ISP best practices

To all,

I am sure this has been asked 10 to the 1 millionth power times; however, maybe the rules have changed. I am looking to set up a really small ISP with a few /24's. I want to host DNS as well. Are there any whitepapers/howtos/best practices on setting up multihomed BGP and DNS with BIND so I don't blow up the Internet?

Thx

Philip

Philip Lavine wrote:

Hiring a consultant to do your initial configuration is highly recommended. We took this route when we originally configured BGP and it allowed me to learn from and study a known 'good' configuration.

- Dan

Philip Lavine wrote:

BCP 38:
- http://www.ietf.org/rfc/rfc3704.txt

ISP Essentials:
- Cisco ISP Essentials | Cisco Press

Securing IP Network Traffic Planes:
- Router Security Strategies: Securing IP Network Traffic Planes | Cisco Press

- anything and everything regarding IPv6.

...would be a VERY good start (I've read Securing IP Traffic Planes
which is also great reference, and am just finishing up ISP Essentials,
which is dated, but the principles still apply).

Steve

In regards to DNS there is a great secure BIND template here
http://www.cymru.com/Documents/secure-bind-template.html which will help
stop your server from being an unneeded open resolver, or sending out root
hints which are used all the time to amplify DDOS attacks often without you
realising.

Bradley
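Bradley's point about the Cymru template is that an authoritative server should not be recursing for the whole Internet or handing out zone transfers to anyone. As an added example (mine, not from the thread and not the Cymru template itself), here is a small lint that scans the `options` block of a named.conf for those two settings. The parser is a simplified regex scan, it assumes the block's closing `};` starts its own line, and both configs are constructed; the `recursion`, `allow-recursion` and `allow-transfer` options are real BIND 9 options.

```python
"""Lint a BIND named.conf 'options' block for two ways an authoritative
server ends up helping attackers: answering recursive queries for anyone
(an open resolver, usable for reflection/amplification) and handing out
zone transfers to anyone. Added example, not from the thread or the Cymru
template; simplified parser, constructed configs."""
import re


def _strip_comments(text):
    # named.conf accepts /* */, // and # comments; drop them before matching.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _options_block(text):
    # Simplification: assumes the block's closing '};' begins its own line.
    m = re.search(r"(?<![\w-])options\s*\{(.*?)\n\s*\};",
                  _strip_comments(text), re.S)
    return m.group(1) if m else ""


def _acl(block, name):
    # Address-match list as tokens, or None when the option is absent.
    m = re.search(r"(?<![\w-])" + name + r"\s*\{([^}]*)\}\s*;", block)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def lint_named_conf(text):
    """Return a list of (finding, advice) tuples; an empty list means clean."""
    opts = _options_block(text)
    findings = []
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", opts)
    recursion = m.group(1) if m else "yes"   # BIND 9 defaults to recursion yes
    allow_rec = _acl(opts, "allow-recursion")
    if recursion == "yes":
        if allow_rec is not None and "any" in allow_rec:
            findings.append(("open-resolver",
                             "recursion offered to any client; use 'recursion no;' "
                             "on an authoritative-only server, or restrict "
                             "allow-recursion to your own prefixes"))
        elif allow_rec is None:
            findings.append(("implicit-recursion-acl",
                             "recursion yes without allow-recursion; the effective "
                             "ACL depends on the BIND version, so set it explicitly"))
    xfer = _acl(opts, "allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append(("open-axfr",
                         "allow-transfer unrestricted (BIND's default is any); "
                         "list only your secondaries"))
    return findings


# Constructed: the weak configuration, an open resolver that also serves AXFR to anyone.
WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};
"""

# Constructed: authoritative-only, no recursion, transfers only to one secondary
# (198.18.0.53 is a placeholder address, not a real secondary).
HARDENED_CONF = """\
// Authoritative-only server: no recursion for anyone, transfers to secondaries only.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { 198.18.0.53; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_named_conf(conf) or "no findings")
```

Run against a real named.conf the script reports `open-resolver` and `open-axfr` for the first config and nothing for the second; it does not look inside `view` blocks, so a split-view setup needs the same checks applied per view.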

A few minutes with google would probably find sample BGP multihoming configs. The big things to avoid are unnecessary deaggregation and announcing routes received from one provider to the other.

i.e. If you have a /22 of IP space, you may use/see that as 4 /24's or a larger number of smaller subnets, but where eBGP is concerned, you should announce just the /22 route and keep your subnetting to yourself.

If you have competent providers, they won't accept routes from you that they're not expecting, which will stop you from offering transit to them by announcing routes received from your other provider. Still, it's better to get your config done right than rely on your providers to ignore what you shouldn't be advertising.
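The two rules Jon gives (announce only the aggregate, never re-announce what one upstream sent you to the other) can be checked mechanically before a session is turned up. The following is an added example of mine, not from the thread: it classifies every route in a site's table against its assigned aggregates and the routes learned from its upstreams, and renders the survivors as IOS-style `ip prefix-list` lines. All prefixes are constructed; `198.18.0.0/22` stands in for the site's public allocation and `198.19.0.0/22` for a route learned from upstream A.

```python
"""What a small multihomed site should put in its eBGP outbound policy.

Added example, not from the thread: keeps only the assigned aggregates and
rejects
  - more-specifics of the site's own space (unnecessary deaggregation),
  - anything learned from an upstream (re-announcing it to the other
    upstream would make the site transit for its providers),
  - anything that is not the site's space at all.
All prefixes are constructed stand-ins, not real allocations.
"""
from ipaddress import ip_network


def classify_route(prefix, own_aggregates, learned_from_upstreams):
    """Return 'announce' or the reason this route must not be announced."""
    net = ip_network(prefix)

    def inside(container):
        # subnet_of() raises on mixed address families, so check version first.
        return net.version == container.version and net.subnet_of(container)

    if net in own_aggregates:
        return "announce"
    if any(inside(agg) for agg in own_aggregates):
        return "deaggregate"
    if any(inside(route) for route in learned_from_upstreams):
        return "leaked-from-upstream"
    return "not-our-space"


def build_outbound(own, candidates, learned):
    """Split candidate routes into the announce list and a {prefix: reason} map."""
    own_nets = [ip_network(p) for p in own]
    learned_nets = [ip_network(p) for p in learned]
    announce, rejected = [], {}
    for prefix in candidates:
        verdict = classify_route(prefix, own_nets, learned_nets)
        if verdict == "announce":
            announce.append(prefix)
        else:
            rejected[prefix] = verdict
    return announce, rejected


def render_prefix_list(name, prefixes):
    """Render the announce list as IOS-style prefix-list lines.
    Only exact matches are permitted; everything else hits the implicit deny."""
    return [f"ip prefix-list {name} seq {5 * (i + 1)} permit {p}"
            for i, p in enumerate(prefixes)]


# Constructed inputs.
OWN = ["198.18.0.0/22"]
LEARNED_FROM_UPSTREAM_A = ["198.19.0.0/22"]
ROUTES_IN_TABLE = [
    "198.18.0.0/22",   # our aggregate: the only thing to announce
    "198.18.0.0/24",   # internal subnet of our /22
    "198.18.2.0/23",   # another internal subnet
    "198.19.0.0/22",   # learned from upstream A
    "198.19.1.0/24",   # more-specific of a route learned from upstream A
    "10.0.0.0/8",      # RFC 1918: not ours and not routable
]

if __name__ == "__main__":
    announce, rejected = build_outbound(OWN, ROUTES_IN_TABLE, LEARNED_FROM_UPSTREAM_A)
    for line in render_prefix_list("TO-UPSTREAMS", announce):
        print(line)
    for prefix, reason in rejected.items():
        print(f"! not announced: {prefix} ({reason})")
```

Applied to the constructed table, only `198.18.0.0/22` survives; the prefix-list that results is the one to attach outbound to both upstream sessions, and it is deliberately exact-match so that a future deaggregation cannot slip through without someone editing the list.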

This is the Nanog list . . .

How about some Nanog resources . . .

http://www.nanog.org/resources/tutorials/

And, yes, hiring a consultant is a good idea. But, being an informed
consumer is also a good idea. Read lots! Ask lots of questions!

Cheers!

bbc

I can't recommend this book enough - it's the current canonical reference on opsec-related BCPs for network infrastructure, IMHO (full disclosure: I was fortunate enough to have the opportunity to provide some feedback to the authors as they worked on this tome, but have no financial interest whatsoever in its publication or sales thereof).

The problem with ISP essentials is it was published in 2002. Same goes
for some of the other good Cisco books. A lot has changed in the ISP world
since. Sure it has good information but I wouldn't spend the $ for a new
copy. Find it on half.com or somewhere.

Justin

The African Network Operators Group has quite a good set of workshop
materials for both ISP routing (including v6) and DNS (separate workshops).

weeklong course materials for the routing track are here:

http://www.ws.afnog.org/afnog2009/sie/detail.html

Bryan Campbell wrote:

Jon Lewis wrote:

> Still, it's
> better to get your config done right than rely on your providers to
> ignore what you shouldn't be advertising.

I have to agree completely with Jon here.

As a small SP, it is prudent to do everything you can to be a good 'netizen'.

Apply your outbound prefix lists *before* you turn up your BGP
session(s). You should also ensure that you have a good grasp on BCP 38
prior to connecting yourself. This should be done no matter who your
upstreams are, large or small.

There is nothing more frustrating than seeing RFC 1918, BOGON and/or
your own IP space coming back at you eating your bandwidth from your
upstreams, so ensure you are not responsible for doing it to them.

Steve
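Steve's two checks, BCP 38 on what leaves your network and filtering RFC 1918, bogon and your own space on what comes back from upstreams, are simple set-membership tests on IP space. As an added example (mine, not from the thread), the block below implements both with the standard library and runs the egress check over a few constructed flow records. `198.18.0.0/22` again stands in for the site's own allocation; the bogon list is a deliberately short static subset and a real deployment should generate it from a maintained feed.

```python
"""BCP 38 egress check and upstream ingress route filter.

Added example, not from the thread. Constructed addresses throughout:
198.18.0.0/22 stands in for the site's own public space, and the bogon
list is a short static subset (RFC 1918 plus other special-use ranges),
not a complete or current one.
"""
from ipaddress import ip_address, ip_network

OWN_SPACE = [ip_network("198.18.0.0/22")]

# Simplified static bogon list; generate the real thing from a maintained feed.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_source_ok(src, own=OWN_SPACE):
    """BCP 38: a packet may leave only if its source address is in our own space."""
    addr = ip_address(src)
    return any(addr in net for net in own)


def ingress_prefix_verdict(prefix, own=OWN_SPACE):
    """Route received from an upstream: reject our own space and bogons.
    overlaps() is used rather than subnet_of() so a covering route such as
    10.0.0.0/7 is rejected along with exact matches and more-specifics."""
    net = ip_network(prefix)
    if any(net.overlaps(n) for n in own):
        return "reject-own-space"
    if any(net.overlaps(b) for b in BOGONS):
        return "reject-bogon"
    return "accept"


def filter_egress(flow_lines, own=OWN_SPACE):
    """Apply BCP 38 to 'key=value' flow records; returns (forwarded, dropped) sources."""
    forwarded, dropped = [], []
    for line in flow_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        src = fields["src"]
        (forwarded if egress_source_ok(src, own) else dropped).append(src)
    return forwarded, dropped


# Constructed flow records as a border router might export them.
FLOWS = [
    "src=198.18.1.7 dst=198.19.0.9 proto=udp dport=53",      # ours: forward
    "src=10.1.2.3 dst=198.19.0.9 proto=udp dport=53",        # RFC 1918: drop
    "src=198.51.100.9 dst=198.19.0.9 proto=tcp dport=80",    # not ours: drop
    "src=198.18.3.200 dst=198.19.0.9 proto=tcp dport=443",   # ours: forward
]

if __name__ == "__main__":
    fwd, drop = filter_egress(FLOWS)
    print("forwarded:", fwd)
    print("dropped (BCP 38):", drop)
    for p in ("10.0.0.0/8", "198.18.0.0/24", "192.0.2.0/24", "198.19.0.0/22"):
        print(p, "->", ingress_prefix_verdict(p))
```

The ingress side is the mirror image of the outbound prefix-list: what you would never announce to an upstream is also what you should never accept from one, and seeing your own /22 arrive from a provider is the clearest sign that somebody else's filters are missing.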

Check out www.powerdns.com as an alternative to bind. It's faster, more secure, does IPv6 and is easier to maintain.

Curtis

Philip Lavine wrote:

While BGP can become a rather complex protocol to implement as a network
grows, basic BGP peering between two providers isn't really that
complex...probably talking 10 config lines at most (excluding
bogon/filtering). The first thing you want to make sure is that your
upstream providers are implementing filtering, which most of the serious
providers do. That way all you can do is hurt yourself while keeping the
rest of us on the list here happy :).

It's best to get your own IP address space from ARIN if possible,
because if you use IP space from your upstream provider, it becomes a
nightmare to change over at a later date...IP renumbering is not fun!
That was the one mistake we made when we first started.

Personally I'm a fan of the "do it yourself" club...yeah you'll make
mistakes, but the hands-on approach is by far the best way to learn.
Bret

I've deployed PowerDNS before, along with PowerAdmin
(https://www.poweradmin.org/trac/). Very easy to set up and manage.

Ben

Curtis Maurand wrote:

Have to agree on PowerDNS and PowerAdmin.

Very easy to set up, pretty secure out of the box and management is a
breeze!

./cwa

> Check out www.powerdns.com as an alternative to bind. It's
> faster, more secure, does IPv6 and is easier to maintain.

This is purely opinion.

BIND has warts, just as any large piece of code in wide spread use and
with lots of features will have. However, that's also one of its
advantages. Lots of folks run it and know it and fix it when it breaks.

Works for root & gtld servers, must not totally suck.

BIND does IPv6, has since BIND8.

It is also fully DNSSEC compliant. Is powerdns yet?

Yes. Do check out all the alternatives for DNS. But if you're looking at
IPv6 support because you want to be able to support upcoming protocols,
make sure your DNS can do DNSSEC correctly too.

If you want to go down the BIND route, I'd recommend using xname as a
frontend (http://source.xname.org/).

Paul E wrote:

I have heard lots of good things about PowerDNS, and I'm quite prepared to believe that it's a natural choice for a DNS hosting service where the database back-end makes for far simpler provisioning and control than managing a pile of config files.

However, you're not necessarily doing anybody any favours in making statements like "faster", "more secure" and "does IPv6". DNS servers are complicated beasts, and simplistic comparisons are not useful for much (it'd be trivial to give you examples where PowerDNS is slower and less secure, for example, and BIND9 has done IPv6 for the better part of a decade).

Joe

>> However, you're not necessarily doing anybody any favours in making
>> statements like "faster", "more secure" and "does IPv6". DNS servers
>> are complicated beasts, and simplistic comparisons are not useful for
>> much (it'd be trivial to give you examples where PowerDNS is slower
>> and less secure, for example, and BIND9 has done IPv6 for the better
>> part of a decade).
>
>   ...done IPv6 for the better part of a decade...
>
>   well yeah, for some very loose definition of "doing IPv6"....

You no doubt have greater expectations than I in that regard :-)

Joe

You're correct on the blanket statement. apologies.

--C
