userguide:dns:dnsmanager

Differences

userguide:dns:dnsmanager [2014/07/22 05:45]
chris@virtbiz.com
userguide:dns:dnsmanager [2014/07/24 05:33] (current)
chris@virtbiz.com
Line 11: Line 11:
   * [[#Zone Format|Zone Format]]   * [[#Zone Format|Zone Format]]
   * [[#Auto DNS|Auto DNS]]   * [[#Auto DNS|Auto DNS]]
 +
 ---- ----
-===Edit Primary Services===+ 
 +**[[userguide:​dns:​primarydns|Edit Primary Services]]**:
 Click this button to manage DNS records for domains and networks that this server is registered to serve. Primary DNS service is also called Master DNS service.  ​ Click this button to manage DNS records for domains and networks that this server is registered to serve. Primary DNS service is also called Master DNS service.  ​
  
-===Edit Secondary Services===+**[[userguide:​dns:​secondarydns|Edit Secondary Services]]**:
 Click this button to manage secondary DNS service for domains and networks. ​ Secondary service is that which is "​slaved"​ from another DNS server. Click this button to manage secondary DNS service for domains and networks. ​ Secondary service is that which is "​slaved"​ from another DNS server.
 ---- ----
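Review bot: the two new link targets in this hunk, `[[userguide:​dns:​primarydns|...]]` and `[[userguide:​dns:​secondarydns|...]]`, carry zero-width characters between the namespace parts as rendered here; confirm the stored page source reads plain `userguide:dns:primarydns` and `userguide:dns:secondarydns`, otherwise the links will not resolve. Note also that replacing the `===Edit Primary Services===` and `===Edit Secondary Services===` headings with bold link labels removes those two entries from the page's heading anchors, so any `[[#Edit Primary Services|...]]`-style link elsewhere in the guide would need updating.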
Line 35: Line 37:
   * **Allow Queries from these Networks**: Specify which IP address ranges are allowed to query your DNS server. By default only localhost is allowed. If you tick the checkbox for "Allow Queries from Everyone",​ then it will override whatever extra address ranges you put here and will allow anyone query access.   * **Allow Queries from these Networks**: Specify which IP address ranges are allowed to query your DNS server. By default only localhost is allowed. If you tick the checkbox for "Allow Queries from Everyone",​ then it will override whatever extra address ranges you put here and will allow anyone query access.
   * **Allow DNS Cache Access**: Enabling caching, also called recursion, allows resolution of domains and network zones that other name servers are authoritative for. However, running such an open DNS server exposes yourself and others to the risks of DDoS attacks. So if you need a DNS server to resolve domains which you are not authoritative for, then you should either use the DNS server of your provider, or (if you still want to use your own DNS server for that!) you should only allow query access for localhost (127.0.0.1/​32) on this DNS server, or selected and trustworthy network address ranges.   * **Allow DNS Cache Access**: Enabling caching, also called recursion, allows resolution of domains and network zones that other name servers are authoritative for. However, running such an open DNS server exposes yourself and others to the risks of DDoS attacks. So if you need a DNS server to resolve domains which you are not authoritative for, then you should either use the DNS server of your provider, or (if you still want to use your own DNS server for that!) you should only allow query access for localhost (127.0.0.1/​32) on this DNS server, or selected and trustworthy network address ranges.
-  * **Open DNS Server**: __NOT RECOMMENDED!__If you tick this box, your DNS server will be entirely open and will resolve DNS for anyone and everyone. That is a really bad idea. This exposes yourself and others to the risks of DDoS attacks. So if you need a DNS server to resolve domains which you are not authoritative for, then you should either use the DNS server of your provider, or (if you still want to use your own DNS server for that!) you should only allow query access for localhost (127.0.0.1/​32) on this DNS server, or selected and trustworthy network address ranges.+  * **Open DNS Server**: __NOT RECOMMENDED!__  If you tick this box, your DNS server will be entirely open and will resolve DNS for anyone and everyone. ​//That is a really bad idea.// This exposes yourself and others to the risks of DDoS attacks. So if you need a DNS server to resolve domains which you are not authoritative for, then you should either use the DNS server of your provider, or (if you still want to use your own DNS server for that!) you should only allow query access for localhost (127.0.0.1/​32) on this DNS server, or selected and trustworthy network address ranges.
   * **Allow Cache access from these Networks**: You can limit which address ranges can query your server to specific IP addresses or ranges, but doing so will prevent other servers than those that are included in the IP range(s) you provide from accessing your DNS.    * **Allow Cache access from these Networks**: You can limit which address ranges can query your server to specific IP addresses or ranges, but doing so will prevent other servers than those that are included in the IP range(s) you provide from accessing your DNS. 
 +    * Enabling caching, also called recursion, allows resolution of domains and network zones that other name servers are authoritative for. Disabling caching is useful when operating this server on a private network.
   * **Forwarding Servers**: Forwarding domain name servers are used when Allow DNS Cache Access is enabled and when root domain name servers are not directly accessible due to a limited or restricted Internet connection. Please enter a series of four numbers between 0 and 255 separated by periods. For example, 192.168.1.1 is a valid entry.   * **Forwarding Servers**: Forwarding domain name servers are used when Allow DNS Cache Access is enabled and when root domain name servers are not directly accessible due to a limited or restricted Internet connection. Please enter a series of four numbers between 0 and 255 separated by periods. For example, 192.168.1.1 is a valid entry.
-  ​* **Zone Transfer Access by IP Address**: Enter the IP addresses that are allowed to download all records maintained by this domain name server through zone transfers. Zone transfers are used by secondary domain name servers to synchronize their records with primary domain name servers. ​The default ​value is to leave this field empty to refuse ​zone transfer requests+    * If the BlueOnyx server is being used on a private network or in conjunction with a restrictive firewall, you can specify a forwarding DNS server(s) by IP address. If a DNS server cannot answer a DNS query, it forwards the query to the forwarding DNS server to get the needed response, then answers back to the client.  
-==DNS Rate Limits--+  ​* **Zone Transfer Access by IP Address**: Enter the IP addresses that are allowed to download all records maintained by this domain name server through zone transfers.  
 +    * A zone transfer allows another DNS server to download the complete list of hosts maintained by your DNS server. Zone transfers are used by secondary domain name servers to synchronize their records with primary domain name servers. 
 +By default, zone transfers are not allowed ​to any domain. You must explicitly enter any domain names that are allowed ​to perform ​zone transfers, or no domain will be able to perform zone transfers
 +==DNS Rate Limits== 
 +DNS Response Rate Limiting (DNS RRL) is an experimental protection feature for domain name servers. This mechanism keeps BIND 9 from being used in amplifying reflection denial of service attacks as well as partially protecting BIND 9 itself from some denial of service attacks. By default it should be enabled. 
 +  * **Rate Limits Enabled**: Tick this box to enable rate limiting (recommended!) 
 +  * **Responses per Second**: Responses-per-second is a limit on identical responses instead of a limit on all responses or even all responses to a single client. 10 identical responses per second is a generous limit except perhaps when many clients are using a single IP address via network address translation (NAT). The default limit of zero specifies an unbounded limit to turn off rate-limiting in a view or to only rate-limit NXDOMAIN or other errors. 
 +  * **Window**: Rate limiting uses a credit or token bucket scheme. Each identical response has a conceptual account that is given RESPONSES-PER-SECOND and ERRORS-PER-SECOND credits every second. A DNS request triggering some desired response debits the account by one. Responses are not sent while the account is negative. The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. A DNS client that sends requests that are not answered can therefore penalized for up to window seconds even after the abusive query flow stops.
 ==Extended DNS logging== ==Extended DNS logging==
 +WARNING: This should only be used for debugging, as it will log any query to your DNS server to /​var/​log/​messages. Even on a lightly used DNS server this creates a lot of log entries. But you might want to //briefly// enable extended DNS logging to see if your DNS Rate Limits are working correctly.
 ---- ----
 ===Zone Format=== ===Zone Format===
 +Choose a zone file format for subnetting on a non-octet boundary which is compatible with your local reverse delegation method. RFC2317 is the standard format. DION and OCN-JT are much less commonly used.
 ---- ----
 ===Auto DNS=== ===Auto DNS===
 +Add additional host names for Auto DNS. This will allow you to setup domains in a snap.
 +  * **Host Names**: Enter the default hostnames that you wish to be added to a domain'​s DNS configuration. ​  All of the hostnames entered here will generate A records pointing to the configured IP address of the site.
 +  * **Mail Server Host Name**: Enter the default hostname of the mailserver for the domain. ​ As new sites are added, an MX record will be added for the domain based on this entry.
 +
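Review bot: the added text under **Zone Transfer Access by IP Address** says "You must explicitly enter any domain names that are allowed to perform zone transfers", but the field takes IP addresses, not domain names, and the removed sentence ("The default value is to leave this field empty to refuse zone transfer requests") was the clearer statement of the default; suggest restoring that wording and changing "domain names" to "IP addresses". The same paragraph ("By default, zone transfers are not allowed ...") is not indented as a sub-bullet like the surrounding `    * ` lines, so it breaks out of the list. Two smaller points: in the **Window** bullet "can therefore penalized" should read "can therefore be penalized", and in the DNS Rate Limits intro "By default it should be enabled" is ambiguous (enabled by default, or should be enabled by the admin?) given that the **Responses per Second** bullet describes a default of zero as turning rate limiting off; stating the actual GUI defaults for both fields would remove the ambiguity.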
userguide/dns/dnsmanager.1405971927.txt.gz · Last modified: 2014/07/22 05:45 by chris@virtbiz.com