In a bit of bind...

Ben_Matthew · June 1, 2009, 10:59am

Firstly... I apologise for the atrocious pun in the subject; just can't seem to help myself.

Anyway my company currently uses BIND for our DNS requirements (9.6.0). I'm always pretty keen on updating, when advised to, in order to patch vulnerabilities and so forth as we have a fairly popular website and I'm sure there's lots of nasty little tykes out there ready to try and take us down. I have six servers in total, two multi-homed servers for ordinary DNS and four servers running an Anycast network (2 x master and slave).

Anyway I've recently been investigating other options for DNS as, like many companies currently, we've laid off a bunch of staff and the overhead for maintaining BIND is quite high if done, like us, unassisted and you are editing zone files in a text editor.

Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to create a web-app to do this for me, probably in PHP. I could create something that:

1) Creates a zone file for "mydomain.com" and fills in defaults; overrides with options from the web-app if needed.

2) Updates the existing named.conf file

3) Opens a secure connection to the master, and uploads new config files

4) Runs a remote process to restart BIND

5) Opens a secure connection to slave, updates named.conf

6) Runs a remote process to restart BIND

But I've had a play with "myDNS" (http://mydns.bboy.net) which is capable of serving DNS requests directly from a mySQL database. And it seems pretty good. All my web-app now needs to do is adjust some database records and everything else updates automatically. All very cool.

However, my question is this... Has anyone yet experienced any major problems with myDNS - either security or reliability? Frankly, I'm a little scared of daring to shift away from a well-established system.

Perhaps you've had the chance to poke about in the code... Is it based on the BIND codebase? Does it get security updates when exploits are revealed?

Finally I've managed to successfully configure BIND 9 as a slave to a myDNS server and the AXFR transfers seem to be working fine. This strikes me as being quite a nice balance of ease of use and reliability in case myDNS fails on me. Ok I appreciate it doesn't get around security concerns but hey ho.

Opinions much appreciated.

Cheers,

Ben

Scott_Morris · June 1, 2009, 11:17am

May seem a little simplistic, but how about Webmin. Runs on most linux-type systems over SSL/https and allows you to administer your DNS (and other services) without issues and provide the things you listed below.

Oh, and it's free. And it's already done.

Scott

Ben Matthew wrote:

Chris_Meidinger · June 1, 2009, 11:27am

As far as as security, why have myDNS world-reachable at all? You can have bind feed off of myDNS without having anyone on the outside ever talk to the myDNS backend.

Chris

Colin · June 1, 2009, 11:31am

You don't necessarily need to move away from Bind but what you do need is a
better backend. Certainly you should avoid Webmin and trying to automate
changes to BIND zone files as this gets really messy and unmaintainable very
quickly.

You can use Bind9 DLZ and MySQL or LDAP. I didn't find this all that easy to
package or manage though. Personally, for scalable authoritative DNS I think
PowerDNS is far better especially with an LDAP backend as LDAP is trivial to
replicate over large numbers of slaves. An interface to LDAP for DNS was
also a trivial project for us.

If you don't need so much scalability there are existing web interfaces for
PowerDNS using the MySQL backend.
https://webdns.bountysource.com/
https://www.poweradmin.org/trac/

Ben_Matthew · June 1, 2009, 1:58pm

Thanks very much for the various responses to my question; both on and off-list.

I'm very much liking the idea of only letting the outside world see bind and then AXFR'ing the data from an easier-to-manage internal database backed solution. Whether that be myDNS, Microsoft or whatever. Bit of initial config work and then, in theory, an easy job to administer.

Actually feel a bit dumb for not considering that in the first place.

Cheers again,

Ben

Curtis_Maurand1 · June 1, 2009, 6:37pm

I've been using powerdns for quite a while and I've found it to be solid and stable. It'll use quite a few different backends includeing BIND zone files, but its claim to fame is that it uses mysql.

a list of different backends can be found at: http://en.wikipedia.org/wiki/PowerDNS#Backends

I saw bind and bind2, db2, geo, gmysql, gpgsql, goracle, gsqlite, ldap, odbc, opendbx, pipe and xdb. Pipe is interesting because you can write a backend in anything that talks to anything. There is documentation and examples on the website. The "g" stands for generic.

I've been using poweradmin for management.

register.com and tucows both use it.

Cheers,
Curtis

Ben Matthew wrote:

Daryl_G_Jurbala · June 1, 2009, 9:43pm

We've been using it as well in what I would consider a very small setup: 150 domains, most with almost no traffic to speak of, but 3 or 4 with decent traffic (the high traffic ones serving over 50k end-user CPE for VoIP traffic with very short TTLs ). The MySQL back-end really is a claim to fame - it makes administration really easy to integrate into whatever you want.

We have also been using poweradmin for basic management for things not under programmatic MySQL management. It's basic and a bit kludgy, but definitely adequate, and easy enough to hack into your own idea of what it should be.

Daryl

Graeme_Fowler · June 2, 2009, 9:37am

Once upon a time, whilst working for a fairly well-known UK domain
registration company, I put together a system built on an early version
of the BIND-DLZ patchset against BIND 9.2.5 (If I recall correctly).

It used MySQL as the backend database (because that's what the
registration system used for CRM purposes) and worked very nicely,
thankyou, for well in excess of a million zones and a query rate which I
forget but was of the order of several thousand per second, maybe higher
at times.

We had a custom-written web management toolbox, part of which was
exposed to customers through their control panel so they could manage
their zones by themselves.

The "frontend" nameservers - those actually answering queries - had a
"read only" one-way replicated copy of the tables being managed by the
CRM system, so all changes were near instantaneous. Copious caching
options and indexing in MySQL gave the DB pretty good performance. The
frontend servers themselves were load balanced and fault-tolerant and in
theory at least a single machine could handle the overall system load.

Unfortunately, after I moved on from that job the system broke in some
spectacular way (I don't know why) and has since been significantly
changed from the original spec, but I couldn't say how...

DLZ worked for us - but the DB and management tools were built "in
house"; I don't think there's an ideal off-the-shelf solution built
around it (yet).

Graeme