DNS server in ISP network

Any suggestion on which DNS server to configure in an ISP environment? Is it Linux or Windows based, and in which role, like caching, forwarding, or authoritative? I want to use this DNS server for customers (surfing) instead of free DNS servers.

Thanks in advance.

Can’t really go wrong with BIND.

I always used BIND.

One tip: Don’t put authoritative DNS on the same server(s) that you’re using as recursive resolving DNS servers. One server can do both jobs at the same time, but the two have different policy requirements for the job, and security / filtering / portability concerns come into play.

For instance, back when DNS-amp attacks were a new thing, I had a server that was allowing recursive queries from anyone on the Internet, so naturally it got into the botnets’ lists of servers to be used in these attacks. I fixed the configuration, but for weeks afterwards, the server was still sending out lots of traffic - it was a lot less than before because a “request denied” packet is much much much smaller than the RIPE.NET records that were being requested in the attack, but it was still a lot of traffic. The host was also an authoritative DNS server, so I couldn’t just block inbound requests to this server’s IP in a firewall, and I couldn’t just change the host’s IP address and update the glue records pointing to it because there were lots of customers configured to use it as their DNS resolver. This was a hands-on lesson in why it’s best practice to run authoritative DNS on different servers than the recursive DNS resolvers. Splitting the functionality wasn’t hard, though, because all that was necessary was to install a new authoritative server on a new IP address and then update the glue records to point to the new IP. Then the recursive resolver could just firewall-discard all DNS queries from non-customer IP addresses.

If you really want to go all-out, you can set up a pair of anycast IP addresses and install lots of caching recursive resolver hosts all over your network, each of which has a unique IP address and the anycast IPs. Then have your users configure the anycast IPs as their DNS server address.

Short, short, short version of how to anycast: put a routing daemon on the host and announce each IP into your routing table as a /32 route, but only if the DNS process is alive.
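As an added illustration of the split that ZeroByte describes (this is not configuration from any poster in the thread), here are two BIND `named.conf` fragments: one for a customer-facing recursive resolver that refuses recursion and cache lookups from anyone outside the customer ACL, and one for a public authoritative server that does no recursion at all and uses response rate limiting. The prefixes, service addresses and zone name are constructed placeholders.

```conf
// ---- Recursive resolver (customers only) ----
acl "customers" {
    203.0.113.0/24;        // constructed placeholder: replace with your customer ranges
    2001:db8:100::/48;
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query       { customers; };  // no zones live here, so nobody else needs answers
    allow-recursion   { customers; };  // never an open resolver
    allow-query-cache { customers; };  // outsiders cannot read or poison-probe the cache
    allow-transfer    { none; };
    dnssec-validation auto;
    version "not disclosed";
    // unicast address plus the anycast service address announced as a /32
    listen-on { 203.0.113.53; 203.0.113.54; };
};

// ---- Authoritative server (separate host, separate IP) ----
acl "secondaries" { 198.51.100.2; };   // constructed placeholder for your secondary NS

options {
    directory "/var/cache/bind";
    recursion no;                       // authoritative only; refuse recursion for everyone
    allow-query    { any; };            // zone data must be reachable from the whole Internet
    allow-transfer { secondaries; };
    // Response Rate Limiting blunts reflection abuse of the public zones
    rate-limit {
        responses-per-second 10;
        window 5;
        log-only no;
    };
};

zone "example.net" {
    type master;
    file "/etc/bind/zones/db.example.net";
    also-notify { 198.51.100.2; };
};
```

With the roles on different hosts, the resolver's address can additionally be firewalled to drop UDP/TCP 53 from non-customer sources, which is not possible while the same IP also serves authoritative zones.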

Thanks ZeroByte for sharing your experience and information. I agree with you totally.
We have a separate authoritative DNS server. The new DNS server will be in caching-only mode and will block access from outside our network to protect it from DNS amplification attacks.

Hope BIND will serve my purpose.

We use PowerDNS, which has run great for years. 2x recursive, 2x authoritative. Linux virtual using VMware. We selected PowerDNS due to its MySQL integration, which makes it easy to sync DNS data from our customer database into the authoritative servers.