Bind traffic to root servers - too much?
Mark.Andrews at nominum.com
Wed May 9 23:30:32 UTC 2001
Or even use the real root zone. It's small.
Mark
>
> You could define your own root zone on those servers, turn off recursion and
> block queries from everything except your own zones (to avoid the bogus root
> zone data from leaking out). When a server is authoritative -- master or slave
> -- for the root zone, it doesn't need to "prime".
>
>
> - Kevin
>
> Steven Cardinal wrote:
>
> > Thanks Mark - however, they don't seem to stop. Shouldn't they only poll
> > every, I don't know, 10 minutes or so (or more). It seems to be non-stop
> > chatter. If I read tcpdump correctly - both source and dest ports are high,
> > and each server has chosen a different one - I'd rather not open these ports
> > on the firewall unless necessary.
> >
> > -Steve
> > <Mark.Andrews at nominum.com> wrote in message
> > news:9d9v61$qt6 at pub3.rc.vix.com...
> > >
> > > > I have a pair of Bind 8.2.3 servers which are auth for my domains. That is
> > > > all they do - answer external queries for my hosts. Our internal clients use
> > > > our ISP's DNS Servers. Security is set so that the secondary is the only
> > > > host that can transfer from the primary (I believe it is a pull, not a push
> > > > scenario). Everything works fine - people looking for our external systems
> > > > find them just fine (web site, ftp and email server)
> > > >
> > > > I brought up tcpdump however and see loads of traffic being generated by my
> > > > Bind servers querying the Root servers as follows (IPs changed to protect
> > > > the innocent):
> > > >
> > > > 11:14:50.418712 111.222.33.44.27652 > m.root-servers.net.domain: 52755 NS? . (17)
> > > > 11:14:52.825980 111.222.33.55.38798 > i.root-servers.net.domain: 20116 NS? . (17)
> > > > 11:14:56.827148 111.222.33.55.38798 > c.root-servers.net.domain: 20116 NS? . (17)
> > > > 11:14:58.420256 111.222.33.44.27652 > h.root-servers.net.domain: 52755 NS? . (17)
> > > >
> > > > My DNS Servers are in a DMZ and I'm unsure if they keep querying because
> > > > they can't get through the firewall (tcp 53 is open for inside and dmz to
> > > > query out) or if the DNS servers are misconfigured.
> > > >
> > > > Any ideas?
> > > > Thanks
> > > > Steve
> > > >
> > > >
> > > >
> > > The servers are trying to prime themselves, i.e. find the current
> > > set of root servers. Even authoritative servers need to know the
> > > current set of root servers.
> > >
> > > Mark
> > > --
> > > Mark Andrews, Nominum Inc.
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
> > >
> > >
>
>
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
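The tcpdump lines quoted in this thread can be checked mechanically. What follows is an added example, not code from the thread or from BIND: it parses tcpdump's default one-line output, keeps only root-priming queries (`NS? .` sent to a root server), records the source port and query ID each local server used, and counts the root-server replies that came back. The sample is constructed, modelled on the quoted lines; the reply line for .55 is made up to show what an answered prime looks like, so the report can tell a prime that was answered from one that is being resent with the same query ID and no reply, which points at the firewall dropping the UDP replies to that fixed source port rather than at a zone misconfiguration.

```python
import re
from collections import defaultdict

# Constructed tcpdump sample modelled on the thread's lines (111.222.33.x are the
# post's placeholder addresses; the reply line for .55 is added to show an answered prime).
SAMPLE = """\
11:14:50.418712 111.222.33.44.27652 > m.root-servers.net.domain: 52755 NS? . (17)
11:14:52.825980 111.222.33.55.38798 > i.root-servers.net.domain: 20116 NS? . (17)
11:14:52.901000 i.root-servers.net.domain > 111.222.33.55.38798: 20116 13/0/13 NS A.ROOT-SERVERS.NET. (436)
11:14:58.420256 111.222.33.44.27652 > h.root-servers.net.domain: 52755 NS? . (17)
11:15:06.418712 111.222.33.44.27652 > m.root-servers.net.domain: 52755 NS? . (17)
11:15:07.000000 203.0.113.9.3456 > 111.222.33.44.domain: 4242 A? www.example.com. (33)
"""

# Query: "<ts> <src>.<sport> > <dst>.domain: <id> <type>? <name>"; a reply runs the other way.
QUERY_RE = re.compile(r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?:domain|53): "
                      r"(?P<qid>\d+) (?P<qtype>[A-Z]+)\? (?P<qname>\S+)")
REPLY_RE = re.compile(r"^\S+ (?P<src>\S+)\.(?:domain|53) > (?P<dst>\S+)\.\d+: \d+ ")

def priming_report(text):
    """Per local server: NS? . queries sent to root servers, the source port(s) and
    query IDs used, the root servers asked, and how many root-server replies came back."""
    rep = defaultdict(lambda: {"queries": 0, "replies": 0, "sports": set(),
                               "qids": set(), "roots": set()})
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q and q["qtype"] == "NS" and q["qname"] == "." and q["dst"].endswith(".root-servers.net"):
            e = rep[q["src"]]
            e["queries"] += 1
            e["sports"].add(int(q["sport"]))
            e["qids"].add(int(q["qid"]))
            e["roots"].add(q["dst"])
            continue
        r = REPLY_RE.match(line)
        if r and r["src"].endswith(".root-servers.net"):
            rep[r["dst"]]["replies"] += 1
    return dict(rep)

def diagnose(report):
    """Answer the thread's question: is the chatter one prime being retried with no
    answer, and which UDP source port must the firewall let the replies back to?"""
    out = {}
    for src, e in report.items():
        if e["queries"]:
            out[src] = {"unanswered": e["replies"] == 0,
                        "retrying_same_query": e["queries"] > 1 and len(e["qids"]) == 1,
                        "return_ports": sorted(e["sports"])}
    return out
```

Run `diagnose(priming_report(SAMPLE))` on a real capture taken on the DMZ interface; the `return_ports` value is the port BIND 8 chose at startup (its `query-source` option can pin it), and that single port, not a range of high ports, is what the firewall needs to pass replies back to.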