problem "hiding" master server
Mark.Andrews at nominum.com
Mon Jul 2 00:18:27 UTC 2001
Thanks for the report.
>
> Thanks for the answers! :)
>
> My reason for leaving out the root zone is that I would like it to
> only answer queries for which it's authoritative so it won't ever have to
> send queries to anyone. Well, I guess that with "recursion no" and
> "fetch-glue no" the server will not answer such queries.. ?
>
> Okay, you mean that I should just put the master server in the SOA
> record but not in the NS records? Well, I would like to hide the
> master server totally... We tried the also-notify option which seemed
> to do the trick... so I think I'll stick to that... but I guess it's
> kind of the same as with the BIND 9 notify option.. ?
>
>
> Regards
> Christian Rasmussen
>
>
> Mark.Andrews at nominum.com wrote in message news:<9hb9mn$mum at pub3.rc.vix.com>...
> > >
> > > My setup is as follows:
> > > 2 caching only name servers: dns.x.x. and dns2.x.x.
> > > 3 authoritative "reachable" slave name servers: ns.x.x., ns2.x.x. and
> > > ns3.x.x.
> > > 1 master authoritative which isn't reachable from outside: master.x.x.
> > >
> > > The authoritative name servers are configured to run without root zone, this
> > > is done by:
> > > recursion no;
> > > fetch-glue no;
> > >
> > > on the slave servers the zones are configured with:
> > > zone "x.x" in {
> > > type slave;
> > > file "x.x";
> > > masters {x.x.x.x; };
> > > };
> > >
> > >
> > > however I often get the error:
> > >
> > > default: sysquery: nlookup error on ?
> > >
> > > If I add the root zone the error seems to stop, isn't it possible to run
> > > without root zone, or do I then just have to ignore this error?
> > >
> > >
> > > All zone-editing is done on the "hidden" master server, all zones have the
> > > following SOA and NS records:
> > > @ 86400 in soa ns.x.x. hostmaster.x.x. ( 2001061403 28800 7200 604800 86400 )
> > > @ 86400 in ns ns.x.x.
> > > @ 86400 in ns ns2.x.x.
> > > @ 86400 in ns ns3.x.x.
> > >
> > >
> > > The problem is that ns.x.x isn't notified, and from what I understand from
> > > DNS and BIND it's because the master specified in the SOA which also has
> > > an NS record is assumed to be the master itself and should therefore not be
> > > notified! I guess a solution would be to specify master.x.x. as the master
> > > server in the SOA record and add an NS record for it, that way it doesn't
> > > notify itself but all the slaves....
> > >
> > > However, the idea was to "hide" the master server so nobody can send queries
> > > to it from outside, and I'm not sure the master specified in the SOA record
> > > can be unreachable, wouldn't that be a problem?
> >
> > Just put the true master in the origin field. All DNS
> > operations are supposed to be directed at the listed
> > nameservers. This includes both queries and update requests.
> >
> > Apart from broken W2K beta boxes and only then when sending
> > updates. The only queries that will be directed directly
> > at the master are from the slaves or humans trying to
> > diagnose problems.
> >
> > Mark
> > >
> > > A better solution might be to specify ns.x.x. as the master server and then
> > > use the "also-notify ns.x.x" on the master server, that way ns.x.x. should
> > > be notified even though the server believes it's the master....
> > >
> > > It seems there are a number of solutions, but my idea was that the slave servers
> > > should only handle queries and not notifying/pulling zones from each other,
> > > this should instead be done by the master server which doesn't use CPU on
> > > answering queries.. Anyone have any comments/suggestions? Perhaps from a
> > > similar setup?
> > >
> > >
> > > Regards
> > > Christian Rasmussen
> > >
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
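The following is an added illustration, not part of the thread above: it models the NOTIFY target rule the thread turns on (BIND sends NOTIFY to every server in the zone's NS RRset except the one named in the SOA MNAME field, which it assumes is itself, plus anything listed in also-notify) and checks which slaves would silently never be notified. The zone text is constructed from the placeholder names in Christian's post; the SOA-MNAME variant follows Mark's advice of naming the true master in the SOA without giving it an NS record. Real BIND takes IP addresses in also-notify, so the name used for that list here is only a stand-in.

```python
"""Which servers will a BIND master send NOTIFY to?

Added example (not from the bind-users post). Rule modelled, as stated in
the thread and in the BIND ARM 'notify' option: NOTIFY goes to every name
in the zone's NS RRset except the SOA MNAME, plus the also-notify list.
"""

# Constructed zone fragment using the poster's placeholder names (x.x).
ZONE_AS_POSTED = """\
@ 86400 in soa ns.x.x. hostmaster.x.x. ( 2001061403 28800 7200 604800 86400 )
@ 86400 in ns ns.x.x.
@ 86400 in ns ns2.x.x.
@ 86400 in ns ns3.x.x.
"""

# Same zone with the hidden master named in the SOA MNAME field and no NS
# record for it (Mark's suggestion), so the master stays out of the NS set.
ZONE_TRUE_MASTER_IN_SOA = ZONE_AS_POSTED.replace("soa ns.x.x.", "soa master.x.x.")


def parse_soa_and_ns(zone_text):
    """Return (soa_mname, [ns names]) from a minimal one-record-per-line zone.

    Only the layout used in the post is handled; anything more elaborate
    (multi-line SOA, $ORIGIN, relative names) needs a real zone parser.
    """
    mname = None
    ns = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        rrtype = fields[3].lower()
        if rrtype == "soa":
            mname = fields[4].lower()       # MNAME is the first SOA field
        elif rrtype == "ns":
            ns.append(fields[4].lower())
    return mname, ns


def notify_targets(zone_text, also_notify=()):
    """Servers a BIND master will NOTIFY for this zone (sorted list).

    also_notify: entries from named.conf's also-notify (IP addresses in real
    BIND; names are used here purely as stand-ins).
    """
    mname, ns = parse_soa_and_ns(zone_text)
    targets = {name for name in ns if name != mname}   # skip "myself"
    targets.update(entry.lower() for entry in also_notify)
    return sorted(targets)


def silently_skipped(zone_text, also_notify=()):
    """NS servers that will never receive a NOTIFY: the poster's failure mode."""
    _, ns = parse_soa_and_ns(zone_text)
    return sorted(set(ns) - set(notify_targets(zone_text, also_notify)))


if __name__ == "__main__":
    print("as posted:        ", notify_targets(ZONE_AS_POSTED))
    print("never notified:   ", silently_skipped(ZONE_AS_POSTED))
    print("with also-notify: ", notify_targets(ZONE_AS_POSTED, ["ns.x.x."]))
    print("master in SOA:    ", notify_targets(ZONE_TRUE_MASTER_IN_SOA))
```

Run as-is it shows the three outcomes discussed in the thread: with ns.x.x. as MNAME it is the one slave left out, adding it to also-notify brings it back, and naming the hidden master in the SOA (without an NS record) lets all three public slaves be notified while keeping the master out of the published NS set.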