259 lines
12 KiB
HTML
259 lines
12 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Setting Up Your New Domain Mini-HOWTO.: Deciding Which Domain Services You Will Host</TITLE>
|
|
<LINK HREF="Domain-7.html" REL=next>
|
|
<LINK HREF="Domain-5.html" REL=previous>
|
|
<LINK HREF="Domain.html#toc6" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Domain-7.html">Next</A>
|
|
<A HREF="Domain-5.html">Previous</A>
|
|
<A HREF="Domain.html#toc6">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="which-servs"></A> <A NAME="s6">6. Deciding Which Domain Services You Will Host</A></H2>
|
|
|
|
<P>Most full-service ISPs will provide a variety of domain services for
|
|
their customers. This is largely because of the problems associated
|
|
with hosting these services under certain other, more popular desktop
|
|
and server operating systems. These services are much easier to
|
|
provide under Linux, and can be hosted on fairly inexpensive hardware,
|
|
so you should decide what services you want to take on for
|
|
yourself. Some of these services include:
|
|
<UL>
|
|
<LI>Primary DNS authority on your domain. See section
|
|
<A HREF="#serv-prim-dns">Primary DNS Authority</A>.</LI>
|
|
<LI>Electronic mail. See section
|
|
<A HREF="#serv-email">Electronic Mail</A>.</LI>
|
|
<LI>Web space hosting. See section
|
|
<A HREF="#serv-www">Web Space Hosting</A>.</LI>
|
|
<LI>FTP space hosting. See section
|
|
<A HREF="#serv-ftp">FTP Site Hosting</A>.</LI>
|
|
<LI>Packet filtering. See section
|
|
<A HREF="#serv-filtering">Packet Filtering</A>.</LI>
|
|
</UL>
|
|
<P>In each of these, you basically have to weigh convenience against
|
|
control. When your ISP performs one or more of these services, you can
|
|
usually be fairly sure that they have people with experience
|
|
maintaining the service, so you have less to learn, and less to worry
|
|
about. At the same time, you lose control over these services. Any
|
|
changes require that you go through the technical support of your ISP,
|
|
something which may sometimes be inconvenient or cause longer delays
|
|
than you would like. There's also a security issue involved, the ISP
|
|
is a much more tempting target to attackers than your own site. Since
|
|
an ISP's servers might host email and/or web space for the dozens of
|
|
companies which are their customers, an attacker who compromises one
|
|
of those servers gets a much higher return for his efforts than one
|
|
who attacks your personal servers, where only one company's data is
|
|
kept.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="serv-prim-dns"></A> <A NAME="ss6.1">6.1 Primary DNS Authority</A>
|
|
</H2>
|
|
|
|
<P>When a person somewhere in the outside world attempts to connect to a
|
|
machine in the new example.com domain, queries are sent between
|
|
various servers on the Internet, ultimately resulting in the IP number
|
|
of that machine being returned to the software of the person
|
|
attempting the connection. The details of this sequence are beyond the
|
|
scope of this document. Neglecting many details, when a request is
|
|
made for the machine fred.example.com, a centralized database is
|
|
consulted to determine what is the IP number of the machine which
|
|
holds primary DNS authority for the example.com domain. This IP number
|
|
is then queried for the IP number of the machine fred.example.com.
|
|
<P>
|
|
<P>There must be a primary and a secondary DNS server for every domain
|
|
name. The names and IP numbers of these two servers are stored in a
|
|
centralized database whose entries are controlled by domain
|
|
registration authorities such as
|
|
<A HREF="http://www.networksolutions.com/">Network Solutions</A>.
|
|
<P>
|
|
<P>If you elect to have primary DNS authority hosted by your ISP, these
|
|
two servers will probably both be machines controlled by the ISP. Any
|
|
time you want to add an externally visible machine to your network,
|
|
you will have to contact the ISP and ask them to put the new machine
|
|
in their database.
|
|
<P>
|
|
<P>If you elect to hold primary DNS authority on your own host, you will
|
|
still use another machine as your secondary. Technically, you should
|
|
use one on a redundant Internet connection, but it is very common that
|
|
the secondary is held on one of your ISP's machines. If you want to
|
|
add an externally visible machine to your network, you will have to
|
|
update your own database, and then wait for the change to propagate
|
|
(something which takes, typically, a small number of hours). This
|
|
allows you to add barney.example.com without having to go through your
|
|
ISP.
