How can I setup BIND for redundancy with efficient replication?

Michael E. Hanson MEHanson at GryphonsGate.com
Wed Nov 6 19:41:14 UTC 2002


I know this is a BIND list, and this may be an unpopular position here, but
in this case, why are you NOT using M$ DNS?  What you're describing sounds
like a perfect application of M$ Active Directory Integrated DNS.  If you
setup M$ DNS as AD-Integrated zones, your DNS configuration data is
maintained and replicated as part of the Active Directory.  Every DNS Server
(assuming M$ DNS AD-Integrated) is then a "master" in a multi-master
configuration.  If you lose a DNS server and it won't be back for a long
time, installing the DNS service on ANY AD-DC gives you an AD Integrated DNS
that picks up its configuration automatically from the AD database.  DNS
maintenance can be performed at any DNS server.

Alternately, set one (or two) DNS servers inside your well protected LAN as
AD-Integrated, and set all others up as M$ or BIND Secondary DNS's.  This
narrows the opening for "malicious maintenance", yet still keeps your DNS
config data in the AD, replicated to all DC's as part of the AD.  Again, if
you lose the Master DNS, install the service on a different DC and it will
pick up the data automatically.  Reconfigure the secondaries to point to the
new "master" and you should be set.
_______________
Michael E. Hanson
President, Gryphon Consulting Services
(http://www.GryphonsGate.com)
P.O. Box 1151
Bellevue, NE  68005-1151
(402) 871-9622

MEHanson at GryphonsGate.com (primary)
Gryphons_Master at yahoo.com
----- Original Message -----
From: "Frederic" <fredericguigand at alamy.com>
Newsgroups: comp.protocols.dns.bind
To: <comp-protocols-dns-bind at isc.org>
Sent: Wednesday, November 06, 2002 9:23 AM
Subject: How can I setup BIND for redundancy with efficient replication?


>
> I am in the process of testing BIND before using it as public DNS
> servers for all our zones.
>
> BIND will be installed on standalone MS ISA server (firewall/proxy)
> boxes which are heavily locked down.
>
> The problem I have is the lack of multi-master replication; I do not
> feel comfortable with only having one master DNS server and all the
> others slaves. If the master goes I can foresee quite a lot of work
> reconfiguring all the slave servers, plus possibly some problems if
> this is not achieved before the zone TTL expires.
>
> What I am instead thinking of doing is having all my DNS servers as
> master with no slaves, and a central repository for the DNS
> configuration and zone files. When I need to do a change, I update the
> central files, test them on test DNS servers, and then push them to
> all masters. Additionally I could have this facility built into each
> DNS server in case I lose the central repository.
>
> One additional benefit of this approach is this would enable me to use
> load balanced DNS servers for added redundancy (i.e. I only need
> to publish the load balanced IP address to the external world).
>
>
> -?-> What redundant server configurations are people using?
>
>
> If I go with the above approach, my problem is coming up with an
> efficient 'distribution' mechanism (and not replication anymore).
>
> I know in the unix world people use nscopy. In my case I cannot use
> file copy as my servers are so heavily locked down. The only solution
> I can think of is FTP, but I am concerned about the insecurity of FTP.
>
>
> -?-> Is there a simple and *secure* FTP server
> -?-> I could use on my Windows 2000 boxes?
>
> -?-> If not, what other secure file transfer
> -?-> mechanism could I use? One important aspect
> -?-> is the client has to be scriptable.
>
>
> Once the files are updated, I am planning on using rndc (with the
> appropriate port opened on the firewall) to activate the changes in
> BIND.
>
>
> -?-> Is there any problem in terms of security with
> -?-> using rndc?
>
>
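As an added example (mine, not from either message in this thread): a BIND 9 named.conf showing the rndc control channel in a weak and a hardened form, plus the hidden-master/secondary arrangement the reply suggests, with zone transfers limited to TSIG-signed requests. Addresses, zone and key names are constructed placeholders; the secrets would come from rndc-confgen and tsig-keygen on a current BIND 9.

```conf
# Added example, not from the thread. 192.0.2.x are RFC 5737 documentation
# addresses; "example.com", "rndc-key" and "xfer-key" are placeholders.

# --- control channel, weak form (kept as a comment, do not use) ---
# controls { inet * port 953 allow { any; } keys { "rndc-key"; }; };
# rndc would listen on every interface; the shared key is the only barrier.

# --- control channel, hardened: loopback only, ACL-limited, keyed ---
key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-rndc-confgen";   # placeholder
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

# --- TSIG key shared only by the hidden master and its secondaries ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";    # placeholder
};

options {
    directory "/var/named";
    recursion no;                  # authoritative-only public servers
    allow-transfer { none; };      # no AXFR unless a zone allows it
    notify explicit;               # notify only the hosts listed below
    also-notify { 192.0.2.2; 192.0.2.3; };
};

# ===== hidden master (inside the protected LAN, not in the NS RRset) =====
zone "example.com" {
    type master;                          # "primary" on BIND 9.16+
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   # only TSIG-signed AXFR/IXFR
};

# ===== each public secondary (separate named.conf) =====
server 192.0.2.1 { keys { "xfer-key"; }; };   # sign requests to the master
zone "example.com" {
    type slave;                           # "secondary" on BIND 9.16+
    file "sec/example.com.zone";
    masters { 192.0.2.1; };
    allow-transfer { none; };             # secondaries serve, never transfer
};
```

The master and secondary zone stanzas belong in different files; they are shown together only to keep the pairing visible.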