Thanks kevin. I'll try static-stub.

> Date: Tue, 25 Feb 2014 10:56:11 -0500
> From: Kevin Darcy <k...@chrysler.com>
> To: bind-users@lists.isc.org
> Subject: Re: how to hidden the salve
> Message-ID: <530cbd1b.1060...@chrysler.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> If you have zone-transfer permission, make a stealth slave. That, plus a
> static-stub definition on your "local" server, and you're set.
>
> Or, to simplify things even further, make the "local" server the stealth
> slave (this makes some assumptions about your connectivity to the
> authoritative nameservers for the zone).
>
> - Kevin
>
> On 2/25/2014 9:49 AM, houguanghua wrote:
> > Sorry. My description isn't very clear.
> >
> > The local dns server isn't a stealth slave. I need a stealth slave and
> > the local dns server can query it when all public NSs are out of service.
> >
> > Thanks!
> > Guanghua
> >
> >
> > > Date: Mon, 24 Feb 2014 13:41:03 -0500
> > > From: Kevin Darcy <k...@chrysler.com>
> > > To: bind-users@lists.isc.org
> > > Subject: Re: how to hidden the salve
> > > Message-ID: <530b923f.8070...@chrysler.com>
> > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> > >
> > > I guess I'm still not understanding your requirements. In my thinking,
> > > the local DNS server would *be* a stealth slave. Why are you considering
> > > these as 2 separate instances?
> > >
> > > - Kevin
> > >
> > > On 2/24/2014 9:56 AM, houguanghua wrote:
> > > > Dan,
> > > >
> > > > Yes, also-notify can hide the slave name server. But local dns server
> > > > can't know where is 'stealth' slave too.
> > > >
> > > > Thanks,
> > > > Guanghua
> > > >
> > > > ------------------------------------
> > > > Date: Fri, 21 Feb 2014 07:50:05 -0600
> > > > From: Daniel McDonald <dan.mcdon...@austinenergy.com>
> > > > To: Untitled <bind-users@lists.isc.org>
> > > > Subject: Re: bind-users Digest, Vol 1769, Issue 1
> > > > Message-ID: <cf2cb5ad.6ae8e%dan.mcdon...@austinenergy.com>
> > > > Content-Type: text/plain; charset="US-ASCII"
> > > >
> > > > On 2/21/14 3:39 AM, "houguanghua" <houguang...@hotmail.com> wrote:
> > > >
> > > > > kevin,
> > > > >
> > > > > How does the local name server learn where is the 'stealth' slave?
> > > > > For the 'stealth' slave isn't in the NS records.
> > > >
> > > > Also-notify directive. Either in an options stanza or a zone stanza.
> > > >
> > > > >
> > > > > thanks,
> > > > > Guanghua
> > > >
> > > > --
> > > > Daniel J McDonald, CISSP # 78281
> > > >
> > > >
> > > > > Date: Thu, 20 Feb 2014 10:48:36 -0500
> > > > > From: Kevin Darcy <k...@chrysler.com>
> > > > > To: bind-users@lists.isc.org
> > > > > Subject: Re: how to hidden the salve
> > > > > Message-ID: <530623d4.3000...@chrysler.com>
> > > > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
> > > > >
> > > > > A "stealth" slave has a full copy of the zone, is not published in the
> > > > > NS records, and can resolve names in the latest copy of the zone that it
> > > > > transferred, even if all of the published NSes are down due to a DDoS
> > > > > attack.
> > > > >
> > > > > So, does that not meet the requirements?
> > > > >
> > > > > - Kevin
> > > > >
> > > > > On 2/20/2014 1:28 AM, houguanghua wrote:
> > > > > > "Stealth" slave doesn't fully meet the requirement. It's just part of
> > > > > > the requirement to not publish the slave name server in the NS
> > > > > > records.
> > > > > > Furthermore, the 'stealth' slave is queried by local DNS
> > > > > > server only when all name servers in the NS records are out of service
> > > > > > (maybe in case of ddos attack).
> > > > > > Guanghua
> > > > > > ------------------------------
> > > > > > On 2/19/2014 11:54 AM, Kevin wrote:
> > > > > > Date: Wed, 19 Feb 2014 11:54:44 -0500
> > > > > > From: Kevin Darcy <k...@chrysler.com>
> > > > > > To: bind-users@lists.isc.org
> > > > > > Subject: Re: how to modify the cache
> > > > > > Message-ID: 5304e1d4.5000...@chrysler.com
> > > > > >
> > > > > > Not a good solution. Even under "normal" circumstances, there will be
> > > > > > temporary bottlenecks, dropped packets, etc.. that will trigger failover
> > > > > > and users will get different answers at different times. Not good for
> > > > > > support, maintainability, user experience/satisfaction, etc.
> > > > > >
> > > > > > If all you want is resilience, and you own/control the domain in
> > > > > > question, why not just slave it ("stealth" slave, i.e. you don't need to
> > > > > > publish it in the NS records)?
> > > > > >
> > > > > > If you *don't* own/control the domain in question, what business do you
> > > > > > have standing up a "fake" version of it in your own infrastructure? Not
> > > > > > a best practice.
> > > > > >
> > > > > > - Kevin
> > > > > >
> > > > > > On 2/19/2014 4:51 AM, houguanghua wrote:
> > > > > > > Steven,
> > > > > > >
> > > > > > > Your solution is very good. It can forward the queries to
> > > > > > > the specified name servers first.
> > > > > > >
> > > > > > > But if the specified name server is enabled only when normal dns query
> > > > > > > process is down. How to configure the local DNS server?
> > > > > > > The detailed scenario is described in below figure:
> > > > > > >
> > > > > > >                                  --------------
> > > > > > >                                 |     Root     |
> > > > > > >                                 |  nameServer  |
> > > > > > >                               /  --------------
> > > > > > >                           (2)/
> > > > > > >                             /
> > > > > > >  ----------            ------------              ------------
> > > > > > > | Client   | __(1)__\ | Local      | ___(3)___\ | Authority  |
> > > > > > > | Resolver |        / | DNS Server |     X    / | DNS Server |
> > > > > > >  ----------            ------------              ------------
> > > > > > >                             \
> > > > > > >                              \(4)
> > > > > > >                               \
> > > > > > >                                \  ------------
> > > > > > >                                  | Hidden     |
> > > > > > >                                  | DNS Server |
> > > > > > >                                   ------------
> > > > > > >
> > > > > > > Normally,
> > > > > > > 1) An internet user wants to access www.abc.com,
> > > > > > > a DNS request is sent to local DNS server
> > > > > > > 2) Local DNS server queries the root name server, the .com name
> > > > > > > server to get the Authority Name Server of abc.com
> > > > > > > 3) local DNS server queries the Authority name server, and gets the IP
> > > > > > >
> > > > > > > But when the Authority name server is down, the internet user won't
> > > > > > > get the IP address. My solution is as follows:
> > > > > > > a) A hidden name server with low performance is deployed. When
> > > > > > > authority name server can't be accessed, local dns server will access
> > > > > > > the hidden server.
> > > > > > > b) The hidden server is never used in normal situation. It acts as
> > > > > > > a cold backup for authority name server.
> > > > > > > c) The zone file in the hidden server is the same as that
> > > > > > > configuration in the authority name server
> > > > > > > d) The hidden name server doesn't appear in the NS records
> > > > > > > of authority name server
> > > > > > >
> > > > > > > Btw, all above doesn't consider the cache in the local dns server.
> > > > > > >
> > > > > > > Best Regards,
> > > > > > > Guanghua
> > > > > > >
> > > > > > > > Date: Mon, 17 Feb 2014 09:09:13 +0000
> > > > > > > > Subject: Re: how to modify the cache
> > > > > > > > From: sjc...@gmail.com
> > > > > > > > To: houguang...@hotmail.com
> > > > > > > > CC: bind-users@lists.isc.org
> > > > > > > >
> > > > > > > > On 17 February 2014 01:17, houguanghua <houguang...@hotmail.com> wrote:
> > > > > > > > > I want to override the IP address of NS, for I want to use other authority
> > > > > > > > > DNS which isn't registered.
> > > > > > > >
> > > > > > > > For that you use forwarding. Create a zone statement for the zone in
> > > > > > > > question and forward the queries to a different name server. You don't
> > > > > > > > need to mess with the cache.
> > > > > > > >
> > > > > > > > https://mknowles.com.au/wordpress/2009/07/20/bind-forwarding-zone/
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140225/e71ee1a6/attachment.html>
>
> ------------------------------
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
> End of bind-users Digest, Vol 1772, Issue 2
> *******************************************
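
The setup suggested in the thread (a stealth slave plus a static-stub zone on the "local" server), written out as named.conf fragments for the three hosts. This is an added example, not configuration posted by anyone in the thread: the zone name abc.com comes from the thread, while the addresses (documentation ranges), file names and three-host layout are assumptions.

```conf
// --- Authoritative master (assumed address 198.51.100.1) ---
zone "abc.com" {
    type master;
    file "abc.com.zone";                 // assumed file name
    allow-transfer { 192.0.2.53; };      // zone-transfer permission for the stealth slave
    also-notify { 192.0.2.53; };         // slave has no NS record, so NOTIFY it explicitly
};

// --- Stealth slave (assumed address 192.0.2.53, absent from the NS records) ---
zone "abc.com" {
    type slave;
    masters { 198.51.100.1; };
    file "slaves/abc.com.zone";          // assumed file name
    notify no;                           // nothing downstream to notify
    allow-transfer { none; };            // do not hand the zone on to anyone else
    allow-query { 192.0.2.10; };         // answer only the local resolver
};

// --- Local resolver (assumed address 192.0.2.10) ---
zone "abc.com" {
    type static-stub;
    server-addresses { 192.0.2.53; };    // resolve abc.com through the stealth slave
};
```

With static-stub the local server always resolves abc.com through the stealth slave, not only after the published name servers stop answering. The slave keeps serving its last transferred copy of the zone until the SOA expire timer runs out.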