|
|
<P>
|
|
<P>It is a good idea to set up secondary DNS on a geographically distant
|
|
host, so that a single cable cut near your ISP doesn't take both your
|
|
primary and secondary DNS servers off line. The domain registrar you
|
|
used to register your domain name may provide secondary DNS service.
|
|
There is also a free service,
|
|
<A HREF="http://www.granitecanyon.com/">Granite Canyon</A>, available to anybody who asks.
|
|
<P>
|
|
<P>Regardless of whether or not you choose to act as primary DNS
|
|
authority for your domain, see section
|
|
<A HREF="Domain-7.html#setup-nameres">Setting Up Name Resolution</A> for configuration help. You will
|
|
want some sort of name resolution system for your private network,
|
|
even if you delegate primary DNS authority to the ISP.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="serv-email"></A> <A NAME="ss6.2">6.2 Electronic Mail</A>
|
|
</H2>
|
|
|
|
<P>When you subscribe with your ISP, they will typically supply a number
|
|
of email boxes. You can elect to use this service exclusively, in
|
|
which case all incoming email is stored on the ISP's servers and your
|
|
users read their mail with POP3 clients which connect to the ISP's
|
|
servers. Alternately, you may decide to set up email on your own
|
|
machines. Once again, you should weigh the merits of the two
|
|
approaches, and choose the one which you prefer.
|
|
<P>
|
|
<P>Things to remember if you use the ISP for all email:
|
|
<UL>
|
|
<LI>It may be easier to access the email from home, or from other
|
|
locations when you're on a business trip, depending on the security
|
|
which you use to protect your domain.</LI>
|
|
<LI>Email is routinely stored on the ISP's servers, which may be a
|
|
problem if sensitive material is sent unencrypted.</LI>
|
|
<LI>You have a limited number of email accounts, and may have to pay
|
|
if you exceed this limit.</LI>
|
|
<LI>To create a new email address, you have to go through the ISP.</LI>
|
|
</UL>
|
|
<P>
|
|
<P>Things to remember if you provide your own email:
|
|
<UL>
|
|
<LI>Email is routinely stored on your own servers, with backup
|
|
storage on your ISP if your mail host goes down or its disk fills up.</LI>
|
|
<LI>You have an essentially unlimited number of email accounts,
|
|
which you can create and delete yourself.</LI>
|
|
<LI>You have to support the email clients used on your private
|
|
network, and possibly by people trying to read their email from home.</LI>
|
|
</UL>
|
|
<P>
|
|
<P>One possible approach is to host email yourself, but also use the
|
|
several email addresses provided by the ISP. People who need email
|
|
accessible from outside the private network can have an email address
|
|
in your domain which gets redirected to one of the ISP-supplied email
|
|
addresses. Others can have local email on the private network. This
|
|
requires a bit more coordination and configuration, but gives more
|
|
flexibility than either of the other approaches.
|
|
<P>
|
|
<P>Should you choose to host email for your domain, see
|
|
section
|
|
<A HREF="Domain-7.html#setup-email">Setting Up Email For Your Domain</A> for
|
|
configuration help.
|
|
<P>
|
|
<P>If you decide not to host email for your domain, refer to section
|
|
<A HREF="Domain-7.html#dns-no-email">DNS Configuration If You Are Not Hosting Email</A> for important notes on the name resolution configuration.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="serv-www"></A> <A NAME="ss6.3">6.3 Web Space Hosting</A>
|
|
</H2>
|
|
|
|
<P>Your ISP may allocate you a certain amount of space on their web
|
|
servers. You might decide to use that, or you might have a web hosting
|
|
machine which you put on your external network, in one of your
|
|
external IP numbers.
