LinuxQuestions.org
Old 12-01-2003, 08:55 AM   #1
tusher
Member
 
Registered: Aug 2003
Distribution: RedHat
Posts: 36

Rep: Reputation: 15
Question DNS related question


Hi,

I got to set up a DNS server for an ISP; I need my nameserver to resolve the outbound as well as
inbound queries. From the "TLDP howto" (http://www.tldp.org/HOWTO/DNS-HOWTO.html) I am a little bit
confused by hearing resolving, caching, etc. name server.

I know that the name server caching outbound queries is known as a caching-only nameserver, and another
aspect of a nameserver is "forwarding" - this can forward the outbound query to another nameserver,
usually a nameserver provided by the ISP.

My question is:

1. I don't want a caching/forwarding nameserver... I want a standard server just like an ISP.
So, what to do?

2. How to mirror the same entry to a backup (secondary DNS) server on-the-fly whenever
I am making a new DNS entry.

Tusher.
 
Old 12-01-2003, 09:15 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You want to set up a name server that is authoritative for your zone(s), i.e. it's listed as "master" next to the zone(s) you load. This will answer "inbound" (not that simple) queries, which are requests asking for information about your domain(s). By default, this will also allow requests about other zones and it will answer those as well.

Now the next question is: do you want to allow anyone to ask your name server about any zone at all, or do you only want to allow your own users to make requests that aren't in your zone(s)? If you want it restricted to your users (wise) then you should make use of the allow-query option to restrict queries in the "." zone only to users with approved IPs (basically you would add the network you want to allow queries from).

To mirror the changes to another server you need to list it in the zone file as another IN NS entry. When you configure the named.conf on the secondary server you list the type as "slave". When you update the zone(s) on the master, make sure you increment the serial number for the zone (usually in the format of yyyymmddcc, where cc is the number of changes for today--example: 2003120102 would mean you changed the zone two different times today). After doing this you issue the command rndc reconfig and it should send out notifications to all the slaves (you can have more than one) that they need to update their zones.

Make sure your firewall allows both port 53/UDP and 53/TCP from any host. It's a common error to only allow UDP, thinking that TCP is only used for zone file transfers, but the protocol makes a provision to use TCP when the answer results in a lot of data.
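
Added example, not part of either post: a BIND 9 named.conf sketch of the master/secondary layout and query restriction described in the reply above. The zone name, file paths and all addresses are constructed placeholders, and the allow-recursion and allow-transfer lines go beyond what the reply mentions.

```conf
// ---- named.conf on the master (constructed address: 192.0.2.53) ----
acl customers   { 127.0.0.1; 192.0.2.0/24; };   // assumed: networks of your own users
acl secondaries { 198.51.100.53; };             // assumed: the backup name server

options {
    directory "/var/named";           // assumed path
    allow-query     { customers; };   // default: only your own users may query
    allow-recursion { customers; };   // and only they get lookups for other zones
    allow-transfer  { none; };        // no zone transfers unless a zone allows it
};

zone "example.com" {
    type master;
    file "example.com.zone";          // increment the SOA serial (yyyymmddcc) on every edit
    allow-query    { any; };          // anyone may ask about the zone you are authoritative for
    allow-transfer { secondaries; };  // only the secondary may pull a full copy
    notify yes;                       // NOTIFY goes to the NS hosts listed in the zone file
};

// ---- named.conf on the secondary (constructed address: 198.51.100.53) ----
zone "example.com" {
    type slave;
    masters { 192.0.2.53; };          // where to fetch the zone from
    file "slaves/example.com.zone";   // local copy written after each transfer
    allow-query { any; };
};
```

The two halves belong in separate files on separate hosts; `named-checkconf` validates each file's syntax before the server is reloaded.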
 
  

