Old 11-29-2006, 01:15 PM   #1
nsvora
Need of secondary and Tertiary DNS Server


Hi All,
I am working on a proprietary Dynamic DNS client implementation. My DHCP and DDNS servers are running on LINUX, and I would like to know some information about Secondary & Tertiary DNS Servers.
Currently, my client sends the update only to the Primary DNS server.

Could anyone kindly answer the following:
Why do we need secondary and tertiary servers?
My understanding regarding them is that:
- Any client sends the update only to the Primary DNS server.
- The Primary server updates the records to the secondary and tertiary.
- Any DNS query can be answered by any of the primary, secondary or tertiary servers.

Should the client send the update record to the secondary DNS server if the primary is not reachable?

Thanks in advance,

With Regards,
nsvora
 
Old 11-29-2006, 01:43 PM   #2
Samoth
I believe (in my limited understanding) that the reason we have multiple DNS servers is so that we can rotate between them and so save bandwidth on them. Sort of like NTP offsharing.
 
Old 11-29-2006, 05:04 PM   #3
chort
The reason to have more than one DNS server is for redundancy, in case there is a hardware or network failure. Are you sure your dynamic DNS provider only has one server, though? Do a dig your.domain ns and see what the results are. It should look something similar to this:
Code:
;; ANSWER SECTION:
yahoo.com.              66340   IN      NS      ns4.yahoo.com.  <--- names of the DNS servers
yahoo.com.              66340   IN      NS      ns5.yahoo.com.
yahoo.com.              66340   IN      NS      ns1.yahoo.com.
yahoo.com.              66340   IN      NS      ns2.yahoo.com.
yahoo.com.              66340   IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          39415   IN      A       66.218.71.63   <--- see how they're on many different networks?
ns2.yahoo.com.          23230   IN      A       68.142.255.16
ns3.yahoo.com.          97764   IN      A       217.12.4.104
ns4.yahoo.com.          40180   IN      A       68.142.196.63
ns5.yahoo.com.          148545  IN      A       216.109.116.17
In this case there is no reason for you to set up your own DNS server, because they have plenty of reliability already.

If some friend was hosting your DNS for you, then the probability that their Internet connection could go down, or their server might die, is pretty high. In that case it would make sense to run your own DNS server and slave off of his, just in case his goes down. This is the reason why you always see at least two DNS servers for any domain: it's required. How many you actually list depends on what kind of reliability you need. Also, as a general rule you're never supposed to have all of your DNS servers on the same subnet, in case of a network failure. Your DNS servers should be on two different subnets and reachable via two different ISPs, but that's stretching it for home users to accomplish (unless you have lots of friends with static IPs and unblocked ports).
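As an added example (not part of chort's post), here is a small Python check that parses the shape of dig output shown above and reports how many nameservers a zone lists and how many distinct /24 networks they occupy, which is the redundancy rule chort describes. The records in SAMPLE_DIG are constructed from documentation address ranges, not yahoo.com's real servers.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `dig example.com ns` output
# (documentation names and addresses, not real nameservers).
SAMPLE_DIG = """
;; ANSWER SECTION:
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      NS      ns3.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        3600    IN      A       192.0.2.10
ns2.example.com.        3600    IN      A       192.0.2.20
ns3.example.com.        3600    IN      A       198.51.100.5
"""

# owner  TTL  IN  TYPE  rdata  (only the record types we care about)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)")


def parse_dig(text):
    """Return (list of NS names, dict nameserver -> list of addresses)."""
    ns, addrs = [], defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # section headers, comments, blank lines
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns.append(rdata)
        else:
            addrs[owner].append(rdata)
    return ns, addrs


def check_redundancy(text, prefix=24):
    """Count the zone's nameservers and the distinct networks they sit on.
    One shared network means one outage can take every nameserver down."""
    ns, addrs = parse_dig(text)
    nets = set()
    for name in ns:
        for a in addrs.get(name, []):
            ip = ipaddress.ip_address(a)
            plen = prefix if ip.version == 4 else 48  # /48 for IPv6
            nets.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    return {"nameservers": len(ns), "networks": len(nets),
            "ok": len(ns) >= 2 and len(nets) >= 2}
```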
 
Old 12-01-2006, 09:48 AM   #4
nsvora (Original Poster)

Quote:
Originally Posted by chort
The reason to have more than one DNS server is for redundancy, in case there is a hardware or network failure. Are you sure your dynamic DNS provider only has one server, though? Do a dig your.domain ns and see what the results are. It should look something similar to this:
Code:
;; ANSWER SECTION:
yahoo.com.              66340   IN      NS      ns4.yahoo.com.  <--- names of the DNS servers
yahoo.com.              66340   IN      NS      ns5.yahoo.com.
yahoo.com.              66340   IN      NS      ns1.yahoo.com.
yahoo.com.              66340   IN      NS      ns2.yahoo.com.
yahoo.com.              66340   IN      NS      ns3.yahoo.com.

;; ADDITIONAL SECTION:
ns1.yahoo.com.          39415   IN      A       66.218.71.63   <--- see how they're on many different networks?
ns2.yahoo.com.          23230   IN      A       68.142.255.16
ns3.yahoo.com.          97764   IN      A       217.12.4.104
ns4.yahoo.com.          40180   IN      A       68.142.196.63
ns5.yahoo.com.          148545  IN      A       216.109.116.17
In this case there is no reason for you to set up your own DNS server, because they have plenty of reliability already.

If some friend was hosting your DNS for you, then the probability that their Internet connection could go down, or their server might die, is pretty high. In that case it would make sense to run your own DNS server and slave off of his, just in case his goes down. This is the reason why you always see at least two DNS servers for any domain: it's required. How many you actually list depends on what kind of reliability you need. Also, as a general rule you're never supposed to have all of your DNS servers on the same subnet, in case of a network failure. Your DNS servers should be on two different subnets and reachable via two different ISPs, but that's stretching it for home users to accomplish (unless you have lots of friends with static IPs and unblocked ports).
Thanks for the reply.
I understand the redundancy: for the updates to go through, we need two servers.
But should the DDNS client be sending these updates to the secondary if the primary is not reachable?

Note:
I have a proprietary implementation of the DHCP and DDNS client, so I don't want to have the DHCP server
updating the DNS server.
 
Old 12-01-2006, 01:11 PM   #5
chort
Quote:
Originally Posted by nsvora
Thanks for the reply.
I understand the redundancy: for the updates to go through, we need two servers.
But should the DDNS client be sending these updates to the secondary if the primary is not reachable?
Secondary what? Your DNS provider already has multiple DNS servers. The method of updating them is proprietary, though. You can't just pick a DNS server arbitrarily and send it updates. The servers will only take the update if they're configured for whatever protocol/method your client is using, they can authenticate that the data is coming from you, and that server knows that it's authoritative for your zone.

I do not believe the dynamic DNS providers allow you to update their nameservers directly. In every case that I've seen, the data is submitted via HTTP to a CGI interface, or something similar. That site processes the data and updates the zone files, which are then loaded by all the DNS servers at regular intervals. So far as I know they don't have multiple sites that you can upload your updates to (but it's been a few years since I used one, so that might have changed). In any case, if such a thing was possible I would expect there to be documentation for it, either on your provider's website, or in the documentation for your ddns client.
 
Old 12-01-2006, 02:47 PM   #6
nsvora (Original Poster)

Quote:
Originally Posted by chort
Secondary what? Your DNS provider already has multiple DNS servers. The method of updating them is proprietary, though. You can't just pick a DNS server arbitrarily and send it updates. The servers will only take the update if they're configured for whatever protocol/method your client is using, they can authenticate that the data is coming from you, and that server knows that it's authoritative for your zone.

I do not believe the dynamic DNS providers allow you to update their nameservers directly. In every case that I've seen, the data is submitted via HTTP to a CGI interface, or something similar. That site processes the data and updates the zone files, which are then loaded by all the DNS servers at regular intervals. So far as I know they don't have multiple sites that you can upload your updates to (but it's been a few years since I used one, so that might have changed). In any case, if such a thing was possible I would expect there to be documentation for it, either on your provider's website, or in the documentation for your ddns client.
Hi Chort,
Thanks a lot for the information.
I had referred to the Primary and Secondary DNS Servers in the prior quote.
I am a bit confused here. Could you kindly help me understand the following:
1) We can have only one primary server which can be authoritative for a zone?
2) The DDNS client should send the updates only to the Primary Server. And the Primary server
can have the Secondary server configured, i.e. the Primary would send the updates to the secondary, or the secondary would refresh its data after a periodic interval. Right?
3) If I have the following configuration in the named.conf file, will the secondary server allow the updates from the client?
zone "testdns.com" in {
    file "dyn/testdns.com";
    type slave;
    allow-update { localhost; localnets; };
};


- nsvora

 
Old 12-01-2006, 03:36 PM   #7
chort
Quote:
Originally Posted by nsvora
Hi Chort,
Thanks a lot for the information.
I had referred to the Primary and Secondary DNS Servers in the prior quote.
I am a bit confused here. Could you kindly help me understand the following:
1) We can have only one primary server which can be authoritative for a zone?
You can only have one named as SOA, but all the servers named in NS records should consider themselves authoritative. Note that authoritative != master. Generally it's best to only have one master server for a zone, unless you really know what you're doing. Slave servers are authoritative, though.

Quote:
2) The DDNS client should send the updates only to the Primary Server. And the Primary server
can have the Secondary server configured, i.e. the Primary would send the updates to the secondary, or the secondary would refresh its data after a periodic interval. Right?

How is the DDNS client configured to send updates?
Yes. From reading the BINDv9 admin manual, it's technically possible, although fantastically insecure, to have slave servers forward DDNS updates to the master. It is almost certainly not allowed by your DDNS provider, and I'm certain you would need to use the proper TSIG key to send them updates (it's probably embedded in your client).


Quote:
3) If I have the following configuration in the named.conf file, will the secondary server allow the updates from the client?
zone "testdns.com" in {
    file "dyn/testdns.com";
    type slave;
    allow-update { localhost; localnets; };
};


- nsvora
The secondary will, but I'm betting it will be overwritten next time it refreshes from the master (or gets a notify).
 
Old 12-01-2006, 05:24 PM   #8
nsvora (Original Poster)

Quote:
Originally Posted by chort
You can only have one named as SOA, but all the servers named in NS records should consider themselves authoritative. Note that authoritative != master. Generally it's best to only have one master server for a zone, unless you really know what you're doing. Slave servers are authoritative, though.

Yes. From reading the BINDv9 admin manual, it's technically possible, although fantastically insecure, to have slave servers forward DDNS updates to the master. It is almost certainly not allowed by your DDNS provider, and I'm certain you would need to use the proper TSIG key to send them updates (it's probably embedded in your client).

The secondary will, but I'm betting it will be overwritten next time it refreshes from the master (or gets a notify).
Thanks a ton for the detailed explanation, chort.

We have a proprietary implementation of both the DHCP and DDNS clients.
Whenever the user changes the host name, a DDNS update is sent by the client to the server.

I have got it clear that only the primary DNS server should be sent the updates.
Since we have our own implementation of the DDNS client, what are the responsibilities of the DDNS client as far as Secondary DNS Server and Tertiary DNS Server are concerned?
 
Old 12-01-2006, 11:13 PM   #9
chort
Quote:
Originally Posted by nsvora
Since we have our own implementation of the DDNS client, what are the responsibilities of the DDNS client as far as Secondary DNS Server and Tertiary DNS Server are concerned?
None.

I don't understand why you're asking these questions if you've built your own DHCP client and DDNS client. It seems to me you should know how these things work if you're going to take the drastic step of building your own implementations. You could allow DDNS clients to update slaves, and you could allow slaves to forward those updates to the master, but then you would need to implement keys and signed updates, otherwise it would be trivial to poison the zone files. If you're not familiar with the authentication options for DNS, then it doesn't seem wise to attempt to implement it.
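As an added example (not code from the thread or from BIND itself), here is a Python audit of named.conf zone blocks that flags the two problems chort raises in posts #7 and #9: a slave zone that accepts dynamic updates (they are lost on the next refresh from the master) and any zone whose allow-update is an address list rather than a TSIG key (addresses can be spoofed; a key cannot). The configuration fragment, zone names and key name are constructed for the example.

```python
import re

# Constructed named.conf fragment: the slave zone asked about in the thread,
# beside a master zone that accepts updates only when signed with a TSIG key.
# The key name and secret are placeholders, not real material.
SAMPLE_NAMED_CONF = """
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

zone "testdns.com" in {
    file "dyn/testdns.com";
    type slave;
    allow-update { localhost; localnets; };
};

zone "example.net" in {
    file "dyn/example.net";
    type master;
    allow-update { key "ddns-key"; };
};
"""

# zone "<name>" ... { <body> \n};   (key blocks are not matched)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)


def audit_zones(conf):
    """Return (zone, finding) tuples for risky allow-update settings."""
    findings = []
    for zone, body in ZONE_RE.findall(conf):
        ztype = re.search(r"type\s+(\w+)\s*;", body)
        upd = re.search(r"allow-update\s*\{([^}]*)\};", body)
        if not upd:
            continue  # no dynamic updates accepted: nothing to flag
        entries = [e.strip() for e in upd.group(1).split(";") if e.strip()]
        if entries == ["none"]:
            continue  # explicitly refuses updates
        # "secondary" is the newer BIND spelling of "slave"
        if ztype and ztype.group(1) in ("slave", "secondary"):
            findings.append((zone, "slave zone accepts updates"))
        # any entry that is not "key <name>" is an address match, not a key
        if any(not e.startswith("key ") for e in entries):
            findings.append((zone, "allow-update by address, not TSIG key"))
    return findings
```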
 
Old 12-08-2006, 09:46 AM   #10
nsvora (Original Poster)
Quote:
Originally Posted by chort
None.

I don't understand why you're asking these questions if you've built your own DHCP client and DDNS client. It seems to me you should know how these things work if you're going to take the drastic step of building your own implementations. You could allow DDNS clients to update slaves, and you could allow slaves to forward those updates to the master, but then you would need to implement keys and signed updates, otherwise it would be trivial to poison the zone files. If you're not familiar with the authentication options for DNS, then it doesn't seem wise to attempt to implement it.
Sorry for asking such questions, but I wanted to make sure that my implementation is in line with industry standard implementations and doesn't violate any rules.
 