Switching Host

Barry Margolin barmar at alum.mit.edu
Wed Jul 7 23:51:37 UTC 2004


In article <cchsoc$24th$1 at sf1.isc.org>,
 joshknepfle at gmail.com (Josh Knepfle) wrote:
> The issue that I'm currently having is that one of the DNS servers
> from the ISP in our office is still using the old DNS server from our
> domain name registration to get the IP for our domain.  The other is
> fine.  I can fix that for myself, no problem.  The issue I'm facing
> is, what if other ISPs are doing the same, even though it would seem
> that they shouldn't?  I called our ISP and they said that as long as
> the old hosting facility's DNS servers are claiming to be the
> authority for our DNS, their DNS servers are going to continue to look
> to them for our IP address.  That doesn't seem to make logical sense
> to me.  I can think of a case where a company wished to switch
> providers, but where the old provider never removed the entries in
> their DNS servers, so that some segment of the population continued to
> look to their DNS servers for the IP addresses.  In that case, a
> malicious provider could force a client to never be allowed to leave.
> 
> Ok...assuming that that IS the case, and the rules of "what should be"
> have been broken...what can I do?  My thinking is that the ISP in my
> office has their DNS servers set up improperly since one of the DNS
> servers I'm using here in the office is correct and the other is not. 
> Any thoughts?

What happens is that every time a server queries the old ISP's servers, 
the response includes the domain's NS records in the Authority section, 
and these update the TTLs of those records.  As long as it queries the 
old servers more often than the old TTL, the old NS records will never 
expire from the cache, and the server will never have to go to the TLD 
server to get new NS records.

What you should do is tell the old ISP to configure their servers as 
slaves to the new ISP (if your new ISP blocks zone transfers by default, 
you need to have them add the old ISP's servers to the ACL).  That way, 
they'll give out the *new* NS records, and the old ones will soon expire 
from caches.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
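A toy resolver cache that models the refresh behaviour Barry describes, added here as an example and not part of the original thread or of BIND. It assumes a simplified cache in which the NS set in a reply's Authority section always replaces the cached one with a fresh TTL; the zone, server names, TTL and query intervals are constructed values.

```python
# Added example, not from the original post: a toy resolver cache showing why
# NS records carried in the Authority section keep a stale delegation alive.
# Zone, server names, TTLs and query intervals are constructed values.
from dataclasses import dataclass, field

ZONE = "example.com"
NS_TTL = 3600  # seconds; the NS RRset's TTL
OLD_NS = ("ns1.old-isp.example", "ns2.old-isp.example")
NEW_NS = ("ns1.new-isp.example", "ns2.new-isp.example")

@dataclass
class AuthServer:
    name: str
    advertised_ns: tuple  # NS records this server puts in the Authority section

@dataclass
class Resolver:
    servers: dict                 # server name -> AuthServer
    delegation: tuple             # what the TLD (registry) currently delegates to
    cache: dict = field(default_factory=dict)  # zone -> (ns tuple, expiry time)

    def lookup(self, zone, now):
        """Resolve one query at time `now`; return (server used, where NS came from)."""
        entry = self.cache.get(zone)
        if entry is None or entry[1] <= now:
            ns, source = self.delegation, "tld"   # cached NS expired: re-fetch delegation
        else:
            ns, source = entry[0], "cache"
        server = self.servers[ns[0]]
        # The Authority section of the answer re-caches the NS set with a fresh TTL;
        # this refresh is what keeps the old servers "sticky" in the thread.
        self.cache[zone] = (server.advertised_ns, now + NS_TTL)
        return server.name, source

def simulate(old_isp_advertises, query_interval, duration):
    """Cache starts with the stale OLD_NS; the registry already delegates to NEW_NS."""
    servers = {n: AuthServer(n, old_isp_advertises) for n in OLD_NS}
    servers.update({n: AuthServer(n, NEW_NS) for n in NEW_NS})
    r = Resolver(servers=servers, delegation=NEW_NS)
    r.cache[ZONE] = (OLD_NS, NS_TTL)
    return [r.lookup(ZONE, t) for t in range(0, duration, query_interval)]

if __name__ == "__main__":
    day = 86400
    stuck = simulate(OLD_NS, 60, day)   # old servers still claim authority
    fixed = simulate(NEW_NS, 60, day)   # old servers slaved, advertise NEW_NS
    print("stuck: last server used", stuck[-1][0])
    print("fixed: servers used after first query", {s for s, _ in fixed[1:]})
```

Querying every 60 seconds against a 3600-second NS TTL never lets the stale entry expire; once the old servers advertise the new NS set, the very next query goes to the new provider.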