DNS problems to RoadRunner - tcp vs udp

Mark Andrews marka at isc.org
Mon Jun 16 01:09:24 UTC 2008


In article <48546625.6040301 at rockynet.com> you write:
>Sean Donelan wrote:
>
>> 1. Separate your authoritative and recursive name servers
>> 2. Recursive name servers should only get replies to their own DNS 
>> queries from the Internet, they can use both UDP and TCP
>
>We've just completed a project to separate our authoritative and 
>recursive servers and I have a couple notes...
>
>1) For the recursive-only, we're using a combination of BIND's 
>"query-source address a.b.c.d" and "listen-on e.f.g.h" in the hopes of 
>providing some additional measure of protection against cache poisoning. 
>The "listen-on" IPs are ACL'd at the borders so non-clients cannot get 
>ANY packets to them. The "query-source address" itself doesn't appear in 
>the "listen-on" list either and won't respond to queries. I know this 
>isn't foolproof, but it probably raises the bar slightly against off-net 
>poisoning attempts.

	Named will reject queries on the *-source sockets.  It
	will also drop responses on the listening sockets provided
	you haven't set the query-source port to port 53.

>2) The biggest drawback to separation after years of service is that 
>customers have come to expect their DNS changes are propagated instantly 
>when they are on-net. This turns out to be more of an annoyance to us 
>than our customers, since our zone is probably the most frequently updated.

	Querying for type SOA at the name will prevent named caching
	negative responses and still allow existence tests to be
	made.  nsupdate makes SOA queries to work out which zone
	needs to be updated and to also determine which server to
	send the updates to.  We realised a long time ago that we
	needed to have a way to find the containing zone that didn't
	result in caches being filled with the side effects of that
	discovery mechanism.

	Named, by default, sets the ttl to zero on negative responses
	to SOA queries.

>3) I've gone so far as to remove the root hint zone from our auth-only 
>boxes, again out of paranoia ("recursion no" does the trick, this is 
>just an extra bit of insurance against someone flipping that bit due to 
>a lack of understanding of the architecture). There is one third party 
>we have to use an 'also-notify' by IP address in this case for their zone.

	Authoritative only servers need hints so that NOTIFY will
	work in the general case.  Eventually, they will also need
	them so we can get rid of IP addresses in masters clauses
	on slave/stub zones.  This will help reduce the costs in
	renumbering.

>Mike

	Mark




More information about the NANOG mailing list