How to setup a backup NameServer?
Ryan Novosielski
novosirj at ca.rutgers.edu
Wed Apr 30 05:23:48 UTC 2014
On 04/29/2014 07:48 AM, /dev/rob0 wrote:
> On Tue, Apr 29, 2014 at 11:49:49AM +0100, Niall O'Reilly wrote:
>> At Tue, 29 Apr 2014 10:24:58 +0000, houguanghua wrote:
>>> Yes, I had asked the same question months ago. I'm designing
>>> how to protect DNS for an ISP. The zones are not owned by the
>>> ISP. The ISP wants to protect the DNS query during attacking. So
>>> it's not standard DNS solution. During the attacking, the
>>> backup server will provide the DNS query and it works even if
>>> it can't refresh zones from primary NS.
>>
> 1.
>> Which (or how many) zones do you expect your backup server to
>> work for?
> (and why these zones in particular?)
>
> 2. Do you have zone transfer access for these zones?
> 3. How will you detect the attack and switch over to this "backup
> server"?
>
> You're asking for features which do not exist, and are unlikely to
> be in high demand. You're probably going to have to do/hire some
> custom programming, or else rethink the solution. I suspect the
> latter is your best bet.
To add a little to that: if it's a feature that doesn't exist and no
one wants, that often (though not always) means it's not a good idea.
DNS has been around a long time; everyone else has solved this problem
some other way (a couple of which have already been mentioned here).
There are a lot of ugly things ISPs do to DNS; I loathe all of them.
I suspect many customers do too.
--
____*Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
|| \\UTGERS |---------------------*O*---------------------
||_// Biomedical | Ryan Novosielski - Sr. Systems Programmer
|| \\ and Health | novosirj at rutgers.edu - 973/972.0922 (2x0922)
|| \\ Sciences | OIT/Enterprise Infras. - ADMC 450, Newark
`'