[Foosinho]

OK, I've got some questions I hope somebody else might have some insight into.

I'm currently engineering my home network for my next home. I would like to park guilfoos.com on my own server and serve it out over DSL to a) save money, and b) have even greater control. This presents some interesting side effects that removing it from my current hosting provider solves.

For example, now I need DNS control so I can create my own subdomains (www.guilfoos.com, mail.guilfoos.com, ftp.guilfoos.com, pbx.guilfoos.com, etc). I also need to provide my own POP3/SMTP/MX services (which is what really has me nervous). Clearly parking all of the PCs behind a NAT box won't really work all that well (which is what I do now).

So, given that I want a mail server, a DNS server, a web server, a FTP server, a PBX (private branch exchange - inhome telco network, VoIP, extensions, etc) server, a secure server (internal.guilfoos.com for remote TiVo access, home automation control, etc), and general services (spam filter, web filter, basicly proxy.guilfoos.com), how should I divide these up over machines, which ones should get the 5 static IPs, and which ones should end up behind the NAT router with the desktop machines? Any suggestions? I know I'd like the PBX machine to be on it's own Linux box (for phone system reliability), but other than that I'm at a loss.

BTW, once I get this up and running I'd be glad to resell hosting services to fellow BS members on the cheap.

[Own Goal Hat-Trick]

freakin techno nut.

i remember when i used to be all read up on that jazz, but alas, ive forgotten quite a bit of it. well, ok, most all of it.

good luck with all that though, should be wicked when you get it all set up.

[Foosinho]

Update! I've got a DNS server running on my LAN, after spending all of today upgrading an old PC to Win2K (and totally botching the bootloader in the process - that wasn't fun). Apache also up and running!

What does that mean? I can sit at my desktop and surf to www.guilfoos.lan to view a LAN "homepage" with links of interest to me. gateway.guilfoos.lan points to the router admin page. It's very cool - no more remembering LAN IP's! tivo.guilfoos.lan will eventually point at - gasp! - the TiVo. And it's all only visible to the LAN subnet! (I'll have to see if I can drop the "guilfoos" part and make it just www.lan or gateway.lan.)

Now I just need to set up an outside domain to point at the gateway IP, and I should be able to hit the server from the outside world via port forwarding.

Virtual hosts in Apache are cool.

[_chachi]

Quote:

Originally posted by Foosinho
Now I just need to set up an outside domain to point at the gateway IP, and I should be able to hit the server from the outside world via port forwarding.

iirc, all you need to do send an email to the company where you registered your domain name that says map xxx.whatever.com to 24.44.45.100. it ususally takes a day or two for it bounce to all the dns servers.

[Foosinho]

Quote:

Originally posted by _chachi
iirc, all you need to do send an email to the company where you registered your domain name that says map xxx.whatever.com to 24.44.45.100. it ususally takes a day or two for it bounce to all the dns servers.

Yeah. I was thinking of changing the DNS entry at the registry to be ns1.guilfoos.com and set the IP to my WAN address, so I can create my own subdomains. Added benefit - saves me the hosting costs I'm currently paying for that domain.

If I can get my own nameserver running without hickups, I can actually host other domains. The barn we board the horses at wants to build a website, so maybe I can trade hosting for lower board every month.

This was so much easier than I thought. I think I'll set up my own mail server tonight - I'll need that before I port guilfoos.com to my own server, or I'll lose my main email source. I'll need to find a secondary DNS server to mirror my DNS zones, tho.

[zpjohnstone]

Well, it looks like I'm a little late, but as someone who worked in an ISP's NOC a few years back, and currently designs & deploys business networks for a living, I might be of help.

One initial point of confusion. You said you can't park all yr boxes behind a NAT device- While dynamic NAT (many to one translation) wouldn't be appropriate, static NAT (one to one translation) would be highly preferable to sitting your boxes out there, unprotected, with public IP addresses on them. I'm thinking when you say 'NAT device' you're talking about your DSL modem, which your ISP may have lied to you and told you it couldn't handle static NAT, which it almost certainly can.

So basically, why don't you set up a nice FreeBSD firewall as your only machine that actually has a public IP, and let it do your firewalling and static NATing, and then put all your boxes behind it with private addresses?

And with all those servers/services, you should make room for IDS, especially if you are going to be hosting other people's sites.

So have you got split DNS working yet?

[zpjohnstone]

Quote:

Originally posted by Foosinho
I'll need to find a secondary DNS server to mirror my DNS zones, tho.

Your ISP should do that for you for free if it's not some mega provider.

[Foosinho]

Quote:

Originally posted by zpjohnstone
So basically, why don't you set up a nice FreeBSD firewall as your only machine that actually has a public IP, and let it do your firewalling and static NATing, and then put all your boxes behind it with private addresses?

