NIS2, ISPConfig and DNS

Discussion in 'ISPConfig 3 Priority Support' started by felan, Jan 6, 2025.

  1. felan

    felan Member HowtoForge Supporter

    Good morning and happy New Year to all :)
    I have been studying NIS2 for a while now, and I have an interesting observation that I would like to hear your view on.
    According to NIS2, all DNS providers are now considered essential services and as such are subject to strict control. Security is required to be very strict.
    One of the things that comes up all the time is that you should have DNS servers on separate machines from your main services, and if possible in different datacenters.
    What do you guys think?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's what any 'larger' ISPConfig setup should have anyway. And by 'larger', I mean anything more than a single server setup in this case.

    You can have two or more ISPConfig DNS nodes in an ISPConfig multiserver setup, and having them in different data centers is no problem as well. See e.g. here: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/

    Regarding NIS2 requirements, I can't give you any recommendations. But yes, security standards are pretty strict, mainly organizational and operational security standards that are needed. I think it also differs a lot between different EU countries.
     
  3. felan

    felan Member HowtoForge Supporter

    Thanks Till.
    Right now the plan is to create two VPS, one in Germany and one in Finland with Hetzner, and only have them do DNS, nothing else. That will, from what I have been able to gather, do the trick.
    If anyone else has suggestions or views on this, do post. Maybe it can help others who are in the same situation :)
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I think that's a good solution. You should try to set up an internal network between them and the master in the Hetzner cloud if your master is in the Hetzner cloud, too.
     
  5. felan

    felan Member HowtoForge Supporter

    That is a good idea actually. Will get that done so that the servers only communicate on a private network.
     
    till likes this.
  6. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ooh.. sorry to hijack the thread.. but it is somewhat related..
    can you set up an internal network between different datacentres in hetzner?
    similar to what it looks like @felan is trying to setup, most of our VPS servers are in hetzner's nuremberg datacentre, but i also have our second dns server in helsinki..
    all the vps's in nuremberg also have an internal network for local comms between themselves.. but everything between the helsinki vps and the nuremberg vps's is all over the public internet at the moment,
    i thought there was no option to connect helsinki and nuremberg to the same private network. only for servers in the same location.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, not sure. I thought it was possible, but I might be wrong, I have not tried that. If it's not possible, you should consider setting up a VPN or network tunnel or at least configure SSL for the mysql connection manually to protect it.

    I hope I will be able to replace MySQL connections with REST API connections in the future. So that the master node provides a REST API endpoint and the slave node connects to that via HTTPS.
     
  8. pyte

    pyte Well-Known Member HowtoForge Supporter

    It should be possible then. Take a look here: https://docs.hetzner.com/cloud/general/locations/

    As long as the two servers are located in the same region, e.g. eu-central, it should be possible to use an internal network between them.

    Just tested and it is possible within the same region.
     
    nhybgtvfr and till like this.
