LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Need of secondary and Tertiary DNS Server (http://www.linuxquestions.org/questions/linux-networking-3/need-of-secondary-and-tertiary-dns-server-505965/)

nsvora 11-29-2006 01:15 PM

Need of secondary and Tertiary DNS Server
 
Hi All,
I am working on a proprietary Dynamic DNS client implementation. My DHCP and DDNS servers are running on Linux and I would like to know some information about Secondary & Tertiary DNS Servers.
Currently, my client sends the update to only the Primary DNS server.

Could anyone kindly answer the following:
Why do we need secondary and tertiary servers?
My understanding regarding them is that:
- Any client sends the update only to the Primary DNS server.
- Primary server updates the records to secondary and tertiary.
- Any DNS Queries can be answered by any of the primary, secondary or tertiary servers.

Should the client send the update record to the secondary DNS Server if the primary is not reachable?

Thanks in advance,

With Regards,
nsvora

Samoth 11-29-2006 01:43 PM

I believe (in my limited understanding) that the reason we have multiple DNS servers is so that we can rotate between them and so save bandwidth on them. Sort of like NTP offsharing.

chort 11-29-2006 05:04 PM

The reason to have more than one DNS server is for redundancy, in case there is a hardware or network failure. Are you sure your dynamic DNS provider only has one server, though? Do a dig your.domain ns and see what the results are. It should look something similar to this:
Code:

;; ANSWER SECTION:
yahoo.com.              66340  IN      NS      ns4.yahoo.com.  <--- names of the DNS servers
yahoo.com.              66340  IN      NS      ns5.yahoo.com.
yahoo.com.              66340  IN      NS      ns1.yahoo.com.
yahoo.com.              66340  IN      NS      ns2.yahoo.com.
yahoo.com.              66340  IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          39415  IN      A      66.218.71.63  <--- see how they're on many different networks?
ns2.yahoo.com.          23230  IN      A      68.142.255.16
ns3.yahoo.com.          97764  IN      A      217.12.4.104
ns4.yahoo.com.          40180  IN      A      68.142.196.63
ns5.yahoo.com.          148545  IN      A      216.109.116.17

In this case there is no reason for you to set up your own DNS server, because they have plenty of reliability already.

If some friend was hosting your DNS for you, then the probability that their Internet connection could go down, or their server might die, is pretty high. In that case it would make sense to run your own DNS server and slave off of his, just in case his goes down. This is the reason why you always see at least two DNS servers for any domain: it's required. How many you actually list depends on what kind of reliability you need. Also, as a general rule you're never supposed to have all of your DNS servers on the same subnet, in case of a network failure. Your DNS servers should be on two different subnets and reachable via two different ISPs, but that's stretching it for home users to accomplish (unless you have lots of friends with static IPs and unblocked ports).
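The check chort describes (run dig for the NS records, then confirm the servers are not all on one network) can be automated. The following is an added example, not code from the thread: it parses the ANSWER and ADDITIONAL sections in the format dig prints, then reports too few nameservers, NS names with no A record, or all addresses inside one /24. The sample inputs are constructed (the first reuses the yahoo.com values quoted in the post; the second uses the 192.0.2.0/24 documentation range), and treating a /24 as "the same subnet" is this example's assumption.

```python
import ipaddress

# Constructed sample, shaped like the `dig yahoo.com ns` output quoted in the post above.
DIVERSE = """\
;; ANSWER SECTION:
yahoo.com.              66340  IN      NS      ns4.yahoo.com.
yahoo.com.              66340  IN      NS      ns5.yahoo.com.
yahoo.com.              66340  IN      NS      ns1.yahoo.com.
yahoo.com.              66340  IN      NS      ns2.yahoo.com.
yahoo.com.              66340  IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          39415  IN      A      66.218.71.63
ns2.yahoo.com.          23230  IN      A      68.142.255.16
ns3.yahoo.com.          97764  IN      A      217.12.4.104
ns4.yahoo.com.          40180  IN      A      68.142.196.63
ns5.yahoo.com.          148545  IN      A      216.109.116.17
"""

# Constructed counter-example: two nameservers that both sit in one /24 (192.0.2.0/24 is a
# documentation range, so this never points at a real host).
ONE_SUBNET = """\
;; ANSWER SECTION:
example.test.           3600   IN      NS      ns1.example.test.
example.test.           3600   IN      NS      ns2.example.test.

;; ADDITIONAL SECTION:
ns1.example.test.       3600   IN      A       192.0.2.10
ns2.example.test.       3600   IN      A       192.0.2.11
"""


def parse_dig(text):
    """Return (NS names in answer order, {name: IPv4 address}) from dig output.

    Lines starting with ';' are comments; anything after the RDATA column (such as the
    '<--- ...' annotations in the post) is ignored.
    """
    ns, addr = [], {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, _ttl, _class, rtype, rdata = parts[:5]
        if rtype == "NS":
            ns.append(rdata.lower())
        elif rtype == "A":
            addr[owner.lower()] = ipaddress.ip_address(rdata)
    return ns, addr


def audit(text, prefix=24, minimum=2):
    """Findings for the failure modes the post warns about; an empty list means the NS set
    looks healthy. The /prefix grouping stands in for 'same subnet' (an assumption; an
    ASN lookup would be stricter)."""
    ns, addr = parse_dig(text)
    findings = []
    if len(ns) < minimum:
        findings.append(f"only {len(ns)} NS record(s); at least {minimum} are expected")
    missing = [n for n in ns if n not in addr]
    if missing:
        findings.append("no A record returned for: " + ", ".join(missing))
    by_net = {}
    for n in ns:
        if n in addr:
            net = ipaddress.ip_network(f"{addr[n]}/{prefix}", strict=False)
            by_net.setdefault(net, []).append(n)
    if len(by_net) == 1 and len(ns) > 1:
        findings.append(f"all nameservers sit in {next(iter(by_net))}; "
                        "one network failure takes the whole zone offline")
    return findings


if __name__ == "__main__":
    for label, sample in (("diverse", DIVERSE), ("one subnet", ONE_SUBNET)):
        print(label, "->", audit(sample) or "ok")
```

Feeding it the real output of `dig your.domain ns` is a matter of piping that text into `audit()`; the yahoo.com sample passes cleanly, while the two-server sample is flagged because both addresses share 192.0.2.0/24.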

nsvora 12-01-2006 09:48 AM

Quote:

Originally Posted by chort
The reason to have more than one DNS server is for redundancy, in case there is a hardware or network failure. Are you sure your dynamic DNS provider only has one server, though? Do a dig your.domain ns and see what the results are. It should look something similar to this:
Code:

;; ANSWER SECTION:
yahoo.com.              66340  IN      NS      ns4.yahoo.com.  <--- names of the DNS servers
yahoo.com.              66340  IN      NS      ns5.yahoo.com.
yahoo.com.              66340  IN      NS      ns1.yahoo.com.
yahoo.com.              66340  IN      NS      ns2.yahoo.com.
yahoo.com.              66340  IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          39415  IN      A      66.218.71.63  <--- see how they're on many different networks?
ns2.yahoo.com.          23230  IN      A      68.142.255.16
ns3.yahoo.com.          97764  IN      A      217.12.4.104
ns4.yahoo.com.          40180  IN      A      68.142.196.63
ns5.yahoo.com.          148545  IN      A      216.109.116.17

In this case there is no reason for you to set up your own DNS server, because they have plenty of reliability already.

If some friend was hosting your DNS for you, then the probability that their Internet connection could go down, or their server might die, is pretty high. In that case it would make sense to run your own DNS server and slave off of his, just in case his goes down. This is the reason why you always see at least two DNS servers for any domain: it's required. How many you actually list depends on what kind of reliability you need. Also, as a general rule you're never supposed to have all of your DNS servers on the same subnet, in case of a network failure. Your DNS servers should be on two different subnets and reachable via two different ISPs, but that's stretching it for home users to accomplish (unless you have lots of friends with static IPs and unblocked ports).

Thanks for the reply.
I understand the redundancy required for the updates to go through; we need two servers.
But should the DDNS client be sending these updates to the secondary if the primary is not reachable?

Note:
I have a proprietary implementation of the DHCP and DDNS client, so I don't want to have the DHCP server
updating the DNS server.

chort 12-01-2006 01:11 PM

Quote:

Originally Posted by nsvora
Thanks for the reply.
I understand the redundancy required for the updates to go through; we need two servers.
But should the DDNS client be sending these updates to the secondary if the primary is not reachable?

Secondary what? Your DNS provider already has multiple DNS servers. The method of updating them is proprietary, though. You can't just pick a DNS server arbitrarily and send it updates. The servers will only take the update if they're configured for whatever protocol/method your client is using, they can authenticate that the data is coming from you, and that server knows that it's authoritative for your zone.

I do not believe the dynamic DNS providers allow you to update their nameservers directly. In every case that I've seen, the data is submitted via HTTP to a CGI interface, or something similar. That site processes the data and updates the zone files, which are then loaded by all the DNS servers at regular intervals. So far as I know they don't have multiple sites that you can upload your updates to (but it's been a few years since I used one, so that might have changed). In any case, if such a thing was possible I would expect there to be documentation for it, either on your provider's website, or in the documentation for your ddns client.

nsvora 12-01-2006 02:47 PM

Quote:

Originally Posted by chort
Secondary what? Your DNS provider already has multiple DNS servers. The method of updating them is proprietary, though. You can't just pick a DNS server arbitrarily and send it updates. The servers will only take the update if they're configured for whatever protocol/method your client is using, they can authenticate that the data is coming from you, and that server knows that it's authoritative for your zone.

I do not believe the dynamic DNS providers allow you to update their nameservers directly. In every case that I've seen, the data is submitted via HTTP to a CGI interface, or something similar. That site processes the data and updates the zone files, which are then loaded by all the DNS servers at regular intervals. So far as I know they don't have multiple sites that you can upload your updates to (but it's been a few years since I used one, so that might have changed). In any case, if such a thing was possible I would expect there to be documentation for it, either on your provider's website, or in the documentation for your ddns client.

Hi Chort,
Thanks a lot for the information.
I had referred to the Primary and Secondary DNS Servers in the prior quote.
I am a bit confused here. Could you kindly help me understand the following:
1) We can have only one primary server which can be authoritative for a zone?
2) The DDNS client should send the updates only to the Primary Server. And the Primary server
can have the Secondary server configured, i.e. the Primary would send the updates to the secondary, or the secondary would refresh its data after a periodic interval. Right?
3) If I have the following configuration in the named.conf file, will the secondary server allow the updates from the client?
Code:

zone "testdns.com" in {
    file "dyn/testdns.com";
    type slave;
    allow-update { localhost; localnets; };
};


- nsvora

chort 12-01-2006 03:36 PM

Quote:

Originally Posted by nsvora
Hi Chort,
Thanks a lot for the information.
I had referred to the Primary and Secondary DNS Servers in the prior quote.
I am a bit confused here. Could you kindly help me understand the following:
1) We can have only one primary server which can be authoritative for a zone?

You can only have one named as SOA, but all the servers named in NS records should consider themselves authoritative. Note that authoritative != master. Generally it's best to only have one master server for a zone, unless you really know what you're doing. Slave servers are authoritative, though.

Quote:

2) The DDNS client should send the updates only to the Primary Server. And the Primary server
can have the Secondary server configured, i.e. the Primary would send the updates to the secondary, or the secondary would refresh its data after a periodic interval. Right?

How is the DDNS client configured to send updates?
Yes. From reading the BINDv9 admin manual, it's technically possible, although fantastically insecure, to have slave servers forward DDNS updates to the master. It is almost certainly not allowed by your DDNS provider, and I'm certain you would need to use the proper TSIG key to send them updates (it's probably embedded in your client).


Quote:

3) If I have the following configuration in the named.conf file, will the secondary server allow the updates from the client?
Code:

zone "testdns.com" in {
    file "dyn/testdns.com";
    type slave;
    allow-update { localhost; localnets; };
};

- nsvora

The secondary will, but I'm betting it will be overwritten next time it refreshes from the master (or gets a notify).

nsvora 12-01-2006 05:24 PM

Quote:

Originally Posted by chort
You can only have one named as SOA, but all the servers named in NS records should consider themselves authoritative. Note that authoritative != master. Generally it's best to only have one master server for a zone, unless you really know what you're doing. Slave servers are authoritative, though.

Yes. From reading the BINDv9 admin manual, it's technically possible, although fantastically insecure, to have slave servers forward DDNS updates to the master. It is almost certainly not allowed by your DDNS provider, and I'm certain you would need to use the proper TSIG key to send them updates (it's probably embedded in your client).

The secondary will, but I'm betting it will be overwritten next time it refreshes from the master (or gets a notify).

Thanks a ton for the detailed explanation, chort.

We have a proprietary implementation of both DHCP and DDNS clients.
Whenever the user changes the host name, a DDNS update is sent by the client to the server.

I have got it clear that only the primary DNS server should be sent the updates.
Since we have our own implementation of the DDNS client, what are the responsibilities of the DDNS client as far as Secondary DNS Server and Tertiary DNS Server are concerned?

chort 12-01-2006 11:13 PM

Quote:

Originally Posted by nsvora
Since we have our own implementation of the DDNS client, what are the responsibilities of the DDNS client as far as Secondary DNS Server and Tertiary DNS Server are concerned?

None.

I don't understand why you're asking these questions if you've built your own DHCP client and DDNS client. It seems to me you should know how these things work if you're going to take the drastic step of building your own implementations. You could allow DDNS clients to update slaves, and you could allow slaves to forward those updates to the master, but then you would need to implement keys and signed updates, otherwise it would be trivial to poison the zone files. If you're not familiar with the authentication options for DNS, then it doesn't seem wise to attempt to implement it.
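Both of chort's points about signed updates (the TSIG key the client must use, and the poisoning risk if the master accepts updates without keys) come down to one mechanism: an RFC 2136 UPDATE message carrying a TSIG record (RFC 8945) that the master checks against a shared secret before touching the zone. The block below is an added example, not code from the thread, from BIND or from nsvora's client: it builds such an update for one A record, signs it with hmac-sha256, and shows the master-side verification refusing an unsigned copy, a copy altered in transit, and a copy signed with a key the master does not know. The zone name, key name and secret are constructed, the parser only handles uncompressed names (enough for messages it built itself), and the /24 of the sample address is the 192.0.2.0/24 documentation range.

```python
import hashlib
import hmac
import os
import struct
import time

TSIG_ALG = "hmac-sha256."   # algorithm name as it appears on the wire, canonical form


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased (TSIG hashes names in canonical form)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf: bytes, off: int):
    """Parse an uncompressed name; messages built here never use compression pointers."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not supported by this example parser")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(zone: str, rr_name: str, ipv4: str, ttl: int = 300, msg_id=None) -> bytes:
    """RFC 2136 UPDATE that adds one A record: header, zone section, one update RR."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # opcode 5 (UPDATE), ZO=1, UP=1
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)        # ZTYPE SOA, ZCLASS IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_rr = encode_name(rr_name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # A, IN
    return header + zone_sec + update_rr


def tsig_variables(key_name, time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG fields hashed together with the message (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0)     # class ANY, TTL 0
            + encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg: bytes, key_name: str, secret: bytes, time_signed=None, fudge=300) -> bytes:
    """Client side: MAC the unsigned message, append the TSIG RR, bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + tsig_rr


def verify(signed: bytes, keyring: dict, now=None):
    """Master side: accept only updates signed by a known key, inside the fudge window."""
    _, _, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False, "refused: update is not signed"
    off = 12
    for _ in range(zo):                        # zone entries carry no TTL/RDATA
        _, off = read_name(signed, off)
        off += 4
    for _ in range(pr + up + ad - 1):          # skip every RR before the trailing TSIG
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10
    if rtype != 250:
        return False, "refused: last additional RR is not TSIG"
    alg, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    _, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keyring.get(key_name)
    if secret is None or alg != TSIG_ALG:
        return False, "refused: unknown key or algorithm (BADKEY)"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "refused: outside fudge window (BADTIME)"
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]   # message as it was before TSIG
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "refused: MAC mismatch (BADSIG)"
    return True, "accepted"


def demo():
    """Constructed exchange: returns (unsigned, signed, tampered, wrong-key) acceptance flags."""
    key, secret = "ddns-key.testdns.com.", os.urandom(32)     # shared secret, constructed
    master_keys = {key: secret}                                # what the master has configured
    msg = build_update("testdns.com.", "host1.testdns.com.", "192.0.2.10")
    signed = sign(msg, key, secret)
    tampered = bytearray(signed)
    tampered[len(msg) - 1] ^= 0x01                             # flip one byte of the A record
    return (verify(msg, master_keys)[0], verify(signed, master_keys)[0],
            verify(bytes(tampered), master_keys)[0], verify(signed, {"other-key.": secret})[0])
```

Run `demo()` and it returns `(False, True, False, False)`: only the untouched message signed with the configured key is accepted. This is the property that makes an `allow-update { localnets; }` style policy on a slave dangerous by comparison: a network ACL checks where a packet claims to come from, while the MAC ties the exact record contents to a secret the master and one client share.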

nsvora 12-08-2006 09:46 AM

Quote:

Originally Posted by chort
None.

I don't understand why you're asking these questions if you've built your own DHCP client and DDNS client. It seems to me you should know how these things work if you're going to take the drastic step of building your own implementations. You could allow DDNS clients to update slaves, and you could allow slaves to forward those updates to the master, but then you would need to implement keys and signed updates, otherwise it would be trivial to poison the zone files. If you're not familiar with the authentication options for DNS, then it doesn't seem wise to attempt to implement it.

Sorry for asking such questions, but I wanted to make sure that my implementation is in line with industry standard implementations and doesn't violate any rules.
