Re: DNS problems to RoadRunner - tcp vs udp

[Mark Andrews <marka () isc org>]

In article <48546625.6040301 () rockynet com> you write:
> Sean Donelan wrote:
>
> > 1. Separate your authoritative and recursive name servers
> > 2. Recursive name servers should only get replies to their own DNS 
> > queries from the Internet, they can use both UDP and TCP
>
> We've just completed a project to separate our authoritative and 
> recursive servers and I have a couple notes...
>
> 1) For the recursive-only, we're using a combination of BIND's 
> "query-source address a.b.c.d" and "listen-on e.f.g.h" in the hopes of 
> providing some additional measure of protection against cache poisoning. 
> The "listen-on" IPs are ACL'd at the borders so non-clients cannot get 
> ANY packets to them. The "query-source address" itself doesn't appear in 
> the "listen-on" list either and won't respond to queries. I know this 
> isn't foolproof, but it probably raises the bar slightly against off-net 
> poisoning attempts.

        Named will reject queries on the *-source sockets.  It
        will also drop responses on the listening sockets provided
        you havn't set the query-souce port to port 53.

> 2) The biggest drawback to separation after years of service is that 
> customers have come to expect their DNS changes are propagated instantly 
> when they are on-net. This turns out to be more of an annoyance to us 
> than our customers, since our zone is probably the most frequently updated.

        Querying for type SOA at the name will prevent named caching
        negative responses and still allow existance tests to be
        made.  nsupdate makes SOA queries to workout which zone
        needs to be updated and to also determine which server to
        send the updates to.  We realised a long time ago that we
        needed to have a way to find the containing zone that didn't
        result in caches being filled with the side effects of that
        discover mechanism.

        Named, by default, sets the ttl to zero on negative responses
        to SOA queries.

> 3) I've gone so far as to remove the root hint zone from our auth-only 
> boxes, again out of paranoia ("recursion no" does the trick, this is 
> just an extra bit of insurance against someone flipping that bit due to 
> a lack of understanding of the architecture). There is one third party 
> we have to use an 'also-notify' by IP address in this case for their zone.

        Authoritative only servers need hints so that NOTIFY will
        work in the general case.  Eventually, they will also need
        them so we can get rid of IP addresses in masters clauses
        on slave/stub zones.  This will help reduce the costs in
        renumbering.

> Mike

        Mark