how to hidden the salve

houguanghua houguanghua at hotmail.com
Tue Feb 25 14:49:36 UTC 2014


Sorry.  My description isn't very clear.
 
The local DNS server isn't a stealth slave. I need a stealth slave that the local DNS server can query when all public NSs are out of service.
 
Thanks!
Guanghua 
 

> Date: Mon, 24 Feb 2014 13:41:03 -0500
> From: Kevin Darcy <kcd at chrysler.com>
> To: bind-users at lists.isc.org
> Subject: Re: how to hidden the salve
> Message-ID: <530B923F.8070409 at chrysler.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> 
> I guess I'm still not understanding your requirements. In my thinking, 
> the local DNS server would *be* a stealth slave. Why are you considering 
> these as 2 separate instances?
> 
>                                                              - Kevin
> 
> On 2/24/2014 9:56 AM, houguanghua wrote:
> > Dan,
> >
> > Yes, also-notify can hide the slave name server.  But the local DNS server
> > can't know where the 'stealth' slave is either.
> >
> > Thanks,
> > Guanghua
> >
> > ------------------------------------
> > Date: Fri, 21 Feb 2014 07:50:05 -0600
> > From: Daniel McDonald <dan.mcdonald at austinenergy.com>
> > To: Untitled <bind-users at lists.isc.org>
> > Subject: Re: bind-users Digest, Vol 1769, Issue 1
> > Message-ID: <CF2CB5AD.6AE8E%dan.mcdonald at austinenergy.com>
> > Content-Type: text/plain; charset="US-ASCII"
> >
> > On 2/21/14 3:39 AM, "houguanghua" <houguanghua at hotmail.com> wrote:
> >
> > > kevin,
> > >
> > > How does the local name server learn where the 'stealth' slave is? For the
> > > 'stealth' slave isn't in the NS records.
> >
> > Also-notify directive. Either in an options stanza or a zone stanza.
> >
> > >
> > > thanks,
> > > Guanghua
> >
> > -- 
> > Daniel J McDonald, CISSP # 78281
> >
> >
> >
> > > Date: Thu, 20 Feb 2014 10:48:36 -0500
> > > From: Kevin Darcy <kcd at chrysler.com>
> > > To: bind-users at lists.isc.org
> > > Subject: Re: how to hidden the salve
> > > Message-ID: <530623D4.3000508 at chrysler.com>
> > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> > >
> > > A "stealth" slave has a full copy of the zone, is not published in the
> > > NS records, and can resolve names in the latest copy of the zone that it
> > > transferred, even if all of the published NSes are down due to a DDoS
> > > attack.
> > >
> > > So, does that not meet the requirements?
> > >
> > > - Kevin
> > >
> > > On 2/20/2014 1:28 AM, houguanghua wrote:
> > > > "Stealth" slave doesn't fully meet the requirement. It's just part of
> > > > the requirement to not publish the slave name server in the NS
> > > > records. Furthermore, the 'stealth' slave is queried by the local DNS
> > > > server only when all name servers in the NS records are out of
> > > > service (maybe in case of a DDoS attack).
> > > > Guanghua
> > > > ------------------------------
> > > > On 2/19/2014 11:54 AM, Kevin wrote:
> > > > Date: Wed, 19 Feb 2014 11:54:44 -0500
> > > > From: Kevin Darcy <kcd at chrysler.com>
> > > > To: bind-users at lists.isc.org
> > > > Subject: Re: how to modify the cache
> > > > Message-ID: <5304E1D4.5000303 at chrysler.com>
> > > >
> > > > Not a good solution. Even under "normal" circumstances, there will be
> > > > temporary bottlenecks, dropped packets, etc. that will trigger failover
> > > > and users will get different answers at different times. Not good for
> > > > support, maintainability, user experience/satisfaction, etc.
> > > >
> > > > If all you want is resilience, and you own/control the domain in
> > > > question, why not just slave it ("stealth" slave, i.e. you don't need to
> > > > publish it in the NS records)?
> > > >
> > > > If you *don't* own/control the domain in question, what business do you
> > > > have standing up a "fake" version of it in your own infrastructure? Not
> > > > a best practice.
> > > >
> > > > - Kevin
> > > >
> > > > On 2/19/2014 4:51 AM, houguanghua wrote:
> > > > > Steven,
> > > > >
> > > > > Your solution is very good. It can forward the queries to
> > > > > the specified name servers first.
> > > > >
> > > > > But if the specified name server is enabled only when the normal DNS
> > > > > query process is down, how do I configure the local DNS server? The detailed
> > > > > scenario is described in the figure below:
> > > > >
> > > > >
> > > >
> > > > --------------
> > > > | Root |
> > > > | nameServer |
> > > > / -------------
> > > > (2)/
> > > > /
> > > > ---------- ----------- -------------
> > > > | Client | __(1)____\ | Local | ___(3)_____\ |
> > > > Authority |
> > > > | Resolver | / | DNS Server | X / | DNS
> > > > Server |
> > > > ---------- ------------ -------------
> > > > \
> > > > \(4)
> > > > \
> > > > \ ------------
> > > > | Hidden |
> > > > | DNS Server |
> > > > ------------
> > > >
> > > > > Normally,
> > > > > 1) An internet user wants to access www.abc.com,
> > > > > a DNS request is sent to the local DNS server
> > > > > 2) Local DNS server queries the root name server, the .com name
> > > > > server to get the Authority Name Server of abc.com
> > > > > 3) local DNS server queries the Authority name server, and gets the IP
> > > > >
> > > > > But when the Authority name server is down, the internet user won't
> > > > > get the IP address. My solution is as follows:
> > > > > a) A hidden name server with low performance is deployed. When the
> > > > > authority name server can't be accessed, the local DNS server will access
> > > > > the hidden server.
> > > > > b) The hidden server is never used in the normal situation. It acts as
> > > > > a cold backup for the authority name server.
> > > > > c) The zone file in the hidden server is the same as that
> > > > > configuration in the authority name server
> > > > > d) The hidden name server doesn't appear in the NS records
> > > > > of the authority name server
> > > > >
> > > > > Btw, all of the above doesn't consider the cache in the local DNS server.
> > > > >
> > > > >
> > > > > Best Regards,
> > > > > Guanghua
> > > > >
> > > > >
> > > > > > Date: Mon, 17 Feb 2014 09:09:13 +0000
> > > > > > Subject: Re: how to modify the cache
> > > > > > From: sjcarr at gmail.com
> > > > > > To: houguanghua at hotmail.com
> > > > > > CC: bind-users at lists.isc.org
> > > > > >
> > > > > > On 17 February 2014 01:17, houguanghua <houguanghua at hotmail.com> wrote:
> > > > > > > I want to override the IP address of NS, for I want to use other
> > > > > > > authority DNS which isn't registered.
> > > > > >
> > > > > > For that you use forwarding. Create a zone statement for the zone in
> > > > > > question and forward the queries to a different name server. You don't
> > > > > > need to mess with the cache.
> > > > > >
> > > > > > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/
> > > > >
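
The stealth-slave arrangement Kevin describes, written out as BIND 9 named.conf fragments (an added example, not configuration from anyone in this thread). The zone name abc.com is the one from the thread; the key name "xfer-key", the file paths, the master address 198.51.100.10, the slave address 192.0.2.53 and the client range 10.0.0.0/8 are constructed placeholders.

```conf
// --- On the published authoritative master for abc.com ---
// TSIG key shared with the unpublished slave (placeholder secret, replace it)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

zone "abc.com" {
    type master;
    file "/var/named/abc.com.zone";
    // Send NOTIFY to the stealth slave too: it is not in the NS records, so
    // without this line it would only learn of changes when its SOA refresh fires
    also-notify { 192.0.2.53; };
    // Only a holder of the key may pull the zone; a source address alone is
    // not enough, so a spoofed client cannot enumerate the zone by AXFR
    allow-transfer { key "xfer-key"; };
};

// --- On the local recursive DNS server (it *is* the stealth slave) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

// Sign zone transfers and NOTIFY traffic to the master with the key
server 198.51.100.10 {
    keys { "xfer-key"; };
};

zone "abc.com" {
    type slave;
    file "/var/named/slaves/abc.com.zone";
    masters { 198.51.100.10; };
    // Keep it unpublished: no NOTIFYs out, no transfers out
    notify no;
    allow-transfer { none; };
    // Serve the local copy only to our own clients (constructed internal range)
    allow-query { 10.0.0.0/8; localhost; };
};
```

Because the local server holds the zone itself, its answers never depend on reaching the published NSes, and the on-disk copy keeps being served until the zone's SOA expire interval runs out after the master becomes unreachable.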

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140225/19120070/attachment.html>


More information about the bind-users mailing list