On Thursday 08 March 2007 14:27, Uri Even-Chen wrote:
> On 3/8/07, Oded Arbel <[EMAIL PROTECTED]> wrote:
> > What are you using a name server for ?
> > * If you are using a name server to provide DNS services to your own
> > local network, then you better reference the main root servers.
>
> No.
>
> > * If you are using a name server to cache DNS queries for local
> > processes ("caching name server") then you should forward all real
> > requests to your ISP's DNS - same as what a regular process would do.
>
> Yes.

This goes to Oded, rather than Uri. Below it there is something for Uri as well.

<Oded>
I do not see what the technical difference is between these two. The real life difference is that the clients of the first name server are devices on the net on which this NS is on, while the clients of the second are processes on the same machine. Both are caching-only (if they do not have local zones on them), and the choice to use forwarders is a matter of getting faster results, while risking less redundancy, and possible stale cached data for a while.
</Oded>

> My DNS server is both an authoritative name server for my domain names,
> and also a caching name server for all other domain names. I also
> have a mail server, which uses my DNS server to resolve domain names.
> And also, my ISP has only 2 DNS servers, and I don't want to rely
> completely only on them. If both of them don't work, I still want my
> server to work. I'm using my 2 ISP DNS servers also as secondary name
> servers for some of my domain names (such as speedy.net), and as
> caching name servers for the rest of my domain names (such as
> pazgal.com) - that is, they are listed as authoritative name servers
> although they are not. It works fine (they return a correct
> non-authoritative answer). When I shut down my DNS server, the domain
> names such as speedy.net resolve fine, while domain names such as
> pazgal.com do not (depends on the cache).

The right way (well, I am not Paul Vixie but, this is the general consensus) is to split the DNS setup into the following:

1. Authoritative, a set of name servers that only respond to queries of data sets that are local to them. Used for you and others around the world to know about stuff in your domains/zones. These have port 53 of both tcp and udp open to your network and to the world.

2. Caching only, used for your network to resolve stuff that is foreign to your own zones. These are not accessible from the world, and are only accessible to you/your clients.

The idea is that all your applications/computers/devices will have the caching only NS defined as their resolver (with a backup to 1-2 ISP based NSs that are available to you due to buying transit from them).

As for some more quirks, for larger installations, when you have a few slaves (secondaries) of your authoritative server, it is customary to use something called a stealth master. Usually, in a larger organization, there is one machine that gets the data from all kinds of apps, like CRM, provisioning, automated scripts and local data, and makes it into the zones served by your NS. This name server is also an application server, as it loads, recreates and changes zones as part of its job. This server had better remain unknown to the public, and since the name server on it is sometimes restarted, it would also affect people querying it. In this case, you run a "stealth master" on it. This means that this name server doesn't appear in your zone as an NS record, nor do you register it with your DNS provider. Its job is to serve the zones to the slaves (secondaries), which designate it as the master in their named.conf.

> > > P.S. How do I check which version of BIND I'm using?
> >
> > I usually do rpm -q bind, why ? what do you do ?

/path/to/named -v (usually /usr/sbin/named in Linux). Like:

/usr/sbin/named -v
BIND 9.3.1

--Ariel

-- 
Ariel Biener
e-mail: [EMAIL PROTECTED]
PGP: http://www.tau.ac.il/~ariel/pgp.html
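The split Ariel describes, written out as BIND 9 named.conf fragments for the three roles: the stealth master that builds the zones, the public authoritative secondaries that the NS records point at, and the internal caching-only resolver with the ISP's servers as forwarders. This is an added example, not Ariel's or the list's own configuration; example.org, the 192.0.2.x and 198.51.100.x addresses (RFC 5737 documentation ranges standing in for the organization's and the ISP's servers) and the file paths are placeholders.

```conf
// ===== File 1: named.conf on the STEALTH MASTER (internal only) =====
// Holds the editable zone data (rebuilt from CRM/provisioning scripts) and
// feeds the public secondaries. It is not listed as an NS record anywhere.
options {
    directory "/var/named";
    recursion no;                              // authoritative data only, never recurses
    allow-query { 192.0.2.0/24; };             // placeholder: our own network, not the world
    allow-transfer { 192.0.2.53; 192.0.2.54; }; // only the public secondaries may AXFR/IXFR
    notify explicit;                           // NOTIFY only the servers in also-notify
    also-notify { 192.0.2.53; 192.0.2.54; };   // the NS-record servers get told of changes
};
zone "example.org" {
    type master;
    file "master/example.org";                 // placeholder path; NS records name only ns1/ns2
};

// ===== File 2: named.conf on a PUBLIC AUTHORITATIVE secondary (ns1/ns2) =====
// Answers the world for our zones and nothing else.
options {
    directory "/var/named";
    recursion no;                              // refuse recursion: no open resolver to abuse
    allow-query { any; };                      // tcp/udp 53 open for our zones
    allow-transfer { none; };                  // nobody pulls zones from the public side
};
zone "example.org" {
    type slave;
    file "slaves/example.org";
    masters { 192.0.2.10; };                   // placeholder: the stealth master above
};

// ===== File 3: named.conf on the internal CACHING-ONLY resolver =====
// Clients point at this; it is not reachable from the world.
options {
    directory "/var/named";
    recursion yes;
    allow-query { localnets; localhost; };     // only the networks this host sits on
    allow-recursion { localnets; localhost; };
    forwarders { 198.51.100.1; 198.51.100.2; }; // placeholders: the ISP's two resolvers
    forward first;                             // ask the ISP first; if they do not answer,
                                               // resolve from the root servers ourselves
};
zone "." {
    type hint;
    file "named.ca";                           // root hints, needed for the fallback
};
```

`forward first` (rather than `forward only`) covers Uri's worry about the ISP's two resolvers being down: when the forwarders stop responding, the caching server falls back to full iterative resolution from the root hints. The `allow-recursion`/`recursion no` lines are what keep the caching role off the Internet-facing servers, so an outsider cannot use them as an open resolver. Each file can be checked for syntax with `named-checkconf` before restarting named.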