Architecture opinions

Peter Dambier peter at
Sat Sep 30 09:26:32 UTC 2006

Steven Hajducko wrote:
> Hi,
> I've been given the task of completely redesigning our DNS for all of
> our environments and I'd like some opinions or advice on how to do this.
> First, a little background.
> Each environment we have is split into 3 tiers ( typical web-app-db ).
> Each tier is firewalled off from each other.  Each tier is also
> firewalled off from our corporate environment.  We have 5 of these
> environments.  Our security team does not allow UDP packets to traverse
> firewalls.  We're also only allowed to perform single direction tcp
> initiation, meaning that I can initiate connections from the corporate
> network into one of the tiers of an environment, but that tier is not
> allowed to initiate a connection the other way.
> Also, each tier is only allowed to initiate a connection one way to the
> next tier within its own environment. ( web to app, app to db. )
> The main goals of the project are:
> 1) One centrally located server to manage all records for all
> environments.

Have a look at

Normally I would prefer BIND, I do even use BIND 9.4.0b2, but your
needs are somewhat outside the normal behaviour of BIND.

Use Bernstein's tools to build your central database and use uucp to
distribute it. uucp is well documented. You can configure it to your

> 2) Cut down as much as possible on how many DNS servers are needed.

Each environment and every tier needs its own tinydns + axfrdns.

These two cannot communicate outside either environment or tier.

Side note:
You must run tinydns and axfrdns as root servers. You don't run resolvers.
All your answers are authoritative.

You cannot communicate outside your own little kingdom because you
cannot query the rootservers or any authoritative servers for domains.

If you need any IP address outside your own little kingdom then you
have to add it to your central file.

> There are some further complications, but I don't want to make this
> impossible yet. :)
> I'm not too concerned with the centrally managed server.  If needed, we
> can write our own application/database to generate zone files from the
> database.  I'm more worried about how to cut down on the amount of DNS
> servers in each tier.  At the first look, it seems as if we would need 2
> per tier ( for HA purposes ), one to be the master for that tier's zones
> and a slave server for purposes of redundancy.  Because of some other
> one-off tiers and environments, this ends up being about 66 DNS servers.
> Not exactly a system admin's dream to manage.

The good thing about djbdns is it does not need zone files. A single
database file does the job and you do not need to restart the servers
after you have changed the file. Much easier to manage (no management
at all).

As tinydns does not do garbage collection you might get by with a
single server.

> At this point, I'm somewhat at a loss on how to accomplish this.  I was
> thinking of creating some type of persistent tunnel through the
> firewalls to jump back through to the db tier and using views to figure
> out which zones to serve which requests, but I'm not sure if that'd work
> too well.  That or I'm just going back to host files. ;P

No need for tunnels; all you need is uucp to distribute the files.
And the thing is robust. Nobody except the admin reading the logs will
ever notice when communication is lost or the update does not work.

> Anyway, any advice or perhaps a finger pointing at something to look at
> as a possible solution would be extremely welcomed. :)
> Thanks.
> sh

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(6252)750-308 (VoIP:
mail: peter at
mail: peter at

More information about the bind-users mailing list
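The "views" Steven asks about and the single central file Peter recommends can be combined through the location feature of tinydns itself: a record that carries a location suffix is answered only to clients whose source address matches that location's prefix. The following is an added example, not code from either poster or from djbdns; the zone, host names, addresses and prefixes are constructed, and it assumes the thread's policy of corporate to any tier, web to app and app to db.

```python
"""Generate a tinydns-data 'data' file from one central inventory and check
who can see what. A record carrying a location suffix is answered only to
clients whose address matches that location's prefix (longest prefix wins)."""

ZONE = "example.internal"                  # constructed zone name
CORP = ("co", "10.0", "10.0.0.53")         # (location code, prefix, corp tinydns)
# Constructed inventory: env -> tier -> (client prefix, tier's tinydns IP, hosts)
INVENTORY = {"prod": {
    "web": ("10.1.1", "10.1.1.53", {"www1": "10.1.1.11", "www2": "10.1.1.12"}),
    "app": ("10.1.2", "10.1.2.53", {"app1": "10.1.2.11"}),
    "db":  ("10.1.3", "10.1.3.53", {"db1": "10.1.3.11"}),
}}
# The thread's policy: corp -> any tier, web -> app, app -> db, a tier to itself.
MAY_REACH = {"web": ["web"], "app": ["web", "app"], "db": ["app", "db"]}
# No resolvers anywhere, so addresses outside the environments go here, unscoped.
EXTERNAL = {"ntp.corp.example.internal": "10.0.0.123"}

def loc(env, tier):  # location code; tinydns-data allows one or two letters
    return env[0] + tier[0]

def build_data(inventory=INVENTORY):
    """Return the lines of one tinydns 'data' file covering every tier."""
    lines = [f"%{CORP[0]}:{CORP[1]}", f".{ZONE}::ns.{ZONE}",
             f"+ns.{ZONE}:{CORP[2]}:::{CORP[0]}"]
    for env, tiers in inventory.items():
        for tier, (prefix, dns_ip, _) in tiers.items():
            lines.append(f"%{loc(env, tier)}:{prefix}")
            lines.append(f"+ns.{ZONE}:{dns_ip}:::{loc(env, tier)}")  # tier's own server
        for tier, (_, _, hosts) in tiers.items():
            viewers = [CORP[0]] + [loc(env, t) for t in MAY_REACH[tier]]
            for host, ip in hosts.items():
                for lo in viewers:  # one copy per location allowed to see it
                    lines.append(f"={host}.{tier}.{env}.{ZONE}:{ip}:::{lo}")
    lines += [f"+{name}:{ip}" for name, ip in EXTERNAL.items()]  # no location: global
    return lines

def visible_to(lines, client_ip):
    """Simulate tinydns location matching: the names answered to one client."""
    locs = {l[1:].split(":")[0]: l[1:].split(":")[1] for l in lines if l[:1] == "%"}
    octets = client_ip.split(".")
    client_lo = next((lo for n in range(4, 0, -1) for lo, p in locs.items()
                      if p.split(".") == octets[:n]), None)
    recs = [l[1:].split(":") for l in lines if l[:1] in ("=", "+")]
    return {f[0] for f in recs if (f[4] if len(f) > 4 else "") in ("", client_lo)}

if __name__ == "__main__":
    print("\n".join(build_data()))
```

The printed lines are what tinydns-data reads as its `data` file, so the same file can be pushed to every tier and each tier's tinydns still answers only what its own clients are allowed to reach.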