On 29 April 2014 07:06, houguanghua <houguang...@hotmail.com> wrote:
> hi kevin,
>
> Stealth slaves can't be used as backup NS server. This backup server can't
> be accessed by all internet users.
> It can only be accessed by users from one ISP. It's used when all authority
> NSs are down, especially in case of DDoS attack.
>
> Guanghua Hou

That's not how DNS works, DNS is a distributed system for that precise reason. Why would you only want users of a single ISP to be able to resolve a domain if the primary nameservers are down?

What happens if the primary nameservers are down for more than SOA Expire time? Your secondaries will stop serving the zone anyway as they haven't been able to refresh it from the primary master.

You asked this same question a few months ago without explaining why you are wanting to do this and got roughly the same answers.

If you own the zone and know the IP address range used by the ISP then you can create a separate view that contains your additional nameserver that no one else will know about, though they still might not be able to access it if the primary nameserver is down and the additional nameserver isn't in the parent's glue records (clients wouldn't be able to find it).

But if you don't own the zone then there is nothing you can do, it's not your zone to mess with.

If you're trying to mitigate DDoS look at bigger boxes, faster bandwidth, packet filtering and DNS Anycast.

Steve
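
The separate-view setup mentioned in the reply above, written as a BIND `named.conf` fragment. This is an added example, not configuration posted in the thread; the zone name `example.com`, the address range `198.51.100.0/24`, the file paths and the host `ns-extra.example.com` are placeholders.

```conf
// Added example. All names, paths and addresses below are placeholders.
acl "isp-clients" {
    198.51.100.0/24;        // assumed: the ISP's client address range
};

options {
    directory "/var/named";
    recursion no;           // authoritative-only server
};

// Views are tried in order and the first match wins, so the narrower
// view comes first. Once any view is defined, every zone must be
// declared inside a view.
view "isp" {
    match-clients { "isp-clients"; };

    zone "example.com" {
        type master;
        // Same records as the public copy plus one NS record (and its
        // address record) for the additional nameserver, for example:
        //   @         IN NS  ns-extra.example.com.
        //   ns-extra  IN A   <address of the additional server>
        file "zones/isp/example.com.db";
    };
};

view "public" {
    match-clients { any; };

    zone "example.com" {
        type master;
        file "zones/public/example.com.db";   // published NS set only
    };
};

// Limits raised in the reply still apply:
//  - The extra NS record is only seen in answers this server gives to
//    ISP clients. It is not in the parent's delegation or glue, so a
//    resolver that has not already cached it cannot find it while this
//    server is unreachable.
//  - If the additional nameserver is a slave of this view, it stops
//    serving the zone once SOA Expire passes without a refresh.
```

Run `named-checkconf` on the file before reloading `named`.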