Ubuntu Server DNS, Public or Private IP's?

Asked by Gestalt Worldwide, LLC on 2011-01-23

I've worked with cPanel/WHM for the past two years. Just a few days ago I installed Ubuntu 10. I'm relatively familiar with Linux' general OS configuration, however not so much the command line, and not manually editing the various different service_conf files.

Under cPanel/WHM it was relatively easy set up my DNS and Zone(s) within the UI.
As well, I assigned public IP's to both of the (ns) servers.

My question is: Is it a major security risk for me to run my own DNS on public IP's?

I'm asking because the Ubuntu Server User Guide instructions explain only how to set up DNS running on a private network.

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu bind9 Edit question
Assignee:
No assignee Edit question
Last query:
2011-01-23
Last reply:
2011-01-23

# The domain is --gestaltworldwide.net
# The (primary) server host name is --usmi-gestaltworldwide.net
# Domain Registrar: Network Solutions

# Registrar Domain Host (A) Record: --usmi.gestaltworldwide.net A 184.154.115.202
# Registrar Domain Host (A) Record: --ns1.gestaltworldwide.net A 184.154.115.203
# Registrar Domain Host (A) Record: --ns2.gestaltworldwide.net A 184.154.115.204

# Dedicated Server ISP Provider: --singlehop.com
# Dedicated Server ISP (D)NS IP: --216.104.43.102
# Dedicated Server ISP (D)NS IP: --216.104.43.86

# Server DNS Service: Bind9

# Server Files (respective directories; /etc /etc/bind)
!! NOTE - I've commented out each line below, however the actual files are (of course) not commented out

  >> FILE: db.gestaltworldwide.net

// ; BIND data file for local loopback interface
// ;
// $TTL 14400
// @ IN SOA ns1.gestaltworldwide.net. admin.gestaltworldwide.net. (
// 20110123 ; Serial
// 14400 ; Refresh
// 7200 ; Retry
// 2419200 ; Expire
// 14400 ) ; Negative Cache TTL
//;
// @ IN NS ns1.gestaltworldwide.net.
// @ IN A 127.0.0.1
// @ IN AAAA ::1
// ns1 IN A 184.154.115.203
// ns2 IN A 184.154.115.204

     >> FILE: db.local

// ;
// ; BIND data file for local loopback interface
// ;
// $TTL 14400
// @ IN SOA ns1.gestaltworldwide.net. admin.gestaltworldwide.net. (
// 20110123 ; Serial
// 14400 ; Refresh
// 7200 ; Retry
// 2419200 ; Expire
// 14400 ) ; Negative Cache TTL
// ;
// @ IN NS ns1.gestaltworldwide.net.
// @ IN A 127.0.0.1
// @ IN AAAA ::1
// ns1 IN A 184.154.115.203
// ns2 IN A 184.154.115.204

  >> FILE: named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

  ################################################## named.conf.default-zones

// prime the server with knowledge of the root servers
// zone "." {
// type hint;
// file "/etc/bind/db.root";
// };

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

// zone "gestaltworldwide.net" {
// type master;
// file "/etc/bind/db.local";
// };

// zone "127.in-addr.arpa" {
// type master;
// file "/etc/bind/db.127";
// };

// zone "0.in-addr.arpa" {
// type master;
// file "/etc/bind/db.0";
// };

// zone "255.in-addr.arpa" {
// type master;
// file "/etc/bind/db.255";
// };

    FILE: named.conf.local

// Do any local configuration here

// zone "gestaltworldwide.net" {
// type master;
// file "/etc/bind/db.gestaltworldwide.net";
// };

//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

 FILE: named.conf.options

// options {
// directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable
 // nameservers, you probably want to use them as forwarders.
 // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.

 // forwarders {
// 216.104.43.102
// 216.104.43.86
// };

// auth-nxdomain no; # conform to RFC1035
// listen-on-v6 { any; };
// };

Presently - one or more of the above file(s)/configuration(s) causes Bind9 to FAIL upon sudo /etc/init.d/bind9 restart
  Error Message: rndc: connect failed: 127.0.0.1#953 connection refused

Can someone please review my file(s)/configuration(s) above and explain what I need to change so bind9 does not fail?
Sorry!! Thanks!!!

Please try from terminal:

sudo -i
rndc-confgen -a
exit

sudo /etc/init.d/bind9 restart

I just decided to entirely remove/purge bind9 - and then reinstalled, and then restarted.
Now all of the bind configuration files have been restored to their original default settings in /etc, and /etc/bind.

I'll keep looking around for more information.

Can you help with this problem?

Provide an answer of your own, or ask Gestalt Worldwide, LLC for more information if necessary.

To post a message you must log in.