Distributing DNS servers

Barry Margolin barmar at bbnplanet.com
Fri Aug 27 19:01:52 UTC 1999


In article <Pine.BSF.4.01.9908270950530.19335-100000 at phoenix.aye.net>,
Barrett Richardson  <barrett at phoenix.aye.net> wrote:
>
>I want to distribute my primary across a network topology for
>various reasons. I intend to have an ip address for the primary
>attached to a loopback interface on multiple machines at
>multiple points in my network (and use OSPF or BGP to establish
>reachability to various nameservers in various locations thru out
>the network).

We're doing a similar thing.  If you traceroute to 4.2.2.1 from different
parts of the country you'll get a different machine.  We're not doing it
with a loopback interface, but with a virtual address on the ethernet
interface.

>Issue 1
>
>  With this scheme IP packets leaving the boxen must not
>  have the IP address of the primary (which is on the loopback
>  and not unique in the network) but the IP address of the
>  ethernet (which is unique). The idea is to have answers
>  to queries to go to the box that sent the query.
>
>  Doable?

BIND 4.9 and newer forces the source address of a response to match the
destination address of the query.

Why do you think it's wrong for these packets to have the loopback address
as their source?  So it's not unique, who cares?

>Issue 2
>
>   I have this fear that an undesirable side effect will result
>   from the caching behaviour of remote servers that query my
>   nameservers. For one, the reply is going to come from an IP
>   for which it has no NS record for my domain, will this be
>   a problem?

It doesn't matter that it doesn't match an NS record.  However, most
resolvers and caching servers will ignore a response if its source address
doesn't match the address to which the query was sent, on the assumption
that someone is spoofing the response.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
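Added example (not part of the original post, and not BIND's own code): a small Python model of the two points in the reply above. The server side applies the BIND 4.9+ rule, replying from the address the query was sent to (the shared anycast address, 4.2.2.1 as in the post) rather than from the node's unique interface address; the resolver side applies the check that most caching servers do, discarding a reply whose source does not match where the query went, or whose transaction ID or question section does not match. The interface address 192.0.2.10, the resolver address 198.51.100.7, the name example.com and the transaction IDs are constructed for the example; the DNS wire format is the real one (RFC 1035 header and question layout, no name compression in the question).

```python
"""Model of anycast DNS response handling (added example, not from the post).

Server side: reply from the query's destination address, as BIND 4.9+ does.
Resolver side: reject replies whose source/port, transaction ID or question
do not match the query that was sent.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint
    payload: bytes


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """12-byte header (RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(payload: bytes) -> Tuple[int, int, int, int, int, int]:
    """Return (ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHHHH", payload[:12])


def question_section(payload: bytes) -> bytes:
    """Raw bytes of the first question: name + QTYPE + QCLASS (no compression)."""
    i = 12
    while True:
        length = payload[i]
        i += 1
        if length == 0:
            break
        i += length
    return payload[12:i + 4]


def build_response(query_payload: bytes, rdata: bytes, ttl: int = 300) -> bytes:
    """Echo the query's ID and question, add one A record pointing at the question name."""
    txid = parse_header(query_payload)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question_section(query_payload) + answer


def serve(query: Datagram, reply_from: Optional[Endpoint] = None) -> Datagram:
    """Server side. Default: reply source = query destination (BIND 4.9+ rule).

    reply_from overrides that to model Issue 1 from the post, i.e. answering
    from the node's unique interface address instead of the shared one.
    """
    src = query.dst if reply_from is None else reply_from
    rdata = bytes([192, 0, 2, 1])  # constructed answer address
    return Datagram(src=src, dst=query.src, payload=build_response(query.payload, rdata))


def validate_response(query: Datagram, response: Datagram) -> Tuple[bool, str]:
    """Resolver side: the checks a caching server applies before trusting a reply."""
    if response.src != query.dst:
        return False, "source %s:%d does not match query destination %s:%d" % (
            response.src.addr, response.src.port, query.dst.addr, query.dst.port)
    if response.dst != query.src:
        return False, "reply not addressed to the querying socket"
    qid = parse_header(query.payload)[0]
    rid, rflags, rqd = parse_header(response.payload)[:3]
    if rid != qid:
        return False, "transaction id mismatch"
    if not rflags & 0x8000:
        return False, "QR bit not set"
    if rqd != 1 or question_section(response.payload) != question_section(query.payload):
        return False, "question section mismatch"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    resolver = Endpoint("198.51.100.7", 40000)  # constructed remote caching server
    service = Endpoint("4.2.2.1", 53)           # shared anycast address from the post
    iface = Endpoint("192.0.2.10", 53)          # constructed: one node's unique address
    query = Datagram(resolver, service, build_query(0x1234, "example.com"))
    good = validate_response(query, serve(query))                      # accepted
    bad = validate_response(query, serve(query, reply_from=iface))     # Issue 1: rejected
    spoof = Datagram(service, resolver,
                     build_response(build_query(0x9999, "example.com"), b"\x0a\x00\x00\x01"))
    forged = validate_response(query, spoof)                           # wrong ID: rejected
    return good, bad, forged


if __name__ == "__main__":
    for label, result in zip(("normal", "issue 1", "forged id"), demo()):
        print("%-10s accepted=%s (%s)" % (label, result[0], result[1]))
```

Running demo() shows the three cases: the BIND-style reply is accepted, the reply sent from the node's unique interface address is discarded for a source-address mismatch even though its contents are correct, and a reply from the right address with the wrong transaction ID is discarded too.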

