[prev in list] [next in list] [prev in thread] [next in thread]
List: bind-users
Subject: RE: bind-users Digest, Vol 1772, Issue 2
From: houguanghua <houguanghua () hotmail ! com>
Date: 2014-02-26 13:49:51
Message-ID: BAY173-W30EE501FA020CB846673D8BB800 () phx ! gbl
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
[Attachment #4 (text/plain)]
Thanks kevin. I'll try static-stub.
> Date: Tue, 25 Feb 2014 10:56:11 -0500
> From: Kevin Darcy <kcd@chrysler.com>
> To: bind-users@lists.isc.org
> Subject: Re: how to hidden the salve
> Message-ID: <530CBD1B.1060100@chrysler.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> If you have zone-transfer permission, make a stealth slave. That, plus a
> static-stub definition on your "local" server, and you're set.
>
> Or, to simplify things even further, make the "local" server the stealth
> slave (this makes some assumptions about your connectivity to the
> authoritative nameservers for the zone).
>
> - Kevin
>
> On 2/25/2014 9:49 AM, houguanghua wrote:
> > Sorry. My description isn't very clear.
> >
> > The local dns server isn't a stealth slave. I need a stealth slave and
> > the local dns server can query it when all public NSs are out of service.
> >
> > Thanks!
> > Guanghua
> >
> >
> > > Date: Mon, 24 Feb 2014 13:41:03 -0500
> > > From: Kevin Darcy <kcd@chrysler.com>
> > > To: bind-users@lists.isc.org
> > > Subject: Re: how to hidden the salve
> > > Message-ID: <530B923F.8070409@chrysler.com>
> > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> > >
> > > I guess I'm still not understanding your requirements. In my thinking,
> > > the local DNS server would *be* a stealth slave. Why are you
> > considering
> > > these as 2 separate instances?
> > >
> > > - Kevin
> > >
> > > On 2/24/2014 9:56 AM, houguanghua wrote:
> > > > Dan,
> > > >
> > > > Yes, also-notify can hide the slave name server. But local dns server
> > > > can't know where is 'stealth' slave too.
> > > >
> > > > Thanks,
> > > > Guanghua
> > > >
> > > > ------------------------------------
> > > > Date: Fri, 21 Feb 2014 07:50:05 -0600
> > > > From: Daniel McDonald <dan.mcdonald@austinenergy.com>
> > > > To: Untitled <bind-users@lists.isc.org>
> > > > Subject: Re: bind-users Digest, Vol 1769, Issue 1
> > > > Message-ID: <CF2CB5AD.6AE8E%dan.mcdonald@austinenergy.com>
> > > > Content-Type: text/plain; charset="US-ASCII"
> > > >
> > > > On 2/21/14 3:39 AM, "houguanghua" <houguanghua@hotmail.com> wrote:
> > > >
> > > > > kevin,
> > > > >
> > > > > How does the local name server learn where is the 'stealth' slave?
> > > > For the
> > > > > 'stealth' slave isn't in the NS records.
> > > >
> > > > Also-notify directive. Either in an options stanza or a zone stanza.
> > > >
> > > > >
> > > > > thanks,
> > > > > Guanghua
> > > >
> > > > --
> > > > Daniel J McDonald, CISSP # 78281
> > > >
> > > >
> > > >
> > > > > Date: Thu, 20 Feb 2014 10:48:36 -0500
> > > > > From: Kevin Darcy <kcd@chrysler.com>
> > > > > To: bind-users@lists.isc.org
> > > > > Subject: Re: how to hidden the salve
> > > > > Message-ID: <530623D4.3000508@chrysler.com>
> > > > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> > > > >
> > > > > A "stealth" slave has a full copy of the zone, is not published
> > in the
> > > > > NS records, and can resolve names in the latest copy of the zone
> > > > that it
> > > > > transferred, even if all of the published NSes are down due to a
> > DDoS
> > > > > attack.
> > > > >
> > > > > So, does that not meet the requirements?
> > > > >
> > > > > - Kevin
> > > > >
> > > > > On 2/20/2014 1:28 AM, houguanghua wrote:
> > > > > > "Stealth" slave doesn't fully meet the requirement. It's just
> > part of
> > > > > > the requirement to not publish the slave name server in the NS
> > > > > > records. Further more, the 'stealth' slave is quired by local DNS
> > > > > > server only when all name servers in the NS records are out of
> > > > service
> > > > > > ( maybe in case of ddos attack).
