osdir.com
mailing list archive

Subject: Re: Two masters for one zone - msg#00488

List: network.dns.bind.user

> Without ever having the possibility of a replication
> conflict? Impossibly hard.
>
> What Microsoft has reduced to a nice little marketing label --
> "multi-master" -- is actually a violation of a fundamental design
> principle of DNS, namely the principle of zone coherence.

Hah!

Thread at a glance:

Previous Message by Date:

Re: Split roots (was: Can someone explain forwarders and why I don't need them?)

Herb Martin wrote:
> "Kevin Darcy" <kcd@xxxxxxxxxxxxxxxxxxx> wrote in message
> news:bgbuds$s9p$1@xxxxxxxxxxxxxx
> > I guess I'm missing something here: what exactly is the purpose of defining
> > zones that return nothing but REFUSED or SERVFAIL? Either you have valid
>
> You have to look at the (typical) behavior of an internal
> server -- and how we can "fiddle" that to solve the "two
> separate (disjoint) namespaces" problem.
>
> An internal server forwards, our forwarder returns the NXDOMAIN
> because it cannot find the answer, and the internal server STOPS
> looking, considering the NXDOMAIN to be definitive.
>
> If we want our internal server to FORWARD and recurse an internal
> namespace from the root down on its own, we need to prevent the
> NXDOMAIN.
>
> REFUSE and SERVERFAIL are two ways to accomplish that.

Ah, so if I read you correctly, you're set up with "forward first", a private internal root, and you're deliberately scotching certain parts of the namespace in order to trigger named to go to iterative resolution... Kludge alert! You're basically exploiting a *failover* mechanism to get what you want. That's really bad news. What if your forwarders hiccup some day? Then your great failover mechanism might kick in accidentally, and suddenly your nameservers are giving *incorrect* responses (e.g. NXDOMAIN for www.msn.com/A instead of SERVFAIL or timeout). You're overloading something that was never intended to be used the way you are using it, and potentially sacrificing proper behavior as a result.

> > "private" data for those zones, or you don't: if you have valid data, why not
> > return it? and if you don't, why not just fetch (via forwarding) whatever is
> > available on the Internet in that domain? Is a REFUSED or SERVFAIL response
> > somehow *better* than a response which yields addresses, albeit unreachable
> > ones? The point of the configuration you described apparently eludes me.
>
> In this case above it is better because the typical behavior of
> OTHER (internal) DNS servers is to continue the search
> recursively.
>
> Since the forwarder and the internal server have different
> root hints, we have tricked them into efficiently searching
> two namespaces.

I usually prefer to configure things using well-understood -- or at least well-understandable -- methodologies instead of "trickery". Do you really expect your successor to understand or support this Rube Goldberg contraption you've created?

> It's only an advantage if you have multiple zones internally
> that require you to establish a private root and thereby a
> private, disjoint namespace -- but you still want to resolve
> Internet (or some other) namespace names.

Okay, so how is it really a win to have to maintain all of those delegations in a private root zone (remembering of course that all delegations from a root zone require glue A records, so anytime the name or address of a delegated nameserver changes, so must your root zone), plus all of those so-called "synthetic" zone definitions, than it is to just maintain the equivalent number of stub-zone definitions and be done with it? I'm still not seeing the point of the configuration, other than as a Proof of Concept to show how egregiously you can abuse BIND's failover algorithms...

- Kevin
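
The failure mode Kevin describes can be seen with a small model. The following is an added example, not code from the thread or from BIND: a fake forwarder (Internet namespace plus Herb's "synthetic" zones that answer REFUSED), a fake private root that knows only the internal namespace, and the three resolver policies under discussion ("forward first", "forward only", and stub zones plus forward-only). The zone corp.internal, the hostname under it and all addresses are constructed; www.msn.com is the name Kevin uses.

```python
"""Toy model of the "forward first" trick discussed above.

Constructed example, not code from the thread or from BIND. It runs
offline: the forwarder and the private root are in-memory fakes.
"""
from dataclasses import dataclass

# Response codes as the thread uses them; TIMEOUT stands for "no answer".
NOERROR, SERVFAIL, NXDOMAIN, REFUSED, TIMEOUT = (
    "NOERROR", "SERVFAIL", "NXDOMAIN", "REFUSED", "TIMEOUT")


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


@dataclass
class Forwarder:
    """The external forwarder: knows the Internet namespace and, per the
    thread, carries 'synthetic' zones that answer REFUSED so the internal
    server gives up on it for those names and iterates on its own."""
    internet: dict        # name -> address
    synthetic: tuple      # zone apexes answered with REFUSED
    down: bool = False    # simulate the "forwarders hiccup" case

    def query(self, name):
        if self.down:
            return TIMEOUT, None
        if any(in_zone(name, z) for z in self.synthetic):
            return REFUSED, None
        if name in self.internet:
            return NOERROR, self.internet[name]
        return NXDOMAIN, None


@dataclass
class PrivateRoot:
    """Iterative resolution from private root hints: the private root only
    delegates the internal zones, so any Internet name is NXDOMAIN here."""
    internal: dict

    def resolve(self, name):
        if name in self.internal:
            return NOERROR, self.internal[name]
        return NXDOMAIN, None


def forward_first(name, fwd, root):
    """'forward first': trust the forwarder's answer, but on any failure
    (REFUSED, SERVFAIL, timeout) fall back to iterating from root hints."""
    rcode, addr = fwd.query(name)
    if rcode in (NOERROR, NXDOMAIN):
        return rcode, addr
    return root.resolve(name)


def forward_only(name, fwd, root):
    """'forward only': never iterate; a failed forwarder means SERVFAIL."""
    rcode, addr = fwd.query(name)
    if rcode in (NOERROR, NXDOMAIN):
        return rcode, addr
    return SERVFAIL, None


def stub_zones_then_forward(name, fwd, root, stubs):
    """Kevin's alternative: stub zones for the internal namespace (resolved
    against the internal servers directly), forward-only for the rest."""
    if any(in_zone(name, z) for z in stubs):
        return root.resolve(name)
    return forward_only(name, fwd, root)


# Constructed fixtures (hypothetical zone and addresses).
INTERNET = {"www.msn.com": "192.0.2.10"}
INTERNAL = {"host.corp.internal": "10.1.2.3"}
STUBS = ("corp.internal",)


def run(forwarder_down):
    """Return {(policy, name): rcode} for both names under each policy."""
    fwd = Forwarder(INTERNET, synthetic=STUBS, down=forwarder_down)
    root = PrivateRoot(INTERNAL)
    results = {}
    for name in ("www.msn.com", "host.corp.internal"):
        results[("forward first", name)] = forward_first(name, fwd, root)[0]
        results[("forward only", name)] = forward_only(name, fwd, root)[0]
        results[("stub zones", name)] = stub_zones_then_forward(
            name, fwd, root, STUBS)[0]
    return results


if __name__ == "__main__":
    for down in (False, True):
        print("forwarder down" if down else "forwarder up")
        for (policy, name), rcode in sorted(run(down).items()):
            print(f"  {policy:14} {name:20} {rcode}")
```

With the forwarder up, "forward first" resolves both names, which is why the trick appears to work. With the forwarder down, the same fallback sends www.msn.com to the private root and returns NXDOMAIN, a confident wrong answer that clients will cache; "forward only" and the stub-zone configuration return SERVFAIL for the Internet name while still answering the internal one.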

Next Message by Date:

Re: Default/Wildcard Query Response

phn@xxxxxxxxxxxxxxxxxxxx wrote in message news:<bgacc9$2bjv$1@xxxxxxxxxxx>...
> Shane Kinsch <shane.kinsch@xxxxxxxxxxxxx> wrote:
> > phn@xxxxxxxxxxxxxxxxxxxx wrote in message news:<bg6dqi$1j0$1@xxxxxxxxxxg>...
> >> Shane Kinsch <shane.kinsch@xxxxxxxxxxxxx> wrote:
> >> > Does anyone happen to know a quick and dirty way of taking any traffic
> >> > being requested and give the person doing the query a default IP?
> >> >
> >> > For example... Let's say you were a hosting company or a domain name
> >> > registration firm and you are registering (or allowing people to
> >> > register) domain names using your DNS servers.
> >> >
> >> > I would like to direct traffic of the new domain to an IP address such
> >> > that person X registers a domain xyz.com and uses our DNS servers for
> >> > resolution. I would like to have a default statement somewhere that
> >> > when queried, and the domain is not locally setup, it responds to a
> >> > default IP address thus sending the traffic to a default "domain not
> >> > setup" page.
> >> >
> >> > Any help is appreciated. Please respond to the e-mail address below
> >> > and copy the newsgroup.
> >>
> >> You ask in news and will receive answer with news ...
> >>
> >> Try a DNS wildcard '*' :
> >>
> >> * IN A <ip-of-wildcard>
> >>
> >> This may be combined with other RR and the general rule is
> >> that "closest fit" will match.
> >>
> > Where would this go? In the root's cache? I'm not looking for domain
> > specific as I don't know who is pointing to me. I want to take any
> > and all generic traffic and redirect to a generic start page.
>
> In the zone's zonefile. This is "just another resource-record" among others.

I don't think you understand what I'm asking. There is no ZONE to put it in. It doesn't exist. I need a "wildcard" zone or some config change that will respond to anything if asked with an IP that I give. Again, let's say you point your domain to my servers... they won't respond because I am not the SOA for your domain... now let's say I make some magic change to my DNS servers to respond with an IP, even though I'm not the SOA. Is this possible??

> > Such that you register a domain name and use my name servers. I have
> > no clue what your new domain is, but I want it to be activated
> > immediately once you point to me.
> >
> > Thanks.
> >
> >> > Thanks,
> >> >
> >> > Shane Kinsch
> >> > NetraCorp LLC
> >> > shane.kinsch@xxxxxxxxxxxxxxxxxxx
>
> --
> Peter Håkanson
> IPSec Sverige ( At Gothenburg Riverside )
> Sorry about my e-mail address, but i'm trying to keep spam out,
> remove "icke-reklam" if you feel for mailing me. Thanx.

Previous Message by Thread:

Re: Two masters for one zone

Herb Martin wrote:
> You could use a Win2000+ DNS server running
> on a Domain Controller (perhaps a dedicated domain
> just for this purpose) provide the two or more "Masters".
>
> It's not BIND but if you need it, there it is. BIND secondaries
> are supported.
>
> Technically they're called "Active Directory Integrated DNS
> Servers" but as a 'set' they play the role of Primary DNS.
>
> How hard would it be to add multi-mastering to BIND9?

Without ever having the possibility of a replication conflict? Impossibly hard.

What Microsoft has reduced to a nice little marketing label -- "multi-master" -- is actually a violation of a fundamental design principle of DNS, namely the principle of zone coherence.

-Kevin
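
The replication conflict Kevin is pointing at can be made concrete with a small model. This is an added example, not code from the thread or from any DNS server: two "masters" for one zone each accept a dynamic update to the same name while they cannot replicate to each other, each bumps its SOA serial, and secondaries that decide whether to transfer by comparing serials (RFC 1982 arithmetic) end up holding different RRsets under the same serial, which is exactly what zone coherence forbids. The zone name, serials and addresses are constructed; the single-primary case is included for contrast.

```python
"""Toy model of a multi-master replication conflict in DNS.

Constructed example, not code from the thread or from any DNS server.
Zone name, serials and addresses are made up.
"""
from dataclasses import dataclass, field


def serial_newer(a, b):
    """RFC 1982 serial number arithmetic: is 32-bit serial a newer than b?"""
    d = (a - b) % 2**32
    return 0 < d < 2**31


@dataclass
class Master:
    name: str
    serial: int
    rrs: dict = field(default_factory=dict)   # owner -> set of addresses

    def dynamic_update(self, owner, addr):
        """Replace the A RRset for owner and bump the SOA serial, as a
        primary does after accepting an RFC 2136 update."""
        self.rrs[owner] = {addr}
        self.serial += 1


@dataclass
class Secondary:
    serial: int = 0
    rrs: dict = field(default_factory=dict)
    source: str = ""

    def refresh(self, master):
        """Transfer only if the master's SOA serial is newer than ours."""
        if not serial_newer(master.serial, self.serial):
            return False
        self.serial = master.serial
        self.rrs = {k: set(v) for k, v in master.rrs.items()}
        self.source = master.name
        return True


def coherent(*zones):
    """Zone coherence: copies carrying the same serial have the same RRsets."""
    by_serial = {}
    for z in zones:
        by_serial.setdefault(z.serial, []).append(z.rrs)
    return all(all(r == group[0] for r in group) for group in by_serial.values())


def two_masters():
    """Two masters accept conflicting updates independently (constructed)."""
    start = {"host.example.com": {"10.0.0.1"}}
    m1 = Master("ns1", 2003080101, dict(start))
    m2 = Master("ns2", 2003080101, dict(start))
    m1.dynamic_update("host.example.com", "10.0.0.2")
    m2.dynamic_update("host.example.com", "10.0.0.3")
    s1, s2 = Secondary(), Secondary()
    s1.refresh(m1)            # s1 happened to reach ns1 first
    s2.refresh(m2)            # s2 happened to reach ns2 first
    # Each later checks the other master: same serial, so "nothing new".
    transferred = s1.refresh(m2) or s2.refresh(m1)
    return {
        "serials_equal": s1.serial == s2.serial,
        "transferred_on_second_check": transferred,
        "coherent": coherent(m1, m2, s1, s2),
        "s1": s1.rrs["host.example.com"],
        "s2": s2.rrs["host.example.com"],
    }


def single_master():
    """The DNS design: one primary serialises updates, so no conflict."""
    m = Master("ns1", 2003080101, {"host.example.com": {"10.0.0.1"}})
    m.dynamic_update("host.example.com", "10.0.0.2")
    m.dynamic_update("host.example.com", "10.0.0.3")
    s1, s2 = Secondary(), Secondary()
    s1.refresh(m)
    s2.refresh(m)
    return {"coherent": coherent(m, s1, s2), "serial": m.serial}


if __name__ == "__main__":
    print("two masters:  ", two_masters())
    print("single master:", single_master())
```

The serial check is the only signal a secondary has for "is my copy current", and in the two-master case it says yes to both divergent copies; any reconciliation has to come from a mechanism outside the DNS protocol, which is the point Kevin is making.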

Next Message by Thread:

DNS Ports

Hi, NG

I am using BIND 9.2.1-16, the one that comes with RedHat 9. I am setting up iptables and I am having difficulty in finding out exactly what ports BIND uses to send and receive queries and data. I know DNS uses UDP to send and get data.

Does DNS always use the unprivileged ports to send queries?
Does DNS always receive answers and queries on port 53?
Does the resolver use different ports than the DNS server?

Any answers will be appreciated

Dave Harman