Query regarding NS record
Hi,

Can anyone let me know how I can resolve the below requirement?

Requirement:

We have two offices. One is the main office and another one is a remote branch office. Now my company client requirement is that if the main office DNS server is not reachable, all DNS queries should be sent to the branch office DNS server. How can this be achieved using BIND?

For example, my company mail website is mail.mycompany.com, which is pointed as below in the ISP name server.

mail.mycompany.com IN NS ns1.mainoffice.com
mail.mycompany.com IN NS ns1.branceoffice.com

Is the above record correct or not?
Please suggest.

Regards
papdheen M

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Query regarding NS record
babu dheen wrote on 2011-09-16:
> Hi,
> Can anyone let me know how I can resolve the below requirement?
>
> Requirement:
>
> We have two offices. One is the main office and another one is a remote
> branch office. Now my company client requirement is that if the main office
> DNS server is not reachable, all DNS queries should be sent to the branch
> office DNS server. How can this be achieved using BIND?
>
> For example, my company mail website is mail.mycompany.com, which is
> pointed as below in the ISP name server.
>
> mail.mycompany.com IN NS ns1.mainoffice.com
> mail.mycompany.com IN NS ns1.branceoffice.com
>
> Is the above record correct or not?
> Please suggest.
> Regards
> papdheen M

Babu,

Your example isn't failover, this is load balancing.
That's two different concepts.

Florian
Re: Query regarding NS record
On Fri, Sep 16, 2011 at 8:52 AM, Florian CROUZAT wrote:
> babu dheen wrote on 2011-09-16:
>
>> Hi,
>> Can anyone let me know how I can resolve the below requirement?
>>
>> Requirement:
>>
>> We have two offices. One is the main office and another one is a remote
>> branch office. Now my company client requirement is that if the main office
>> DNS server is not reachable, all DNS queries should be sent to the branch
>> office DNS server. How can this be achieved using BIND?
>>
>> For example, my company mail website is mail.mycompany.com, which is
>> pointed as below in the ISP name server.
>>
>> mail.mycompany.com IN NS ns1.mainoffice.com
>> mail.mycompany.com IN NS ns1.branceoffice.com
>>
>> Is the above record correct or not?
>> Please suggest.
>> Regards
>> papdheen M
>
> Babu,
>
> Your example isn't failover, this is load balancing.
> That's two different concepts.

Actually, I would not describe it as either fail-over or load balancing. It's probably closer to fail-over for the people at the main office, but not for those at the branch.

I believe that when multiple NS records are available, BIND will direct queries to the fastest responding server. It does not "round-robin" queries or anything like that. So, people at the main office will usually get responses from that system and people at the branch office will usually get responses from that server. But, if the servers are configured properly, they will always be in sync within seconds of any change.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
Re: Query regarding NS record
So when multiple DNS records are available, is it possible to direct all DNS queries to the first (NS) record always? Meaning,

mail.myoffice.com IN NS 20.20.20.20
mail.myoffice.com IN NS 30.30.30.30

In the above, is it possible to direct all DNS queries only to 20.20.20.20 and, if this fails, is it possible to direct DNS queries to the next NS server (30.30.30.30)?

Regards
Babu

From: Kevin Oberman
To: Florian CROUZAT
Cc: bind-users@lists.isc.org
Sent: Friday, 16 September 2011 8:32 PM
Subject: Re: Query regarding NS record

On Fri, Sep 16, 2011 at 8:52 AM, Florian CROUZAT wrote:
> babu dheen wrote on 2011-09-16:
>
>> Hi,
>> Can anyone let me know how I can resolve the below requirement?
>>
>> Requirement:
>>
>> We have two offices. One is the main office and another one is a remote
>> branch office. Now my company client requirement is that if the main office
>> DNS server is not reachable, all DNS queries should be sent to the branch
>> office DNS server. How can this be achieved using BIND?
>>
>> For example, my company mail website is mail.mycompany.com, which is
>> pointed as below in the ISP name server.
>>
>> mail.mycompany.com IN NS ns1.mainoffice.com
>> mail.mycompany.com IN NS ns1.branceoffice.com
>>
>> Is the above record correct or not?
>> Please suggest.
>> Regards
>> papdheen M
>
> Babu,
>
> Your example isn't failover, this is load balancing.
> That's two different concepts.

Actually, I would not describe it as either fail-over or load balancing. It's probably closer to fail-over for the people at the main office, but not for those at the branch.

I believe that when multiple NS records are available, BIND will direct queries to the fastest responding server. It does not "round-robin" queries or anything like that. So, people at the main office will usually get responses from that system and people at the branch office will usually get responses from that server. But, if the servers are configured properly, they will always be in sync within seconds of any change.
--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
Re: Query regarding NS record
On Fri, Sep 16, 2011 at 6:57 PM, babu dheen wrote:
> So when multiple DNS records are available, is it possible to direct all DNS
> queries to the first (NS) record always? Meaning,
>
> mail.myoffice.com IN NS 20.20.20.20
> mail.myoffice.com IN NS 30.30.30.30
>
> In the above, is it possible to direct all DNS queries only to 20.20.20.20
> and, if this fails, is it possible to direct DNS queries to the next NS
> server (30.30.30.30)?

I'm not aware of a direct way to do this, but you could do it by adding the address listed in the NS record for the backup server to its interface only when the primary stops responding. The backup would need to send a regular query to the primary to know when to add the address.

I really don't understand why you would want to do this. It mostly complicates things and reduces robustness. A key in the operation of DNS is to have multiple servers, all answering and all having identical data for queries from any particular source.

Kevin Oberman
Network Engineer -- Retired
kob6...@gmail.com
Re: Query regarding NS record
Got your concern. Will change my setting accordingly. Thanks for your advice.

Regards
Babu

From: Kevin Oberman
To: babu dheen
Cc: Florian CROUZAT; "bind-users@lists.isc.org"
Sent: Saturday, 17 September 2011 9:26 AM
Subject: Re: Query regarding NS record

On Fri, Sep 16, 2011 at 6:57 PM, babu dheen wrote:
> So when multiple DNS records are available, is it possible to direct all DNS
> queries to the first (NS) record always? Meaning,
>
> mail.myoffice.com IN NS 20.20.20.20
> mail.myoffice.com IN NS 30.30.30.30
>
> In the above, is it possible to direct all DNS queries only to 20.20.20.20
> and, if this fails, is it possible to direct DNS queries to the next NS
> server (30.30.30.30)?

I'm not aware of a direct way to do this, but you could do it by adding the address listed in the NS record for the backup server to its interface only when the primary stops responding. The backup would need to send a regular query to the primary to know when to add the address.

I really don't understand why you would want to do this. It mostly complicates things and reduces robustness. A key in the operation of DNS is to have multiple servers, all answering and all having identical data for queries from any particular source.

Kevin Oberman
Network Engineer -- Retired
kob6...@gmail.com
Re: Query regarding NS record
Are you talking about recursive clients failing over? Or other nameservers trying to talk to yours, non-recursively?

Recursive clients don't use NS records at all, and you need to approach the failover problem in a completely different way (e.g. relying on the client failing over from one resolver IP address to another, or implementing an Anycast solution).

If you're talking about nameserver-to-nameserver traffic, then just publish multiple NS records for the relevant zone(s) and the nameserver-selection algorithm embedded in every known iterative-resolver implementation will take care of the load-balancing and failover; to summarize, faster-responding nameservers will be chosen over slower-responding ones.

- Kevin

On 9/16/2011 11:17 AM, babu dheen wrote:
> Hi,
> Can anyone let me know how I can resolve the below requirement?
>
> Requirement:
>
> We have two offices. One is the main office and another one is a remote
> branch office. Now my company client requirement is that if the main office
> DNS server is not reachable, all DNS queries should be sent to the branch
> office DNS server. How can this be achieved using BIND?
>
> For example, my company mail website is mail.mycompany.com, which is
> pointed as below in the ISP name server.
>
> mail.mycompany.com IN NS ns1.mainoffice.com
> mail.mycompany.com IN NS ns1.branceoffice.com
>
> Is the above record correct or not?
> Please suggest.
> Regards
> papdheen M
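The nameserver-selection behaviour Kevin describes above (faster-responding servers preferred, slower or unresponsive ones avoided, idle ones retried later) can be seen offline with the following toy model. This is an added example, not BIND's code or anything from the thread: it only reproduces the shape of an SRTT-based selector (smoothed RTT per server, timeouts scored as very slow answers, decay for servers not asked). The hostnames are the thread's example names with "branchoffice" spelled out, and the RTT figures are constructed.

```python
"""Toy model of iterative-resolver nameserver selection (added example).

This is not BIND's code. Real iterative resolvers keep a smoothed
round-trip time (SRTT) per nameserver address, send each query to the
server with the lowest SRTT, treat a timeout as a very slow answer, and
let idle servers' SRTT decay so they are retried eventually. The model
below reproduces that shape so the load-balancing/failover behaviour
described above can be observed offline. Hostnames are the thread's
example names (spelling of "branchoffice" corrected); RTTs are constructed.
"""
from dataclasses import dataclass

TIMEOUT_MS = 2000.0   # a timed-out query is scored as if it took this long
ALPHA = 0.3           # weight of the newest sample in the smoothed RTT
DECAY = 0.98          # per-query decay applied to servers that were not asked


@dataclass
class NameServer:
    name: str
    srtt_ms: float = 0.0   # 0.0 means "never tried yet"
    failures: int = 0      # consecutive timeouts, for reporting only


class Selector:
    def __init__(self, servers):
        self.servers = list(servers)

    def pick(self) -> NameServer:
        # Probe never-tried servers first so each gets an SRTT; after that
        # the lowest smoothed RTT wins, which is what "faster-responding
        # nameservers are chosen over slower-responding ones" means.
        for s in self.servers:
            if s.srtt_ms == 0.0:
                return s
        return min(self.servers, key=lambda s: s.srtt_ms)

    def report(self, server: NameServer, rtt_ms):
        """Feed back one query result: RTT in ms, or None for a timeout."""
        if rtt_ms is None:
            server.failures += 1
            sample = TIMEOUT_MS
        else:
            server.failures = 0
            sample = max(rtt_ms, 0.1)   # keep 0.0 reserved for "untried"
        if server.srtt_ms == 0.0:
            server.srtt_ms = sample
        else:
            server.srtt_ms = (1 - ALPHA) * server.srtt_ms + ALPHA * sample
        # Servers that were not asked look a little faster each round, so a
        # recovered primary is eventually retried instead of ignored forever.
        for other in self.servers:
            if other is not server and other.srtt_ms > 0.0:
                other.srtt_ms *= DECAY


def simulate(selector: Selector, rtt_by_name: dict, queries: int) -> list:
    """Run `queries` lookups against constructed network conditions.

    rtt_by_name maps a nameserver name to its RTT in ms, or None if it is
    unreachable. Returns the sequence of nameserver names the resolver chose.
    """
    chosen = []
    for _ in range(queries):
        s = selector.pick()
        chosen.append(s.name)
        selector.report(s, rtt_by_name[s.name])
    return chosen


def main_office_view() -> Selector:
    """Selector holding the two NS targets from the thread (constructed)."""
    return Selector([NameServer("ns1.mainoffice.com"),
                     NameServer("ns1.branchoffice.com")])


if __name__ == "__main__":
    sel = main_office_view()
    up = {"ns1.mainoffice.com": 5.0, "ns1.branchoffice.com": 40.0}
    print("both up:         ", simulate(sel, up, 8))
    down = {"ns1.mainoffice.com": None, "ns1.branchoffice.com": 40.0}
    print("main office down:", simulate(sel, down, 5))
```

Run from a resolver that sees the main office at 5 ms and the branch at 40 ms, the model sends almost everything to the main office; once the main office stops answering, a single timeout moves traffic to the branch, which is the failover Babu asked for. A resolver sitting at the branch sees the opposite RTTs and lands on the branch server, which is why Kevin Oberman called the two-NS setup "closer to fail-over for the people at the main office, but not for those at the branch."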
Re: Query regarding NS record
Hi,

Once I delegated the NS record in my ISP name server to my company name server for the mail.myoffice.com website as below, do I need to allow the DNS port from ANY (INTERNET) to my DNS server in the firewall, or do I just need to allow DNS traffic only from the ISP DNS server?

ISP DNS server configuration:

mycompany-dns-server-ip IN A 10.10.10.10
mail.myoffice.com IN NS

Regards
Papdheen M

From: Kevin Darcy
To: bind-users@lists.isc.org
Sent: Sunday, 18 September 2011 5:09 PM
Subject: Re: Query regarding NS record

Are you talking about recursive clients failing over? Or other nameservers trying to talk to yours, non-recursively?

Recursive clients don't use NS records at all, and you need to approach the failover problem in a completely different way (e.g. relying on the client failing over from one resolver IP address to another, or implementing an Anycast solution).

If you're talking about nameserver-to-nameserver traffic, then just publish multiple NS records for the relevant zone(s) and the nameserver-selection algorithm embedded in every known iterative-resolver implementation will take care of the load-balancing and failover; to summarize, faster-responding nameservers will be chosen over slower-responding ones.

- Kevin

On 9/16/2011 11:17 AM, babu dheen wrote:
> Hi,
> Can anyone let me know how I can resolve the below requirement?
>
> Requirement:
>
> We have two offices. One is the main office and another one is a remote
> branch office. Now my company client requirement is that if the main office
> DNS server is not reachable, all DNS queries should be sent to the branch
> office DNS server. How can this be achieved using BIND?
>
> For example, my company mail website is mail.mycompany.com, which is
> pointed as below in the ISP name server.
>
> mail.mycompany.com IN NS ns1.mainoffice.com
> mail.mycompany.com IN NS ns1.branceoffice.com
>
> Is the above record correct or not?
> Please suggest.
> Regards
> papdheen M
Re: Query regarding NS record
"ANY". That NS record tells *the world* (not just your ISP) that they can come to your nameserver to resolve names in the zone. It wouldn't be much of a failover strategy if you were relying on your ISP's nameservers to somehow "proxy" the queries over to you when they're down.

Open up inbound destination port 53 TCP/UDP (for queries) and outbound source port 53 TCP/UDP (for responses). The destination port outbound will be the same as the source port inbound, for a given DNS transaction, if your firewalls are stateful enough to keep track of such things.

- Kevin

On 9/18/2011 12:01 PM, babu dheen wrote:
> Hi,
>
> Once I delegated the NS record in my ISP name server to my company name
> server for the mail.myoffice.com website as below, do I need to allow the
> DNS port from ANY (INTERNET) to my DNS server in the firewall, or do I just
> need to allow DNS traffic only from the ISP DNS server?
>
> ISP DNS server configuration:
>
> mycompany-dns-server-ip IN A 10.10.10.10
> mail.myoffice.com IN NS
>
> Regards
> Papdheen M
>
> From: Kevin Darcy
> To: bind-users@lists.isc.org
> Sent: Sunday, 18 September 2011 5:09 PM
> Subject: Re: Query regarding NS record
>
> Are you talking about recursive clients failing over? Or other nameservers
> trying to talk to yours, non-recursively?
>
> Recursive clients don't use NS records at all, and you need to approach the
> failover problem in a completely different way (e.g. relying on the client
> failing over from one resolver IP address to another, or implementing an
> Anycast solution).
>
> If you're talking about nameserver-to-nameserver traffic, then just publish
> multiple NS records for the relevant zone(s) and the nameserver-selection
> algorithm embedded in every known iterative-resolver implementation will
> take care of the load-balancing and failover; to summarize,
> faster-responding nameservers will be chosen over slower-responding ones.
>
> - Kevin
>
> On 9/16/2011 11:17 AM, babu dheen wrote:
>> Hi,
>> Can anyone let me know how I can resolve the below requirement?
>>
>> Requirement:
>>
>> We have two offices. One is the main office and another one is a remote
>> branch office. Now my company client requirement is that if the main office
>> DNS server is not reachable, all DNS queries should be sent to the branch
>> office DNS server. How can this be achieved using BIND?
>>
>> For example, my company mail website is mail.mycompany.com, which is
>> pointed as below in the ISP name server.
>>
>> mail.mycompany.com IN NS ns1.mainoffice.com
>> mail.mycompany.com IN NS ns1.branceoffice.com
>>
>> Is the above record correct or not?
>> Please suggest.
>> Regards
>> papdheen M
Re: Query regarding NS record
On 18.09.11 21:31, babu dheen wrote:
> Once I delegated the NS record in my ISP name server to my company name
> server for the mail.myoffice.com website as below, do I need to allow the
> DNS port from ANY (INTERNET) to my DNS server in the firewall, or do I just
> need to allow DNS traffic only from the ISP DNS server?
>
> ISP DNS server configuration:
>
> mycompany-dns-server-ip IN A 10.10.10.10
> mail.myoffice.com IN NS

You must allow DNS traffic to your server, both TCP and UDP protocols, from all the world to port 53.

Note that this way, when your NS is down, mail.myoffice.com won't work. I recommend you get your ISP to slave your zone and create additional NS records pointing to your ISP's name servers for mail.myoffice.com.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: Query regarding NS record
On 9/18/2011 9:01 AM, babu dheen wrote:
> mycompany-dns-server-ip IN A 10.10.10.10
> mail.myoffice.com IN NS

One thing to note is that NS records take labels and not IP addresses.

AlanC
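Both of the record problems raised in this thread (Alan's point that NS rdata is a host name, never an IP address, and Matus's recommendation to publish more than one NS record for the name) are cheap to check before the records go to the ISP. The following is an added example written for this page, not code from the thread or from BIND: a small zone-snippet validator. The `owner [ttl] IN type rdata` line format, the `;` comment convention and the glue check for in-zone nameserver names are assumptions of this example; the sample records are constructed on the pattern of those posted above, with `ns1.isp.example` standing in for an ISP secondary.

```python
"""Offline checker for a zone's delegation records (added example).

Not part of the thread or of BIND. It encodes the two points made above:
NS rdata must be a host name, never an IP address, and a name should be
served by more than one nameserver. It also flags an in-zone nameserver
name that has no glue A/AAAA record, because a parent-side delegation to
such a name is unusable without glue. Input format assumed: one record per
line as 'owner [ttl] IN type rdata...', ';' comments, no $ORIGIN handling.
"""
import ipaddress


def parse_records(text: str) -> list:
    """Return (owner, type, rdata_tokens) triples; owner lower-cased, type upper-cased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if "IN" not in tokens:
            raise ValueError(f"record without a class field: {raw!r}")
        i = tokens.index("IN")
        owner = tokens[0].lower().rstrip(".")
        rtype = tokens[i + 1].upper() if len(tokens) > i + 1 else ""
        records.append((owner, rtype, tokens[i + 2:]))
    return records


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal, False for anything else (e.g. a host name)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_delegation(text: str, zone: str) -> list:
    """Return a list of human-readable problems with the NS set for `zone`."""
    zone = zone.lower().rstrip(".")
    records = parse_records(text)
    problems = []
    ns_targets = []
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner != zone:
            continue
        if not rdata:
            problems.append(f"NS record for {zone} has no target")
            continue
        target = rdata[0].lower().rstrip(".")
        if is_ip_literal(target):
            problems.append(f"NS target {target!r} is an IP address; NS rdata must be a host name")
            continue
        ns_targets.append(target)
    if len(ns_targets) < 2:
        problems.append(f"only {len(ns_targets)} usable NS record(s) for {zone}; at least two are expected")
    # Glue: an NS target inside the delegated zone needs an address record alongside it.
    glued = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    for target in ns_targets:
        in_zone = target == zone or target.endswith("." + zone)
        if in_zone and target not in glued:
            problems.append(f"in-zone nameserver {target} has no glue A/AAAA record")
    return problems


# Constructed samples modelled on the records posted in the thread.
IP_AS_NS = """
mail.myoffice.com IN NS 20.20.20.20
mail.myoffice.com IN NS 30.30.30.30
"""
TWO_EXTERNAL_NS = """
mail.mycompany.com IN NS ns1.mainoffice.com
mail.mycompany.com IN NS ns1.branchoffice.com
"""
IN_ZONE_NO_GLUE = """
mail.mycompany.com IN NS ns1.mail.mycompany.com
mail.mycompany.com IN NS ns1.isp.example   ; ISP secondary, as recommended above
"""
IN_ZONE_WITH_GLUE = IN_ZONE_NO_GLUE + "ns1.mail.mycompany.com IN A 10.10.10.10\n"

if __name__ == "__main__":
    for label, sample, zone in [("IP literals as NS", IP_AS_NS, "mail.myoffice.com"),
                                ("two external NS", TWO_EXTERNAL_NS, "mail.mycompany.com"),
                                ("in-zone NS, no glue", IN_ZONE_NO_GLUE, "mail.mycompany.com"),
                                ("in-zone NS, glue", IN_ZONE_WITH_GLUE, "mail.mycompany.com")]:
        print(label, "->", check_delegation(sample, zone) or "OK")
```

The `IP_AS_NS` sample is the record set Babu posted: every NS target is rejected as an address, which leaves zero usable nameservers. The `TWO_EXTERNAL_NS` sample is the shape the thread converges on, two host-name targets that are served from different places, and passes cleanly.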
Re: Query regarding NS record
Thanks for your response.

From: Matus UHLAR - fantomas
To: bind-users@lists.isc.org
Sent: Sunday, 18 September 2011 7:50 PM
Subject: Re: Query regarding NS record

On 18.09.11 21:31, babu dheen wrote:
> Once I delegated the NS record in my ISP name server to my company name
> server for the mail.myoffice.com website as below, do I need to allow the
> DNS port from ANY (INTERNET) to my DNS server in the firewall, or do I just
> need to allow DNS traffic only from the ISP DNS server?
>
> ISP DNS server configuration:
>
> mycompany-dns-server-ip IN A 10.10.10.10
> mail.myoffice.com IN NS

You must allow DNS traffic to your server, both TCP and UDP protocols, from all the world to port 53.

Note that this way, when your NS is down, mail.myoffice.com won't work. I recommend you get your ISP to slave your zone and create additional NS records pointing to your ISP's name servers for mail.myoffice.com.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.