>> That's a serious question as I don't even know what anomaly
>> mitigation
>> gear is.
>> It's not a large payload issue, it's a method of them validating
>> who
>> is a script opening a raw udp socket to spew junk, etc vs. a "real"
>>
>> RFC-compliant client by sending that truncate bit back to the
>> client,
>> making them request via tcp, and thus doing something more than
>> legit
>> aiming a cannon.
>>
>> Hmm, this isn't making sense to me. Are you saying a client makes
>> a
>> request to your dns service and you force the client over to tcp
>> lookups?
>> If so, does that cause the rest of the recursive lookup to other
>> servers
>> to be tcp as well?
>>
>> Having worked for one of those large hosting companies that gets
>> those 300gb ddos attacks you read about (not to mention being
>> responsible for dealing with them), you need something to do
>> mitigate botnet blasts automagically,
>>
>> Most of our protocols could use some updates.
>>
>> and luckily some smart people figure out protocol challenge
>> behavioral hacks to do that. I remember back in 2003 needing to
>> open firewalls to allow tcp for our dns just for that alone when
>> ddos became vogue among warring customers, but became more common
>> at
>> various other businesses to have to address allowing tcp as well
>> for
>> spf and others.
>>
>> It also broke some remote providers that blocked tcp/53 as well for
>>
>> some reason when our devices couldn't "validate" them, adding them
>> to a drop list vs. whitelisting them as "valid" clients.
>>
>> Did those remote providers block tcp/53 for client or just for
>> server
>> (
>> only incoming syn blocks )?
>>
>> Not that big a deal running a server at your house, and never using
>>
>> dkim/spf. I think most default cisco asa firewall configs still
>> filter udp dns protocol traffic by default over 512 too.
>>
>> figure our if you're real or not. Blocking tcp for dns is not a
>> good idea as a whole, it's just RFC-compliant behavior things
>> expect.
>>
>> As I recall, the RFC only specifies tcp for large payloads. Don't
>> allow
>> them and tcp isn't necessary.
>> Less is more I suppose when talking firewalls, just know when you
>>
>> *do* need things like tcp-based dns.
>>
>> Yeah, good thing for Keith that you're pointing out that a
>> service
>> provider probably has to leave tcp/53 exposed, especially when
>> using
>> newer
>> dns record 'features'.
>>
>> ciao,
>>
>> der.hans
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2] [2]
>>
>> --
>> Keith Smith
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2] [2]
>>
>> Links:
>> ------
>> [1] http://www.webmin.com/ [1]
>> [2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [2]
>
>
>
> Links:
> ------
> [1] http://www.webmin.com/
> [2] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> [3] http://www.iredmail.org/
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
Keith Smith
More information about the PLUG-discuss
mailing list