<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">If you have zone-transfer permission,
make a stealth slave. That, plus a static-stub definition on your
"local" server, and you're set.<br>
<br>
Or, to simplify things even further, make the "local" server the
stealth slave (this makes some assumptions about your connectivity
to the authoritative nameservers for the zone).<br>
<br>
- Kevin<br>
<br>
On 2/25/2014 9:49 AM, houguanghua wrote:<br>
</div>
<blockquote cite="mid:BAY173-W189F9AAEB337FF62BD8438BB810@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:微软雅黑
}
--></style>
<div dir="ltr">Sorry. My description isn't very clear.<br>
<br>
The local dns server isn't a stealth slave. I need a stealth
slave and the local dns server can query it when all public NSs
are out of service.<br>
<br>
Thanks!<br>
Guanghua <br>
<br>
<div><br>
> Date: Mon, 24 Feb 2014 13:41:03 -0500<br>
> From: Kevin Darcy <a class="moz-txt-link-rfc2396E" href="mailto:kcd@chrysler.com">&lt;kcd@chrysler.com&gt;</a><br>
> To: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> Subject: Re: how to hidden the salve<br>
> Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:530B923F.8070409@chrysler.com">&lt;530B923F.8070409@chrysler.com&gt;</a><br>
> Content-Type: text/plain; charset="iso-8859-1";
Format="flowed"<br>
> <br>
> I guess I'm still not understanding your requirements. In
my thinking, <br>
> the local DNS server would *be* a stealth slave. Why are
you considering <br>
> these as 2 separate instances?<br>
> <br>
> - Kevin<br>
> <br>
> On 2/24/2014 9:56 AM, houguanghua wrote:<br>
> > Dan,<br>
> ><br>
> > Yes, also-notify can hide the slave name server. But the
local dns server <br>
> > can't know where the 'stealth' slave is either.<br>
> ><br>
> > Thanks,<br>
> > Guanghua<br>
> ><br>
> > ------------------------------------<br>
> > Date: Fri, 21 Feb 2014 07:50:05 -0600<br>
> > From: Daniel McDonald
<a class="moz-txt-link-rfc2396E" href="mailto:dan.mcdonald@austinenergy.com">&lt;dan.mcdonald@austinenergy.com&gt;</a><br>
> > To: Untitled <a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org">&lt;bind-users@lists.isc.org&gt;</a><br>
> > Subject: Re: bind-users Digest, Vol 1769, Issue 1<br>
> > Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:CF2CB5AD.6AE8E%dan.mcdonald@austinenergy.com">&lt;CF2CB5AD.6AE8E%dan.mcdonald@austinenergy.com&gt;</a><br>
> > Content-Type: text/plain; charset="US-ASCII"<br>
> ><br>
> > On 2/21/14 3:39 AM, "houguanghua"
<a class="moz-txt-link-rfc2396E" href="mailto:houguanghua@hotmail.com">&lt;houguanghua@hotmail.com&gt;</a> wrote:<br>
> ><br>
> > > kevin,<br>
> > ><br>
> > > How does the local name server learn where
the 'stealth' slave is? <br>
> > For the<br>
> > > 'stealth' slave isn't in the NS records.<br>
> ><br>
> > Also-notify directive. Either in an options stanza
or a zone stanza.<br>
> ><br>
> > ><br>
> > > thanks,<br>
> > > Guanghua<br>
> ><br>
> > -- <br>
> > Daniel J McDonald, CISSP # 78281<br>
> ><br>
> ><br>
> ><br>
> > > Date: Thu, 20 Feb 2014 10:48:36 -0500<br>
> > > From: Kevin Darcy <a class="moz-txt-link-rfc2396E" href="mailto:kcd@chrysler.com">&lt;kcd@chrysler.com&gt;</a><br>
> > > To: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> > > Subject: Re: how to hidden the salve<br>
> > > Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:530623D4.3000508@chrysler.com">&lt;530623D4.3000508@chrysler.com&gt;</a><br>
> > > Content-Type: text/plain; charset="iso-8859-1";
Format="flowed"<br>
> > ><br>
> > > A "stealth" slave has a full copy of the zone,
is not published in the<br>
> > > NS records, and can resolve names in the latest
copy of the zone <br>
> > that it<br>
> > > transferred, even if all of the published NSes
are down due to a DDoS<br>
> > > attack.<br>
> > ><br>
> > > So, does that not meet the requirements?<br>
> > ><br>
> > > - Kevin<br>
> > ><br>
> > > On 2/20/2014 1:28 AM, houguanghua wrote:<br>
> > > > "Stealth" slave doesn't fully meet the
requirement. It's just part of<br>
> > > > the requirement to not publish the slave
name server in the NS<br>
> > > > records. Furthermore, the 'stealth' slave
is queried by the local DNS<br>
> > > > server only when all name servers in the
NS records are out of <br>
> > service<br>
> > > > ( maybe in case of ddos attack).<br>
> > > > Guanghua<br>
> > > > ------------------------------<br>
> > > > On 2/19/2014 11:54 AM, Kevin wrote:<br>
> > > > Date: Wed, 19 Feb 2014 11:54:44 -0500<br>
> > > > From: Kevin Darcy <a class="moz-txt-link-rfc2396E" href="mailto:kcd@chrysler.com">&lt;kcd@chrysler.com&gt;</a><br>
> > > > To: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> > > > Subject: Re: how to modify the cache<br>
> > > > Message-ID: <a class="moz-txt-link-abbreviated" href="mailto:5304E1D4.5000303@chrysler.com">5304E1D4.5000303@chrysler.com</a><br>
> > > >
<a class="moz-txt-link-rfc2396E" href="mailto:5304E1D4.5000303@chrysler.com">&lt;mailto:5304E1D4.5000303@chrysler.com&gt;</a><br>
> > > ><br>
> > > > Not a good solution. Even under "normal"
circumstances, there will be<br>
> > > > temporary bottlenecks, dropped packets,
etc. that will trigger <br>
> > failover<br>
> > > > and users will get different answers at
different times. Not good for<br>
> > > > support, maintainability, user
experience/satisfaction, etc.<br>
> > > ><br>
> > > > If all you want is resilience, and you
own/control the domain in<br>
> > > > question, why not just slave it ("stealth"
slave, i.e. you don't <br>
> > need to<br>
> > > > publish it in the NS records)?<br>
> > > ><br>
> > > > If you *don't* own/control the domain in
question, what business <br>
> > do you<br>
> > > > have standing up a "fake" version of it in
your own <br>
> > infrastructure? Not<br>
> > > > a best practice.<br>
> > > ><br>
> > > > - Kevin<br>
> > > ><br>
> > > > On 2/19/2014 4:51 AM, houguanghua wrote:<br>
> > > > > Steven,<br>
> > > > ><br>
> > > > > Your solution is very good. It can
forward the queries to<br>
> > > > > the specified name servers first.<br>
> > > > ><br>
> > > > > But if the specified name server is
enabled only when normal dns <br>
> > query<br>
> > > > > process is down. How to configure the
local DNS server? The detailed<br>
> > > > > scenario is described in the figure below:<br>
> > > > ><br>
> > > > ><br>
> > > ><br>
<pre wrap="">> > > >                                   --------------
> > > >                                   |    Root    |
> > > >                                   | nameServer |
> > > >                                  /--------------
> > > >                              (2)/
> > > >                                /
> > > >  ------------       --------------       --------------
> > > >  |  Client  |__(1)_\|   Local    |__(3)_\| Authority  |
> > > >  | Resolver |      /| DNS Server |  X   /| DNS Server |
> > > >  ------------       --------------       --------------
> > > >                                \
> > > >                                 \(4)
> > > >                                  \
> > > >                                   \--------------
> > > >                                    |   Hidden   |
> > > >                                    | DNS Server |
> > > >                                    --------------</pre>
> > > ><br>
> > > > > Normally,<br>
> > > > > 1) An internet user wants to access
<a class="moz-txt-link-abbreviated" href="http://www.abc.com">www.abc.com</a> &lt;<a class="moz-txt-link-freetext" href="http://www.abc.com">http://www.abc.com</a><br>
> > > > <a class="moz-txt-link-rfc2396E" href="http://www.abc.com/">&lt;http://www.abc.com/&gt;</a>&gt;,<br>
> > > > > a DNS request is sent to local DNS
server<br>
> > > > > 2) Local DNS server queries the root
name server, the .com name<br>
> > > > > server to get the Authority Name
Server of abc.com<br>
> > > > > 3) local DNS server queries the
Authority name server, and gets <br>
> > the IP<br>
> > > > ><br>
> > > > > But when the Authority name server is
down, the internet user won't<br>
> > > > > get the IP address. My solution is as
follows:<br>
> > > > > a) A hidden name server with low
performance is deployed. When<br>
> > > > > authority name server can't be
accessed, local dns server will <br>
> > access<br>
> > > > > the hidden server.<br>
> > > > > b) The hidden server is never used in
normal situations. It acts as<br>
> > > > > a cold backup for authority name
server.<br>
> > > > > c) The zone file in the hidden server
is the same as that<br>
> > > > > configuration in the authority name
server<br>
> > > > > d) The hidden name server doesn't
appear in the NS records<br>
> > > > > of authority name server<br>
> > > > ><br>
> > > > > Btw, all above doesn't consider the
cache in the local dns server.<br>
> > > > ><br>
> > > > ><br>
> > > > > Best Regards,<br>
> > > > > Guanghua<br>
> > > > ><br>
> > > > ><br>
> > > > > > Date: Mon, 17 Feb 2014 09:09:13
+0000<br>
> > > > > > Subject: Re: how to modify the
cache<br>
> > > > > > From: <a class="moz-txt-link-abbreviated" href="mailto:sjcarr@gmail.com">sjcarr@gmail.com</a><br>
> > > > > > To: <a class="moz-txt-link-abbreviated" href="mailto:houguanghua@hotmail.com">houguanghua@hotmail.com</a><br>
> > > > > > CC: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> > > > > ><br>
> > > > > > On 17 February 2014 01:17,
houguanghua <a class="moz-txt-link-rfc2396E" href="mailto:houguanghua@hotmail.com">&lt;houguanghua@hotmail.com&gt;</a><br>
> > > > wrote:<br>
> > > > > > > I want to override the IP
address of NS, for I want to use other<br>
> > > > > authority<br>
> > > > > > > DNS which isn't registered.<br>
> > > > > ><br>
> > > > > > For that you use forwarding.
Create a zone statement for the <br>
> > zone in<br>
> > > > > > question and forward the queries
to a different name server. <br>
> > You don't<br>
> > > > > > need to mess with the cache.<br>
> > > > > ><br>
> > > > > >
<a class="moz-txt-link-freetext" href="https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/">https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/</a><br>
> > > > ><br>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
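<p>Added example (not from any message in this thread): the two arrangements Kevin describes, plus Dan's also-notify point, written out as BIND 9 named.conf fragments for the abc.com zone from Guanghua's diagram. The three addresses are assumed placeholders from the documentation range: 192.0.2.10 is the published authority (primary), 192.0.2.20 the stealth slave and 192.0.2.30 the "local" recursive server.</p>

```conf
// ===== On the published authoritative primary for abc.com (assumed 192.0.2.10) =====
// Let the stealth slave transfer the zone and NOTIFY it on every change
// (also-notify is needed because the slave is deliberately not in the NS RRset).
zone "abc.com" {
    type master;
    file "abc.com.zone";
    allow-transfer { 192.0.2.20; };   // only the stealth slave may AXFR/IXFR
    also-notify    { 192.0.2.20; };   // NOTIFY a server that is not a published NS
};

// ===== On the stealth slave (assumed 192.0.2.20) =====
// Holds a full copy of the zone and keeps answering from its last transferred
// copy even if every published NS is unreachable.
zone "abc.com" {
    type slave;
    file "slaves/abc.com.zone";
    masters        { 192.0.2.10; };
    allow-transfer { none; };         // nobody pulls the zone from the hidden box
    notify no;                        // a hidden server has nobody to notify
    allow-query    { 192.0.2.30; };   // answer only the local recursive server
};

// ===== On the "local" recursive server (assumed 192.0.2.30) =====
// Option A (Kevin's first suggestion): a static-stub that sends every abc.com
// query to the stealth slave instead of to the NSes learned from the delegation.
zone "abc.com" {
    type static-stub;
    server-addresses { 192.0.2.20; };
};

// Option B (Kevin's simpler suggestion): make the local server the stealth
// slave itself. Use INSTEAD of Option A; the primary's allow-transfer and
// also-notify lists would then name 192.0.2.30 rather than 192.0.2.20.
// zone "abc.com" {
//     type slave;
//     file "slaves/abc.com.zone";
//     masters        { 192.0.2.10; };
//     allow-transfer { none; };
//     notify no;
// };
```

<p>Two things to check after loading this: run <code>named-checkconf</code> on each server, and compare <code>dig @192.0.2.20 abc.com SOA +short</code> against the same query to the primary so the stealth copy's serial is known to be current. Note the behavioural caveat that runs through the thread: a static-stub (and a slave) answers abc.com from the configured source all the time, not only after the public NSes fail, so neither option gives the "cold backup consulted only on failure" behaviour Guanghua asked for, and the allow-transfer/allow-query lists are what keep the hidden server from becoming a second public copy of the zone.</p>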
<br>
</body>
</html>