RE: how to hidden the salve

2014-02-25 Thread houguanghua
Sorry.  My description isn't very clear.
 
The local dns server isn't a stealth slave. I need a stealth slave and the 
local dns server can query it when all public NSs are out of service.
 
Thanks!
Guanghua 
 


Re: how to hidden the salve

2014-02-25 Thread Kevin Darcy
If you have zone-transfer permission, make a stealth slave. That, plus a 
static-stub definition on your local server, and you're set.


Or, to simplify things even further, make the local server the stealth 
slave (this makes some assumptions about your connectivity to the 
authoritative nameservers for the zone).


- Kevin
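
Added example (not part of the original posts, and not taken from any poster's servers): the setup suggested above, written out as named.conf fragments for the three machines involved. All addresses are documentation placeholders, example.com stands in for the zone, and the file paths are assumptions; `slave` and `masters` are the keywords in use at the time of the thread.

```conf
// ---------------------------------------------------------------
// 1) Master (published authoritative server), assumed 192.0.2.1
// ---------------------------------------------------------------
zone "example.com" {
    type master;
    file "zones/example.com.db";           // assumed path
    // NOTIFY normally goes only to servers listed in the zone's NS
    // records; also-notify adds the unpublished (stealth) slave.
    also-notify { 198.51.100.10; };
    // Only the stealth slave may transfer the zone from here. A TSIG
    // key can be used in this list instead of a bare address.
    allow-transfer { 198.51.100.10; };
};

// ---------------------------------------------------------------
// 2) Stealth slave, assumed 198.51.100.10
//    It holds a full copy of the zone but has no NS record in it.
// ---------------------------------------------------------------
options {
    recursion no;                          // authoritative answers only
    allow-query { 203.0.113.53; };         // only the local resolver may ask
    allow-transfer { none; };              // nobody transfers from the copy
};
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.db";          // assumed path
    notify no;                             // do not announce itself further
};

// ---------------------------------------------------------------
// 3) Local recursive server, assumed 203.0.113.53
// ---------------------------------------------------------------
// static-stub sends queries for this zone to the listed addresses
// instead of following the delegation from the parent zone. It applies
// to every query for the zone, not only when the published servers
// are unreachable.
zone "example.com" {
    type static-stub;
    server-addresses { 198.51.100.10; };
};

// Alternative from the same reply: make the local server itself the
// stealth slave. Fragments 2 and 3 are then replaced by this single
// zone on the local server, and the master's also-notify and
// allow-transfer lists name 203.0.113.53 instead.
//
// zone "example.com" {
//     type slave;
//     masters { 192.0.2.1; };
//     file "slaves/example.com.db";
// };
```

Each fragment belongs in that machine's own named.conf, and named-checkconf can be used to parse the file before reloading.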


Re: how to hidden the salve

2014-02-24 Thread houguanghua
Dan,
 
Yes, also-notify can hide the slave name server.  But local dns server can't 
know where is 'stealth' slave too.
 
Thanks,
Guanghua
 

Date: Fri, 21 Feb 2014 07:50:05 -0600
From: Daniel McDonald dan.mcdon...@austinenergy.com
To: Untitled bind-users@lists.isc.org
Subject: Re: bind-users Digest, Vol 1769, Issue 1
Message-ID: cf2cb5ad.6ae8e%dan.mcdon...@austinenergy.com
Content-Type: text/plain;   charset=US-ASCII
 
On 2/21/14 3:39 AM, houguanghua houguang...@hotmail.com wrote:
 
 kevin,
  
 How does the local name server learn where is the 'stealth' slave? For the
 'stealth' slave isn't in the NS records.
 
Also-notify directive.  Either in an options stanza or a zone stanza.
 
  
 thanks,
 Guanghua
 
-- 
Daniel J McDonald,  CISSP # 78281
 
 
 

Re: how to hidden the salve

2014-02-24 Thread Kevin Darcy
I guess I'm still not understanding your requirements. In my thinking, 
the local DNS server would *be* a stealth slave. Why are you considering 
these as 2 separate instances?


- Kevin


Re: how to hidden the salve

2014-02-20 Thread Kevin Darcy
A stealth slave has a full copy of the zone, is not published in the 
NS records, and can resolve names in the latest copy of the zone that it 
transferred, even if all of the published NSes are down due to a DDoS 
attack.


So, does that not meet the requirements?

- Kevin

On 2/20/2014 1:28 AM, houguanghua wrote:
Stealth slave doesn't fully meet the requirement. It's just part of
the requirement to not publish the slave name server in the NS
records. Furthermore, the 'stealth' slave is queried by local DNS
server only when all name servers in the NS records are out of service
(maybe in case of ddos attack).

Guanghua
--
On 2/19/2014 11:54  AM,  Kevin wrote:
Date: Wed, 19 Feb 2014 11:54:44 -0500
From: Kevin Darcy k...@chrysler.com
To: bind-users@lists.isc.org
Subject: Re: how to modify the cache
Message-ID: 5304e1d4.5000...@chrysler.com


Not a good solution. Even under normal circumstances, there will be
temporary bottlenecks, dropped packets, etc. that will trigger failover
and users will get different answers at different times. Not good for
support, maintainability, user experience/satisfaction, etc.

If all you want is resilience, and you own/control the domain in
question, why not just slave it (stealth slave, i.e. you don't need to
publish it in the NS records)?

If you *don't* own/control the domain in question, what business do you
have standing up a fake version of it in your own infrastructure? Not
a best practice.

- Kevin

On 2/19/2014 4:51 AM, houguanghua wrote:
 Steven,

 Your solution is very good. It can forward the queries to
 the specified name servers first.

 But if the specified name server is enabled only when normal dns query
 process is down. How to configure the local DNS server? The detailed
 scenario is described in the figure below:



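                      ------------
                     |    Root    |
                     | nameServer |
                      ------------
                            /
                        (2)/
                          /
  ----------          ------------             ------------
 |  Client  | __(1)\ |   Local    | ___(3)__\ | Authority  |
 | Resolver |      / | DNS Server |    X    / | DNS Server |
  ----------          ------------             ------------
                          \
                           \(4)
                            \
                             \
                      ------------
                     |   Hidden   |
                     | DNS Server |
                      ------------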


 Normally,
 1) An internet user wants to access www.abc.com,
 a DNS request is sent to local DNS server
 2) Local DNS server queries the root name server, the .com name
 server to get the Authority Name Server of abc.com
 3) local DNS server queries the Authority name server, and gets the IP

 But when the Authority name server is down, the internet user won't
 get the IP address. My solution is as follows:
 a) A hidden name server with low performance is deployed. When
 authority name server can't be accessed, local dns server will access
 the hidden server.
 b) The hidden server is never used in normal situation. It acts as
 a cold backup for authority name server.
 c) The zone file in the hidden server is the same as that
 configuration in the authority name server
 d) The hidden name server doesn't appear in the NS records
 of authority name server

 Btw, all above doesn't consider the cache in the local dns server.


 Best Regards,
 Guanghua


  Date: Mon, 17 Feb 2014 09:09:13 +
  Subject: Re: how to modify the cache
  From: sjc...@gmail.com
  To: houguang...@hotmail.com
  CC: bind-users@lists.isc.org
 
  On 17 February 2014 01:17, houguanghua houguang...@hotmail.com wrote:
   I want to override the IP address of NS, for I want to use other authority
   DNS which isn't registered.
 
  For that you use forwarding. Create a zone statement for the zone in
  question and forward the queries to a different name server. You don't
  need to mess with the cache.
 
  https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: how to hidden the salve

2014-02-19 Thread houguanghua



Stealth slave doesn't fully meet the requirement. It's just part of the
requirement to not publish the slave name server in the NS records.
Furthermore, the 'stealth' slave is queried by local DNS server only when all name
servers in the NS records are out of service (maybe in case of ddos attack).

Guanghua