I have a LinkSys router/NAT box. I may be able to get away with having one IP - but I've never served thru a webserver data from other machines. I suppose I could proxy-tunnel to the TiVo via SSL or some other secured method (don't want public access to the TiVo!), but I'm not completely convinced I could provide all of the services I want thru one webserver, even with virtual hosting. Yet.

Quote:

And with all those servers/services, you should make room for IDS, especially if you are going to be hosting other people's sites.

Currently I've got ZoneAlarm on the LinkSys box, and Norton AV on the desktop machine. The server box (still behind the NAT) doesn't have AV software, yet.

Quote:

So have you got split DNS working yet?

Split? (DNS serving is a new thing to me...) I've got DNS working on the LAN IPs, and the DNS server includes a record for a real domain, but it isn't authoritative yet (I haven't changed the records at the registry). What I am confused about is reverse DNS, which I understand I should have working if I want to have a MX server. I understand what it is, but how the records should look, and what cooperation I need upstream is what confuses me.

Quote:

Your ISP should do that for you for free if it's not some mega provider.

SBC Yahoo DSL. They are good about supporting servers over DSL, but I don't know if they are _that_ good.

Of course, one issue still to be resolved is the dynamic IP issue. I technically don't currently have a static IP, but I also never take down the router. I'm currently monitoring my IP to see if SBC/Yahoo force an expiration to the lease. If so, I'll need to upgrade to static IP service, if not, I may try it this way, and just update the registry entries for the NS record when the IP changes - since it should be very infrequent.

[-cman-]

Go Brian!

Reverse DNS. Check out the DNS and BIND Cookbook by O'Reilly. It will take you through from the simples to most complex (multi-domain) DNS hosting stuff.

Basically, a correctly configured reverse DNS system allows for quick translation between CNAMES and IP addresses. It's what turns a request for www.guilfoos.com into 216.218.254.226.

By the way, are you hosting through Hurricane Electric based in Freemont, CA? Cause that's what a whois -h magic www.guilfoos.com says owns that IP block.

So, when adding a host to your zone file, you also add a PTR record in the reverse lookup zone.

The main zone file will be your guilfoos.com DNS file and the reverse lookup file will be the 216.218.256.0.in-addr.arpa zone file (or whatever your IP schema is.)

To add a host to the reverse lookup table, say a mailserver at 227, just add

mail IN A 216.218.256.227

to the guilfoos.com zone, and

227 IN PTR mail.guilfoos.com

to the reverse lookup zone.

That's just for the external (public) IP zone. A lot of that can and probably should be handed off to your upstream provider. Later, as you get more comfortable, you can host the authoritative DNS server yourself and use the ISP's as a slave that will handle most of the queries and unload that bandwidth from your wire. You will need a second set of zone files for your NAT network, eg a www.guilfoos.lan zone and a 1.0.in-addr.arpa reverse zone (if you are using a 192.168.1.xxx private schema).

Anyway, get the O'Reilly book. If you are going to be hosting for multiple domains, the $34.00 will be money well spent.

[Foosinho]

Quote:

Originally posted by -cman-
Reverse DNS. Check out the DNS and BIND Cookbook by O'Reilly. It will take you through from the simples to most complex (multi-domain) DNS hosting stuff.

I had read this was a good book. I very well may buy it - online stuff on DNS is a bit sparser than I expected. DNS must not be sexy enough.

Quote:

By the way, are you hosting through Hurricane Electric based in Freemont, CA? Cause that's what a whois -h magic www.guilfoos.com says owns that IP block.

Yep. And until I'm convinced that a self-hosted setup will work - especially for email (backup MX server!) that domain will stay there. Must have at least one working email at all times!

BTW, there is a domain sitting on my home webserver now, and I think the DNS database has propagated the nameserver records now... www.wildwoodstables.net

Quote:

Later, as you get more comfortable, you can host the authoritative DNS server yourself and use the ISP's as a slave that will handle most of the queries and unload that bandwidth from your wire.

You mean I was supposed to wait? I like jumping into the deep end - ns1.wildwoodstables.net is the authoritative nameserver for wildwoodstables.net - if I set everything up right. dnsreport.com only complained about the SOA Refresh value. I'm currently setting up a slave DNS server offsite.

Quote:

You will need a second set of zone files for your NAT network, eg a www.guilfoos.lan zone and a 1.0.in-addr.arpa reverse zone (if you are using a 192.168.1.xxx private schema).

Already did this! Except the reverse zone stuff.

Unfortunately, with the exception of setting my DNS server up to allow the slave to mirror the appropriate zone file, I won't have time to play with this tonight. My 120GB hard drive is expected to arrive UPS today, and my DirecTiVo is begging to be upgraded.