<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">A "stealth" slave has a full copy of
the zone, is not published in the NS records, and can resolve
names in the latest copy of the zone that it transferred, even if
all of the published NSes are down due to a DDoS attack.<br>
<br>
So, does that not meet the requirements?<br>
<br>
- Kevin<br>
<br>
On 2/20/2014 1:28 AM, houguanghua wrote:<br>
</div>
<blockquote cite="mid:BAY173-W411AB0257FF0910B33BCF5BB9A0@phx.gbl"
type="cite">
<div dir="ltr">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:微软雅黑
}
--></style>
<div dir="ltr">"Stealth" slave doesn't fully meet the
requirement. It's just part of the requirement to not
publish the slave name server in the NS records. Further more,
the 'stealth' slave is quired by local DNS server only when
all name servers in the NS records are out of service ( maybe
in case of ddos attack).</div>
<div dir="ltr"> </div>
<div dir="ltr">Guanghua </div>
<div dir="ltr"> </div>
<div dir="ltr">------------------------------<br>
On 2/19/2014 11:54 AM, Kevin wrote: <br>
Date: Wed, 19 Feb 2014 11:54:44 -0500<br>
From: Kevin Darcy <a class="moz-txt-link-rfc2396E" href="mailto:kcd@chrysler.com"><kcd@chrysler.com></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Subject: Re: how to modify the cache<br>
Message-ID: <a moz-do-not-send="true"
href="mailto:5304E1D4.5000303@chrysler.com">5304E1D4.5000303@chrysler.com</a><br>
<br>
Not a good solution. Even under "normal" circumstances, there
will be <br>
temporary bottlenecks, dropped packets, etc.. that will
trigger failover <br>
and users will get different answers at different times. Not
good for <br>
support, maintainability, user experience/satisfaction, etc.<br>
<br>
If all you want is resilience, and you own/control the domain
in <br>
question, why not just slave it ("stealth" slave, i.e. you
don't need to <br>
publish it in the NS records)?<br>
<br>
If you *don't* own/control the domain in question, what
business do you <br>
have standing up a "fake" version of it in your own
infrastructure? Not <br>
a best practice.<br>
<br>
- Kevin</div>
<div dir="ltr"><br>
On 2/19/2014 4:51 AM, houguanghua wrote:<br>
> Steven,<br>
><br>
> Your solution is very good. It can forward the queries to
<br>
> the specified name servers first.<br>
><br>
> But if the specified name server is enabled only when
normal dns query <br>
> process is down. How to configure the local DNS server?
The detailed <br>
> scenario is descibed in below figure:<br>
><br>
><br>
<br>
--------------<br>
| Root | <br>
| nameServer |<br>
/ -------------<br>
②/
<br>
/<br>
---------- -----------
-------------<br>
| Client | __①____\ | Local |
___③_____\ | Authority | <br>
| Resolver | / | DNS Server |
X / | DNS Server |<br>
----------
------------ -------------<br>
\
<br>
\④<br>
\<br>
\ ------------<br>
| Hidden |<br>
| DNS Server |<br>
------------</div>
<div dir="ltr"> </div>
<div dir="ltr"><br>
> Normally,<br>
> 1) A internet user wants to access <a class="moz-txt-link-abbreviated" href="http://www.abc.com">www.abc.com</a> <<a
moz-do-not-send="true" href="http://www.abc.com/"
target="_blank"><font color="#0068cf">http://www.abc.com</font></a>>,
<br>
> a DNS request is sent to local DNS server<br>
> 2) Local DNS server queries the root name server, the
.com name <br>
> server to get the Authority Name Server of abc.com<br>
> 3) local DNS server queries the Authority name server,
and gets the IP<br>
><br>
> But when the Authority name server is down, the internet
user won't <br>
> get the IP address. My solution is as follows:<br>
> a) A hidden name server with low performance is deployed.
When <br>
> authority name server can't be accessed, local dns server
will access <br>
> the hidden server.<br>
> b)The hidden server is never used in normal situation. It
act as <br>
> a cold backup for authority name server.<br>
> c) The zone file in the hidden server is the same as that
<br>
> configuration in the authority name server<br>
> d) The hidden name server doesn't appear in the NS
records <br>
> of authority name server<br>
><br>
> Btw, all above doesn't consider the cache in the local
dns server.<br>
><br>
><br>
> Best Regards,<br>
> Guanghua<br>
><br>
><br>
> > Date: Mon, 17 Feb 2014 09:09:13 +0000<br>
> > Subject: Re: how to modify the cache<br>
> > From: <a class="moz-txt-link-abbreviated" href="mailto:sjcarr@gmail.com">sjcarr@gmail.com</a><br>
> > To: <a class="moz-txt-link-abbreviated" href="mailto:houguanghua@hotmail.com">houguanghua@hotmail.com</a><br>
> > CC: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> ><br>
> > On 17 February 2014 01:17, houguanghua
<a class="moz-txt-link-rfc2396E" href="mailto:houguanghua@hotmail.com"><houguanghua@hotmail.com></a> wrote:<br>
> > > I want to override the IP address of NS, for I
want to use other <br>
> authority<br>
> > > DNS which isn't registered.<br>
> ><br>
> > For that you use forwarding. Create a zone statement
for the zone in<br>
> > question and forward the queries to a different name
server. You don't<br>
> > need to mess with the cache.<br>
> ><br>
> > <a moz-do-not-send="true"
href="https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/"
target="_blank"><font color="#0068cf">https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/</font></a><br>
></div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
</body>
</html>