DNS problems to RoadRunner - tcp vs udp
marka at isc.org
Mon Jun 16 01:09:24 UTC 2008
In article <48546625.6040301 at rockynet.com> you write:
>Sean Donelan wrote:
>> 1. Separate your authoritative and recursive name servers
>> 2. Recursive name servers should only get replies to their own DNS
>> queries from the Internet, they can use both UDP and TCP
>We've just completed a project to separate our authoritative and
>recursive servers and I have a couple notes...
>1) For the recursive-only, we're using a combination of BIND's
>"query-source address a.b.c.d" and "listen-on e.f.g.h" in the hopes of
>providing some additional measure of protection against cache poisoning.
>The "listen-on" IPs are ACL'd at the borders so non-clients cannot get
>ANY packets to them. The "query-source address" itself doesn't appear in
>the "listen-on" list either and won't respond to queries. I know this
>isn't foolproof, but it probably raises the bar slightly against off-net
Named will reject queries on the *-source sockets. It
will also drop responses on the listening sockets provided
you havn't set the query-souce port to port 53.
>2) The biggest drawback to separation after years of service is that
>customers have come to expect their DNS changes are propagated instantly
>when they are on-net. This turns out to be more of an annoyance to us
>than our customers, since our zone is probably the most frequently updated.
Querying for type SOA at the name will prevent named caching
negative responses and still allow existance tests to be
made. nsupdate makes SOA queries to workout which zone
needs to be updated and to also determine which server to
send the updates to. We realised a long time ago that we
needed to have a way to find the containing zone that didn't
result in caches being filled with the side effects of that
Named, by default, sets the ttl to zero on negative responses
to SOA queries.
>3) I've gone so far as to remove the root hint zone from our auth-only
>boxes, again out of paranoia ("recursion no" does the trick, this is
>just an extra bit of insurance against someone flipping that bit due to
>a lack of understanding of the architecture). There is one third party
>we have to use an 'also-notify' by IP address in this case for their zone.
Authoritative only servers need hints so that NOTIFY will
work in the general case. Eventually, they will also need
them so we can get rid of IP addresses in masters clauses
on slave/stub zones. This will help reduce the costs in
More information about the NANOG