DDNS Registration behind Load Balancer

Kevin Darcy kcd at chrysler.com
Wed Jul 2 21:44:47 UTC 2008


Mark Andrews wrote:
>> Mark Andrews wrote:
>>>> Mark Andrews wrote:
>>>>>> Mark Andrews wrote:
>>>>>>>> On Jun 26, 2008, at 4:05 PM, Kevin Darcy wrote:
>>>>>>>>> Chris Buxton wrote:
>>>>>>>>>> On Jun 26, 2008, at 1:53 PM, Linux Addict wrote:
>>>>>>>>>>
>>>>>>>>>>> Greeting!!
>>>>>>>>>>>
>>>>>>>>>>> I am configuring a DNS setup where it's a mix of Linux and Windows
>>>>>>>>>>> hosts. I decided to go with BIND rather than MS DNS Server. I have
>>>>>>>>>>> Windows hosts doing dynamic registration to the BIND Master Server.
>>>>>>>>>>>
>>>>>>>>>>> The next step on my project is to add a Load Balancer with 3 servers.
>>>>>>>>>>> I was thinking of one master and 2 slaves initially. Then it struck
>>>>>>>>>>> me that when a Windows Host does DDNS registration against the Load
>>>>>>>>>>> Balancer VIP, and when the Load Balancer redirects the traffic to one
>>>>>>>>>>> of the slave servers, it will not accept the changes as it's only
>>>>>>>>>>> secondary.
>>>>>>>>>>>
>>>>>>>>>> Not true. 'allow-update-forwarding { any; };'.
>>>>>>>>>>
>>>>>>>>> That'll work as long as the OP only has masters and slaves, but
>>>>>>>>> doesn't allow the flexibility to add caching-only resolvers in the
>>>>>>>>> future.
>>>>>>>>>
>>>>>>>>> I still think the best approach is to have the DHCP server(s), rather
>>>>>>>>> than the clients themselves, register the client names in DNS. It also
>>>>>>>>> raises fewer security issues.
>>>>>>>>>
>>>>>>>> I completely agree. I was just pointing out to the OP that one of his
>>>>>>>> assertions was untrue.
>>>>>>>>
>>>>>>>> Chris Buxton
>>>>>>>> Professional Services
>>>>>>>> Men & Mice
>>>>>>>>
>>>>>>> 	Caching only name servers are an orthogonal issue.  Your
>>>>>>> 	load balancer may be able to look at the DNS OPCODE and
>>>>>>> 	redirect all UPDATE requests to one machine.
>>>>>>>
>>>>>> It's not orthogonal if there is a proliferation of caching-only
>>>>>> resolvers at remote sites, with no load-balancers in front of them, or
>>>>>> no load-balancers capable of the OPCODE-based redirection you describe.
>>>>>> We don't have a lot of information about the OP's network topology
>>>>>> and/or their plans for the future, so we can only speculate in that
>>>>>> regard.
>>>>>>
>>>>> 	UPDATE requests are sent to authoritative servers.  They
>>>>> 	are *not* sent to caches.
>>>>>
>>>> You sure about that? My understanding, and what I've been told by
>>>> numerous Microsoft "experts", is that Windows clients that are set to
>>>> automatically register themselves in DNS ignore NS, SOA.MNAME, etc. and
>>>> just use whatever is in their resolver list, which often includes
>>>> caches. RFC 2136 provides a nice loophole for this, of course, by saying
>>>> that "Requestors are expected to [...] know or be able to determine the
>>>> name servers for that zone" without putting any limits or restrictions
>>>> on how they determine this.
>>>>
>
> 	Which is not how Microsoft says the clients do it.
>
> 	http://support.microsoft.com/kb/317590		(Windows 2000)
> 	http://support.microsoft.com/kb/816592		(Windows 2003)
>
> 	The SOA query uses the local cache.  The UPDATE goes direct.
> 	If the master is unreachable
> 	The NS query uses the local cache.  The UPDATE goes direct to the
> 	listed nameservers.
>
> 	Now if you can find documentation that says otherwise please
> 	post the URL.
>
I guess I'm going to have to talk to my Microsoft "experts" then, to get 
some clarification/confirmation. We might even set this up in a test 
lab, since we have a possible requirement to support automatic client 
registration for a small subset of our clients, and need to know 
how/whether it's going to work in our predominantly BIND-based environment.

Thanks for digging these KnowledgeBase articles up -- I looked all over 
Microsoft's website(s) for a description of Dynamic Update client 
internals, but I think I might have been using BIND-oriented or 
DNS-standards-based search terms, rather than Microsoft-ese, so I didn't 
find anything concrete.

                                                                         
                     - Kevin
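
Mark's suggestion that the load balancer can key on the DNS OPCODE, and Chris's point that a slave can forward an UPDATE it receives, both come down to where that field lives on the wire. The following is an added example, not code from any message in this thread: in pure Python it builds an RFC 2136 UPDATE (opcode 5) that adds one A record, builds the plain SOA QUERY (opcode 0) a Windows client would send through its resolver first, and routes each the way an OPCODE-aware balancer would. The addresses (192.0.2.0/24, a documentation range) and the example.com names are constructed for the example; no TSIG or prerequisites are included.

```python
"""Added example (not from the thread): RFC 2136 UPDATE vs. plain QUERY on the
wire, and OPCODE-based routing of the kind described for a load balancer.
Addresses in 192.0.2.0/24 and the example.com names are assumptions."""
import itertools
import struct

OPCODE_QUERY = 0   # RFC 1035 standard query
OPCODE_UPDATE = 5  # RFC 2136 dynamic update
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1
HEADER_LEN = 12


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels ending in the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def header(msg_id, opcode, counts, rd=False):
    """12-byte header; OPCODE occupies bits 11-14 of the flags word."""
    flags = (opcode & 0xF) << 11
    if rd:
        flags |= 0x0100  # recursion desired, as a stub resolver sets it
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


def build_query(msg_id, qname, qtype):
    """Standard recursive query, e.g. the SOA lookup a Windows client makes
    through its configured resolver to learn the zone's MNAME."""
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header(msg_id, OPCODE_QUERY, (1, 0, 0, 0), rd=True) + question


def build_update(msg_id, zone, name, ipv4, ttl=3600):
    """UPDATE adding one A record to `zone` (no prerequisites, no TSIG).
    Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT in that order."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ipv4)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rr = (encode_name(name)
          + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + bytes(octets))
    return header(msg_id, OPCODE_UPDATE, (1, 0, 1, 0)) + zone_section + rr


def opcode_of(msg):
    """Read the OPCODE from a raw DNS message without parsing anything else,
    which is all an OPCODE-aware balancer has to do."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    flags = struct.unpack_from("!H", msg, 2)[0]
    return (flags >> 11) & 0xF


class OpcodeRouter:
    """Send UPDATE to the master; round-robin everything else over the pool."""

    def __init__(self, master, pool):
        self.master = master
        self._pool = itertools.cycle(pool)

    def route(self, msg):
        if opcode_of(msg) == OPCODE_UPDATE:
            return self.master
        return next(self._pool)


if __name__ == "__main__":
    router = OpcodeRouter("192.0.2.1", ["192.0.2.2", "192.0.2.3"])
    upd = build_update(0x1234, "example.com.", "host1.example.com.", "192.0.2.10")
    soa = build_query(0x1235, "example.com.", TYPE_SOA)
    print("UPDATE (opcode %d) -> %s" % (opcode_of(upd), router.route(upd)))
    print("QUERY  (opcode %d) -> %s" % (opcode_of(soa), router.route(soa)))
```

Two practitioner notes on the same point. First, a balancer that only does L4 hashing cannot make this decision; it has to look into the UDP/TCP payload at byte offset 2, so check that the product actually exposes the DNS opcode before relying on it. Second, if an UPDATE can still land on a slave, `allow-update-forwarding` on that slave should list the client networks rather than `any`, and the master's own `allow-update` or `update-policy` still decides whether the forwarded request is accepted; signing updates with TSIG keeps that decision at the master whichever path the packet took.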



More information about the bind-users mailing list