
Redundant and smart BIND topography


kc5deb

ISP
Nov 21, 2003
1
US
I'm an admin for an ISP with about 30,000+ customers. At the moment we just run 2 DNS servers, primary and secondary, both running FreeBSD and bind8.

I've been told that my setup isn't exactly the best suited for redundancy, and was told to use cache servers to hand DNS out to my dialup, and to use my primary and secondary DNS for authoritative queries only.

What is an accepted way to put into place more redundancy with more than just 2 DNS servers?

Also, it's getting to the point where adding domains to the servers is a daily issue, and it's becoming a pain to put it into the primary, then turn around and load it into the secondary's named.conf. Is there anything out there yet that is reliable, so that if the change is made in the named.conf on the primary, the secondary will pick up the change without user intervention?
 
Yes, as an ISP (smaller!) we would recommend you consider the model you describe.

Dial/DSL/ISDN customers get Resolver DNS boxes as their primary DNS entries.

Create Authoritative (non-resolving) servers out of your existing DNS boxes. Consider a tertiary Authoritative box on an external service for $99 a month, such as
As for zone management, yes, zone creation is a PITA. I might suggest that you consider either 1) a GUI management tool (such as webmin with DNS extensions), or 2) a brief perl script with SSH calls to insert/append the new zone(s) into the Master and Slave(s) server's named.conf and to restart the named service(s). I presume that you have zone transfers enabled for the zone detail itself.

The O'Reilly BIND book and everything that Bernstein has ever written encourages the separation of resolving (cache) DNS servers from the authoritative ones. This is justified by 1) cache poisoning and cache DoS attacks, and 2) resource usage.

Yes, it's more money and more boxes to babysit, but you'll reduce your single points of failure.

Good luck.


Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.
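As an added example (not code from the thread or from Surfinbox), here is the kind of small script item 2 above describes: it generates a master zone stanza whose transfers are restricted to the slaves, a matching slave stanza that pulls only from the master, appends each to the right server's named.conf over SSH, and reloads named. It also rejects zone names that could smuggle extra statements into named.conf. The host names, addresses, named.conf path and reload command are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical hosts, addresses,
# paths and reload command below; adjust to your own servers.
MASTER_HOST="ns1.example.net"; MASTER_IP="192.0.2.1"
SLAVE_HOSTS="ns2.example.net ns3.example.net"; SLAVE_IPS="192.0.2.2 192.0.2.3"
NAMED_CONF="/etc/namedb/named.conf"   # FreeBSD default location (assumed)
RELOAD_CMD="ndc reload"               # BIND 8; BIND 9 uses "rndc reload"

# Only plain host-name characters: anything else could inject a second
# statement (an "include" line, say) into named.conf.
valid_zone() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Master stanza: zone transfers restricted to the slaves, NOTIFY enabled.
master_zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "master/%s.db";\n' "$1" "$1"
    printf '    allow-transfer { %s; };\n    notify yes;\n};\n' \
        "$(echo "$SLAVE_IPS" | sed 's/ /; /g')"
}

# Slave stanza: pull the zone from the master only.
slave_zone_stanza() {
    printf 'zone "%s" {\n    type slave;\n    file "slave/%s.db";\n' "$1" "$1"
    printf '    masters { %s; };\n};\n' "$MASTER_IP"
}

# Append the stanza on every server over SSH and reload named there.
add_zone() {
    valid_zone "$1" || { echo "rejected zone name: $1" >&2; return 1; }
    master_zone_stanza "$1" | ssh "$MASTER_HOST" "cat >> $NAMED_CONF && $RELOAD_CMD"
    for h in $SLAVE_HOSTS; do
        slave_zone_stanza "$1" | ssh "$h" "cat >> $NAMED_CONF && $RELOAD_CMD"
    done
}

# Usage: ./addzone.sh example.com prints the stanzas;
#        DEPLOY=1 ./addzone.sh example.com pushes them to the servers.
if [ -n "${1:-}" ]; then
    if [ "${DEPLOY:-0}" = 1 ]; then
        add_zone "$1"
    else
        valid_zone "$1" && master_zone_stanza "$1" && slave_zone_stanza "$1"
    fi
fi
```

Zone data itself still travels by AXFR, so only the stanza needs copying; the slaves fetch the zone file from the master after the reload.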