Question on query-source, transfer-source, notify-source

Barry Finkel b19141 at anl.gov
Tue Aug 3 19:46:31 UTC 2010


On 7/28/10,  I wrote:
>> I have a BIND config question.  First some history.
>>
>> My initial two DNS servers (A and B) had three NICs and three IP
>> addresses.  Then I installed two additional servers (C and D),
>> each with one NIC; each server has one base address and one DNS address.
>> All four servers run Solaris.  When I installed C and D, I placed in
>> the config file
>>
>>      query-source address <dns-address>;
>>      transfer-source <dns-address>;
>>      notify-source <dns-address>;
>>
>> Then we changed servers A and B to new hardware, and we have in
>> addition to the three NICs each, a base, non-DNS address for each.
>> We made no config file changes, and no users have reported problems.
>> These "new" servers A and B have been running for a few years.
>>
>> Now, I am converting all four servers to an Ubuntu platform, and I am
>> revisiting the config file.  In looking through various firewall and
>> DNS query logs, I see that machines A and B are using the non-DNS
>> and queries to the hidden BIND master via the non-DNS addresses.
>> The Internet queries are being blocked at the firewall because we do
>> not allow non-registered DNS addresses to send DNS queries to the
>> Internet, and the non-DNS addresses have no firewall conduits.
>> I can add three options directives above, as I have done on servers
>> C and D, but the ARM seems to imply that I can list only one address
>> in each directive, and I have three DNS addresses for each server.
>>
>> The BIND is 9.7.x on all machines.  Does anyone have suggestions?
>> Thanks.


and Chris Buxton <chris.p.buxton at gmail.com> replied:
>Why do you need 3 DNS interfaces on one box? Why do you need the extra
>interface?
>
>Perhaps you could simplify, or split the three addresses across
>multiple hosts, or even run multiple instances of named on each box.

Historical.  The DNS servers serve three Class-B subnets, and it was
decided when the servers were placed in production many years ago
that they should have an address on each of the Class-B subnets.
One of the subnets had a /22 that was used for buildings on campus that
did not have IP connectivity; they got their IP via the phone
system copper and a device plugged in to the phone jack.  We had to
have a DNS server on that /22.

We have decided that since we can only place one address in the

      query-source address <dns-address>;
      transfer-source <dns-address>;
      notify-source <dns-address>;

statements, we will choose one of the three addresses on each server
and use it.  I believe that it makes no difference if we use the same
address in each of the three statements, or if we use a different
address in each.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8             Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
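The scheme settled on in the message above, as an added named.conf fragment (not from the original post or from ISC): the server keeps listening on all three DNS addresses, while traffic that named itself originates is pinned to one of them. The addresses are constructed placeholders from the RFC 5737 documentation ranges, not the poster's real Class-B addresses.

```conf
// Added example, not part of the original post. Addresses are constructed
// placeholders (RFC 5737 documentation ranges); substitute the real ones.
options {
    // Inbound service: answer on all three "DNS" addresses. A reply to an
    // incoming query is sent from whichever address the query arrived on,
    // so listen-on is what governs the inbound side.
    listen-on { 192.0.2.53; 198.51.100.53; 203.0.113.53; };

    // Outbound traffic that named originates is sourced from one chosen
    // address, which is the only one the firewall needs a conduit for:
    //   query-source    -> recursive lookups sent to the Internet
    //   transfer-source -> AXFR/IXFR requests to the hidden master
    //   notify-source   -> NOTIFY messages to secondaries
    // No "port" is given on query-source, so BIND 9.5+ keeps randomizing
    // the source port; fixing the port there would disable that.
    query-source    address 192.0.2.53;
    transfer-source 192.0.2.53;
    notify-source   192.0.2.53;
};
```

After editing, `named-checkconf /etc/bind/named.conf` (path assumed for the Ubuntu packaging) catches syntax errors before a reload. If the hosts also carry IPv6, the `query-source-v6`, `transfer-source-v6` and `notify-source-v6` counterparts take the same approach for v6 addresses.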