nanog mailing list archives
Re: DNS problems to RoadRunner - tcp vs udp
From: Mike Lewinski <mike () rockynet com>
Date: Sat, 14 Jun 2008 18:45:25 -0600
Sean Donelan wrote:
> 1. Separate your authoritative and recursive name servers
> 2. Recursive name servers should only get replies to their own DNS queries from the Internet, they can use both UDP and TCP
We've just completed a project to separate our authoritative and recursive servers and I have a couple notes...
1) For the recursive-only, we're using a combination of BIND's "query-source address a.b.c.d" and "listen-on e.f.g.h" in the hopes of providing some additional measure of protection against cache poisoning. The "listen-on" IPs are ACL'd at the borders so non-clients cannot get ANY packets to them. The "query-source address" itself doesn't appear in the "listen-on" list either and won't respond to queries. I know this isn't foolproof, but it probably raises the bar slightly against off-net poisoning attempts.
2) The biggest drawback to separation after years of service is that customers have come to expect their DNS changes are propagated instantly when they are on-net. This turns out to be more of an annoyance to us than our customers, since our zone is probably the most frequently updated.
3) I've gone so far as to remove the root hint zone from our auth-only boxes, again out of paranoia ("recursion no" does the trick, this is just an extra bit of insurance against someone flipping that bit due to a lack of understanding of the architecture). There is one third party we have to use an 'also-notify' by IP address in this case for their zone.
Mike
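The split described in this message, written out as two BIND 9 named.conf fragments (one per host). This is an added illustration, not Mike Lewinski's or Rockynet's actual configuration; all addresses, ACL names, zone names and file names are placeholders from the documentation ranges, and the border filtering that keeps non-clients away from the `listen-on` addresses is assumed to exist outside BIND.

```conf
// ===== Host A: recursive-only resolver (named.conf fragment, example) =====
// Placeholder client ranges; the real list would be the ISP's customer space.
acl "customers" { 192.0.2.0/24; 2001:db8:1::/48; };

options {
    directory "/var/named";
    recursion yes;
    allow-query     { customers; };
    allow-recursion { customers; };

    // Clients talk to these addresses only. The border ACL should drop
    // packets to them from anywhere outside "customers".
    listen-on    { 192.0.2.53; };
    listen-on-v6 { 2001:db8:1::53; };

    // Outbound queries leave from a separate address that is deliberately
    // absent from listen-on, so nothing answers queries sent to it; only
    // replies to our own questions arrive here (UDP and TCP, per the quoted
    // advice). No "port" clause: pinning the source port would undo source
    // port randomization and make spoofed replies easier to match.
    query-source    address 198.51.100.53;
    query-source-v6 address 2001:db8:2::53;
};

// The resolver is the only one that needs root hints.
zone "." { type hint; file "named.root"; };

// ===== Host B: authoritative-only server (separate named.conf, example) =====
acl "secondaries" { 203.0.113.10; };   // placeholder third-party secondary

options {
    directory "/var/named";
    recursion no;                       // the actual protection
    allow-recursion { none; };          // belt-and-braces: no ACL can re-enable it
    allow-query     { any; };           // public zones, so world-readable
    allow-transfer  { secondaries; };
    // Note the absence of a zone "." hint block: even if someone later
    // flips recursion on, this server has nothing to chase referrals with.
};

zone "example.net" {
    type master;
    file "example.net.zone";
    // Notify a secondary that cannot be reached through the normal NS-based
    // notify path, by explicit address (placeholder).
    also-notify { 203.0.113.10; };
};
```

A quick sanity check after deploying: a query with the RD bit set to host B should come back with `recursion not available` in the flags rather than an answer from cache, and a query aimed at host A's `query-source` address should time out rather than be answered, confirming that address is not a listening socket.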