how to hidden the salve

Kevin Darcy kcd at chrysler.com
Tue Feb 25 15:56:11 UTC 2014


If you have zone-transfer permission, make a stealth slave. That, plus a 
static-stub definition on your "local" server, and you're set.

Or, to simplify things even further, make the "local" server the stealth 
slave (this makes some assumptions about your connectivity to the 
authoritative nameservers for the zone).

                             - Kevin
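The three named.conf fragments below are an added illustration of the setup Kevin describes (stealth slave fed by the primary, static-stub on the local resolver), plus Steven's forwarding alternative; they are not configuration posted in this thread. The zone name abc.com is taken from Guanghua's figure; every address (192.0.2.53 for the primary, 198.51.100.2 for the published secondary, 203.0.113.10 for the stealth slave, 198.51.100.0/24 for the local resolvers), the key name, the secret and the file paths are assumed placeholders from the documentation ranges.

```conf
// ---- 1. On the primary ("master") for abc.com: 192.0.2.53 (assumed) ----
// TSIG key shared with the stealth slave. The secret below is a throwaway
// stand-in; generate a real one with tsig-keygen (or dnssec-keygen).
key "stealth-xfer" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtZG8tbm90LXVzZQ==";
};

zone "abc.com" {
    type master;
    file "/etc/bind/zones/db.abc.com";
    // Published secondary (198.51.100.2, assumed) plus the stealth slave,
    // which is only allowed to transfer when it signs with the key.
    allow-transfer { 198.51.100.2; key "stealth-xfer"; };
    // NOTIFY goes to the NS-record hosts by default; also-notify adds the
    // unpublished slave so it refreshes promptly after every change.
    also-notify { 203.0.113.10; };
};

// ---- 2. On the stealth slave: 203.0.113.10 (assumed) ----
key "stealth-xfer" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtZG8tbm90LXVzZQ==";
};

// Sign every message sent to the primary, so AXFR/IXFR requests carry TSIG.
server 192.0.2.53 {
    keys { "stealth-xfer"; };
};

zone "abc.com" {
    type slave;                        // BIND 9.16+ also accepts "secondary"
    file "/var/cache/bind/db.abc.com";
    masters { 192.0.2.53; };           // BIND 9.16+ also accepts "primaries"
    // Only the local resolver network (assumed 198.51.100.0/24) may ask.
    allow-query { 198.51.100.0/24; };
    allow-transfer { none; };          // nobody copies the zone from here
    notify no;                         // stay silent: it is not in the NS set
};

// ---- 3. On the "local" resolver (198.51.100.0/24, assumed) ----
// static-stub: for abc.com, skip the root -> .com -> NS-record chain and
// send the queries straight to the stealth slave (available since BIND 9.8).
zone "abc.com" {
    type static-stub;
    server-addresses { 203.0.113.10; };
};

// Alternative (Steven's forwarding approach): hand abc.com queries to the
// stealth slave as a forwarder. "forward only" never falls back to normal
// iterative resolution; "forward first" would.
// zone "abc.com" {
//     type forward;
//     forward only;
//     forwarders { 203.0.113.10; };
// };
```

Check each file with named-checkconf, then confirm the stealth slave actually holds the zone with `dig @203.0.113.10 abc.com SOA +norecurse` and compare its serial with the primary's (`rndc retransfer abc.com` on the slave forces a fresh pull). Note that neither static-stub nor a forward zone is a "use this server only when the public NSes are down" switch: both send every abc.com query to the stealth slave unconditionally, which is the simplification Kevin proposes. The slave also keeps answering only until the SOA expire timer runs out without a successful refresh, so it must be able to reach the primary (or another transfer source); that is the connectivity assumption Kevin mentions.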

On 2/25/2014 9:49 AM, houguanghua wrote:
> Sorry.  My description isn't very clear.
>
> The local DNS server isn't a stealth slave. I need a stealth slave, and 
> the local DNS server can query it when all public NSs are out of service.
>
> Thanks!
> Guanghua
>
>
> > Date: Mon, 24 Feb 2014 13:41:03 -0500
> > From: Kevin Darcy <kcd at chrysler.com>
> > To: bind-users at lists.isc.org
> > Subject: Re: how to hidden the salve
> > Message-ID: <530B923F.8070409 at chrysler.com>
> > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> >
> > I guess I'm still not understanding your requirements. In my thinking,
> > the local DNS server would *be* a stealth slave. Why are you considering
> > these as 2 separate instances?
> >
> > - Kevin
> >
> > On 2/24/2014 9:56 AM, houguanghua wrote:
> > > Dan,
> > >
> > > Yes, also-notify can hide the slave name server. But the local DNS server
> > > can't know where the 'stealth' slave is, either.
> > >
> > > Thanks,
> > > Guanghua
> > >
> > > ------------------------------------
> > > Date: Fri, 21 Feb 2014 07:50:05 -0600
> > > From: Daniel McDonald <dan.mcdonald at austinenergy.com>
> > > To: Untitled <bind-users at lists.isc.org>
> > > Subject: Re: bind-users Digest, Vol 1769, Issue 1
> > > Message-ID: <CF2CB5AD.6AE8E%dan.mcdonald at austinenergy.com>
> > > Content-Type: text/plain; charset="US-ASCII"
> > >
> > > On 2/21/14 3:39 AM, "houguanghua" <houguanghua at hotmail.com> wrote:
> > >
> > > > kevin,
> > > >
> > > > How does the local name server learn where the 'stealth' slave is,
> > > > since the 'stealth' slave isn't in the NS records?
> > >
> > > Also-notify directive. Either in an options stanza or a zone stanza.
> > >
> > > >
> > > > thanks,
> > > > Guanghua
> > >
> > > --
> > > Daniel J McDonald, CISSP # 78281
> > >
> > >
> > >
> > > > Date: Thu, 20 Feb 2014 10:48:36 -0500
> > > > From: Kevin Darcy <kcd at chrysler.com>
> > > > To: bind-users at lists.isc.org
> > > > Subject: Re: how to hidden the salve
> > > > Message-ID: <530623D4.3000508 at chrysler.com>
> > > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> > > >
> > > > A "stealth" slave has a full copy of the zone, is not published in the
> > > > NS records, and can resolve names in the latest copy of the zone that it
> > > > transferred, even if all of the published NSes are down due to a DDoS
> > > > attack.
> > > >
> > > > So, does that not meet the requirements?
> > > >
> > > > - Kevin
> > > >
> > > > On 2/20/2014 1:28 AM, houguanghua wrote:
> > > > > "Stealth" slave doesn't fully meet the requirement. It's just part of
> > > > > the requirement to not publish the slave name server in the NS
> > > > > records. Furthermore, the 'stealth' slave is queried by the local DNS
> > > > > server only when all name servers in the NS records are out of service
> > > > > (maybe in case of a DDoS attack).
> > > > > Guanghua
> > > > > ------------------------------
> > > > > On 2/19/2014 11:54 AM, Kevin wrote:
> > > > > Date: Wed, 19 Feb 2014 11:54:44 -0500
> > > > > From: Kevin Darcy <kcd at chrysler.com>
> > > > > To: bind-users at lists.isc.org
> > > > > Subject: Re: how to modify the cache
> > > > > Message-ID: 5304E1D4.5000303 at chrysler.com
> > > > > <mailto:5304E1D4.5000303 at chrysler.com>
> > > > >
> > > > > Not a good solution. Even under "normal" circumstances, there will be
> > > > > temporary bottlenecks, dropped packets, etc. that will trigger failover
> > > > > and users will get different answers at different times. Not good for
> > > > > support, maintainability, user experience/satisfaction, etc.
> > > > >
> > > > > If all you want is resilience, and you own/control the domain in
> > > > > question, why not just slave it ("stealth" slave, i.e. you don't need to
> > > > > publish it in the NS records)?
> > > > >
> > > > > If you *don't* own/control the domain in question, what business do you
> > > > > have standing up a "fake" version of it in your own infrastructure? Not
> > > > > a best practice.
> > > > >
> > > > > - Kevin
> > > > >
> > > > > On 2/19/2014 4:51 AM, houguanghua wrote:
> > > > > > Steven,
> > > > > >
> > > > > > Your solution is very good. It can forward the queries to
> > > > > > the specified name servers first.
> > > > > >
> > > > > > But what if the specified name server is enabled only when the normal
> > > > > > DNS query process is down? How should the local DNS server be
> > > > > > configured? The detailed scenario is described in the figure below:
> > > > > >
> > > > > >                                 --------------
> > > > > >                                 |    Root    |
> > > > > >                                 | nameServer |
> > > > > >                              /  --------------
> > > > > >                        (2)  /
> > > > > >                            /
> > > > > >   ------------          --------------           -------------
> > > > > >   |  Client  | --(1)--> |   Local    | --(3)-X-> | Authority |
> > > > > >   | Resolver | <------- | DNS Server | <-------- | DNS Server|
> > > > > >   ------------          --------------           -------------
> > > > > >                               \
> > > > > >                                \ (4)
> > > > > >                                 \
> > > > > >                                  \   --------------
> > > > > >                                      |   Hidden   |
> > > > > >                                      | DNS Server |
> > > > > >                                      --------------
> > > > > >
> > > > > > Normally,
> > > > > > 1) An internet user wants to access www.abc.com, and
> > > > > >    a DNS request is sent to the local DNS server
> > > > > > 2) The local DNS server queries the root name server and the .com name
> > > > > >    server to get the Authority Name Server of abc.com
> > > > > > 3) The local DNS server queries the Authority name server and gets
> > > > > >    the IP
> > > > > >
> > > > > > But when the Authority name server is down, the internet user won't
> > > > > > get the IP address. My solution is as follows:
> > > > > > a) A hidden name server with low performance is deployed. When the
> > > > > >    authority name server can't be accessed, the local DNS server will
> > > > > >    access the hidden server.
> > > > > > b) The hidden server is never used in the normal situation. It acts as
> > > > > >    a cold backup for the authority name server.
> > > > > > c) The zone file in the hidden server is the same as the
> > > > > >    configuration in the authority name server.
> > > > > > d) The hidden name server doesn't appear in the NS records
> > > > > >    of the authority name server.
> > > > > >
> > > > > > Btw, all above doesn't consider the cache in the local dns 
> server.
> > > > > >
> > > > > >
> > > > > > Best Regards,
> > > > > > Guanghua
> > > > > >
> > > > > >
> > > > > > > Date: Mon, 17 Feb 2014 09:09:13 +0000
> > > > > > > Subject: Re: how to modify the cache
> > > > > > > From: sjcarr at gmail.com
> > > > > > > To: houguanghua at hotmail.com
> > > > > > > CC: bind-users at lists.isc.org
> > > > > > >
> > > > > > > On 17 February 2014 01:17, houguanghua <houguanghua at hotmail.com>
> > > > > > > wrote:
> > > > > > > > I want to override the IP address of the NS, because I want to use
> > > > > > > > another authority DNS which isn't registered.
> > > > > > >
> > > > > > > For that you use forwarding. Create a zone statement for the zone in
> > > > > > > question and forward the queries to a different name server. You don't
> > > > > > > need to mess with the cache.
> > > > > > >
> > > > > > > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/
> > > > > >