On 7/28/10, I wrote:

>> I have a BIND config question. First some history.
>>
>> My initial two DNS servers (A and B) had three NICs and three IP
>> addresses. Then I installed two additional servers (C and D),
>> each with one NIC; each server has one base address and one DNS address.
>> All four servers run Solaris. When I installed C and D, I placed in
>> the config file
>>
>>     query-source address <dns-address>;
>>     transfer-source <dns-address>;
>>     notify-source <dns-address>;
>>
>> Then we changed servers A and B to new hardware, and we have, in
>> addition to the three NICs each, a base, non-DNS address for each.
>> We made no config file changes, and no users have reported problems.
>> These "new" servers A and B have been running for a few years.
>>
>> Now I am converting all four servers to an Ubuntu platform, and I am
>> revisiting the config file. In looking through various firewall and
>> DNS query logs, I see that machines A and B are using the non-DNS
>> and queries to the hidden BIND master via the non-DNS addresses.
>> The Internet queries are being blocked at the firewall because we do
>> not allow non-registered DNS addresses to send DNS queries to the
>> Internet, and the non-DNS addresses have no firewall conduits.
>> I can add the three options directives above, as I have done on servers
>> C and D, but the ARM seems to imply that I can list only one address
>> in each directive, and I have three DNS addresses for each server.
>>
>> BIND is 9.7.x on all machines. Does anyone have suggestions?
>> Thanks.

and Chris Buxton <chris.p.bux...@gmail.com> replied:

> Why do you need 3 DNS interfaces on one box? Why do you need the extra
> interface?
>
> Perhaps you could simplify, or split the three addresses across
> multiple hosts, or even run multiple instances of named on each box.

Historical. The DNS servers serve three Class-B subnets, and it was decided when the servers were placed in production many years ago that they should have an address on each of the Class-B subnets. One of the subnets had a /22 that was used for buildings on campus that did not have IP connectivity; they got their IP via the phone system copper and a device plugged in to the phone jack. We had to have a DNS server on that /22.

We have decided that since we can only place one address in the

    query-source address <dns-address>;
    transfer-source <dns-address>;
    notify-source <dns-address>;

statements, we will choose one of the three addresses on each server and use it. I believe that it makes no difference if we use the same address in each of the three statements, or if we use a different address in each.

----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 240, Room 5.B.8
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: bsfin...@anl.gov
IBMMAIL: I1004994

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
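A small check for the situation described in this thread, added here as an example and not code from the thread or from BIND: it reads the three outbound-source directives out of a named.conf options block and flags any that is unset (so named would send from whichever local address the OS routing picks, including a non-registered one), points at an address the firewall does not know, or pins a fixed source port (which turns off BIND's source-port randomization). The sample config and the set of registered addresses are constructed using RFC 5737 documentation ranges.

```python
import re

# Constructed sample options block (documentation addresses, not the thread's real ones).
# Three registered DNS addresses are listened on; outbound source is pinned to one of them,
# but notify-source also fixes the port, which is the pitfall the check should catch.
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.10; 198.51.100.10; 203.0.113.10; 192.0.2.250; };
    query-source address 192.0.2.10;
    transfer-source 192.0.2.10;
    notify-source 192.0.2.10 port 53;
};
"""

# Constructed: a config that sets none of the three directives.
UNPINNED_CONF = 'options { directory "/var/cache/bind"; };'

# Addresses the firewall allows to send DNS to the Internet (constructed).
REGISTERED = {"192.0.2.10", "198.51.100.10", "203.0.113.10"}

SOURCE_DIRECTIVES = ("query-source", "transfer-source", "notify-source")

def parse_sources(conf_text):
    """Return {directive: (address, port_or_None)} for the IPv4 outbound-source directives.
    The 'address' keyword is optional for query-source and absent for the other two."""
    found = {}
    for name in SOURCE_DIRECTIVES:
        pattern = r'\b' + name + r'\s+(?:address\s+)?([\d.]+|\*)(?:\s+port\s+(\d+|\*))?\s*;'
        m = re.search(pattern, conf_text)
        if m:
            found[name] = (m.group(1), m.group(2))
    return found

def check_sources(conf_text, registered):
    """Return a list of problem strings; an empty list means the config is as intended."""
    problems = []
    sources = parse_sources(conf_text)
    for name in SOURCE_DIRECTIVES:
        if name not in sources:
            problems.append(f"{name}: not set; named may send from any local address")
            continue
        addr, port = sources[name]
        if addr == "*" or addr not in registered:
            problems.append(f"{name}: {addr} is not a registered DNS address")
        if port not in (None, "*"):
            problems.append(f"{name}: fixed port {port} disables source-port randomization")
    return problems

if __name__ == "__main__":
    for line in check_sources(SAMPLE_CONF, REGISTERED) or ["all source directives OK"]:
        print(line)
```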