Bind DNS servers: can they coexist with httpd and mail servers?


Bind DNS servers: can they coexist with httpd and mail servers?

Tom Browder
I want to host my own DNS servers, but I need the master to share Bind with other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.

Is there any reason that is not possible?

If not, are there any problems or configuration issues I will need to address?

Thanks.

With warmest regards,

-Tom

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind DNS servers: can they coexist with httpd and mail servers?

Reindl Harald


On 19.07.2017 at 12:37, Tom Browder wrote:
> I want to host my own DNS servers, but I need the master to share Bind
> with other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
>
> Is there any reason that is not possible?
>
> If not, are there any problems or configuration issues I will need to
> address?

besides the typical security considerations (what if your webserver gets
compromised, since it's the greatest attack vector) - no - named doesn't
even know that there are other services, nor is it relevant from the
outside - DNS is just port 53 UDP/TCP and that's it

written from a development machine running named with several
mysqld instances, webservers, virtual machines and a ton of other
network services from routing to firewalls up to two hostapd instances to
provide WLAN for smartphones

Re: Bind DNS servers: can they coexist with httpd and mail servers?

Tom Browder
On Wed, Jul 19, 2017 at 05:42 Reindl Harald <[hidden email]> wrote:
> On 19.07.2017 at 12:37, Tom Browder wrote:
>> I want to host my own DNS servers, but I need the master to share Bind
>> with other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
....
> besides the typical security considerations (what if your webserver gets
> compromised, since it's the greatest attack vector) - no - named doesn't
> even know that there are other services, nor is it relevant from the
> outside - DNS is just port 53 UDP/TCP and that's it

Thank you, Reindl.

Best regards,

-Tom


Re: Bind DNS servers: can they coexist with httpd and mail servers?

Tony Finch
In reply to this post by Tom Browder
Tom Browder <[hidden email]> wrote:

> I want to host my own DNS servers, but I need the master to share Bind with
> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.

It's how we did things in the 1990s :-)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
South Biscay: Southwesterly 5 or 6, veering northwesterly 4 or 5. Moderate.
Showers. Good.

Re: Bind DNS servers: can they coexist with httpd and mail servers?

Reindl Harald


On 19.07.2017 at 12:53, Tony Finch wrote:
> Tom Browder <[hidden email]> wrote:
>
>> I want to host my own DNS servers, but I need the master to share Bind with
>> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
>
> It's how we did things in the 1990s :-)

and thanks to systemd we can do that these days too with better security :-)

[root@rh:~]$ cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=Apache Webserver
After=network.service systemd-networkd.service network-online.target mysqld.service

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
Environment="PATH=/usr/bin:/usr/sbin"
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
Restart=always
RestartSec=1
UMask=006
TasksMax=1024

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX
RestrictRealtime=yes
SystemCallArchitectures=x86-64
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @swap acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon umount2 uselib vmsplice

ReadOnlyDirectories=/
ReadWriteDirectories=-/run
ReadWriteDirectories=-/tmp
ReadWriteDirectories=-/Volumes/dune/modsec-upload
ReadWriteDirectories=-/Volumes/dune/tmp
ReadWriteDirectories=-/Volumes/dune/www-servers
ReadWriteDirectories=-/data/www
ReadWriteDirectories=-/mnt/data/www
ReadWriteDirectories=-/data/xdebug
ReadWriteDirectories=-/mnt/data/xdebug
ReadWriteDirectories=-/var/cache/mailgraph
ReadWriteDirectories=-/var/lib/smokeping
ReadWriteDirectories=-/var/log
ReadWriteDirectories=-/var/www/sessiondata
ReadWriteDirectories=-/var/www/sessiondata-phpmyadmin
ReadWriteDirectories=-/var/www/uploadtemp
ReadWriteDirectories=-/var/www/uploadtemp-phpmyadmin

Re: Bind DNS servers: can they coexist with httpd and mail servers?

Ray Bellis
In reply to this post by Tony Finch
On 19/07/2017 11:53, Tony Finch wrote:

> It's how we did things in the 1990s :-)

Yup - in '96 I was running the entire set of customer-facing services
for a newly-formed ISP on a single Alpha workstation :)

Ray



Re: Bind DNS servers: can they coexist with httpd and mail servers?

John Miller
In reply to this post by Tom Browder
In some cases, running BIND on a web server is exactly what you'd want
to be doing anyway for its caching function.  If you're doing reverse
lookups of IPs or something like that for your Apache logs (I'd
recommend against that, BTW), then you'll save yourself a whole lot of
DNS traffic by running a caching nameserver on the same machine as
Apache.

For a mail server, this is an even better idea: mail servers almost
always do reverse lookups on IP addresses to see if the PTR record
matches what the sender provides in their EHLO.  If you have 20k
e-mails coming from Gmail, for example, no sense in doing the DNS
lookup 20k times.

Of course, you don't have to use BIND to get the benefits of a caching
NS, but if you need to run BIND anyway....

John

On Wed, Jul 19, 2017 at 6:37 AM, Tom Browder <[hidden email]> wrote:

> I want to host my own DNS servers, but I need the master to share Bind with
> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
>
> Is there any reason that is not possible?
>
> If not, are there any problems or configuration issues I will need to
> address?
>
> Thanks.
>
> With warmest regards,
>
> -Tom
>



--
John Miller
Systems Engineer
Brandeis University
[hidden email]
(781) 736-4619

Re: Bind DNS servers: can they coexist with httpd and mail servers?

Tom Browder
On Wed, Jul 19, 2017 at 9:34 AM, John Miller <[hidden email]> wrote:
> In some cases, running BIND on a web server is exactly what you'd want
> to be doing anyway for its caching function.  If you're doing reverse
...
> Of course, you don't have to use BIND to get the benefits of a caching
> NS, but if you need to run BIND anyway....

I meant to say I intend to run as an authoritative DNS server for my
personal domains.

I assume Reindl's answer is still valid.

BTW, anything special I need for the bind service file?

Thanks, John

-Tom
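Reindl's httpd unit shows the sandboxing approach; as an added example (not from this thread, ISC, or any distribution's package), here is the same idea applied to the named service that Tom asks about, as a systemd drop-in rather than a replacement unit. The unit name, the paths, and the capability list are assumptions for a named that starts as root, drops to its own user with -u, and is not chrooted with -t; check them against your distribution's unit and BIND version before relying on them.

```ini
# /etc/systemd/system/named.service.d/hardening.conf  (drop-in; assumed path)
# Applies to the distribution's named.service (Debian calls it bind9.service).
# Assumes: named starts as root, drops privileges with "-u named", no "-t" chroot.
# Paths follow the RHEL/Fedora layout (Debian: /var/cache/bind, /var/lib/bind).
[Service]
# Capabilities named asks to keep when it drops root on Linux (assumed set):
# bind port 53, setuid/setgid for -u, read the config as root, setrlimit,
# chown the pid-file directory, and chroot (only used with -t).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_CHOWN CAP_SYS_CHROOT
NoNewPrivileges=yes

# Filesystem: read-only everywhere except zone/journal files, pid file, logs.
# The leading "-" tells systemd to ignore paths that do not exist.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ReadWritePaths=-/var/named -/run/named -/var/log/named

# Network: DNS is UDP/TCP 53 (rndc is TCP 953). AF_UNIX is for the syslog
# socket, AF_NETLINK for getifaddrs() interface scanning.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes

# Syscalls: allow-list the generic service set (it includes setuid/capset,
# which -u needs, but not chroot). Return EPERM instead of killing named on a
# filtered call so a mistake shows up in the journal rather than as SIGSYS.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# Raise the descriptor limit here instead of letting named do it via setrlimit.
LimitNOFILE=65536
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security named.service` scores the unit, and `journalctl -u named` shows any EPERM failures from the filter or capability set.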