|
|
<P>
|
|
<P>Points to remember if you choose to use the ISP's web space hosting:
|
|
<UL>
|
|
<LI>You have a certain disk space allocation which you should not
|
|
exceed. This will include not only web space contents, but also data
|
|
collected from people visiting the site.</LI>
|
|
<LI>The bandwidth between your web server and the outside world will
|
|
almost certainly be higher than it would be if you hosted it on your
|
|
own hardware. In any case, it will not be slower.</LI>
|
|
<LI>It may be difficult to install custom CGI scripts or commercial
|
|
packages on your web site.</LI>
|
|
<LI>Your bandwidth between your network and your web server will
|
|
almost certainly be lower than it would be if you hosted it on your
|
|
own network.</LI>
|
|
</UL>
|
|
<P>
|
|
<P>Points to remember if you choose to host your own web space:
|
|
<UL>
|
|
<LI>You have much more control over the hosting machine. You can
|
|
tailor your security more precisely for your application.</LI>
|
|
<LI>Potentially sensitive data, such as credit card numbers or
|
|
mailing addresses, remains on machines which you control.</LI>
|
|
<LI>Your backup strategy is probably not as comprehensive as your
|
|
ISP's.</LI>
|
|
</UL>
|
|
<P>
|
|
<P>Notice that I do not mention anything about the ISP having more
|
|
powerful hardware, higher peak data rates, and so on. By the time these
|
|
things become important, you're talking about very high data rate
|
|
network connections, and, quite frankly, you had better be delegating
|
|
these decisions to a skilled consultant, not looking in a Linux
|
|
HOWTO.
|
|
<P>
|
|
<P>Should you choose to host web space for your domain on your own
|
|
server(s), refer to other documents, such as the
|
|
<A HREF="ftp://metalab.unc.edu/pub/Linux/docs/HOWTO/WWW-HOWTO">WWW-HOWTO</A>, for configuration help. I strongly recommend that
|
|
this service be run on a different machine from the private network
|
|
gateway machine, for security reasons.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="serv-ftp"></A> <A NAME="ss6.4">6.4 FTP Site Hosting</A>
|
|
</H2>
|
|
|
|
<P>Basically, the same arguments apply to FTP hosting as apply to WWW
|
|
hosting, with the exception that active content is not an issue for
|
|
FTP, and CGI scripts don't appear. Most of the recent ftpd exploits
|
|
have come from buffer overruns resulting from the creation of large
|
|
directory names in anonymously-writable upload directories, so if
|
|
your ISP allows uploads and is lax in keeping up with security updates
|
|
on the FTP daemon, you might be better off hosting this service
|
|
yourself.
|
|
<P>
|
|
<P>Should you choose to host FTP for your domain on your own server(s),
|
|
make sure to get the latest version of your FTP daemon, and consult
|
|
the configuration instructions there. Once more, I strongly recommend
|
|
that this service be run on a different machine from the private
|
|
network gateway machine, for security reasons.
|
|
<P>
|
|
<P>For <EM>wu-ftpd</EM>, I would recommend the following configuration options:
|
|
<UL>
|
|
<LI>--disable-upload - unless you need anonymous uploads</LI>
|
|
<LI>--enable-anononly - encourage your local users to use
|
|
<EM>scp</EM> to transfer files between machines.</LI>
|
|
<LI>--enable-paranoid - disable whatever features of the current
|
|
release might be considered questionable.</LI>
|
|
</UL>
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="serv-filtering"></A> <A NAME="ss6.5">6.5 Packet Filtering</A>
|
|
</H2>
|
|
|
|
<P>Some ISPs will put packet filters on their network, to protect the
|
|
users of the system from each other, or from external attackers. Cable
|
|
modem networks and similar broadcast networks have had embarrassing
|
|
problems when users of Windows 95 or 98 inadvertently set up disk
|
|
shares, exporting the full contents of their hard drives to anybody on
|
|
the network segment who cared to browse for active servers in the
|
|
neighbourhood. In some cases, the solution has been to tell the users
|
|
not to do that, but some providers have put filtering into the access
|
|
hardware to prevent people from exporting their data by accident.
|
|
<P>
|
|
<P>Packet filtering is really something which you ought to do yourself.
|
|
It fits in easily into the kernel running on your private network
|
|
gateway machine and gives you a better idea of what's happening around
|
|
you. You often will find that you have to make small tweaks to the
|
|
firewall to optimize it during the initial setup, and this is much
|
|
easier to do in real time than through a technical support contact.
|
|
<P>
|
|
<P>Should you choose to do packet filtering for your domain, see section
|
|
<A HREF="Domain-7.html#setup-filtering">Setting Up Packet Filtering</A> for
|
|
configuration help.
|
|
<P>
|
|
<P>
|
|
<P>
|
|
<HR>
|
|
<A HREF="Domain-7.html">Next</A>
|
|
<A HREF="Domain-5.html">Previous</A>
|
|
<A HREF="Domain.html#toc6">Contents</A>
|
|
</BODY>
|
|
</HTML>
|