
Caching DNS for Athena 10

daemon@ATHENA.MIT.EDU (ghudson@MIT.EDU)
Mon Jul 28 15:52:21 2008

Date: Mon, 28 Jul 2008 15:52:05 -0400 (EDT)
From: ghudson@MIT.EDU
Message-Id: <200807281952.m6SJq5Ms008332@outgoing.mit.edu>
To: athena10@mit.edu

Athena 10 machines should probably run a caching named, to reduce the
load on the central caching name servers and for slightly better
security against DNS forgery.  Here are the DNS configuration changes
we might want to make as part of a debathena-clients installation:

  1. (Required) Run a caching resolver of some sort
  2. (Required) Configure resolv.conf to use the caching resolver
  3. (Optional) Configure the caching resolver to listen only to 127.0.0.1
  4. (Optional) Configure the caching named to forward to MIT name servers
  5. (Optional) Configure the search path to mit.edu

(1) is as simple as installing dnsmasq or bind9.  Both configure
themselves as caching resolvers; dnsmasq will forward queries to the
servers listed in resolv.conf while bind9 will be a full recursive
resolver.

(2) is best accomplished using the resolvconf package, since there are
already hooks in other packages to use it.  Simply installing
resolvconf along with dnsmasq or bind9 will result in the machine
using its own caching name server.  Unfortunately, there are some
install-time setup races between resolvconf and dnsmasq (or bind9,
presumably, but I didn't test that) which might lead us to recommend a
reboot after people install debathena-clients.

(3) is a simple configuration tweak to either package; the question is
whether we want to do it.  If the cache is accessible from the
outside, it is perhaps easier to compromise since you can force the
cache to perform a DNS query on demand; on the other hand, that's
often not difficult to do through other means.  Having the cache
accessible from the outside does make it easier to scan for
vulnerability.

(4) is an easy configuration tweak to dnsmasq, and a slightly harder
one to bind9.

(5) is actually a bit tough if we want to override the search path
from DHCP or elsewhere.  If we simply want to add to it, I think we
can do so.

I'll wait for comments before I finalize a design.
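A post-install check for the outcomes the message describes (items 2, 3 and 5), added here as an example; it is not from the original message or from the Debathena project. It assumes a resolvconf-written /etc/resolv.conf and the netstat column layout noted in the comments, and is exercised on constructed input rather than live files.

```shell
#!/bin/sh
# Added example (not from the original message): verify items (2), (3) and (5)
# on a machine after debathena-clients setup. Each function takes file or
# command output as a string so it can be run on constructed input; the live
# invocations are shown in comments.

# Item (2): the first "nameserver" line of resolv.conf must be the local cache.
# Live use: resolv_uses_local_cache "$(cat /etc/resolv.conf)"
resolv_uses_local_cache() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "127.0.0.1" ]
}

# Item (3): every socket bound to port 53 must be on a loopback address.
# Input is one "address:port" per line, e.g. the Local Address column of
# "netstat -lnut" (assumed layout: two header lines, address in column 4):
#   dns_bound_to_loopback_only "$(netstat -lnut | awk 'NR > 2 { print $4 }')"
dns_bound_to_loopback_only() {
    bad=$(printf '%s\n' "$1" | awk -F: '
        $NF == "53" {
            addr = substr($0, 1, length($0) - 3)
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") print
        }')
    if [ -n "$bad" ]; then
        printf 'port 53 reachable on non-loopback address(es):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Item (5): the search path must contain the given domain.
# Live use: resolv_search_includes "$(cat /etc/resolv.conf)" mit.edu
resolv_search_includes() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit !found }'
}
```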
