Primary DNS server

Kevin Darcy kcd at chrysler.com
Tue Nov 11 02:58:51 UTC 2008


denise.brisson at hrsdc-rhdsc.gc.ca wrote:
> We are re-evaluating the way our DNS servers are set up. We currently have one primary and one slave DNS server. Each of them can resolve any domain names that they are authoritative for (approx 175 domain names).
>  
> I'm wondering if it is possible to only have the slave servers (2 or 3 of them) answering all queries and leaving the primary out of it. 
>  
> Is it safe to do this type of set-up? Any advice appreciated.
>   
Yes, this is perfectly normal, the so-called "hidden master" setup. Just 
leave the primary master out of the NS records and any resolver configs 
and no-one should be sending normal queries to it. It should only be 
getting refresh queries and zone-transfer requests from its slaves.

Note, however, that if you use Dynamic Update at all, the presence of 
the primary master in the SOA.MNAME of the relevant zone(s) might not be 
sufficient identification of the Dynamic Update master if that name is 
missing from the NS records of the zone(s). You might need to _force_ 
the client to use the primary master if it's "hidden" in this way. In 
nsupdate, for instance, you'd use the "server" command to do that. Every 
Dynamic Update client has -- or should have -- its own mechanism for 
forcing the Dynamic Update requests to go to a particular place.

                                                                         
                              - Kevin
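
The Dynamic Update caveat in the reply above, as an added example that is not part of the original message: a shell script that compares the zone's SOA MNAME with its NS set and emits nsupdate input with a "server" line only when the primary is hidden. The zone, host names, addresses and the dig-style sample lines are constructed placeholders, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example. All names and addresses below are constructed placeholders.
ZONE='example.com'
PRIMARY_ADDR='192.0.2.10'   # hidden primary's address (assumed known to the admin)
# Constructed output in the format of `dig +short SOA example.com`:
SOA_LINE='hidden-primary.example.com. hostmaster.example.com. 2008111001 3600 900 604800 86400'
# Constructed output in the format of `dig +short NS example.com`:
NS_LINES='ns1.example.com.
ns2.example.com.'

# Lower-case a DNS name and drop the trailing dot so names compare equal.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Print the MNAME (first field) of a `dig +short SOA` line.
soa_mname() {
    printf '%s\n' "$1" | awk '{ print $1; exit }'
}

# Succeed (exit 0) when MNAME is absent from the NS list, i.e. the primary is hidden.
primary_is_hidden() {
    want=$(norm_name "$1")
    for ns in $2; do
        if [ "$(norm_name "$ns")" = "$want" ]; then
            return 1
        fi
    done
    return 0
}

# Emit nsupdate input adding one A record; pin the target with "server"
# only when the primary cannot be identified from the zone's NS records.
build_update() {   # args: zone soa_line ns_lines primary_addr host ipv4
    if primary_is_hidden "$(soa_mname "$2")" "$3"; then
        printf 'server %s\n' "$4"
    fi
    printf 'zone %s\n' "$1"
    printf 'update add %s 300 A %s\n' "$5" "$6"
    printf 'send\n'
}

build_update "$ZONE" "$SOA_LINE" "$NS_LINES" "$PRIMARY_ADDR" \
    "host1.example.com." "192.0.2.55"
```

The printed lines are nsupdate commands and can be piped into nsupdate; the primary's address has to be supplied by the administrator because a hidden primary is not discoverable from the NS records.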