> > > > > > Guanghua
> > > > > > ------------------------------
> > > > > > On 2/19/2014 11:54 AM, Kevin wrote:
> > > > > > Date: Wed, 19 Feb 2014 11:54:44 -0500
> > > > > > From: Kevin Darcy <kcd@chrysler.com>
> > > > > > To: bind-users@lists.isc.org
> > > > > > Subject: Re: how to modify the cache
> > > > > > Message-ID: 5304E1D4.5000303@chrysler.com
> > > > > > <mailto:5304E1D4.5000303@chrysler.com>
> > > > > >
> > > > > > Not a good solution. Even under "normal" circumstances, there
> > will be
> > > > > > temporary bottlenecks, dropped packets, etc.. that will trigger
> > > > failover
> > > > > > and users will get different answers at different times. Not
> > good for
> > > > > > support, maintainability, user experience/satisfaction, etc.
> > > > > >
> > > > > > If all you want is resilience, and you own/control the domain in
> > > > > > question, why not just slave it ("stealth" slave, i.e. you don't
> > > > need to
> > > > > > publish it in the NS records)?
> > > > > >
> > > > > > If you *don't* own/control the domain in question, what business
> > > > do you
> > > > > > have standing up a "fake" version of it in your own
> > > > infrastructure? Not
> > > > > > a best practice.
> > > > > >
> > > > > > - Kevin
> > > > > >
> > > > > > On 2/19/2014 4:51 AM, houguanghua wrote:
> > > > > > > Steven,
> > > > > > >
> > > > > > > Your solution is very good. It can forward the queries to
> > > > > > > the specified name servers first.
> > > > > > >
> > > > > > > But if the specified name server is enabled only when normal
> > dns
> > > > query
> > > > > > > process is down. How to configure the local DNS server? The
> > detailed
> > > > > > > scenario is descibed in below figure:
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > --------------
> > > > > > | Root |
> > > > > > | nameServer |
> > > > > > / -------------
> > > > > > (2)/
> > > > > > /
> > > > > > ---------- ----------- -------------
> > > > > > | Client | __(1)____\ | Local | ___(3)_____\ |
> > > > > > Authority |
> > > > > > | Resolver | / | DNS Server | X / | DNS
> > > > > > Server |
> > > > > > ---------- ------------ -------------
> > > > > > \
> > > > > > \(4)
> > > > > > \
> > > > > > \ ------------
> > > > > > | Hidden |
> > > > > > | DNS Server |
> > > > > > ------------
> > > > > >
> > > > > > > Normally,
> > > > > > > 1) A internet user wants to access www.abc.com
> > <http://www.abc.com
> > > > > > <http://www.abc.com/>>,
> > > > > > > a DNS request is sent to local DNS server
> > > > > > > 2) Local DNS server queries the root name server, the .com name
> > > > > > > server to get the Authority Name Server of abc.com
> > > > > > > 3) local DNS server queries the Authority name server, and gets
> > > > the IP
> > > > > > >
> > > > > > > But when the Authority name server is down, the internet
> > user won't
> > > > > > > get the IP address. My solution is as follows:
> > > > > > > a) A hidden name server with low performance is deployed. When
> > > > > > > authority name server can't be accessed, local dns server will
> > > > access
> > > > > > > the hidden server.
> > > > > > > b)The hidden server is never used in normal situation. It act as
> > > > > > > a cold backup for authority name server.
> > > > > > > c) The zone file in the hidden server is the same as that
> > > > > > > configuration in the authority name server
> > > > > > > d) The hidden name server doesn't appear in the NS records
> > > > > > > of authority name server
> > > > > > >
> > > > > > > Btw, all above doesn't consider the cache in the local dns
> > server.
