BobFett
Backup DNS Techniques

Hi all,

I am wondering if someone can advise me on backup DNS techniques?  I have basically got two servers, one hosted with EV1 and a backup hosted on a business broadband connection.  I have set up a backup mail server on the backup server, along with backup DNS.  I have MX records in each domain with a priority of 10 for my primary mail server and 30 for my backup.

My question is this:
Is it possible to prioritise other DNS records?  For example, for one of my domains, the name servers are:
ns0.mynameserver.net
ns1.mynameserver.net
ns2.mynameserver.net

Where "ns2.mynameserver.net" is my backup DNS server.  For some reason however, some ISPs are going to "ns2.mynameserver.net" for resolution first?

I'd like to be able to put a "www" host entry for all domains in my backup DNS pointing to itself with a standard 'SORRY, THIS WEBPAGE IS CURRENTLY UNAVAILABLE' message, but obviously can't if some requests are going to resolve using the backup DNS first.

Any ideas?

Thanks in advance

Bob
grblades

Hi BobFett,
No, if you specify all 3 nameservers then when someone queries your domain they will be given all 3 nameservers and they will pick one at random to use. This is so that you can perform a crude form of load balancing.
All I can suggest is that you use some kind of load balancer. A load balancer can have a single web server with another listed as being a backup or it can actually load balance between multiple servers.
These pieces of equipment are not cheap though. Perhaps EV1 have one and you can rent part of the bandwidth on it?
When you talk about backup DNS servers, that means the records of any one DNS server will get replicated to all of the DNS servers. You can't make separate entries on all your DNS servers.

If you are going to make one entry on ns2.mynameserver.net, the entry will get replicated to all three servers.

Nitesh
BobFett

ASKER

Grblades - bugger, thanks for the info.  Not going to go with the load balancer I think - it was a nice idea, but as long as I can run backup email and backup DNS that's fine.

Nitesh - that will only happen if I configure the nameservers to do that - I can opt to manually maintain the backup DNS server (as I have done for reasons below).

Now the only problem I have is this.  If I DO decide to have some of my zones on my primary name server do a ZONE TRANSFER to my backup DNS server, how do I secure this?  Zone transfers use the same port as DNS itself so I can tie that PORT down in the firewall on my backup DNS.  There doesn't seem to be an option to only accept a zone transfer from a specific IP - I have the option of not allowing dynamic updates or allowing them from "secure and unsecure" sources.  Any ideas?

Thanks for all your help so far
The DNS server should have security options so you can limit the IP address of machines which are permitted to perform zone transfers from it.
I normally use BIND on Linux and this has the option.
I am not sure about Windows server as it has been a long time since I have used DNS on it.
BobFett

ASKER

Grblades - I can't see anything like that, that's the problem.  In the primary server I can't specify the IP address to do the Zone Transfer TO, but this doesn't stop my backup DNS from accepting info from other sources.  There is no option for this in Windows 2000 Server either (I'm on Windows 2003 Server).

How does it know what is a trusted source and what isn't?

The mystery deepens...
Is there a firewall in front of the Windows server?
If there is, then you can continue to let through UDP port 53 for normal DNS traffic but only let through TCP port 53 from the authorised machines, and this will effectively block others from being able to do zone transfers.
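The two controls grblades describes in his replies above (a per-address transfer list inside the name server, and a firewall that admits TCP/53 only from the authorised peer) are shown together in the following script. It is an added example for this page, not code posted in the thread, and it targets BIND on Linux because that is the server grblades has the option on. It also shows how a BIND secondary decides what is a trusted source: a slave zone pulls only from the addresses in its `masters` list and never accepts zone data pushed from elsewhere, so the secondary can additionally refuse to serve transfers at all. The addresses (RFC 5737 documentation ranges), zone name and file paths are assumptions; the thread gives none of them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates the two things
# the replies above describe for one primary/secondary pair:
#   1. BIND named.conf zone stanzas that restrict AXFR/IXFR at the DNS layer
#   2. an iptables-restore ruleset that lets TCP/53 in only from the peer
# All addresses and the zone name are placeholders (RFC 5737 documentation
# ranges); substitute the real EV1 and broadband addresses before deploying.
set -eu

PRIMARY_IP="${PRIMARY_IP:-192.0.2.10}"         # assumed: the EV1-hosted primary
SECONDARY_IP="${SECONDARY_IP:-198.51.100.20}"  # assumed: the broadband backup
ZONE="${ZONE:-example.com}"                    # assumed zone name

# Primary: answer queries from anyone, but hand the zone only to the secondary
# and send NOTIFY only there. Without allow-transfer, BIND permits AXFR from any.
write_primary_conf() {
    cat > "$1" <<EOF
zone "$ZONE" {
    type master;
    file "/etc/bind/db.$ZONE";
    allow-query { any; };
    allow-transfer { $SECONDARY_IP; };
    notify explicit;
    also-notify { $SECONDARY_IP; };
};
EOF
}

# Secondary: a BIND slave pulls from the addresses in "masters" and takes zone
# data from nowhere else; allow-notify stops strangers triggering a refresh,
# and allow-transfer none stops anyone dumping the copy it holds.
write_secondary_conf() {
    cat > "$1" <<EOF
zone "$ZONE" {
    type slave;
    file "/var/cache/bind/db.$ZONE";
    masters { $PRIMARY_IP; };
    allow-notify { $PRIMARY_IP; };
    allow-transfer { none; };
    allow-query { any; };
};
EOF
}

# Firewall for a host that must answer queries but allow transfers from one
# peer only: UDP/53 open for ordinary queries, TCP/53 only from $2.
# Load with: iptables-restore < "$1"
write_firewall_rules() {
    cat > "$1" <<EOF
*filter
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -s $2 -j ACCEPT
-A INPUT -p tcp --dport 53 -j DROP
COMMIT
EOF
}

# Write all three files into the directory given as the first argument.
# Usage: sh lockdown.sh /tmp/dns-lockdown
main() {
    mkdir -p "$1"
    write_primary_conf   "$1/named.conf.primary"
    write_secondary_conf "$1/named.conf.secondary"
    write_firewall_rules "$1/iptables.primary" "$SECONDARY_IP"
    echo "wrote named.conf.primary, named.conf.secondary and iptables.primary to $1"
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

Two caveats a practitioner would want. First, the firewall rule is defence in depth, not a substitute for `allow-transfer`: blocking TCP/53 from everyone but the peer also blocks ordinary resolvers that retry over TCP after a truncated UDP answer, so keep the answers small or accept that cost. Second, the same per-address control exists in the Windows DNS server Bob is running: the Zone Transfers tab in the zone's properties ("Only to the following servers"), or from the command line `dnscmd <server> /ZoneResetSecondaries <zone> /SecureList <ip>`; no Active Directory membership is required for it.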
ASKER CERTIFIED SOLUTION
iwontleaveyou

BobFett

ASKER

iwontleaveyou - the only problem is that this assumes I am using Active Directory.

These servers are not even part of a domain as they are stand-alone web servers.

Thanks

Bob