<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Setting Up Your New Domain Mini-HOWTO.: Deciding Which Domain Services You Will Host</TITLE>
<LINK HREF="Domain-7.html" REL=next>
<LINK HREF="Domain-5.html" REL=previous>
<LINK HREF="Domain.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="Domain-7.html">Next</A>
<A HREF="Domain-5.html">Previous</A>
<A HREF="Domain.html#toc6">Contents</A>
<HR>
<H2><A NAME="which-servs"></A> <A NAME="s6">6. Deciding Which Domain Services You Will Host</A></H2>
<P>Most full-service ISPs will provide a variety of domain services for
their customers. This is largely because of the problems associated
with hosting these services under certain other, more popular desktop
and server operating systems. These services are much easier to
provide under Linux, and can be hosted on fairly inexpensive hardware,
so you should decide what services you want to take on for
yourself. Some of these services include:
<UL>
<LI>Primary DNS authority on your domain. See section
<A HREF="#serv-prim-dns">Primary DNS Authority</A>.</LI>
<LI>Electronic mail. See section
<A HREF="#serv-email">Electronic Mail</A>.</LI>
<LI>Web space hosting. See section
<A HREF="#serv-www">Web Space Hosting</A>.</LI>
<LI>FTP space hosting. See section
<A HREF="#serv-ftp">FTP Site Hosting</A>.</LI>
<LI>Packet filtering. See section
<A HREF="#serv-filtering">Packet Filtering</A>.</LI>
</UL>
<P>In each of these, you basically have to weigh convenience against
control. When your ISP performs one or more of these services, you can
usually be fairly sure that they have people with experience
maintaining the service, so you have less to learn, and less to worry
about. At the same time, you lose control over these services. Any
changes require that you go through the technical support of your ISP,
something which may sometimes be inconvenient or cause longer delays
than you would like. There's also a security issue involved: the ISP
is a much more tempting target to attackers than your own site. Since
an ISP's servers might host email and/or web space for the dozens of
companies which are their customers, an attacker who compromises one
of those servers gets a much higher return for his efforts than one
who attacks your personal servers, where only one company's data is
kept.
<P>
<P>
<H2><A NAME="serv-prim-dns"></A> <A NAME="ss6.1">6.1 Primary DNS Authority</A>
</H2>
<P>When a person somewhere in the outside world attempts to connect to a
machine in the new example.com domain, queries are sent between
various servers on the Internet, ultimately resulting in the IP number
of that machine being returned to the software of the person
attempting the connection. The details of this sequence are beyond the
scope of this document. Neglecting many details, when a request is
made for the machine fred.example.com, a centralized database is
consulted to determine the IP number of the machine which holds
primary DNS authority for the example.com domain. That machine is then
queried for the IP number of fred.example.com.
<P>
<P>There must be a primary and a secondary DNS server for every domain
name. The names and IP numbers of these two servers are stored in a
centralized database whose entries are controlled by domain
registration authorities such as
<A HREF="http://www.networksolutions.com/">Network Solutions</A>.
<P>
<P>If you elect to have primary DNS authority hosted by your ISP, these
two servers will probably both be machines controlled by the ISP. Any
time you want to add an externally visible machine to your network,
you will have to contact the ISP and ask them to put the new machine
in their database.
<P>
<P>If you elect to hold primary DNS authority on your own host, you will
still use another machine as your secondary. Technically, you should
use one on a redundant Internet connection, but it is very common that
the secondary is held on one of your ISP's machines. If you want to
add an externally visible machine to your network, you will have to
update your own database, and then wait for the change to propagate
(something which takes, typically, a small number of hours). This
allows you to add barney.example.com without having to go through your
ISP.
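<P>As an added example (not part of this HOWTO), the following Python
script shows what "updating your own database" amounts to when you add
barney.example.com: appending an A record to a constructed, cut-down
example.com zone file, bumping the SOA serial so the secondary notices
the change, and bounding the delay before the new name is visible
everywhere. The zone contents, the YYYYMMDDnn serial convention and the
propagation assumptions (the secondary polls at the SOA refresh interval
unless NOTIFY is used; resolvers may hold a cached "no such name" answer
for the RFC 2308 negative-cache TTL) are mine, not the document's.

```python
# Added example, not code from the HOWTO: editing a constructed example.com
# zone to add barney, bumping the SOA serial, and bounding the propagation delay.
import re
from datetime import date

# Constructed sample zone (BIND-style text); fred is the primary, the
# secondary lives at the ISP.
SAMPLE_ZONE = """\
$TTL 86400
@    IN SOA fred.example.com. hostmaster.example.com. (
             2000010501 ; serial, YYYYMMDDnn
             10800      ; refresh: secondary polls every three hours
             3600       ; retry
             604800     ; expire
             3600 )     ; negative-cache TTL (SOA minimum)
@    IN NS  fred.example.com.
@    IN NS  ns2.isp.example.
fred IN A   192.0.2.1
"""


def strip_comments(zone_text):
    """Drop ';' comments so numbers inside them cannot confuse the parser."""
    return "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())


def parse_soa(zone_text):
    """Return (serial, refresh, retry, expire, minimum) from the SOA record."""
    m = re.search(r"SOA\s+\S+\s+\S+\s*\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\)",
                  strip_comments(zone_text))
    if not m:
        raise ValueError("no SOA record found")
    return tuple(int(x) for x in m.groups())


def next_serial(old_serial, today=None):
    """YYYYMMDDnn convention: today's date plus a two-digit counter. The
    serial must only ever grow, or the secondary ignores the new zone."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100
    return base if base > old_serial else old_serial + 1


def add_host(zone_text, name, ip, today=None):
    """Append an A record for `name` and bump the SOA serial in one step."""
    serial = parse_soa(zone_text)[0]
    new_serial = next_serial(serial, today)
    # Replace only the serial token that follows the SOA's opening parenthesis.
    updated = re.sub(r"(\(\s*)%d\b" % serial,
                     lambda m: m.group(1) + str(new_serial), zone_text, count=1)
    return updated.rstrip("\n") + "\n%s IN A   %s\n" % (name, ip)


def worst_case_propagation_seconds(zone_text, notify=False):
    """Upper bound on how long a newly added name can stay invisible.

    Assumptions (mine, not the HOWTO's): without NOTIFY the secondary only
    learns of the change at its next refresh poll, and resolvers may have
    cached "no such name" for up to the negative-cache TTL, which RFC 2308
    defines as the SOA minimum capped by the SOA record's own TTL.
    """
    _, refresh, _, _, minimum = parse_soa(zone_text)
    ttl = re.search(r"^\$TTL\s+(\d+)", zone_text, re.M)
    soa_ttl = int(ttl.group(1)) if ttl else minimum
    negative_ttl = min(minimum, soa_ttl)
    return (0 if notify else refresh) + negative_ttl


if __name__ == "__main__":
    new_zone = add_host(SAMPLE_ZONE, "barney", "192.0.2.2")
    print(new_zone)
    print("worst case before barney resolves everywhere: %d s"
          % worst_case_propagation_seconds(SAMPLE_ZONE))
```

<P>With the sample values (refresh three hours, negative-cache TTL one
hour) the bound comes out to four hours, in line with the "small number
of hours" mentioned above; the classic way for a change never to reach
the secondary is to edit the zone without bumping the serial.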
<P>
<P>It is a good idea to set up secondary DNS on a geographically distant
host, so that a single cable cut near your ISP doesn't take both your
primary and secondary DNS servers offline. The domain registrar you
used to register your domain name may provide secondary DNS service.
There is also a free service,
<A HREF="http://www.granitecanyon.com/">Granite Canyon</A>, available to anybody who asks.
<P>
<P>Regardless of whether or not you choose to act as primary DNS
authority for your domain, see section
<A HREF="Domain-7.html#setup-nameres">Setting Up Name Resolution</A> for configuration help. You will
want some sort of name resolution system for your private network,
even if you delegate primary DNS authority to the ISP.
<P>
<P>
<H2><A NAME="serv-email"></A> <A NAME="ss6.2">6.2 Electronic Mail</A>
</H2>
<P>When you subscribe with your ISP, they will typically supply a number
of email boxes. You can elect to use this service exclusively, in
which case all incoming email is stored on the ISP's servers and your
users read their mail with POP3 clients which connect to the ISP's
servers. Alternatively, you may decide to set up email on your own
machines. Once again, you should weigh the merits of the two
approaches, and choose the one which you prefer.
<P>
<P>Things to remember if you use the ISP for all email:
<UL>
<LI>It may be easier to access the email from home, or from other
locations when you're on a business trip, depending on the security
which you use to protect your domain.</LI>
<LI>Email is routinely stored on the ISP's servers, which may be a
problem if sensitive material is sent unencrypted.</LI>
<LI>You have a limited number of email accounts, and may have to pay
if you exceed this limit.</LI>
<LI>To create a new email address, you have to go through the ISP.</LI>
</UL>
<P>
<P>Things to remember if you provide your own email:
<UL>
<LI>Email is routinely stored on your own servers, with backup
storage on your ISP if your mail host goes down or its disk fills up.</LI>
<LI>You have an essentially unlimited number of email accounts,
which you can create and delete yourself.</LI>
<LI>You have to support the email clients used on your private
network, and possibly by people trying to read their email from home.</LI>
</UL>
<P>
<P>One possible approach is to host email yourself, but also use the
several email addresses provided by the ISP. People who need email
accessible from outside the private network can have an email address
in your domain which gets redirected to one of the ISP-supplied email
addresses. Others can have local email on the private network. This
requires a bit more coordination and configuration, but gives more
flexibility than either of the other approaches.
<P>
<P>Should you choose to host email for your domain, see
section
<A HREF="Domain-7.html#setup-email">Setting Up Email For Your Domain</A> for
configuration help.
<P>
<P>If you decide not to host email for your domain, refer to section
<A HREF="Domain-7.html#dns-no-email">DNS Configuration If You Are Not Hosting Email</A> for important notes on the name resolution configuration.
<P>
<P>
<H2><A NAME="serv-www"></A> <A NAME="ss6.3">6.3 Web Space Hosting</A>
</H2>
<P>Your ISP may allocate you a certain amount of space on their web
servers. You might decide to use that, or you might have a web hosting
machine which you put on your external network, at one of your
external IP numbers.
<P>
<P>Points to remember if you choose to use the ISP's web space hosting:
<UL>
<LI>You have a certain disk space allocation which you should not
exceed. This will include not only web space contents, but also data
collected from people visiting the site.</LI>
<LI>The bandwidth between your web server and the outside world will
almost certainly be higher than it would be if you hosted it on your
own hardware. In any case, it will not be slower.</LI>
<LI>It may be difficult to install custom CGI scripts or commercial
packages on your web site.</LI>
<LI>Your bandwidth between your network and your web server will
almost certainly be lower than it would be if you hosted it on your
own network.</LI>
</UL>
<P>
<P>Points to remember if you choose to host your own web space:
<UL>
<LI>You have much more control over the hosting machine. You can
tailor your security more precisely for your application.</LI>
<LI>Potentially sensitive data, such as credit card numbers or
mailing addresses, remains on machines which you control.</LI>
<LI>Your backup strategy is probably not as comprehensive as your
ISP's.</LI>
</UL>
<P>
<P>Notice that I do not mention anything about the ISP having more
powerful hardware, higher peak data rates, and so on. By the time these
things become important, you're talking about very high data rate
network connections, and, quite frankly, you had better be delegating
these decisions to a skilled consultant, not looking in a Linux
HOWTO.
<P>
<P>Should you choose to host web space for your domain on your own
server(s), refer to other documents, such as the
<A HREF="ftp://metalab.unc.edu/pub/Linux/docs/HOWTO/WWW-HOWTO">WWW-HOWTO</A>, for configuration help. I strongly recommend that
this service be run on a different machine from the private network
gateway machine, for security reasons.
<P>
<P>
<H2><A NAME="serv-ftp"></A> <A NAME="ss6.4">6.4 FTP Site Hosting</A>
</H2>
<P>Basically, the same arguments apply to FTP hosting as apply to WWW
hosting, with the exception that active content is not an issue for
FTP, and CGI scripts don't appear. Most of the recent ftpd exploits
have come from buffer overruns resulting from the creation of large
directory names in anonymously-writable upload directories, so if
your ISP allows uploads and is lax in keeping up with security updates
on the FTP daemon, you might be better off hosting this service
yourself.
<P>
<P>Should you choose to host FTP for your domain on your own server(s),
make sure to get the latest version of your FTP daemon, and consult
the configuration instructions there. Once more, I strongly recommend
that this service be run on a different machine from the private
network gateway machine, for security reasons.
<P>
<P>For <EM>wu-ftpd</EM>, I would recommend the following configuration options:
<UL>
<LI>--disable-upload: unless you need anonymous uploads.</LI>
<LI>--enable-anononly: allow anonymous FTP only; encourage your local
users to use <EM>scp</EM> to transfer files between machines.</LI>
<LI>--enable-paranoid: disable whatever features of the current
release might be considered questionable.</LI>
</UL>
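<P>An added example, not from this HOWTO: a small Python audit that
walks an anonymous FTP tree and reports every directory an anonymous
user could write into, which is the precondition for the upload-directory
problems described above. It assumes a Unix host where the daemon serves
anonymous sessions under a uid that does not own the tree (so the
"other" permission bits decide), and it builds its own constructed sample
tree under a temporary directory so it runs without an FTP server.

```python
# Added example, not from the HOWTO: find directories under an anonymous FTP
# root that anonymous users could write into. Assumes a Unix host where the
# daemon serves anonymous sessions as a uid that does not own the tree, so
# the "other" permission bits are what matter.
import os
import stat
import tempfile


def find_anon_writable_dirs(root):
    """Return sorted (relative_path, has_sticky_bit) for every directory
    under `root` that is writable by 'other'.

    A world-writable directory without the sticky bit lets any anonymous
    user rename or delete what another one uploaded, so those deserve the
    closest look; the root itself is reported as '.' if it is writable.
    """
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            rel = os.path.relpath(dirpath, root)
            findings.append((rel, bool(mode & stat.S_ISVTX)))
    return sorted(findings)


def unsafe_upload_dirs(root):
    """Just the world-writable directories that also lack the sticky bit."""
    return [path for path, sticky in find_anon_writable_dirs(root) if not sticky]


def build_demo_tree():
    """Constructed fixture: a tiny anonymous FTP root with a read-only
    download area, a classic sticky write-only drop box, and one directory
    that was left fully world-writable by mistake."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    layout = [
        ("pub", 0o755),             # downloads only: not reported
        ("incoming", 0o1733),       # drop box: writable, but sticky
        ("incoming/open", 0o777),   # writable and not sticky: the problem case
    ]
    for rel, mode in layout:
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, sticky in find_anon_writable_dirs(demo):
        print("%-16s writable by other, sticky=%s" % (path, sticky))
    print("needs attention:", unsafe_upload_dirs(demo))
```

<P>Point <CODE>find_anon_writable_dirs</CODE> at the real anonymous FTP root
instead of the fixture to audit a live server; a drop box that has to be
writable should at least be sticky and, as the configure options above
suggest, should not exist at all unless anonymous uploads are actually
needed.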
<P>
<P>
<H2><A NAME="serv-filtering"></A> <A NAME="ss6.5">6.5 Packet Filtering</A>
</H2>
<P>Some ISPs will put packet filters on their network, to protect the
users of the system from each other, or from external attackers. Cable
modem networks and similar broadcast networks have had embarrassing
problems when users of Windows 95 or 98 inadvertently set up disk
shares, exporting the full contents of their hard drives to anybody on
the network segment who cared to browse for active servers in the
neighbourhood. In some cases, the solution has been to tell the users
not to do that, but some providers have put filtering into the access
hardware to prevent people from exporting their data by accident.
<P>
<P>Packet filtering is really something which you ought to do yourself.
It fits easily into the kernel running on your private network
gateway machine and gives you a better idea of what's happening around
you. You often will find that you have to make small tweaks to the
firewall to optimize it during the initial setup, and this is much
easier to do in real time than through a technical support contact.
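<P>Added example, not from this HOWTO: a Python summary of what a
gateway packet filter is dropping, the "better idea of what's happening
around you" that the paragraph above refers to. The log lines are
constructed, and their format (the SRC=/DST=/PROTO=/DPT= fields of the
Linux netfilter LOG target) is the later iptables/nftables one rather
than the ipchains format of the HOWTO's time; the NetBIOS/SMB port list
ties back to the Windows file-share story at the start of this section.

```python
# Added example, not from the HOWTO: summarise dropped packets from Linux
# netfilter LOG lines. The lines below are constructed; the field layout
# follows the iptables/nftables LOG target, not ipchains.
import re
from collections import Counter

# Constructed sample: five dropped packets and one unrelated kernel message.
SAMPLE_LOG = """\
Jan  5 10:01:02 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=48 PROTO=TCP SPT=3344 DPT=139 SYN
Jan  5 10:01:03 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=48 PROTO=TCP SPT=3345 DPT=445 SYN
Jan  5 10:01:09 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.2 LEN=78 PROTO=UDP SPT=137 DPT=137
Jan  5 10:02:11 gw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=51000 DPT=21 SYN
Jan  5 10:02:15 gw kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=48 PROTO=TCP SPT=3346 DPT=139 SYN
Jan  5 10:03:00 gw kernel: eth0: link up
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Well-known (protocol, port) pairs worth naming in a report.
SERVICE_NAMES = {
    ("UDP", 137): "netbios-ns", ("UDP", 138): "netbios-dgm",
    ("TCP", 139): "netbios-ssn", ("TCP", 445): "microsoft-ds",
    ("TCP", 21): "ftp", ("TCP", 25): "smtp", ("TCP", 80): "http",
    ("UDP", 53): "dns", ("TCP", 53): "dns",
}
SMB_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}


def parse_log_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict, or
    None if the line is not a packet log (no SRC=/DST= pair)."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def packets(log_text):
    """Yield (src, proto, dport) for every logged packet with a port."""
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and f.get("DPT"):
            yield f["SRC"], f.get("PROTO", "?"), int(f["DPT"])


def summarise(log_text):
    """Count dropped packets by named service and by source address."""
    by_service, by_source = Counter(), Counter()
    for src, proto, dport in packets(log_text):
        by_service[SERVICE_NAMES.get((proto, dport), "%s/%d" % (proto, dport))] += 1
        by_source[src] += 1
    return by_service, by_source


def smb_probe_sources(log_text, threshold=2):
    """Sources that hit NetBIOS/SMB ports at least `threshold` times: the
    share-browsing traffic from the Windows example, seen from outside."""
    hits = Counter(src for src, proto, dport in packets(log_text)
                   if (proto, dport) in SMB_PORTS)
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    services, sources = summarise(SAMPLE_LOG)
    for name, n in services.most_common():
        print("%-14s %d" % (name, n))
    print("busiest sources:", sources.most_common(3))
    print("repeat SMB probes from:", smb_probe_sources(SAMPLE_LOG))
```

<P>Feeding the script the gateway's real kernel log (after giving the
DROP rules a <CODE>--log-prefix</CODE> such as the constructed
<CODE>DROP-IN:</CODE> above) turns the firewall from a black box into the
kind of running picture that makes those early tweaks easy to judge.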
<P>
<P>Should you choose to do packet filtering for your domain, see section
<A HREF="Domain-7.html#setup-filtering">Setting Up Packet Filtering</A> for
configuration help.
<P>
<P>
<P>
<HR>
<A HREF="Domain-7.html">Next</A>
<A HREF="Domain-5.html">Previous</A>
<A HREF="Domain.html#toc6">Contents</A>
</BODY>
</HTML>