> > > > > > >
> > > > > > >
> > > > > > > Best Regards,
> > > > > > > Guanghua
> > > > > > >
> > > > > > >
> > > > > > > > Date: Mon, 17 Feb 2014 09:09:13 +0000
> > > > > > > > Subject: Re: how to modify the cache
> > > > > > > > From: sjcarr@gmail.com
> > > > > > > > To: houguanghua@hotmail.com
> > > > > > > > CC: bind-users@lists.isc.org
> > > > > > > >
> > > > > > > > On 17 February 2014 01:17, houguanghua
> > <houguanghua@hotmail.com>
> > > > > > wrote:
> > > > > > > > > I want to override the IP address of NS, for I want to
> > use other
> > > > > > > authority
> > > > > > > > > DNS which isn't registered.
> > > > > > > >
> > > > > > > > For that you use forwarding. Create a zone statement for the
> > > > zone in
> > > > > > > > question and forward the queries to a different name server.
> > > > You don't
> > > > > > > > need to mess with the cache.
> > > > > > > >
> > > > > > > >
> > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/
> > > > > > >
> >
> >
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140225/e71ee1a6/attachment.html>
>
> ------------------------------
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
> End of bind-users Digest, Vol 1772, Issue 2
> *******************************************
[Attachment #5 (text/html)]
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:΢ÈíÑźÚ
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks kevin. I'll try \
static-stub.<BR><br>> Date: Tue, 25 Feb 2014 10:56:11 -0500<br>> From: Kevin \
Darcy <kcd@chrysler.com><br>> To: bind-users@lists.isc.org<br>> Subject: \
Re: how to hidden the salve<br>> Message-ID: \
<530CBD1B.1060100@chrysler.com><br>> Content-Type: text/plain; \
charset="iso-8859-1"; Format="flowed"<br>> <br>> If you have zone-transfer \
permission, make a stealth slave. That, plus a <br>> static-stub definition on \
your "local" server, and you're set.<br>> <br>> Or, to simplify things even \
further, make the "local" server the stealth <br>> slave (this makes some \
assumptions about your connectivity to the <br>> authoritative nameservers for the \
zone).<br>> <br>> - Kevin<br>> <br>> On \
2/25/2014 9:49 AM, houguanghua wrote:<br>> > Sorry. My description isn't very \
clear.<br>> ><br>> > The local dns server isn't a stealth slave. I need a \
stealth slave and <br>> > the local dns server can query it when all public NSs \
are out of service.<br>> ><br>> > Thanks!<br>> > Guanghua<br>> \
><br>> ><br>> > > Date: Mon, 24 Feb 2014 13:41:03 -0500<br>> \
> > From: Kevin Darcy <kcd@chrysler.com><br>> > > To: \
bind-users@lists.isc.org<br>> > > Subject: Re: how to hidden the \
salve<br>> > > Message-ID: <530B923F.8070409@chrysler.com><br>> \
> > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>> \
> ><br>> > > I guess I'm still not understanding your requirements. In \
my thinking,<br>> > > the local DNS server would *be* a stealth slave. Why \
are you <br>> > considering<br>> > > these as 2 separate \
instances?<br>> > ><br>> > > - Kevin<br>> > ><br>> > \
> On 2/24/2014 9:56 AM, houguanghua wrote:<br>> > > > Dan,<br>> \
> > ><br>> > > > Yes, also-notify can hide the slave name \
server. But local dns server<br>> > > > can't know where is 'stealth' \
slave too.<br>> > > ><br>> > > > Thanks,<br>> > > \
> Guanghua<br>> > > ><br>> > > > \
------------------------------------<br>> > > > Date: Fri, 21 Feb 2014 \
07:50:05 -0600<br>> > > > From: Daniel McDonald \
<dan.mcdonald@austinenergy.com><br>> > > > To: Untitled \
<bind-users@lists.isc.org><br>> > > > Subject: Re: bind-users \
Digest, Vol 1769, Issue 1<br>> > > > Message-ID: \
<CF2CB5AD.6AE8E%dan.mcdonald@austinenergy.com><br>> > > > \
Content-Type: text/plain; charset="US-ASCII"<br>> > > ><br>> > > \
> On 2/21/14 3:39 AM, "houguanghua" <houguanghua@hotmail.com> wrote:<br>> \
> > ><br>> > > > > kevin,<br>> > > > ><br>> \
