Selective forwarding?

Grant Taylor gtaylor at tnetconsulting.net
Wed Jan 23 05:45:18 UTC 2019


On 1/22/19 10:06 PM, ObNox wrote:
> I'm not fully against this idea but I'm not comfortable with Site2/3 
> depending on Site1 for the updates.

Fair.

> If for some reason Site1 is unreachable and a host tries to update the 
> DHCP lease, the DNS update would fail and the said host wouldn't be 
> reachable by other direct neighbor hosts (same site) by DNS name just 
> because a remote service is not available. Yes, I could lower the DHCP 
> leases time to try again sooner but it looks inelegant to me.

I would expect that DHCP would operate independently.  Though the 
Dynamic DNS update may fail.

I tend to prefer for DHCP to offer the same addresses to clients if it 
can.  So even if one update did fail, chances are good that the last 
update was for the same IP and DNS still had correct data.

But your concern is legitimate.

I start to wonder if other BIND back ends might offer additional options 
via DLZ.

> This reminds me of an infamous issue few years ago where a WiFi router 
> brand cut the internet access to all hosts because their cloud service 
> was down. The idiotic router firmware believed that internet was "down". 
> Also like stupid Windows hosts displaying warning icons when they can't 
> access www.msftncsi.com, etc. etc. I hate these kinds of dependencies and 
> I do whatever I can to avoid them.

See above.  I think clients would still work using old information.

> There would be no need to promote secondaries to primaries because Site1 
> is really the big one holding most of the information. Site2/3 are 
> "satellites" really where only minimal service is provided.

Fair.

> I thought of that too :-) A week would be far enough in my case.

;-)

> That's a nice idea, however I feel like it's starting to be a bit 
> complicated for my use case. 2 DNS servers per site, maintaining RPZ 
> zones, etc seems a bit overkill for my setup.

Ya.  I felt like it might be overkill for your situation.  But you asked 
a question, and I shared the (partial) answer that I was aware of.

> If I understand correctly, each site would have 2 DNS servers, one 
> "normal" and one forwarder. Would this kind of setup support dynDNS 
> without trouble?

I don't know how dynamic DNS would integrate.  I would think that you 
would want the updates to be sent to site 1 which would then replicate 
back to sites 2 & 3.  The other local DNS server would be for overrides, 
which I doubt would change very often.

> What I meant is that each site would work on its own for normal traffic. 
> Hosts and assets (printers, etc.) would boot up, DHCP, register DNS and 
> access internet the usual way. That's what I mean by "independent".

Yep.

> Only the DNS requests for "unknown records within the local example.com" 
> would be forwarded to the "master" (Site1)

Yep.  So I guess you would want the dynamic updates to the local DNS 
server.  I think you could direct updates there.

> Site1 would hold all the DNS records for its own hosts/assets (ie: 
> host1, printer1, etc.). Site2/3 would do the same on their own (ie: 
> host21,printer21, host31, printer31, etc.) but "app.example.com" and all 
> the others would be forwarded to Site1.

*nod*

> All of this to avoid duplicating the DNS records on each site (currently 
> 3 of them but could grow). At least, that's the current idea but I'm 
> open to other solutions if they fit the bill :-)

Ya.  Sometimes technical solutions are more of a problem than the lack 
of them is a problem.

> I wouldn't need to promote secondary servers to be primary as all of 
> this is purely internal to the company. Site2/3 people would do their 
> work normally, just being unable to reach the centralized app only 
> available at Site1.

ACK

> You assume correctly :)

:-)

> I think I'm now geared towards this solution, which seems to be the 
> simpler one to implement.

I think it's at least worth playing out to see if it fails or if it 
works well enough for your needs.

> I like out-of-the-comfort-zone ideas but in my current case, this seems 
> to be a bit overkill.

Agreed.

You asked a question, and I provided the only answer that I was aware 
of.  I'm sure there are others.  I'd like to see what other people 
suggest.  I selfishly want to learn from their efforts.  }:-)

> I think I'm a bit biased here because I thought about a multi-master DNS 
> service like I already have with OpenLDAP! The multi-master setup of 
> OpenLDAP works so magically well that I really wished it was possible 
> for my DNS use case :-) I can update any LDAP server in the chain and it 
> magically propagates everywhere in an instant.

:-)

Take a look at the BIND DLZ LDAP driver.  I suspect you can get BIND to 
use (what sounds like) your multi-master OpenLDAP configuration.

Link - BIND DLZ > Driver Docs > LDAP
  - http://bind-dlz.sourceforge.net/ldap_driver.html

> It's because I didn't find anything in the docs about the multi-master 
> setup that I came up with the idea of a "selective forwarding" thing :)

Sounds like you're trying to find a possible solution.  More than one 
would be nice so that you can evaluate the merits of them.

> Thank you for your feedback.

You're welcome.

Please share what you end up doing and why you chose it.  I'd like to 
learn from your efforts.  ():-)



-- 
Grant. . . .
unix || die
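For readers who want to see what the satellite-site arrangement discussed in this thread looks like in BIND, here is an added example (editor's illustration, not configuration from either poster or from ISC). It assumes the local names of Site2 live under a delegated subzone, site2.example.com, rather than flat inside example.com: BIND will not forward "unknown" names inside a zone it is authoritative for, so a subzone is the way to keep Site2 answering on its own while everything else under example.com goes to Site1. All addresses, key names and file paths are placeholders.

```conf
// Site2 name server (added example; addresses, key and zone names are
// placeholders, not values from the thread).
key "dhcp-site2-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

acl site2-lan { 10.2.0.0/16; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 10.2.0.53; 127.0.0.1; };
    allow-query { site2-lan; };
    allow-recursion { site2-lan; };
    recursion yes;
    // Ordinary Internet resolution is done locally, so a Site1 outage
    // does not take Internet name resolution down with it.
};

// Local hosts/printers live under a delegated subzone, so Site2 stays
// authoritative (and keeps answering) when Site1 is unreachable.
zone "site2.example.com" {
    type master;
    file "dynamic/db.site2.example.com";
    // Only the local DHCP server, authenticated with the TSIG key above,
    // may add or replace these record types anywhere below the apex;
    // the apex itself (SOA/NS) cannot be touched by dynamic updates.
    update-policy {
        grant dhcp-site2-key zonesub A AAAA TXT DHCID;
    };
    // Optional: let Site1 pull a secondary copy so central systems can
    // resolve Site2 names too.
    allow-transfer { 10.1.0.53; };
    also-notify { 10.1.0.53; };
};

// Everything else in example.com (app.example.com, host1, ...) is asked
// from Site1. "forward only" prevents falling back to the public root
// servers for internal names, so a Site1 outage fails those lookups
// quickly instead of leaking internal names to the Internet.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; };
};
```

The DHCP server at Site2 would send its DDNS updates to 10.2.0.53 signed with dhcp-site2-key; updates for names outside site2.example.com are refused by this server rather than forwarded.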
