How to setup a backup NameServer?

houguanghua houguanghua at hotmail.com
Wed Apr 30 01:50:28 UTC 2014


A lot of zones will be supported: all popular zones in the ISP.
Maybe the best solution is to hire some custom programming to develop a private system.
 
Thanks all of you.
 
Guanghua 
 

 
> From: bind-users-request at lists.isc.org
> Subject: bind-users Digest, Vol 1827, Issue 2
> To: bind-users at lists.isc.org
> Date: Tue, 29 Apr 2014 12:00:01 +0000
> 
> 
> 
> Today's Topics:
> 
>    1. Re: How to setup a backup NameServer? (Steven Carr)
>    2. RE: How to setup a backup NameServer? (houguanghua)
>    3. Re: How to setup a backup NameServer? (Niall O'Reilly)
>    4. Re: How to setup a backup NameServer? (/dev/rob0)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 29 Apr 2014 08:19:34 +0100
> From: Steven Carr <sjcarr at gmail.com>
> To: houguanghua <houguanghua at hotmail.com>
> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Re: How to setup a backup NameServer?
> Message-ID:
> 	<CALMep04hqM95fdN3qCRc3xzypQprCGb8JaQYerJ7TgBkt-6oEA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> On 29 April 2014 07:06, houguanghua <houguanghua at hotmail.com> wrote:
> > hi kevin,
> >
> > Stealth slaves can't be used as backup NS server. This backup server can't
> > be accessed by all internet users.
> > It can only be accessed by users from one ISP. It's used when all authority
> > NSs are down, especially in case of DDoS attack.
> >
> > Guanghua Hou
> 
> That's not how DNS works; DNS is a distributed system for that precise reason.
> 
> Why would you only want users of a single ISP to be able to resolve a
> domain if the primary nameservers are down? What happens if the
> primary nameservers are down for more than the SOA Expire time? Your
> secondaries will stop serving the zone anyway as they haven't been
> able to refresh it from the primary master.
> 
> You asked this same question a few months ago without explaining why
> you are wanting to do this and got roughly the same answers.
> 
> If you own the zone and know the IP address range used by the ISP then
> you can create a separate view that contains your additional
> nameserver that no one else will know about, though they still might
> not be able to access it if the primary nameserver is down and the
> additional nameserver isn't in the parent's glue records (clients
> wouldn't be able to find it). But if you don't own the zone then there
> is nothing you can do, it's not your zone to mess with.
> 
> If you're trying to mitigate DDoS look at bigger boxes, faster
> bandwidth, packet filtering and DNS Anycast.
> 
> Steve
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 29 Apr 2014 10:24:58 +0000
> From: houguanghua <houguanghua at hotmail.com>
> To: Steven Carr <sjcarr at gmail.com>
> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: RE: How to setup a backup NameServer?
> Message-ID: <BAY173-W55903C2197C510BEBEBA6BB460 at phx.gbl>
> Content-Type: text/plain; charset="gb2312"
> 
> steven,
>  
> Yes, I had asked the same question months ago.
> I'm designing how to protect DNS for an ISP. The zones are not owned by the ISP. The ISP wants to protect DNS queries during an attack.
> So it's not a standard DNS solution. During the attack, the backup server will answer DNS queries, and it works even if it can't refresh zones from the primary NS. The backup server is configured with a private IP of this ISP. All local DNS servers of this ISP know where the backup server is.
>  
> thanks,
> Guanghua
>  
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 29 Apr 2014 11:49:49 +0100
> From: "Niall O'Reilly" <niall.oreilly at ucd.ie>
> To: houguanghua <houguanghua at hotmail.com>
> Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
> Subject: Re: How to setup a backup NameServer?
> Message-ID: <m24n1c1kc2.wl%Niall.oReilly at ucd.ie>
> Content-Type: text/plain; charset=US-ASCII
> 
> At Tue, 29 Apr 2014 10:24:58 +0000,
> houguanghua wrote:
> > 
> > Yes, I had asked the same question months ago. 
> > I'm designing how to protect DNS for an ISP. The zones are not owned
> > by the ISP. The ISP wants to protect the DNS query during attacking.
> > So it's not standard DNS solution. During the attacking, the backup
> > server will provide the DNS query and it works even if it can't
> > refresh zones from primary NS.
> 
>   Which (or how many) zones do you expect your backup server to work
>   for?
> 
>   /Niall
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Tue, 29 Apr 2014 06:48:52 -0500
> From: /dev/rob0 <rob0 at gmx.co.uk>
> To: bind-users at lists.isc.org
> Subject: Re: How to setup a backup NameServer?
> Message-ID: <20140429114852.GF32069 at harrier.slackbuilds.org>
> Content-Type: text/plain; charset=us-ascii
> 
> On Tue, Apr 29, 2014 at 11:49:49AM +0100, Niall O'Reilly wrote:
> > At Tue, 29 Apr 2014 10:24:58 +0000,
> > houguanghua wrote:
> > > Yes, I had asked the same question months ago. 
> > > I'm designing how to protect DNS for an ISP. The zones are not 
> > > owned by the ISP. The ISP wants to protect the DNS query during 
> > > attacking. So it's not standard DNS solution. During the 
> > > attacking, the backup server will provide the DNS query and it 
> > > works even if it can't refresh zones from primary NS.
> > 
> 1.
> >   Which (or how many) zones do you expect your backup server
> >   to work for?
>                 (and why these zones in particular?)
> 
> 2. Do you have zone transfer access for these zones?
> 3. How will you detect the attack and switch over to this "backup 
>    server"?
> 
> You're asking for features which do not exist, and are unlikely to be 
> in high demand. You're probably going to have to do/hire some custom 
> programming, or else rethink the solution. I suspect the latter is 
> your best bet.
> -- 
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>
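Steve's "separate view" suggestion above, as an added illustration rather than configuration from anyone in the thread: a BIND 9 named.conf fragment with one view that only the ISP's own resolvers match and a default view for everyone else. The address range 198.51.100.0/24, the zone name example.org and the master address 192.0.2.10 are placeholders I chose.

```conf
// Added example: BIND 9 named.conf fragment for the "separate view" idea.
// Assumed placeholders (not from the thread): ISP resolver range
// 198.51.100.0/24, zone example.org, zone master 192.0.2.10.

acl isp-resolvers { 198.51.100.0/24; };

// View 1: only the ISP's resolvers match here and get the extra copy.
view "isp-backup" {
    match-clients { isp-resolvers; };
    recursion no;

    zone "example.org" {
        type slave;
        masters { 192.0.2.10; };
        // Each view needs its own zone file; one file cannot be shared.
        file "slaves/example.org.isp";
        // Caveats raised in the thread: once the master has been
        // unreachable longer than the zone's SOA expire value, named
        // stops answering for this zone, so the view does not survive a
        // long outage. And resolvers outside this view cannot discover
        // this server unless it is listed in the parent's NS/glue records.
    };
};

// View 2: everyone else gets the ordinary copy of the same zone.
view "public" {
    match-clients { any; };
    recursion no;

    zone "example.org" {
        type slave;
        masters { 192.0.2.10; };
        file "slaves/example.org.public";
    };
};
```

Run `named-checkconf` on the result before reloading; the two views must each carry their own zone statement and file, as shown.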
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140430/9f0ae923/attachment-0001.html>

