[OT] Reverse DNS
jdow at earthlink.net
Sat Jun 26 00:37:21 UTC 2004
From: "Mark Haney" <mark.haney at doctordirectory.com>
> On Fri, 25 Jun 2004 23:07:35 +0200, Alexander Dalloz
> <alexander.dalloz at uni-bielefeld.de> wrote:
> > What is the advantage for you / your company of having the nameserver
> > under your own control? And having DNS administered by Network Solutions does
> > not prevent you from running a DNS server of your own. Forward and reverse
> > resolution can be managed by different servers / service agents
> > (companies).
> > For running a mail server, having proper reverse resolution is not a must
> > have. Of course it is recommended, because some providers have started to
> > make that a requirement in the fight against today's SPAM.
> > Your argument is true in saying that if the whole line is down and no
> > server is reachable on your site, it would not help if DNS is still
> > working because it runs at an outside provider. But that said, it is a
> > must to have at least 2 DNS servers responsible for a domain. This is
> > for fallback. So a fallback MX is, from a certain size on, a
> > recommendation too (not a must, as with the DNS).
> > I would suggest: get DNS and other services like mail in-house
> > and keep Network Solutions as secondary DNS service (you have master
> > zone control and they are slaves). This is for forward name resolution
> > as well as for reverse. Maybe they offer a fallback MX too. You are then on
> > the safe side.
> > Alexander
> And I agree with all of that. The only issue here is that my boss is
> worse than paranoid. He's one of these 'know enough to be dangerous' geek
> wannabes and has all these fears and phobias over things. He doesn't like
> having DNS in house because he didn't have anyone to manage it (except for
> me now) and like I said earlier he was concerned about domain availability
> if the T1 went down and DNS was here.
> I fully intend to move to the fedora DNS server here in house as soon as
> I feel comfortable enough telling him that that box even exists.
> He's all M$, and linux makes him nauseous. It's just been a struggle to
> move forward when 'the man' wants to hold you back out of fear of the
Mark, I fully support your wanting to move certain functions over to
Linux. After reading the veritable blizzard of Fedora problems I must
question whether Fedora is optimal for "doctordirectory.com". Red Hat
9 has far fewer problem reports lodged against it. There are some
dedicated people maintaining security fixes for it. I'd even go so far
as to suggest one of the BSDs if going down in an attack is really
Your boss has a good point regarding DNS. If you do not make many changes
over a year then letting the ISP handle it places good discipline on the
change process and mitigates against frivolous changes. It also is one
less service that has to be managed in house.
Also keep in mind that sneaking around behind your boss' back in the
manner you have made it appear you are doing is a VERY BAD career move.
It has led to terminations for cause even if the change was "right".
Be aware that if you cannot make a very clear BUSINESS case for making
a change then it is inappropriate to make the change. Lay out in clear
language precisely what you hope to improve with the change. Lay out
the positive aspects of the change and the negative aspects of the
change. And be aware of your mortality. You might die in a water ski
accident or a freak miniature golf ball washer explosion. Where does
that leave your boss with regards to maintaining his DNS? This IS a
worry he has. Address it. Look for everything he might worry about and
address it. What risk exists now, and what risk will exist? If you
can show him it saves money for no increase in risk you're in. If not,
it may be better to find other fish to fry.
(And it may pay to shop around for a real 'NIX shop rather than one with
all its eggs in the Windows basket. It's easy for me to maintain the
Windows PCs on this modest setup here (about 15 PCs with two users). The
downside of a bad MS patch is small, since we can patch the main machines
and retreat to backup (test) machines in a pinch. In a large corporate
setup this is not so easy, especially with Windows and its guaranteed
downtime when patching. For all their size I tend to regard shops that
use Windows based solutions as being far less professional than those
using 'NIX based solutions. Were I a serious sysadmin at heart I'd be
looking for 'NIX based shops for most of my training. Of course, the
experience with computer forensics on compromised machines you can get
at a Windows shop is in itself valuable.)
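The arrangement Alexander describes above (master zone control in house, the registrar's servers acting as slaves, for both forward and reverse zones) looks roughly like the following BIND 9 named.conf fragment. This is an added example written for this archive page, not configuration posted by anyone in the thread; every host name and address in it is a constructed placeholder (RFC 5737 documentation ranges), and the zone file paths are assumed.

```conf
// Added example, not from the thread. BIND 9 named.conf fragment for an
// in-house master with the registrar's servers as slaves.
// All names and addresses are constructed placeholders.

// The registrar's slave servers that are allowed to pull the zones.
acl secondaries { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";
    // Weak setting, do not use:  allow-transfer { any; };
    // That lets anyone on the Internet AXFR the complete zone contents.
    allow-transfer { secondaries; };   // only the listed slaves may transfer
    notify yes;                        // send NOTIFY to slaves on zone change
};

// Forward zone: the master copy lives in house.
zone "example.com" IN {
    type master;
    file "master/example.com.zone";           // assumed path
    also-notify { 192.0.2.10; 192.0.2.11; };
};

// Reverse zone for the address block (placeholder 203.0.113.0/24).
// The ISP that owns the block must delegate this zone to you; without
// that delegation the in-addr.arpa data here is never consulted.
zone "113.0.203.in-addr.arpa" IN {
    type master;
    file "master/113.0.203.in-addr.arpa.zone"; // assumed path
    also-notify { 192.0.2.10; 192.0.2.11; };
};

// Counterpart on each of the registrar's (secondary) servers:
// the same zones as slaves, pulled from the in-house master.
zone "example.com" IN {
    type slave;
    file "slaves/example.com.zone";           // assumed path
    masters { 198.51.100.53; };               // in-house master, placeholder
};

zone "113.0.203.in-addr.arpa" IN {
    type slave;
    file "slaves/113.0.203.in-addr.arpa.zone"; // assumed path
    masters { 198.51.100.53; };
};
```

Two checks are worth running once this is in place: `dig NS example.com` should list both the in-house and the registrar's servers, and `dig -x` on the mail server's address should return the same name that the forward A record carries, since a forward/reverse mismatch is exactly what the anti-spam providers Alexander mentions reject. Restricting `allow-transfer` to the slaves' addresses is the one setting here that the thread does not spell out; with the default of allowing transfers from anywhere, the whole zone (every internal host name) is readable by anyone who asks.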