<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:微软雅黑
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><br>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:微软雅黑;
}
--></style><BR><div>
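The setup Kevin recommends in the thread below, written out as an added named.conf example (not configuration taken from any message in this thread): a stealth slave of abc.com fed by zone transfer and NOTIFY, and a static-stub zone on the local resolver that sends queries for abc.com to it. The zone name abc.com comes from the thread; all IP addresses are constructed documentation-range values, and the file paths are placeholders.

```conf
# --- Authoritative (public) primary for abc.com ---
# The stealth slave is deliberately absent from the NS RRset, so it gets
# no NOTIFY by default: also-notify adds it. allow-transfer limits AXFR/IXFR
# to the published slave plus the stealth slave (all addresses constructed).
zone "abc.com" {
    type master;
    file "zones/abc.com.db";
    allow-transfer { 192.0.2.53; 198.51.100.53; };  # public slave, stealth slave
    also-notify    { 198.51.100.53; };              # stealth slave
};

# --- Stealth slave (198.51.100.53) ---
# Holds a full copy of the zone, so it keeps answering from the last
# transferred copy even if every published NS is unreachable.
zone "abc.com" {
    type slave;
    file "slaves/abc.com.db";
    masters { 192.0.2.1; };               # the primary above (constructed IP)
    allow-query { 203.0.113.0/24; };      # only the local resolver(s) may ask it
    notify no;                            # it is hidden; do not announce itself
};

# --- Local recursive resolver (in 203.0.113.0/24) ---
# static-stub tells the resolver which servers to use for abc.com instead
# of the NS records it would otherwise learn by recursion. Note this is
# unconditional: abc.com queries always go to the stealth slave, not only
# when the public NSes are down (the conditional failover the original
# poster asked for is what Kevin argues against further down the thread).
zone "abc.com" {
    type static-stub;
    server-addresses { 198.51.100.53; };
};
```

Kevin's simpler variant collapses the last two stanzas: put the `type slave` zone directly in the local resolver's configuration, so it answers abc.com from its own transferred copy.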
<div dir="ltr">Thanks, Kevin. I'll try static-stub.<br>
<br>
> Date: Tue, 25 Feb 2014 10:56:11 -0500<br>
> From: Kevin Darcy &lt;kcd@chrysler.com&gt;<br>
> To: bind-users@lists.isc.org<br>
> Subject: Re: how to hidden the salve<br>
> Message-ID: &lt;530CBD1B.1060100@chrysler.com&gt;<br>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>
> <br>
> If you have zone-transfer permission, make a stealth slave. That, plus a static-stub definition on your "local" server, and you're set.<br>
> <br>
> Or, to simplify things even further, make the "local" server the stealth slave (this makes some assumptions about your connectivity to the authoritative nameservers for the zone).<br>
> <br>
> - Kevin<br>
> <br>
> On 2/25/2014 9:49 AM, houguanghua wrote:<br>
> > Sorry. My description isn't very clear.<br>
> ><br>
> > The local DNS server isn't a stealth slave. I need a stealth slave, and the local DNS server can query it when all public NSs are out of service.<br>
> ><br>
> > Thanks!<br>
> > Guanghua<br>
> ><br>
> > > Date: Mon, 24 Feb 2014 13:41:03 -0500<br>
> > > From: Kevin Darcy &lt;kcd@chrysler.com&gt;<br>
> > > To: bind-users@lists.isc.org<br>
> > > Subject: Re: how to hidden the salve<br>
> > > Message-ID: &lt;530B923F.8070409@chrysler.com&gt;<br>
> > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>
> > ><br>
> > > I guess I'm still not understanding your requirements. In my thinking, the local DNS server would *be* a stealth slave. Why are you considering these as 2 separate instances?<br>
> > ><br>
> > > - Kevin<br>
> > ><br>
> > > On 2/24/2014 9:56 AM, houguanghua wrote:<br>
> > > > Dan,<br>
> > > ><br>
> > > > Yes, also-notify can hide the slave name server. But the local DNS server can't know where the 'stealth' slave is, either.<br>
> > > ><br>
> > > > Thanks,<br>
> > > > Guanghua<br>
> > > ><br>
> > > > ------------------------------------<br>
> > > > Date: Fri, 21 Feb 2014 07:50:05 -0600<br>
> > > > From: Daniel McDonald &lt;dan.mcdonald@austinenergy.com&gt;<br>
> > > > To: Untitled &lt;bind-users@lists.isc.org&gt;<br>
> > > > Subject: Re: bind-users Digest, Vol 1769, Issue 1<br>
> > > > Message-ID: &lt;CF2CB5AD.6AE8E%dan.mcdonald@austinenergy.com&gt;<br>
> > > > Content-Type: text/plain; charset="US-ASCII"<br>
> > > ><br>
> > > > On 2/21/14 3:39 AM, "houguanghua" &lt;houguanghua@hotmail.com&gt; wrote:<br>
> > > ><br>
> > > > > Kevin,<br>
> > > > ><br>
> > > > > How does the local name server learn where the 'stealth' slave is? For the 'stealth' slave isn't in the NS records.<br>
> > > ><br>
> > > > Also-notify directive. Either in an options stanza or a zone stanza.<br>
> > > ><br>
> > > > ><br>
> > > > > Thanks,<br>
> > > > > Guanghua<br>
> > > ><br>
> > > > --<br>
> > > > Daniel J McDonald, CISSP # 78281<br>
> > > ><br>
> > > > > Date: Thu, 20 Feb 2014 10:48:36 -0500<br>
> > > > > From: Kevin Darcy &lt;kcd@chrysler.com&gt;<br>
> > > > > To: bind-users@lists.isc.org<br>
> > > > > Subject: Re: how to hidden the salve<br>
> > > > > Message-ID: &lt;530623D4.3000508@chrysler.com&gt;<br>
> > > > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>
> > > > ><br>
> > > > > A "stealth" slave has a full copy of the zone, is not published in the NS records, and can resolve names in the latest copy of the zone that it transferred, even if all of the published NSes are down due to a DDoS attack.<br>
> > > > ><br>
> > > > > So, does that not meet the requirements?<br>
> > > > ><br>
> > > > > - Kevin<br>
> > > > ><br>
> > > > > On 2/20/2014 1:28 AM, houguanghua wrote:<br>
> > > > > > "Stealth" slave doesn't fully meet the requirement. It's just part of the requirement to not publish the slave name server in the NS records. Furthermore, the 'stealth' slave is queried by the local DNS server only when all name servers in the NS records are out of service (maybe in case of a DDoS attack).<br>
> > > > > > Guanghua<br>
> > > > > > ------------------------------<br>
> > > > > > On 2/19/2014 11:54 AM, Kevin wrote:<br>
> > > > > > Date: Wed, 19 Feb 2014 11:54:44 -0500<br>
> > > > > > From: Kevin Darcy &lt;kcd@chrysler.com&gt;<br>
> > > > > > To: bind-users@lists.isc.org<br>
> > > > > > Subject: Re: how to modify the cache<br>
> > > > > > Message-ID: 5304E1D4.5000303@chrysler.com &lt;mailto:5304E1D4.5000303@chrysler.com&gt;<br>
> > > > > ><br>
> > > > > > Not a good solution. Even under "normal" circumstances, there will be temporary bottlenecks, dropped packets, etc. that will trigger failover and users will get different answers at different times. Not good for support, maintainability, user experience/satisfaction, etc.<br>
> > > > > ><br>
> > > > > > If all you want is resilience, and you own/control the domain in question, why not just slave it ("stealth" slave, i.e. you don't need to publish it in the NS records)?<br>
> > > > > ><br>
> > > > > > If you *don't* own/control the domain in question, what business do you have standing up a "fake" version of it in your own infrastructure? Not a best practice.<br>
> > > > > ><br>
> > > > > > - Kevin<br>
> > > > > ><br>
> > > > > > On 2/19/2014 4:51 AM, houguanghua wrote:<br>
> > > > > > > Steven,<br>
> > > > > > ><br>
> > > > > > > Your solution is very good. It can forward the queries to the specified name servers first.<br>
> > > > > > ><br>
> > > > > > > But if the specified name server is enabled only when the normal DNS query process is down, how to configure the local DNS server? The detailed scenario is described in the figure below:<br>
> > > > > > ><br>
<pre>
> > > > > >                                      --------------
> > > > > >                                      | Root       |
> > > > > >                                      | nameServer |
> > > > > >                                    / --------------
> > > > > >                                (2)/
> > > > > >                                  /
> > > > > >  ------------          --------------               --------------
> > > > > >  | Client   | __(1)__\ | Local      | ___(3)____\   | Authority  |
> > > > > >  | Resolver |        / | DNS Server |      X     /  | DNS Server |
> > > > > >  ------------          --------------               --------------
> > > > > >                                  \
> > > > > >                                   \(4)
> > > > > >                                    \
> > > > > >                                     \ --------------
> > > > > >                                       | Hidden     |
> > > > > >                                       | DNS Server |
> > > > > >                                       --------------
</pre>
> > > > > ><br>
> > > > > > > Normally,<br>
> > > > > > > 1) An internet user wants to access www.abc.com, a DNS request is sent to the local DNS server<br>
> > > > > > > 2) The local DNS server queries the root name server, the .com name server to get the Authority Name Server of abc.com<br>
> > > > > > > 3) The local DNS server queries the Authority name server, and gets the IP<br>
> > > > > > ><br>
> > > > > > > But when the Authority name server is down, the internet user won't get the IP address. My solution is as follows:<br>
> > > > > > > a) A hidden name server with low performance is deployed. When the authority name server can't be accessed, the local DNS server will access the hidden server.<br>
> > > > > > > b) The hidden server is never used in the normal situation. It acts as a cold backup for the authority name server.<br>
> > > > > > > c) The zone file in the hidden server is the same as that configuration in the authority name server<br>
> > > > > > > d) The hidden name server doesn't appear in the NS records of the authority name server<br>
> > > > > > ><br>
> > > > > > > Btw, all the above doesn't consider the cache in the local DNS server.<br>
> > > > > > ><br>
> > > > > > > Best Regards,<br>
> > > > > > > Guanghua<br>
> > > > > > ><br>
> > > > > > > > Date: Mon, 17 Feb 2014 09:09:13 +0000<br>
> > > > > > > > Subject: Re: how to modify the cache<br>
> > > > > > > > From: sjcarr@gmail.com<br>
> > > > > > > > To: houguanghua@hotmail.com<br>
> > > > > > > > CC: bind-users@lists.isc.org<br>
> > > > > > > ><br>
> > > > > > > > On 17 February 2014 01:17, houguanghua &lt;houguanghua@hotmail.com&gt; wrote:<br>
> > > > > > > > > I want to override the IP address of NS, for I want to use other authority DNS which isn't registered.<br>
> > > > > > > ><br>
> > > > > > > > For that you use forwarding. Create a zone statement for the zone in question and forward the queries to a different name server. You don't need to mess with the cache.<br>
> > > > > > > ><br>
> > > > > > > > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/<br>
> > > > > > ><br>
> ><br>
> > _______________________________________________<br>
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list<br>
> ><br>
> > bind-users mailing list<br>
> > bind-users@lists.isc.org<br>
> > https://lists.isc.org/mailman/listinfo/bind-users<br>
> <br>
> End of bind-users Digest, Vol 1772, Issue 2<br>
<br>
</div></div> </div></body>
</html>