problem "hiding" master server

Mark.Andrews at nominum.com
Wed Jun 27 00:16:14 UTC 2001


> 
> My setup is as follows:
> 2 caching only name servers: dns.x.x. and dns2.x.x.
> 3 authoritative "reachable" slave name servers: ns.x.x., ns2.x.x. and
> ns3.x.x.
> 1 master authoritative which isn't reachable from outside: master.x.x.
> 
> The authoritative name servers are configured to run without root zone, this
> is done by:
>         recursion no;
>         fetch-glue no;
> 
> on the slave servers the zones are configured with:
> zone "x.x" in {
>   type slave;
>   file "x.x";
>   masters {x.x.x.x;  };
> };
> 
> 
> however I often get the error:
> 
> default: sysquery: nlookup error on ?
> 
> If I add the root zone the error seems to stop. Isn't it possible to run
> without a root zone, or do I then just have to ignore this error?
> 
> 
> All zone-editing is done on the "hidden" master server, all zones have the
> following SOA and NS records:
> @ 86400 in soa ns.x.x. hostmaster.x.x. ( 2001061403 28800 7200 604800
> 86400 )
> @ 86400 in ns ns.x.x.
> @ 86400 in ns ns2.x.x.
> @ 86400 in ns ns3.x.x.
> 
> 
> The problem is that ns.x.x isn't notified, and from what I understand from
> DNS and BIND it's because the master specified in the SOA which also has
> an NS record is assumed to be the master itself and should therefore not be
> notified! I guess a solution would be to specify master.x.x. as the master
> server in the SOA record and add an NS record for it; that way it doesn't
> notify itself but all the slaves....
> 
> However, the idea was to "hide" the master server so nobody can send queries
> to it from outside, and I'm not sure the master specified in the SOA record
> can be unreachable; wouldn't that be a problem?

	Just put the true master in the origin field.  All DNS
	operations are supposed to be directed at the listed
	nameservers.  This includes both queries and update requests.

	Apart from broken W2K beta boxes and only then when sending
	updates.  The only queries that will be directed directly
	at the master are from the slaves or humans trying to
	diagnose problems.

	Mark
> 
> A better solution might be to specify ns.x.x. as the master server and then
> use "also-notify ns.x.x" on the master server; that way ns.x.x. should
> be notified even though the server believes it's the master....
> 
> It seems there are a number of solutions, but my idea was that the slave servers
> should only handle queries and not notify/pull zones from each other;
> this should instead be done by the master server, which doesn't use CPU on
> answering queries. Anyone have any comments/suggestions? Perhaps from a
> similar setup?
> 
> 
> Regards
> Christian Rasmussen
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
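As an added illustration (not part of the thread and not Mark's or ISC's configuration), the following named.conf fragment is how the hidden master from the question could be set up following Mark's advice: master.x.x. goes in the SOA MNAME field so that ns.x.x., ns2.x.x. and ns3.x.x. all receive NOTIFY, the hidden master answers queries and zone transfers only for the listed slaves, and also-notify guards against ns.x.x. being left out should it ever reappear as MNAME. The addresses are constructed documentation addresses and the syntax assumes BIND 9.

```conf
// Hidden master (master.x.x.) -- added example, not from the original post.
// 192.0.2.10-12 stand for ns.x.x., ns2.x.x. and ns3.x.x. (constructed values).
acl "public-slaves" { 192.0.2.10; 192.0.2.11; 192.0.2.12; };

options {
    directory "/var/named";
    recursion no;                               // authoritative only, no resolver role
    notify yes;                                 // NOTIFY every NS in the zone except the
                                                // SOA MNAME host and this server's own addresses
    allow-query    { public-slaves; localhost; };   // nothing outside can query the master
    allow-transfer { public-slaves; };              // only the three slaves may AXFR/IXFR
};

// Zone file "x.x" carries:  @ 86400 IN SOA master.x.x. hostmaster.x.x. ( ... )
// plus NS records for ns.x.x., ns2.x.x. and ns3.x.x. only. Because MNAME is
// the hidden master and not one of the NS hosts, all three slaves are notified.
zone "x.x" in {
    type master;
    file "x.x";
    // Belt and braces for the case where ns.x.x. is kept as MNAME after all:
    // also-notify sends a NOTIFY there regardless of the MNAME rule.
    also-notify { 192.0.2.10; };
};
```

On each public slave the zone stanza from the question stays as it is, with `masters { <hidden master address>; };`, since slaves direct their SOA checks and transfers at the configured masters rather than at the MNAME host.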