[ale] Infrastructure services on same host?

DJ-Pfulio DJPfulio at jdpfu.com
Tue Jun 23 13:12:56 EDT 2015


On 06/23/2015 12:36 PM, leam hall wrote:
> I've seen large companies take the "Winderz Way" and put every single
> service on a separate host. This adds cost and resource consumption and I'm
> not sure there's a good reason for it.
> 
> Am I off base here? Is there any reason not to have internal only DNS, NTP,
> and Mail Relaying on the same hosts?

Security and risk mitigation.
Also, patch management risks.  Systems running lots of services "have all your
eggs in one basket."  Mom was right - don't do that.

NTP is central to network and systems security - don't put it anywhere near the
internet. Same goes for internal DNS.  I could see putting both of those on the
same box, for internal use only. Internet-facing DNS is definitely a high risk
proposal and needs to be on a dedicated VM/box. Mike wrote up a DNS best
practices and posted it here last year or the year before.

Email relays ... that depends on what you mean by that. All my servers push
email to a central email server, but only 1 accepts email from the internet.
This box has a failover - clone. Just point the router to the other box before
doing maintenance.  My email gateway has just email things on it - nothing else.
I can rebuild it into a VM in about 16 min from any backup in the last 120
days. Not accepting email for the time needed to reboot isn't any issue. SMTP
standards are fault tolerant.

BTW - SMTP servers stop working whenever the system load goes above 90%. They
are designed that way. I haven't verified this recently, but sendmail and
postfix both worked this way in the mid-1990s - by design.

If you are worried about costs - stop using commercial software unless it is
really needed.  VMware - stop - just stop - especially for Linux infrastructure
things.  The case can be made to use ESXi for Windows VMs still.

If you use "infrastructure as code" techniques (also called DevOps), moving
these "roles" to different systems isn't too hard.


Of course, this is all IMHO.