> > > > How does the local name server learn where is the 'stealth' \
slave?<br>> > > > For the<br>> > > > > 'stealth' slave \
isn't in the NS records.<br>> > > ><br>> > > > Also-notify \
directive. Either in an options stanza or a zone stanza.<br>> > > \
><br>> > > > ><br>> > > > > thanks,<br>> > \
> > > Guanghua<br>> > > ><br>> > > > --<br>> > \
> > Daniel J McDonald, CISSP # 78281<br>> > > ><br>> > > \
><br>> > > ><br>> > > > > Date: Thu, 20 Feb 2014 \
10:48:36 -0500<br>> > > > > From: Kevin Darcy \
<kcd@chrysler.com><br>> > > > > To: \
bind-users@lists.isc.org<br>> > > > > Subject: Re: how to hidden the \
salve<br>> > > > > Message-ID: \
<530623D4.3000508@chrysler.com><br>> > > > > Content-Type: \
text/plain; charset="iso-8859-1"; Format="flowed"<br>> > > > ><br>> \
> > > > A "stealth" slave has a full copy of the zone, is not published \
<br>> > in the<br>> > > > > NS records, and can resolve names in \
the latest copy of the zone<br>> > > > that it<br>> > > > \
> transferred, even if all of the published NSes are down due to a <br>> > \
DDoS<br>> > > > > attack.<br>> > > > ><br>> > \
> > > So, does that not meet the requirements?<br>> > > > \
><br>> > > > > - Kevin<br>> > > > ><br>> > \
> > > On 2/20/2014 1:28 AM, houguanghua wrote:<br>> > > > > \
> "Stealth" slave doesn't fully meet the requirement. It's just <br>> > part \
of<br>> > > > > > the requirement to not publish the slave name \
server in the NS<br>> > > > > > records. Further more, the \
'stealth' slave is quired by local DNS<br>> > > > > > server only \
when all name servers in the NS records are out of<br>> > > > \
service<br>> > > > > > ( maybe in case of ddos attack).<br>> \
> > > > > Guanghua<br>> > > > > > \
------------------------------<br>> > > > > > On 2/19/2014 11:54 \
AM, Kevin wrote:<br>> > > > > > Date: Wed, 19 Feb 2014 11:54:44 \
-0500<br>> > > > > > From: Kevin Darcy \
<kcd@chrysler.com><br>> > > > > > To: \
bind-users@lists.isc.org<br>> > > > > > Subject: Re: how to modify \
the cache<br>> > > > > > Message-ID: \
5304E1D4.5000303@chrysler.com<br>> > > > > > \
<mailto:5304E1D4.5000303@chrysler.com><br>> > > > > ><br>> \
> > > > > Not a good solution. Even under "normal" circumstances, \
there <br>> > will be<br>> > > > > > temporary bottlenecks, \
dropped packets, etc.. that will trigger<br>> > > > failover<br>> > \
> > > > and users will get different answers at different times. Not \
<br>> > good for<br>> > > > > > support, maintainability, \
user experience/satisfaction, etc.<br>> > > > > ><br>> > > \
> > > If all you want is resilience, and you own/control the domain \
in<br>> > > > > > question, why not just slave it ("stealth" slave, \
i.e. you don't<br>> > > > need to<br>> > > > > > \
publish it in the NS records)?<br>> > > > > ><br>> > > \
> > > If you *don't* own/control the domain in question, what \
business<br>> > > > do you<br>> > > > > > have standing \
up a "fake" version of it in your own<br>> > > > infrastructure? \
Not<br>> > > > > > a best practice.<br>> > > > > \
><br>> > > > > > - Kevin<br>> > > > > \
><br>> > > > > > On 2/19/2014 4:51 AM, houguanghua \
wrote:<br>> > > > > > > Steven,<br>> > > > > > \
><br>> > > > > > > Your solution is very good. It can forward \
the queries to<br>> > > > > > > the specified name servers \
first.<br>> > > > > > ><br>> > > > > > > \
But if the specified name server is enabled only when normal <br>> > \
dns<br>> > > > query<br>> > > > > > > process is \
down. How to configure the local DNS server? The <br>> > detailed<br>> > \
> > > > > scenario is descibed in below figure:<br>> > > > \
> > ><br>> > > > > > ><br>> > > > > \
><br>> > > > > > --------------<br>> > > > > > \
| Root |<br>> > > > > > | nameServer |<br>> > > > > \
> / -------------<br>> > > > > > (2)/<br>> > > > \
> > /<br>> > > > > > ---------- ----------- \
