comments on speciel DNS setup?

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 30 18:13:22 UTC 2000


Unless you can guarantee that *every* response you ever give -- even to
ANY queries -- fits in 512 bytes, then you need to permit TCP, since
that's what's used by clients when they get a truncated UDP query.

You need to define a root zone in _some_ fashion on all BIND nameservers,
since they always want to "prime" their cache with good, current
root-zone information. At the very least, then, you'd need a "hints" file
on those authoritative servers, even if all it's used for is the
"priming" query named does on startup.

External CNAMEs should work fine, as long as only other servers are
querying the authoritative ones, and those other servers are capable of
fetching the missing data themselves.

Overall, I think this is a reasonable architecture. Caches on
non-recursive servers tend to not grow, and if they're only being queried
by other servers, then their volume shouldn't be very high, since
presumably those other servers are caching responses. This means the
footprint of the authoritative servers should be quite small and you
could probably put them on multifunction machines if you want, e.g. mail
servers, web servers or whatever. Or you could just buy a smaller box for
the purpose.

You should, however, ask yourself "is there enough redundancy?". Sure, 3
authoritative servers is probably enough to cover *machine* failures, but
if all of those servers are on the same subnet, how protected are you
against *network* failure? I make all of my client-serving nameservers
slaves for *every* zone I control. This is because most of them are in
remote locations and I want nameservice to work even if the WAN link is
down. But then, we lose thousands of $$$'s every minute a production line
is down due to a system problem (far more than the disk and RAM cost of
providing full slave capability, in other words); maybe your requirements
aren't quite so stringent...


- Kevin

christiantdk at my-deja.com wrote:

> I'm running DNS servers for an ISP. We have 2 servers which are both
> authoritative for our domains and also the servers our customers send
> their queries to.
>
> We have talked about splitting it up so we have 2 caching-only
> nameservers, and 3 authoritative nameservers which can only accept
> queries on the domains for which they are authoritative.
>
> The caching-only servers, which probably will be the most exposed ones,
> only need to have UDP port 53 permitted and not TCP since clients use
> UDP; this would increase security quite a bit. The question is just if
> this has any disadvantages?
>
> As I see it, the 3 authoritative name servers don't need the root zone
> since they should not answer queries about domains other than those
> which they are authoritative for. But I'm not sure about CNAME records
> pointing to domains other than mine? But that would only be a problem
> if the server accepts recursive queries, which I guess it doesn't need
> to since it should only be servers which send queries to those
> servers?..
>
> Anyone have experience with such a setup? Any other ISPs?
>
> Regards
> Christiantdk
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
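Kevin's point about replies that do not fit in 512 bytes, as an added example (not code from the post or from BIND): a minimal builder for an uncompressed DNS reply that drops answers and sets the TC bit once the UDP limit is reached, beside the check a resolver makes before retrying over TCP. The name and addresses are constructed sample data; a server with TCP/53 filtered would leave such a client with no way to fetch the complete answer.

```python
import struct

UDP_MAX = 512    # classic DNS-over-UDP payload limit (RFC 1035)
TC_BIT = 0x0200  # "truncated" flag in the header flags word

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def a_record(name, ip, ttl=3600):
    """One uncompressed A resource record: NAME TYPE=1 CLASS=IN TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def build_udp_response(qname, answers, qtype=255):
    """Assemble a UDP reply; keep only the RRs that fit and set TC if any were dropped.

    Returns (message_bytes, truncated). qtype 255 is ANY, the case the post singles out.
    """
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body, kept = question, 0
    for rr in answers:
        if 12 + len(body) + len(rr) > UDP_MAX:  # 12-byte header + what we have so far
            break
        body += rr
        kept += 1
    truncated = kept < len(answers)
    flags = 0x8400 | (TC_BIT if truncated else 0)  # QR + AA, plus TC when cut short
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, kept, 0, 0)
    return header + body, truncated

def needs_tcp_retry(message):
    """What a resolver checks on a UDP reply: TC set means 'ask again over TCP'."""
    flags = struct.unpack("!H", message[2:4])[0]
    return bool(flags & TC_BIT)

if __name__ == "__main__":
    # Constructed sample data: a host with 16 A records, answered to an ANY query.
    rrs = [a_record("www.example.com", f"192.0.2.{i}") for i in range(1, 17)]
    msg, tc = build_udp_response("www.example.com", rrs)
    print(len(msg), "bytes, TC set:", tc)          # only 15 of the 16 RRs fit
    small, tc_small = build_udp_response("www.example.com", rrs[:15])
    print(len(small), "bytes, TC set:", tc_small)  # 15 RRs fit without truncation
```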
