How can I launch a private Internet DNS server?
ca at nodns4.us
Fri Oct 16 15:59:05 UTC 2020
On 2020-10-16 04:34, Michael De Roover wrote:
> Interesting article, thanks for sharing this! I'm slightly confused
> about some things in it though. Does this mean that any traffic will be
> put on the connection tracker and be treated as stateful unless we use
> CT --notrack, or can the kernel make a heuristic based on what's in the
> iptables rule (i.e. if it only covers a port or a network range, it
> must be stateless)?
Everything is kept in the kernel's conntrack table unless connection
tracking is disabled for any given packet. Conntrack table lifetimes
vary per L4 protocol and can be tweaked by kernel sysctl(8) settings.
I'm not sure what the defaults are nor precisely where they are
documented, but they are probably in the kernel source tree's
> What constitutes a busy server? For a recursor it'd be easy to achieve
> high throughput, but does an authoritative name server for a single
> website need it?
This was an ISC customer site, a major ISP. They provisioned a new
RHEL server for DNS and it was failing miserably with all the dmesg
about "Conntrack table full; dropping packet". It has been a lot of
years since then, so I am not sure if it was an authoritative or
recursive server, but the possibility of conntrack table overflow
exists for either.
Of course only a big site (or a foolish one with 53/udp open to the
world) is likely to have a recursive server busy enough for this.
If you're just a small operator, you're mostly unlikely to be bitten
in this way. But then you never know when you could be "slashdotted",
so it's better to be safe than to be surprised by a DoS.
> On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
>> Absolutely right; I wrote this Linux-centric article about it:
>> It has not been updated to cover nftables.
>> Note also that this is a good reason NOT to use the NAT that
>> other posters have encouraged.
More information about the bind-users