-------------<br>> > > > > > | Client | __(1)____\ | Local | \
___(3)_____\ |<br>> > > > > > Authority |<br>> > > > \
> > | Resolver | / | DNS Server | X / | DNS<br>> > > > > > \
Server |<br>> > > > > > ---------- ------------ \
-------------<br>> > > > > > \<br>> > > > > > \
\(4)<br>> > > > > > \<br>> > > > > > \ \
------------<br>> > > > > > | Hidden |<br>> > > > > \
> | DNS Server |<br>> > > > > > ------------<br>> > > \
> > ><br>> > > > > > > Normally,<br>> > > > \
> > > 1) A internet user wants to access www.abc.com <br>> > \
<http://www.abc.com<br>> > > > > > \
<http://www.abc.com/>>,<br>> > > > > > > a DNS request \
is sent to local DNS server<br>> > > > > > > 2) Local DNS server \
queries the root name server, the .com name<br>> > > > > > > \
server to get the Authority Name Server of abc.com<br>> > > > > > \
> 3) local DNS server queries the Authority name server, and gets<br>> > \
> > the IP<br>> > > > > > ><br>> > > > > \
> > But when the Authority name server is down, the internet <br>> > user \
won't<br>> > > > > > > get the IP address. My solution is as \
follows:<br>> > > > > > > a) A hidden name server with low \
performance is deployed. When<br>> > > > > > > authority name \
server can't be accessed, local dns server will<br>> > > > access<br>> \
> > > > > > the hidden server.<br>> > > > > > \
> b)The hidden server is never used in normal situation. It act as<br>> > \
> > > > > a cold backup for authority name server.<br>> > > \
> > > > c) The zone file in the hidden server is the same as that<br>> \
> > > > > > configuration in the authority name server<br>> > \
> > > > > d) The hidden name server doesn't appear in the NS \
records<br>> > > > > > > of authority name server<br>> > \
> > > > ><br>> > > > > > > Btw, all above doesn't \
consider the cache in the local dns <br>> > server.<br>> > > > > \
> ><br>> > > > > > ><br>> > > > > > > \
Best Regards,<br>> > > > > > > Guanghua<br>> > > > \
> > ><br>> > > > > > ><br>> > > > > > \
> > Date: Mon, 17 Feb 2014 09:09:13 +0000<br>> > > > > > > \
> Subject: Re: how to modify the cache<br>> > > > > > > > \
From: sjcarr@gmail.com<br>> > > > > > > > To: \
houguanghua@hotmail.com<br>> > > > > > > > CC: \
bind-users@lists.isc.org<br>> > > > > > > ><br>> > > \
> > > > > On 17 February 2014 01:17, houguanghua <br>> > \
<houguanghua@hotmail.com><br>> > > > > > wrote:<br>> > \
> > > > > > > I want to override the IP address of NS, for I \
want to <br>> > use other<br>> > > > > > > \
authority<br>> > > > > > > > > DNS which isn't \
registered.<br>> > > > > > > ><br>> > > > > \
> > > For that you use forwarding. Create a zone statement for the<br>> \
> > > zone in<br>> > > > > > > > question and \
forward the queries to a different name server.<br>> > > > You \
don't<br>> > > > > > > > need to mess with the cache.<br>> \
> > > > > > ><br>> > > > > > > > \
<br>> > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/<br>> \
> > > > > ><br>> ><br>> ><br>> ><br>> > \
_______________________________________________<br>> > Please visit \
https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this \
list<br>> ><br>> > bind-users mailing list<br>> > \
bind-users@lists.isc.org<br>> > \
https://lists.isc.org/mailman/listinfo/bind-users<br>> <br>> -------------- \
next part --------------<br>> An HTML attachment was scrubbed...<br>> URL: \
<https://lists.isc.org/pipermail/bind-users/attachments/20140225/e71ee1a6/attachment.html><br>> \
<br>> ------------------------------<br>> <br>> \
_______________________________________________<br>> bind-users mailing \
list<br>> bind-users@lists.isc.org<br>> \
https://lists.isc.org/mailman/listinfo/bind-users<br>> <br>> End of bind-users \
Digest, Vol 1772, Issue 2<br>> *******************************************<br><BR> \
</div></body> </html>
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic