Bind traffic to root servers - too much?

Kevin Darcy kcd at daimlerchrysler.com
Wed May 9 20:51:04 UTC 2001


You could define your own root zone on those servers, turn off recursion and
block queries from everything except your own zones (to avoid the bogus root
zone data from leaking out). When a server is authoritative -- master or slave
-- for the root zone, it doesn't need to "prime".


- Kevin
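The arrangement Kevin describes, as an added example that is not from anyone in the original thread: a BIND `named.conf` (syntax common to BIND 8 and 9) with recursion off, a locally defined root zone that only the host itself may query, and the real zones left open. The zone name `example.com`, the file names and the 192.0.2.x addresses are placeholders chosen for the example.

```conf
// named.conf for an authoritative-only server (added example, not the poster's config).
// Zone names, file paths and 192.0.2.x addresses are constructed placeholders.
options {
    directory "/var/named";
    recursion no;                  // answer only for zones we hold; never resolve for clients
};

// A locally defined root zone.  A server that is authoritative (master or slave)
// for "." has no reason to prime, so the "NS? ." queries to the real roots stop.
zone "." {
    type master;
    file "db.fakeroot";            // needs only an SOA, NS records for our own servers, and their A glue
    allow-query { localhost; };    // nobody outside ever sees the bogus root data
    allow-transfer { 192.0.2.2; }; // the secondary slaves it, so it needs no priming either
};

// The zones we really serve stay answerable by anyone; transfers stay restricted
// to the secondary, as in the original setup.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
    allow-transfer { 192.0.2.2; };
};
```

On the secondary the `"."` zone becomes `type slave; masters { 192.0.2.1; };` with the same `allow-query { localhost; };`, so neither server sends priming queries through the firewall.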

Steven Cardinal wrote:

> Thanks Mark - however, they don't seem to stop.  Shouldn't they only poll
> every, I don't know, 10 minutes or so (or more).  It seems to be non-stop
> chatter.  If I read tcpdump correctly - both source and dest ports are high,
> and each server has chosen a different one - I'd rather not open these ports
> on the firewall unless necessary.
>
> -Steve
> <Mark.Andrews at nominum.com> wrote in message
> news:9d9v61$qt6 at pub3.rc.vix.com...
> >
> > > I have a pair of Bind 8.2.3 servers which are auth for my domains. That is
> > > all they do - answer external queries for my hosts. Our internal clients use
> > > our ISP's DNS Servers.  Security is set so that the secondary is the only
> > > host that can transfer from the primary (I believe it is a pull, not a push
> > > scenario).  Everything works fine - people looking for our external systems
> > > find them just fine (web site, ftp and email server)
> > >
> > > I brought up tcpdump however and see loads of traffic being generated by my
> > > Bind servers querying the Root servers as follows (IPs changed to protect
> > > the innocent):
> > >
> > > 11:14:50.418712 111.222.33.44.27652 > m.root-servers.net.domain: 52755 NS? . (17)
> > > 11:14:52.825980 111.222.33.55.38798 > i.root-servers.net.domain: 20116 NS? . (17)
> > > 11:14:56.827148 111.222.33.55.38798 > c.root-servers.net.domain: 20116 NS? . (17)
> > > 11:14:58.420256 111.222.33.44.27652 > h.root-servers.net.domain: 52755 NS? . (17)
> > >
> > > My DNS Servers are in a DMZ and I'm unsure if they keep querying because
> > > they can't get through the firewall (tcp 53 is open for inside and dmz to
> > > query out) or if the DNS servers are misconfigured.
> > >
> > > Any ideas?
> > > Thanks
> > > Steve
> > >
> > >
> > >
> > The servers are trying to prime themselves, i.e. find the current
> > set of root servers.  Even authoritative servers need to know the
> > current set of root servers.
> >
> > Mark
> > --
> > Mark Andrews, Nominum Inc.
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
> >
> >
