  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1519

static zones vs dynamic zones on bind9 and also how to split dns

Dear Experts:

1. I have configured DDNS with static zones and dynamic zones. Servers and workstations, which are not movable, have been assigned IP addresses manually from the static zone, and all the remaining laptop users, who are mobile users, are pointed to DHCP using the dynamic zones. I got to know about converting the static zones to dynamic, and I would like to know what the advantages of doing this are.

2. As of now DDNS is working fine. I am now also planning to install and configure a Zimbra mail server in the LAN, which is behind the firewall. I think the recommended practice is to configure split DNS, so I would like to know how to configure split DNS with my existing DDNS.

Please help. Thanks in advance.
1 Solution
There are a few advantages to using dynamic zones vs. static, but the main one is using nsupdate to update zones as opposed to manually editing the zone file.  Manually editing zone files has been a problem for a long time... what if someone typos the syntax and invalidates the entire zone, or to a lesser extent what if someone made a change but neglected to update the serial?  Things like that can cause major problems in a DNS infrastructure based on static zones.  I have to mention that even with a zone being dynamic, you can still edit it manually... but don't!  Use nsupdate instead, it's easy!

Using nsupdate can be very simple, or a bit more complex by adding some additional error prevention.

The quick way, which is how I do it on my personal server since I am not using views (split DNS) and I know how to use nsupdate properly ;)
[root@broken ~]# nsupdate -l
> update add example.domain.com 300 in a
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
example.domain.com.     300    IN       A

> send
> quit
[root@broken ~]# dig example.domain.com +short

* I only issued the "show" command to nsupdate for the sake of explaining this -- it is not a required step.
Using nsupdate at work, we add a couple of extra layers of "security":
key hmac-sha512:dynamic-key IKy3AmRjgURGYAFvQosnURr9uh6GRv+LjVtepNepBnkZLVh+A+EJwtQpFRbo2I4Ub2w==
zone test-paypal.com
update add example.domain.com 300 IN A


How much complexity / "security" you want to use will depend on the needs of you and the infrastructure.  I put the word security in quotes because it's not really making it any more secure, but rather is making sure that certain parts of your syntax are assigned properly so that you don't break the entire zone.  For example, the zone statement says that all updates must be applied to that zone, and the key statement says to use a specific TSIG key for authentication (this pertains to views).

On a side note, if you DNSSEC sign your zones (which I also recommend), then if set up properly, using nsupdate will trigger an automatic re-signing of the zone, as opposed to having to issue another dnssec-signzone command.  If you are curious about DNSSEC, that should be asked in a separate question.

As far as split DNS (called "views" in BIND) is concerned, check out the following links.  I listed them in the order that I think you should read them, but you can read them in any order you feel comfortable with.  In most Linux distributions, there will already be commented out sections of named.conf to support views; you just need to uncomment them and configure them properly for your environment.
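The "key" and "zone" statements the answer adds on top of plain nsupdate, applied to the case the asker raises later in the thread (adding and deleting A records together with their PTR records), as an added example that is not code from the original answer. It builds the nsupdate batch as text so it can be inspected before it is sent; the zone names, hostname, address, key name and secret are constructed placeholders, and the reverse zone is assumed to be a classful /24.

```sh
#!/bin/sh
# Added example for this thread (not code from the original answers).
# Builds an nsupdate batch that adds or deletes a host's A record together
# with its PTR record, using the "key" and "zone" statements shown above.
# Every hostname, zone, key name and secret used here is a constructed
# placeholder; replace them with your own before piping into nsupdate.

# reverse_name IPV4 -> PTR owner name, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# reverse_zone IPV4 -> the reverse zone, e.g. 192.0.2.10 -> 2.0.192.in-addr.arpa
# (assumes the PTR records live in a classful /24 reverse zone)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# tsig_line KEYNAME SECRET -> a "key" statement, or nothing when KEYNAME is
# empty (then run the batch with "nsupdate -l" so named's session key is used)
tsig_line() {
    if [ -n "$1" ]; then
        printf 'key hmac-sha512:%s %s\n' "$1" "$2"
    fi
}

# build_nsupdate_batch MODE FQDN IPV4 TTL FORWARD_ZONE [KEYNAME SECRET]
#   MODE is "add" (replace any existing A/PTR) or "delete".
# Forward and reverse records live in different zones, so each gets its own
# zone statement and its own "send": nsupdate submits one zone per message.
build_nsupdate_batch() {
    mode=$1; fqdn=$2; ip=$3; ttl=$4; fzone=$5; keyname=$6; secret=$7
    ptr=$(reverse_name "$ip")
    rzone=$(reverse_zone "$ip")

    # forward zone: remove whatever A record exists, then (for "add") set the new one
    tsig_line "$keyname" "$secret"
    printf 'zone %s\n' "$fzone"
    printf 'update delete %s. A\n' "$fqdn"
    if [ "$mode" = add ]; then
        printf 'update add %s. %s IN A %s\n' "$fqdn" "$ttl" "$ip"
    fi
    printf 'send\n'

    # reverse zone: same pattern for the PTR record
    tsig_line "$keyname" "$secret"
    printf 'zone %s\n' "$rzone"
    printf 'update delete %s PTR\n' "$ptr"
    if [ "$mode" = add ]; then
        printf 'update add %s %s IN PTR %s.\n' "$ptr" "$ttl" "$fqdn"
    fi
    printf 'send\n'
}

# Usage with placeholder values: print the batch, then feed it to nsupdate.
#   build_nsupdate_batch add host1.example.com 192.0.2.10 300 example.com \
#       dynamic-key 'REPLACE-WITH-BASE64-SECRET' | nsupdate -v
#   build_nsupdate_batch delete host1.example.com 192.0.2.10 300 example.com | nsupdate -l
```

Running the batch through `nsupdate -v` first without the pipe shows exactly what would be sent; the "delete then add" pairing is what makes the batch safe to re-run, since a second run replaces rather than duplicates the records.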

D_wathi (Author) commented:
Thank you very much for the detailed information. When I executed the below command:
indar@lampsrv:/var/log$ sudo nsupdate
> update delete linwin.shriramdb.com A
> update add linuxwind.shriramdb.com 86400 A
> send
update failed: REFUSED

Sir, please help me with how to add the A and PTR records and also delete them using nsupdate; I am getting the message REFUSED.
You need to add -l to nsupdate and set update-policy to local for the zone.
nsupdate can be run in a local-host only mode using the -l flag. This sets the server address to localhost (disabling the server so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in /var/run/named/session.key, which is automatically generated by named if any local master zone has set update-policy to local. The location of this key file can be overridden with the -k option.

If you are chrooted then you will need to create the following symlink:
/var/run/named/session.key -> /var/named/chroot/var/run/named/session.key

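The server side of both answers in one named.conf fragment, added here as an example rather than the poster's configuration: a dynamic zone with `update-policy local;` (so `nsupdate -l` and the session key work, which is what the REFUSED reply above was missing), the TSIG-key alternative the first answer describes, and a pair of views for split DNS where the TSIG key in `match-clients` decides which copy of the zone an update reaches. Zone names, the key name, networks and file paths are placeholders; the key file is assumed to have been generated with `tsig-keygen`.

```conf
// Added example for this thread (not the poster's configuration).
// Zone names, key name, networks and file paths are placeholders.
// dynamic-key.key is assumed to have been produced by tsig-keygen and
// contains: key "dynamic-key" { algorithm hmac-sha512; secret "..."; };
// Keep that file readable by named only.
include "/etc/bind/keys/dynamic-key.key";

view "internal" {
    // Internal clients, localhost, and anything that signs with dynamic-key
    // land here, so an nsupdate batch carrying "key hmac-sha512:dynamic-key ..."
    // is applied to this copy of the zone and not the public one.
    match-clients { key dynamic-key; 10.0.0.0/8; localhost; };
    recursion yes;

    zone "example.com" {
        type master;
        file "/var/named/dynamic/example.com.db";
        // Option 1: "nsupdate -l" on the server itself, authenticated with
        // the session key named writes to /var/run/named/session.key.
        update-policy local;
        // Option 2 (use instead of the line above, not together with it):
        // updates signed with dynamic-key, limited to A and PTR records
        // below the zone apex.
        // update-policy { grant dynamic-key zonesub A PTR; };
        // Avoid: allow-update { any; };  -- any client could rewrite the zone.
    };

    zone "2.0.192.in-addr.arpa" {
        type master;
        file "/var/named/dynamic/2.0.192.in-addr.arpa.db";
        update-policy local;
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // The public copy of the zone stays static and never accepts updates;
    // it needs its own zone file, separate from the internal one.
    zone "example.com" {
        type master;
        file "/var/named/static/example.com.external.db";
        allow-update { none; };
    };
};
```

After editing, `named-checkconf` validates the syntax and `rndc reload` picks up the views; the order of the views matters, since the first `match-clients` that matches a client wins.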
