Re: Split DNS Configuration in BIND
On 05/29/2011 21:59, babu dheen wrote:
> Hi,
> Would like to know how to configure split DNS in BIND running on RHEL 5.0. Below is our setup and requirement. We have a zone called mycompany.com. So whenever my company users sitting in the LAN try to access the mycompany.com domain in Explorer, they should get the internal IP address (private IP address), whereas users from the internet should get the public IP for the mycompany.com domain.

Better yet, re-examine the reasons you want to do this, and consider not doing it. It's incredibly rare that using split DNS is a solution to a real problem, it's almost always something that people do because they think they need to.

On the other hand, if you really need/want to have internal addresses to access company resources, consider placing them in a separate zone. Something like int.mycompany.com. You have to put these addresses in a separate zone _file_ anyway, why not make it a separate zone? It will reduce complexity for you in the long run.

hth,

Doug

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Split DNS Configuration in BIND
Dear Doug,

Appreciate your quick response. Actually this setup is very much required for us. Let me tell you the scenario:

We have a DNS record called mail.company.com which is hosted in the internal company LAN. When any users try to access mail.company.com in a browser, they will get the private IP address and immediately get the mail.company.com website home page, whereas if any of my company users try to access the mail.company.com website from the internet (outside the company), they should get the public IP address, which should point to the mail.company.com website.

Kindly let me know the solution for the same.

Regards
Babu

--- On Mon, 30/5/11, Doug Barton do...@dougbarton.us wrote:
> From: Doug Barton do...@dougbarton.us
> Subject: Re: Split DNS Configuration in BIND
> To: babu dheen babudh...@yahoo.co.in
> Cc: bind-users@lists.isc.org
> Date: Monday, 30 May, 2011, 11:15 AM
> [...]
Re: Hosting my company DNS server in Internet
babu dheen wrote:
> Can anyone have any idea as to how we can host our own authoritative DNS server for my company. For example if my company domain is mycompany.com, we want to maintain our own DNS server so that users across the world should contact our DNS server for name resolution for the mycompany.com domain.

The most basic way would be:

- install a nameserver (BIND) somewhere, and make sure it's reachable on tcp+udp port 53 from the entire world
- set up one or more zonefiles, configure domain(s) in named.conf
- configure one or more external slave servers to _also_ be authoritative for your domain(s), fetching updates from your master DNS server.
- make sure your slave server(s) can actually do a zone transfer from your master. You might also want to prevent others (anyone except your slave servers) from doing this.
- register/buy the domain name(s) if you haven't already done so.
- tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers.

Regards
Eivind Olsen
eiv...@aminor.no
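The steps above as one concrete configuration, added here as an illustration and not taken from Eivind's post or from any BIND documentation: ns1.mycompany.com (192.0.2.10) is the master, ns2.example.net (198.51.100.20) the external slave, a TSIG key named ns1-ns2 is the only thing allowed to pull zone transfers, and the zone file carries the NS set the registrar will be told about. All names, addresses, paths and the key material are placeholders.

```conf
// --- named.conf on the master, ns1.mycompany.com (192.0.2.10) ---
// Placeholder key material: generate with
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2   (BIND 9.8 era)
// or tsig-keygen ns1-ns2 on newer BIND, and copy the secret to the slave only.
key "ns1-ns2." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

options {
    directory "/var/named";
    listen-on { 192.0.2.10; };
    recursion no;                 // authoritative-only: never a resolver for the world
    allow-query { any; };         // the zone data is public anyway
    allow-transfer { none; };     // global default; opened per zone below
    notify yes;                   // tell the slave when the serial changes
};

zone "mycompany.com" {
    type master;
    file "master/mycompany.com.zone";
    allow-transfer { key "ns1-ns2."; };   // AXFR/IXFR only with the shared TSIG key
    also-notify { 198.51.100.20; };
};

// --- named.conf on the slave, ns2.example.net (198.51.100.20) ---
key "ns1-ns2." {
    algorithm hmac-sha256;
    secret "SAME-SECRET-AS-ON-THE-MASTER";
};

server 192.0.2.10 { keys { "ns1-ns2."; }; };   // sign every request sent to the master

zone "mycompany.com" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/mycompany.com.zone";
    allow-transfer { none; };     // nobody pulls the zone from the slave
};

; --- master/mycompany.com.zone (placeholder data) ---
$TTL 3600
$ORIGIN mycompany.com.
@       IN SOA  ns1.mycompany.com. hostmaster.mycompany.com. (
                2011053001 ; serial: bump on every edit or the slave never transfers
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative caching TTL
        IN NS   ns1.mycompany.com.
        IN NS   ns2.example.net.
ns1     IN A    192.0.2.10        ; glue: ns1 lives inside the zone it serves
www     IN A    192.0.2.80
```

Run named-checkconf and named-checkzone mycompany.com master/mycompany.com.zone before reloading. From any host that is not the slave, dig @192.0.2.10 mycompany.com AXFR must now come back REFUSED; from the slave it must succeed, and the slave's log should show the transfer completing shortly after each NOTIFY. For the last of the steps above, what the registrar needs is the two NS names plus the address of ns1 as glue, since ns1 is inside the zone it is authoritative for.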
Re: Hosting my company DNS server in Internet
On Mon, May 30, 2011 at 10:31:28AM +0530, babu dheen babudh...@yahoo.co.in wrote a message of 44 lines which said:
> Can anyone have any idea as to how we can host our own authoritative DNS server for my company.

There is not much difference between the hosting of a DNS server and the hosting of any other Internet server. Three possibilities:

1) You host it on your premises, connected through your normal IAP (Internet Access Provider) and you deal with power, air conditioning, system administration, etc. Maximum control, but may be a problem with some IAPs which, for instance, do not allocate you enough public IPv4 addresses (and still do not have IPv6).

2) You rent a virtual or physical server somewhere in the cloud and you manage it. No longer power and air conditioning issues (someone else's business) but you still have to do system administration. Many companies have such a service for less than 30 US$/month (http://www.linode.com/, http://www.gandi.net/, http://www.zerigo.com/, http://www.vr.org/ and many, many others).

3) You subcontract everything to one of the many companies which provide hosting of a service they manage. Less control, may be questionable (you lose independence), works only for services for which there is an offer (HTTP, of course, but DNS works also).

There is something specific to the DNS: you need at least two physical POPs. For solution 1), it may be a problem. Nevertheless, some DNS providers allow you to have a master and provide you with a slave. Talk to your IAP, registrar, etc.

> For example if my company domain is mycompany.com, we want to maintain our own DNS server so that users across the world should contact our DNS server for name resolution for the mycompany.com domain.

This does not require that you have your own servers. My blog is reachable by http://www.bortzmeyer.org/ even if I don't have it on my name servers (entirely hosted by a DNS provider).
Re: Hosting my company DNS server in Internet
Dear Olsen,

Thanks for the update. I can follow all the steps but I couldn't understand the below two points:
> - register/buy the domain name(s) if you haven't already done so.
> - tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers

My concern: if I want to host my own website, do I need to pay my ISP? And please advise whether we can host our parent domain (company.com) also in our own DNS server.

Regards
Babu

--- On Mon, 30/5/11, Eivind Olsen eiv...@aminor.no wrote:
> From: Eivind Olsen eiv...@aminor.no
> Subject: Re: Hosting my company DNS server in Internet
> To: bind-users@lists.isc.org
> Date: Monday, 30 May, 2011, 12:18 PM
> [...]
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
On 30.05.11 05:12, Maren S. Leizaola wrote:
> DNS-Racing is a method of load balancing access to servers which are multi homed and provides lowest latency access to users and network resilience to ISP/routing failure.

like, RRset sorting?

> *What does it do?* It permits a server which is connected to two ISPs to use the optimal ISP when transferring data to a user regardless of TCP/UDP protocol. When a user does a DNS look up it will select the IP address of the server which is closest. If one of the two ISPs is down or there is a routing problem the user will only be offered the IP address of the server it has access to. It also means that traffic will have the lowest latency. DNS Racing can be done with 2 or more providers and permits to scale network bandwidth horizontally by adding more providers. In theory up to 14 different ISPs/IPs could be used to do the delivery. It is a poor man's replacement for BGP multihoming and IP anycast. For those that want a full explanation and an implementation guide: http://blog.hk.com/index.php?/archives/84-DNS-Racing.-Multi-ISP-load-balancing-with-failover-using-DNS..html Hey it is Free and you can implement it using BIND.

So, any server will return the IP that is closer to the _server_, not to the _client_. It relies on BIND's RTT-measuring feature that has undergone some changes in the past and occasionally tries the far (topologically) server to see if it's still far, in which case the client will get the worse result...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: Hosting my company DNS server in Internet
On Mon, May 30, 2011 at 3:45 PM, babu dheen babudh...@yahoo.co.in wrote:
> Dear Olsen, thanks for the update. I can follow all the steps but I couldn't understand the below two points
> - register/buy the domain name(s) if you haven't already done so.
> - tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers

Have you EVER managed a domain before, whether hosted or not? If not, then I HIGHLY recommend you just use a hosting provider and have them manage both your website and DNS.

Back to your original question:

> My concern if I want to host my own website, do I need to pay my ISP?

That depends. You obviously pay them for internet access. You MIGHT need to pay them if you also use other services, like
- buy your domain from your ISP
- use your ISP's name server as secondary name server
- use your ISP's MX
- use an additional IP address for your website

> and please suggest me that if we want to host our parent domain (company.com) also in our own DNS server.

Again, it depends. If you know how to set it up, then no, you don't need to pay additional money to your ISP. But it could be YES, if you use some of their services (see above).

If you have no idea what I'm talking about, here's a somewhat simple checklist you can look at before you decide whether to run your own DNS/web server:

(1) Do you know which service you want to create? Is it a web server? Is it a mail server? Is it a DNS server? All of them?
(2) Do you know the difference between the services you're trying to create? What it does? Which software to use? etc.
(3) Do you know how they work? Can you set up a web server from scratch? Can you set up a DNS server from scratch? Do you know about the DNS hierarchy? etc.
(4) Can you manage the servers/services? Do you know how to keep your system secure? Do you know how to update a web page or a DNS record? Do you need an HA setup? etc.

If the answer to any one of them is NO, then just use a hosting provider and have them manage both your website and DNS.

This list is about the DNS software BIND, not about creating your own website/DNS server. If you have a specific question about BIND, feel free to ask.

-- 
Fajar
Re: Hosting my company DNS server in Internet
Dear Fajar,

Wonderful response from you. Really appreciate it. As you asked, below is my update on the checklist. I am not sure why I need to pay money to my ISP for hosting my website on my company DNS server.

> If you have no idea what I'm talking about, here's a somewhat simple checklist you can look at before you decide whether to run your own DNS/web server:
> (1) Do you know which service you want to create? Is it a web server? Is it a mail server? Is it a DNS server? All of them?

I just want to create a DNS server for my website. The website is managed by me.

> (2) Do you know the difference between the services you're trying to create? What it does? Which software to use? etc.

I am using BIND in my DNS server.

> (3) Do you know how they work? Can you set up a web server from scratch? Can you set up a DNS server from scratch? Do you know about the DNS hierarchy? etc.

Yes, I know how to set up a basic DNS server and know the DNS hierarchy.

> (4) Can you manage the servers/services? Do you know how to keep your system secure? Do you know how to update a web page or a DNS record? Do you need an HA setup? etc.

Yes, I know how to update DNS records and know how to configure a primary and secondary DNS setup in BIND.

> If the answer to any one of them is NO, then just use a hosting provider and have them manage both your website and DNS.
> This list is about the DNS software BIND, not about creating your own website/DNS server. If you have a specific question about BIND, feel free to ask.

--- On Mon, 30/5/11, Fajar A. Nugraha l...@fajar.net wrote:
> From: Fajar A. Nugraha l...@fajar.net
> Subject: Re: Hosting my company DNS server in Internet
> To: babu dheen babudh...@yahoo.co.in
> Cc: bind-users@lists.isc.org
> Date: Monday, 30 May, 2011, 3:12 PM
> [...]
Re: Hosting my company DNS server in Internet
On Mon, May 30, 2011 at 04:51:18PM +0530, babu dheen babudh...@yahoo.co.in wrote a message of 227 lines which said:
> I am not sure why I need to pay money to my ISP for hosting my website on my company DNS server.

This sentence seems to indicate that you know very little about Internet services (hosting a Web site on a DNS server...). In that case, it would be more careful, as suggested by Fajar A. Nugraha, to outsource the hosting (and then to spend time learning).

Back to the specific question: if the IAP (Internet Access Provider, ISP is too vague) asks you money to authorize you to deploy a server on your own machine, switch to another IAP.
Re: Hosting my company DNS server in Internet
Hi,

My concern is not giving money to the ISP, and kindly please note that I am not going to host my website in the DNS server; we are already managing the website in our network but using the ISP's DNS server for name resolution only for outside users (internet). In short, I can say that we just want to host an authoritative DNS server for my company website (company.com).

Regards
Babu

--- On Mon, 30/5/11, Stephane Bortzmeyer bortzme...@nic.fr wrote:
> From: Stephane Bortzmeyer bortzme...@nic.fr
> Subject: Re: Hosting my company DNS server in Internet
> To: babu dheen babudh...@yahoo.co.in
> Cc: Fajar A. Nugraha l...@fajar.net, bind-users@lists.isc.org
> Date: Monday, 30 May, 2011, 5:38 PM
> [...]
9.8 manuals on web
Hello,

the web page (http://www.isc.org/software/bind/documentation) claims to provide links to 9.4-9.8 manuals (html and pdf), however only 9.4 and 9.5 are working. Did a mistake happen here?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
RE: Split DNS Configuration in BIND
Not all firewalls can hairpin a public IP back to a private IP. We've had to do this, too.

Yes, we could have created a separate zone, but that would require training our staff to use one FQDN internally and another with the customers. Easier to teach one thing to the staff and push the complexity back onto the configuration.

Frank

From: bind-users-bounces+frnkblk=iname@lists.isc.org [mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of babu dheen
Sent: Monday, May 30, 2011 1:17 AM
To: Doug Barton
Cc: bind-users@lists.isc.org
Subject: Re: Split DNS Configuration in BIND
> [...]
recursive lookups problems with 9.8.0_p2
Hello,

after upgrading to 9.8.0p2 I have noticed problems with recursive queries. The server sometimes does not return an answer for e.g. www.yahoo.com. Repeated lookups for www.yahoo.com sometimes do, sometimes do not return the answer, only the first CNAME, but the nameserver did know where the CNAMEs point to and answered when I asked. A few times I was unable to get the full answer for quite a long time (and users were complaining). I don't have this problem with 9.7.3...

I found the 9.8.0 CNAME chain problem reported in April without further information. I think this situation can cause real trouble, because stub resolvers are not expected to look up the CNAMEs themselves, are they?

Example, a few lookups in a short time:

uhlar@fantomas% dig www.yahoo.com @195.168.1.156
[snip]
;; ANSWER SECTION:
www.yahoo.com.           65     IN CNAME fp.wg1.b.yahoo.com.
fp.wg1.b.yahoo.com.      3035   IN CNAME eu-fp.wa1.b.yahoo.com.
eu-fp.wa1.b.yahoo.com.   60     IN A     87.248.122.122
eu-fp.wa1.b.yahoo.com.   60     IN A     87.248.112.181

;; AUTHORITY SECTION:
wa1.b.yahoo.com.         600605 IN NS    yf2.yahoo.com.
wa1.b.yahoo.com.         600605 IN NS    yf1.yahoo.com.

;; ADDITIONAL SECTION:
yf1.yahoo.com.           1235   IN A     68.142.254.15
yf2.yahoo.com.           1235   IN A     68.180.130.15

;; Query time: 31 msec
;; SERVER: 195.168.1.156#53(195.168.1.156)
;; WHEN: Mon May 30 17:46:30 2011
;; MSG SIZE  rcvd: 178

uhlar@fantomas% dig www.yahoo.com @195.168.1.156
[snip]
;; ANSWER SECTION:
www.yahoo.com.           64     IN CNAME fp.wg1.b.yahoo.com.

;; Query time: 1 msec
;; SERVER: 195.168.1.156#53(195.168.1.156)
;; WHEN: Mon May 30 17:46:31 2011
;; MSG SIZE  rcvd: 54

uhlar@fantomas% dig www.yahoo.com @195.168.1.156
[snip]
;; ANSWER SECTION:
www.yahoo.com.           29     IN CNAME fp.wg1.b.yahoo.com.
fp.wg1.b.yahoo.com.      2999   IN CNAME eu-fp.wa1.b.yahoo.com.
eu-fp.wa1.b.yahoo.com.   24     IN A     87.248.112.181
eu-fp.wa1.b.yahoo.com.   24     IN A     87.248.122.122

;; AUTHORITY SECTION:
wa1.b.yahoo.com.         600569 IN NS    yf2.yahoo.com.
wa1.b.yahoo.com.         600569 IN NS    yf1.yahoo.com.

;; ADDITIONAL SECTION:
yf1.yahoo.com.           1199   IN A     68.142.254.15
yf2.yahoo.com.           1199   IN A     68.180.130.15

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: recursive lookups problems with 9.8.0_p2
Would it be convenient to try 9.8.1b1? It has a fix that may address this problem.

I should add that I don't recommend using 9.8.1b1 in a production environment because of a known security flaw. But it might be informative to test with it and see whether it addresses the CNAME problem, and if so you can deploy 9.8.1 in a few weeks.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: recursive lookups problems with 9.8.0_p2
> after upgrading to 9.8.0p2 I have noticed problems with recursive queries. The server sometimes does not return an answer for e.g. www.yahoo.com.

Would it be convenient to try 9.8.1b1? It has a fix that may address this problem.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Split DNS Configuration in BIND
On 05/30/2011 09:15, Frank Bulk wrote:
> Not all firewalls can hairpin a public IP back to a private IP. We've had to do this, too.

First, firewalls don't do routing. :)

> Yes, we could have created a separate zone, but that would require training our staff to use one FQDN internally and another with the customers. Easier to teach one thing to the staff and push the complexity back onto the configuration.

Second, s/configuration/DNS/, which I would argue is the wrong layer. Solve routing problems at the routing layer. But I realize that there are differing opinions on this.

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: Split DNS Configuration in BIND
On 05/29/2011 23:17, babu dheen wrote:
> We have a DNS record called mail.company.com which is hosted in the internal company LAN. When any users try to access mail.company.com in a browser, they will get the private IP address and immediately get the mail.company.com website home page, whereas if any of my company users try to access the mail.company.com website from the internet (outside the company), they should get the public IP address, which should point to the mail.company.com website.

It's not clear to me from this description why you need 2 different IP addresses for the same resource.

-- 
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: Re: DNS Racing -Multi ISP load balancing with failover using DNS.
Hello,

I am reading this mailing list as a digest so sorry for the late replies.

Firstly, we have been using this method for over 4 years and I have yet to have one person tell me that they can connect to our servers using POP3, SMTP, IMAP or WEB.

1. Mark, regarding Chrome: in my last big crawl of the internet from Hong Kong the average DNS resolution was 450ms... so 300ms would give you what result? Not sure, I don't care. I am talking about IP connectivity, not some application deciding which RR it should use, as many applications are dumb and you can't ask the remote end to change anything. FYI, I will never use Chrome and nor will many people, due to privacy issues. It is banned in companies in Asia.

2. Mark, there are no modifications to any packets at the DNS resolver level, not sure why there would have to be. We have not yet implemented DNSSEC so I don't know if this breaks anything. First packet wins, both can be signed. Now if you have something set on paranoid mode which checks the consistency of the DNS servers it would fail... that is an extreme minority and I have YET to see a complaint.

Matus, I like your reply. You are right that the winning IP would be the one that is closest to the resolving server rather than to the client. I know that not everyone is using a DNS resolver on the same network/AS number that they are on. This could be the biggest flaw. Say you use Google FreeDNS and it will give as a reply whatever Google can access the fastest. However if you are using a DNS resolver within your AS number you will benefit from DNS Racing. Well pointed out. All that this does is break the best path and access guarantee that DNS Racing provides. In reality if you don't implement DNS Racing you would get the same result. No, it does not rely on the BIND RTT feature, we are talking about pure latency: DNS replies race to the resolver, the one that gets there first is the winner.

This is not something that I just dreamt up yesterday, we have been using it for years without problems, which is why I feel it is safe to document it and recommend it.

Regards,
Maren.

On 3:59 AM, Mark Andrews wrote:
> And if people used happy-eyeballs[1] or similar[2] in the applications this would not be needed. Chrome already does this with their latest browser. It uses a 300ms timer to switch to the next address.
>
> Happy-eyeballs was primarily written to deal with broken 6to4 links but the techniques are applicable to any multi-homed service, be it IPv4 only, IPv6 only or a mixture of IPv4 and IPv6.
>
> Mark
>
> [1] http://tools.ietf.org/html/draft-wing-v6ops-happy-eyeballs-ipv6-01
> [2] https://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp
>
> In message <4de2c00b.6090...@isc.org>, Alan Clegg writes:
>> On 5/29/2011 5:12 PM, Maren S. Leizaola wrote:
>>> IT is a poor man's replacement for BGP multihoming and IP anycast.
>>> Hey it is Free and you can implement it using BIND.
>>
>> And you've just broken DNSSEC.
>>
>> AlanC
RE: Split DNS Configuration in BIND
Point taken, and I should have mentioned that it's NAT in play. I agree, it's a problem that not all firewalls can hairpin public IPs back to their private IPs, but when working with what you've got, sometimes the solution isn't ideal. Frank -Original Message- From: Doug Barton [mailto:do...@dougbarton.us] Sent: Monday, May 30, 2011 2:19 PM To: frnk...@iname.com Cc: 'babu dheen'; bind-users@lists.isc.org Subject: Re: Split DNS Configuration in BIND On 05/30/2011 09:15, Frank Bulk wrote: Not all firewalls can hairpin a public IP back to a private IP. We've had to do this, too. First, firewalls don't do routing. :) Yes, we could have created a separate zone, but that would require training our staff to use one FQDN internally and another with the customers. Easier to teach one thing to the staff and push the complexity back on the configuration. Second, s/configuration/DNS/, which I would argue is the wrong layer. Solve routing problems at the routing layer. But I realize that there are differing opinions on this. -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: Split DNS Configuration in BIND
In a number of cases NATs have a problem accessing the internal boxes via an external address from inside the NAT. In such cases it is much easier to just access the box from inside with its internal address and from outside with its external address. Using the two views allows for all sorts of scripting etc. without having to consider whether you are on the outside or the inside. I have used that for many years now. On 30/05/11 21:20, Doug Barton wrote: On 05/29/2011 23:17, babu dheen wrote: We have DNS record called mail.company.com which is hosted in internal company LAN network. When any users try to access mail.company.com in browser, they will get private IP address and immediately they will get mail.company.com website home page whereas if any of my company users try to access the mail.company.com website from internet(outside company), they should get public IP address which should be pointed to mail.company.com website. It's not clear to me from this description why you need 2 different IP addresses for the same resource. -- Best regards Sten Carlsen No improvements come from shouting: MALE BOVINE MANURE!!!
Re: 9.8 manuals on web
In message 20110530151431.ga23...@fantomas.sk, Matus UHLAR - fantomas writes: Hello, the web page (http://www.isc.org/software/bind/documentation) claims to provide links to 9.4-9.8 manuals (html and pdf) however only 9.4 and 9.5 are working. Did a mistake happen here? Forwarded for actioning. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
RE: 9.8 manuals on web
Seems like the ./doc directory is missing from the /isc/bind/cur/9.x tree, which is linked to from the page you mentioned below. It's there in ftp://ftp.isc.org/isc/bind/9.8.0-P1/ but not in ftp://ftp.isc.org/isc/bind/9.8.0-P2/ --jm -Original Message- From: bind-users-bounces+jm=hcn.com...@lists.isc.org [mailto:bind-users-bounces+jm=hcn.com...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas Sent: Tuesday, 31 May 2011 1:15 AM To: bind-users@lists.isc.org Subject: 9.8 manuals on web Hello, the web page (http://www.isc.org/software/bind/documentation) claims to provide links to 9.4-9.8 manuals (html and pdf) however only 9.4 and 9.5 are working. Did a mistake happen here? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. (Slovak: Warning: I do NOT want to receive any advertising mail at this address.) Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
It is still a bad idea. Fixing the clients so they work well with multi-homed servers not only works today with mostly IPv4 servers but also works well with dual stack servers and IPv6 only servers. You don't have to have artificially low TTLs on the DNS responses. You get sub-second failover on new connections. If you really want to perform races, then connect() races will reflect actual client topology, not resolver topology. DNS Race doesn't work in a dual stack environment as it is dependent on the record type and transport matching. As for Chrome, it was an example of an application which does work well with multi-homed servers. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
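Mark's connect() race, as an added example that is not code from the thread, from ISC or from Chrome: the client opens a TCP attempt to each of the server's addresses in turn, staggered by the 300 ms figure quoted for Chrome above, starts the next attempt immediately when one fails outright, and keeps the first connection that completes. The addresses (203.0.113.10, 192.0.2.20), the port and the simulated connect behaviour are constructed for the demo; the default connect path uses a real socket.

```python
"""Connect-time race across a multi-homed server's addresses (happy-eyeballs style)."""
import queue
import socket
import threading
import time

# Stagger between attempts; 0.3 s is the Chrome figure quoted in the thread.
ATTEMPT_DELAY = 0.3


def race_connect(addresses, port, connect=None, delay=ATTEMPT_DELAY, timeout=2.0):
    """Try `addresses` in preference order. Each attempt runs in its own thread;
    the next attempt starts `delay` seconds later, or at once if the previous one
    already failed. Returns (address, connection) for the first success and closes
    late winners. Raises OSError when every address fails. `connect(addr, port)`
    is injectable so the race logic can run offline; the default is a real TCP connect."""
    if connect is None:
        def connect(addr, p):
            return socket.create_connection((addr, p), timeout=timeout)

    results = queue.Queue()
    done = threading.Event()

    def attempt(addr):
        try:
            conn = connect(addr, port)
        except OSError as exc:
            results.put((addr, None, exc))
            return
        if done.is_set():          # another attempt won while this one was connecting
            conn.close()
            return
        results.put((addr, conn, None))

    failures = {}
    started = outstanding = 0
    next_launch = time.monotonic()
    give_up = next_launch + timeout + delay * len(addresses)
    while started < len(addresses) or outstanding > 0:
        now = time.monotonic()
        if now > give_up:
            break
        if started < len(addresses) and now >= next_launch:
            threading.Thread(target=attempt, args=(addresses[started],), daemon=True).start()
            started += 1
            outstanding += 1
            next_launch = now + delay
        wait = (next_launch - now) if started < len(addresses) else (give_up - now)
        try:
            addr, conn, exc = results.get(timeout=max(wait, 0.0))
        except queue.Empty:
            continue
        outstanding -= 1
        if conn is not None:
            done.set()
            while True:            # close anything that completed in the same instant
                try:
                    _, late, _ = results.get_nowait()
                except queue.Empty:
                    break
                if late is not None:
                    late.close()
            return addr, conn
        failures[addr] = exc
        next_launch = time.monotonic()   # a failure frees the slot: try the next address now
    raise OSError(f"no address of {addresses} accepted a connection: {failures}")


class FakeConnection:
    """Stand-in for a socket so the race can be exercised offline (demo scaffolding)."""
    def __init__(self, addr):
        self.addr, self.closed = addr, False

    def close(self):
        self.closed = True


def simulated_connect(behaviour):
    """behaviour maps address -> seconds until success, "refused" (immediate RST),
    or "blackhole" (packets silently dropped: the attempt hangs, then times out)."""
    def connect(addr, port):
        what = behaviour[addr]
        if what == "refused":
            raise ConnectionRefusedError(f"{addr}:{port} refused")
        if what == "blackhole":
            time.sleep(1.0)
            raise socket.timeout(f"{addr}:{port} timed out")
        time.sleep(what)
        return FakeConnection(addr)
    return connect


def run_scenario(behaviour, port=443):
    """Race the addresses in `behaviour` (constructed data) and report the winner
    and the elapsed seconds; the connection is closed before returning."""
    t0 = time.monotonic()
    addr, conn = race_connect(list(behaviour), port, connect=simulated_connect(behaviour))
    conn.close()
    return addr, time.monotonic() - t0


if __name__ == "__main__":
    # First address is the one a NAT refuses to hairpin: it black-holes. The race
    # still completes in well under a second without any help from DNS.
    print(run_scenario({"203.0.113.10": "blackhole", "192.0.2.20": 0.05}))
```

The order of the dictionary is the address preference order the resolver returned; nothing about the TTL matters, and a dead address costs at most one stagger interval. Because the decision is made at connect() time it reflects the path the client itself has (the NAT hairpin case raised elsewhere in the thread included), which is exactly what a DNS answer chosen on the server side cannot know.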
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
In message 4de42bef.3050...@chrysler.com, Kevin Darcy writes: Get back to us when you prove that this co-exists with DNSSEC; otherwise it's a non-starter. While you're at it, some data proving that this actually enhances performance or availability would be nice too. On further examination it will work w/ DNSSEC. As for availability, it will decrease it as there is no way the client can do the failover for itself as it no longer has the necessary data. As for performance, your mileage may vary, as they say in car commercials. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
Normally I'd defer to your vastly greater knowledge and experience in DNSSEC, but here in the U.S. we have a saying, "I'm from Missouri", which is a roundabout way of expressing "show me" ("Show Me" being the unofficial slogan of the state of Missouri). Maybe it *should* work, but when it comes to nifty technical hacks, until co-existence is actually demonstrated, I still think there might be a gotcha somewhere... - Kevin P.S. Don't even get me started on car commercials. I've seen a few that never even made it to the public eye :-) On 5/30/2011 8:18 PM, Mark Andrews wrote: In message 4de42bef.3050...@chrysler.com, Kevin Darcy writes: Get back to us when you prove that this co-exists with DNSSEC; otherwise it's a non-starter. While you're at it, some data proving that this actually enhances performance or availability would be nice too. On further examination it will work w/ DNSSEC. As for availability, it will decrease it as there is no way the client can do the failover for itself as it no longer has the necessary data. As for performance, your mileage may vary, as they say in car commercials. Mark
Re: DNS Racing -Multi ISP load balancing with failover using DNS.
In message 4de43e3e.2040...@chrysler.com, Kevin Darcy writes: Normally I'd defer to your vastly greater knowledge and experience in DNSSEC, but here in the U.S. we have a saying, "I'm from Missouri", which is a roundabout way of expressing "show me" ("Show Me" being the unofficial slogan of the state of Missouri). Maybe it *should* work, but when it comes to nifty technical hacks, until co-existence is actually demonstrated, I still think there might be a gotcha somewhere... This happens all the time whenever a signed zone's content changes. You have different servers returning different answers for the same query, all of which can be validated as secure. DNSSEC requires that the data and signature pass through the system as an atomic unit. DNSSEC aware servers and resolvers keep this data together. If you don't, things break. DNS Race just keeps the answers permanently out of sync instead of the temporary condition that happens with normal updates. Mark - Kevin P.S. Don't even get me started on car commercials. I've seen a few that never even made it to the public eye :-) -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Split DNS Configuration in BIND
It's very simple. If you know basic firewall concepts: we will configure source NATing from the public IP address to the website's original private address in the firewall. So when any users from the internet access my company website, they will obviously get the public IP of my company website, and once they get the IP address from DNS, they can contact the website using source NATing in the firewall. Here my concern is not with NATing or the firewall. My basic requirement is how can I configure split DNS to maintain two different IP addresses for the same website. Regards BaBU --- On Tue, 31/5/11, Doug Barton do...@dougbarton.us wrote: From: Doug Barton do...@dougbarton.us Subject: Re: Split DNS Configuration in BIND To: babu dheen babudh...@yahoo.co.in Cc: bind-users@lists.isc.org Date: Tuesday, 31 May, 2011, 12:50 AM On 05/29/2011 23:17, babu dheen wrote: We have DNS record called mail.company.com which is hosted in internal company LAN network. When any users try to access mail.company.com in browser, they will get private IP address and immediately they will get mail.company.com website home page whereas if any of my company users try to access the mail.company.com website from internet(outside company), they should get public IP address which should be pointed to mail.company.com website. It's not clear to me from this description why you need 2 different IP addresses for the same resource. -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
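The configuration Babu is asking for, as an added example that is not taken from the thread: two BIND views of the same zone name, selected by the source address of the querying client. The internal network (10.0.0.0/8), the two addresses of the mail host (10.0.0.25 inside, 203.0.113.25 outside) and the file paths are assumptions. Once any view is defined, every zone statement in named.conf must live inside a view; views are matched in order, so the catch-all external view goes last.

```conf
// named.conf (fragment): split-horizon company.com with BIND views.
// Assumed addresses and paths; adjust to the real network.

acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                  // LAN clients may use this server as a resolver
    zone "company.com" {
        type master;
        file "/var/named/company.com.internal";
    };
};

view "external" {
    match-clients { any; };         // everything that did not match "internal"
    recursion no;                   // never recurse for the Internet at large
    zone "company.com" {
        type master;
        file "/var/named/company.com.external";
    };
};

// The two zone files share the SOA, NS and MX data and differ only in the
// address records (remember to bump the serial in both when you change them):
//   company.com.internal:   mail  IN  A  10.0.0.25
//   company.com.external:   mail  IN  A  203.0.113.25
```

match-clients is an address-based heuristic, not authentication: anything that can source packets from the internal range (a spoofed UDP query, a compromised workstation, a misconfigured forwarder) gets the internal answers, so the internal view should contain nothing that is secret rather than merely private. Each view serves its own copy of the zone, so a DNSSEC-signed company.com has to be signed in both views, and a resolver that can reach both (for example a laptop whose source address changes when a VPN comes up) will see exactly the inconsistent-but-validly-signed answers Alan and Mark describe earlier in the thread. Verify with named-checkconf before reloading, then from a host on each side run dig @ns1.company.com mail.company.com A and confirm you get the address you expect for that side.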