how to hide the slave

houguanghua houguanghua at hotmail.com
Thu Feb 20 06:28:44 UTC 2014




"Stealth" slave doesn't fully meet the requirement. It's just part of the requirement to not publish the slave name server in the NS records. Furthermore, the 'stealth' slave is queried by the local DNS server only when all name servers in the NS records are out of service (maybe in case of a DDoS attack).

Guanghua

------------------------------
On 2/19/2014 11:54  AM,  Kevin wrote: 
Date: Wed, 19 Feb 2014 11:54:44 -0500
From: Kevin Darcy <kcd at chrysler.com>
To: bind-users at lists.isc.org
Subject: Re: how to modify the cache
Message-ID: 5304E1D4.5000303 at chrysler.com

Not a good solution. Even under "normal" circumstances, there will be 
temporary bottlenecks, dropped packets, etc. that will trigger failover 
and users will get different answers at different times. Not good for 
support, maintainability, user experience/satisfaction, etc.
 
If all you want is resilience, and you own/control the domain in 
question, why not just slave it ("stealth" slave, i.e. you don't need to 
publish it in the NS records)?
 
If you *don't* own/control the domain in question, what business do you 
have standing up a "fake" version of it in your own infrastructure? Not 
a best practice.
 
                     - Kevin
On 2/19/2014 4:51 AM, houguanghua wrote:
> Steven,
>
> Your solution is very good. It can forward the queries to 
> the specified name servers first.
>
> But what if the specified name server is enabled only when the normal DNS 
> query process is down? How should the local DNS server be configured? The 
> detailed scenario is described in the figure below:
>
>

                                      --------------
                                      |    Root    |
                                      | nameServer |
                                    / --------------
                                ② /
                                 /
 ------------        --------------             --------------
 |  Client  | __①__\ |   Local    | ___③___\    | Authority  |
 | Resolver |      / | DNS Server |    X   /    | DNS Server |
 ------------        --------------             --------------
                                 \
                                ④ \
                                   \
                                    \ --------------
                                      |   Hidden   |
                                      | DNS Server |
                                      --------------
> Normally,
>   1) An internet user wants to access www.abc.com <http://www.abc.com>, 
> a DNS request is sent to the local DNS server
>   2) The local DNS server queries the root name server, the .com name 
> server to get the Authority Name Server of abc.com
>   3) The local DNS server queries the Authority name server, and gets the IP
>
> But when the Authority name server is down, the internet user won't 
> get the IP address. My solution is as follows:
>      a) A hidden name server with low performance is deployed. When the 
> authority name server can't be accessed, the local DNS server will access 
> the hidden server.
>      b) The hidden server is never used in a normal situation. It acts as 
> a cold backup for the authority name server.
>      c) The zone file in the hidden server is the same as that 
> in the authority name server
>      d) The hidden name server doesn't appear in the NS records 
> of the authority name server
>
> Btw, all above doesn't consider the cache in the local dns server.
>
>
>  Best Regards,
> Guanghua
>
>
> > Date: Mon, 17 Feb 2014 09:09:13 +0000
> > Subject: Re: how to modify the cache
> > From: sjcarr at gmail.com
> > To: houguanghua at hotmail.com
> > CC: bind-users at lists.isc.org
> >
> > On 17 February 2014 01:17, houguanghua <houguanghua at hotmail.com> wrote:
> > > I want to override the IP address of NS, for I want to use other
> > > authority DNS which isn't registered.
> >
> > For that you use forwarding. Create a zone statement for the zone in
> > question and forward the queries to a different name server. You don't
> > need to mess with the cache.
> >
> > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/
>
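
Added example (not part of the original thread, and not any participant's configuration): the "stealth" slave Kevin describes, sketched as BIND 9 named.conf fragments, with the local DNS server holding its own copy of abc.com so it does not depend on the published name servers. The addresses (documentation ranges), the key name xfer-key, the file paths and the secret are placeholders assumed for illustration.

```conf
// ---- On the authoritative (master) server for abc.com ----
// 192.0.2.1 = master, 198.51.100.53 = local DNS server (both constructed).

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";    // placeholder; never reuse a sample value
};

zone "abc.com" {
    type master;
    file "master/abc.com.db";

    // Zone transfers only for holders of the TSIG key, so adding a
    // stealth slave does not open AXFR to everyone else.
    allow-transfer { key "xfer-key"; };

    // The stealth slave is not in the NS records, so it would not get
    // NOTIFY messages automatically; list it explicitly.
    also-notify { 198.51.100.53; };
};

// ---- On the local DNS server (the stealth slave) ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";    // same shared secret as on the master
};

zone "abc.com" {
    type slave;
    // Pull the zone from the master, signing requests with the TSIG key.
    masters { 192.0.2.1 key "xfer-key"; };
    file "slaves/abc.com.db";

    // This server is a leaf: it must not hand the zone on to anyone.
    allow-transfer { none; };
};
```

With this in place the local server answers abc.com from its transferred copy even while the published name servers are unreachable, until the SOA expire timer for the zone runs out.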