[AusNOG] DNS design (was Re: Botnet??)

Dobbins, Roland rdobbins at arbor.net
Sun Jul 29 14:21:48 EST 2012


On Jul 29, 2012, at 10:23 AM, Paul Gear wrote:

> *   What is the significance of primary and secondary in that diagram?  I thought BIND 8+ had done away with all that, and there were just masters and slaves.  Is it a role only locally significant on that site, like the anycast loopbacks?

Yes, and in endpoint resolver configuration, round-robin answering of SOA/NS queries, and so forth.  

> *   What is the purpose of the external resolvers?

To serve and cache the answers to authoritative queries from outside one's own network.

>  Wouldn't their purpose be just as easily fulfilled by the zone slaves?

It's best to have zone slaves which don't directly answer queries from endpoints beyond one's own span of administrative control.

> *   What do the hidden masters and zone slaves use for external resolution?  The internal resolvers?

The caching-only resolvers.

>   *   What's the purpose of the aggregate caching-only forwarders?  Is it merely a scale issue that dictates their use instead of a direct relationship between the caching-only forwarders and the internal resolvers?

Correct, and also as a convenient centralized point for any filtering or policy instantiation.  Some folks skip this tier.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton



