DDNS Registration behind Load Balancer
Kevin Darcy
kcd at chrysler.com
Wed Jul 2 21:44:47 UTC 2008
Mark Andrews wrote:
>> Mark Andrews wrote:
>>>> Mark Andrews wrote:
>>>>>> Mark Andrews wrote:
>>>>>>>> On Jun 26, 2008, at 4:05 PM, Kevin Darcy wrote:
>>>>>>>>> Chris Buxton wrote:
>>>>>>>>>> On Jun 26, 2008, at 1:53 PM, Linux Addict wrote:
>>>>>>>>>>> Greeting!!
>>>>>>>>>>>
>>>>>>>>>>> I am configuring a DNS setup where it's a mix of Linux and Windows
>>>>>>>>>>> hosts. I decided to go with BIND rather than MS DNS Server. I have
>>>>>>>>>>> Windows hosts doing dynamic registration to the BIND Master Server.
>>>>>>>>>>>
>>>>>>>>>>> The next step on my project is to add a Load Balancer with 3 servers.
>>>>>>>>>>> I was thinking of one master and 2 slaves initially. Then it struck
>>>>>>>>>>> me that when a Windows Host does DDNS registration against the Load
>>>>>>>>>>> Balancer VIP, and when the Load Balancer redirects the traffic to one
>>>>>>>>>>> of the slave servers, it will not accept the changes as it's only a
>>>>>>>>>>> secondary.
>>>>>>>>>>>
>>>>>>>>>> Not true. 'allow-update-forwarding { any; };'.
>>>>>>>>>>
>>>>>>>>> That'll work as long as the OP only has masters and slaves, but
>>>>>>>>> doesn't allow the flexibility to add caching-only resolvers in the
>>>>>>>>> future.
>>>>>>>>>
>>>>>>>>> I still think the best approach is to have the DHCP server(s), rather
>>>>>>>>> than the clients themselves, register the client names in DNS. It also
>>>>>>>>> raises fewer security issues.
>>>>>>>>>
>>>>>>>> I completely agree. I was just pointing out to the OP that one of his
>>>>>>>> assertions was untrue.
>>>>>>>>
>>>>>>>> Chris Buxton
>>>>>>>> Professional Services
>>>>>>>> Men & Mice
>>>>>>>>
>>>>>>> Caching only name servers are an orthogonal issue. Your
>>>>>>> load balancer may be able to look at the DNS OPCODE and
>>>>>>> redirect all UPDATE requests to one machine.
>>>>>>>
>>>>>> It's not orthogonal if there is a proliferation of caching-only
>>>>>> resolvers at remote sites, with no load-balancers in front of them, or
>>>>>> no load-balancers capable of the OPCODE-based redirection you describe.
>>>>>> We don't have a lot of information about the OP's network topology
>>>>>> and/or their plans for the future, so we can only speculate in that
>>>>>> regard.
>>>>>>
>>>>> UPDATE requests are sent to authoritative servers. They
>>>>> are *not* sent to caches.
>>>>>
>>>> You sure about that? My understanding, and what I've been told by
>>>> numerous Microsoft "experts", is that Windows clients that are set to
>>>> automatically register themselves in DNS ignore NS, SOA.MNAME, etc. and
>>>> just use whatever is in their resolver list, which often includes
>>>> caches. RFC 2136 provides a nice loophole for this, of course, by saying
>>>> that "Requestors are expected to [...] know or be able to determine the
>>>> name servers for that zone" without putting any limits or restrictions
>>>> on how they determine this.
>>>>
>
> Which is not how Microsoft says the clients do it.
>
> http://support.microsoft.com/kb/317590 (Windows 2000)
> http://support.microsoft.com/kb/816592 (Windows 2003)
>
> The SOA query uses the local cache. The UPDATE goes direct.
> If the master is unreachable
> The NS query uses the local cache. The UPDATE goes direct to the
> listed nameservers.
>
> Now if you can find documentation that says otherwise please
> post the URL.
>
I guess I'm going to have to talk to my Microsoft "experts" then, to get
some clarification/confirmation. We might even set this up in a test
lab, since we have a possible requirement to support automatic client
registration for a small subset of our clients, and need to know
how/whether it's going to work in our predominantly BIND-based environment.
Thanks for digging these KnowledgeBase articles up -- I looked all over
Microsoft's website(s) for a description of Dynamic Update client
internals, but I think I might have been using BIND-oriented or
DNS-standards-based search terms, rather than Microsoft-ese, so I didn't
find anything concrete.
- Kevin
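The OPCODE-based dispatch Mark Andrews mentions (send every UPDATE to the master, spread ordinary queries across the pool) is easy to sanity-check without any load balancer at all. The following is an added example written for this thread, not code from any poster or from BIND; it parses the 12-byte DNS header from RFC 1035 plus the first question/zone name, classifies the message by OPCODE (5 is UPDATE per RFC 2136), and picks a backend. The pool addresses are placeholders, and the sample messages are constructed inline so the script runs offline. Whether a given appliance can express this rule is a separate question; the example only shows what the rule has to look at.

```python
"""Dispatch DNS requests by OPCODE: UPDATE goes to the master, the rest to the pool.

Constructed example for the bind-users thread; not a real load balancer's rule
language. Only the DNS header (RFC 1035 section 4.1.1) and the first
question/zone entry are decoded; the rest of the message is passed through.
"""
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5  # RFC 2136 section 2

# Placeholder pool (not from the thread): one master that accepts updates,
# two slaves that would refuse them.
MASTER = "192.0.2.10"
SLAVES = ["192.0.2.11", "192.0.2.12"]


def parse_header(msg):
    """Return ID, QR bit, OPCODE and the four section counts from a wire-format message."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def read_name(msg, offset):
    """Decode an uncompressed domain name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            # The first name in a message cannot point backwards, so a
            # compression pointer here means the packet is malformed.
            raise ValueError("compression pointer in first name")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def zone_of(msg):
    """Name in the first question (QUERY) or zone (UPDATE) entry."""
    name, _ = read_name(msg, 12)
    return name


def route(msg, pick_slave=lambda: SLAVES[0]):
    """Choose the backend: UPDATE (opcode 5) goes to the master, everything else to the pool."""
    hdr = parse_header(msg)
    if hdr["qr"]:
        raise ValueError("responses are not routed")
    if hdr["opcode"] == OPCODE_UPDATE:
        return MASTER
    return pick_slave()


def build_message(opcode, name, rtype, rclass=1, msg_id=0x1234):
    """Construct a minimal request with one question/zone entry (sample input only)."""
    flags = (opcode & 0xF) << 11
    wire = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00" + struct.pack("!HH", rtype, rclass)
    return wire


# Constructed samples: an A query for a host, and a dynamic UPDATE whose
# zone section names example.com (zone entries carry type SOA = 6).
SAMPLE_QUERY = build_message(OPCODE_QUERY, "host1.example.com.", 1)
SAMPLE_UPDATE = build_message(OPCODE_UPDATE, "example.com.", 6)

if __name__ == "__main__":
    for kind, m in (("QUERY", SAMPLE_QUERY), ("UPDATE", SAMPLE_UPDATE)):
        print(f"{kind:6} zone={zone_of(m)} -> {route(m)}")
```

The same header check works for TCP, except that each message there is prefixed by a two-byte length field that has to be stripped first; a balancer that only inspects the UDP payload will miss updates that a client sends over TCP.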