Hi All:
I am looking for some possible recommendations on the handling of our internal DNS services. First some background...
Until recently our entire network was located within a single facility with internal DNS services provided by our CentOS 4.7 (using BIND). While I had problems with DHCP/DNS communications it was basically working.
At the beginning of the month we moved the production servers (a couple of RHEL5.3 boxes with a Windows 2008 server) to a new facility connected to the old facility via a VPN. We are still running with our DevSys as the DNS server but I would like to make the two locations at least partially independent. I have been doing some research (probably enough to be really dangerous to myself<g>) and it looks like I need to set up a master/slave setup.
Here are my questions...
1. Is the BIND master/slave the appropriate approach?
2. Can I have each subnet be a master for itself and a slave for the other subnet?
3. Any pointers to applicable docs/examples?
4. Can you recommend a "front end" for BIND (we have webmin installed but I have yet to start working with it)?
Any and all thoughts, suggestions, criticisms gladly accepted.
TIA
Regards, Hugh
-- Hugh E Cruickshank, Forward Software, www.forward-software.com
On Friday 14 August 2009 17:17, Hugh E Cruickshank wrote:
Here are my questions...
- Is the BIND master/slave the appropriate approach?
Yes, you should already have something like this in case the main/master server would fail.
- Can I have each subnet be a master for itself and a slave for the other subnet?
DNS is about domains not subnets. If each subnet was going to have its own domain then the answer could be 'yes'.
- Any pointers to applicable docs/examples?
The ones that ship with the Bind package are good from what I understand. I have not looked at them so I cannot say one way or the other. If you are looking for a good book on the subject I would highly recommend O'Reilly's DNS and BIND 5th edition.
- Can you recommend a "front end" for BIND (we have webmin installed but I have yet to start working with it)?
How large is this domain and how many domains are there going to be? Is the DNS server going to be updated automatically or by hand?
From: Robert Spangler Sent: August 14, 2009 16:18
On Friday 14 August 2009 17:17, Hugh E Cruickshank wrote:
Here are my questions...
- Is the BIND master/slave the appropriate approach?
Yes, you should already have something like this in case the main/master server would fail.
I did have two independent DNS servers. One on our primary development server and one on our old production server. We have replaced the old production server but have not pulled it from service yet. I am now in the process of ensuring that all functionality of the old server has been migrated to either the new production servers or some place else. My current efforts on revising our internal DNS service are part of this review process.
- Can I have each subnet be a master for itself and a slave for the other subnet?
DNS is about domains not subnets. If each subnet was going to have its own domain then the answer could be 'yes'.
My bad! In my own mind I have been treating the two locations as domains while they are in fact only subnets. It should not take too much effort to translate my thinking to fact.
- Any pointers to applicable docs/examples?
The ones that ship with the Bind package are good from what I understand. I have not looked at them so I cannot say one way or the other. If you are looking for a good book on the subject I would highly recommend O'Reilly's DNS and BIND 5th edition.
As soon as I saw your book recommendation there was the sound of a loud "AARRRGGGGHHHH!!!!!" followed closely by some mutterings that sounded much like "I have that book! Why did I not think of it in the first place! Now where frack did I put it?". Of course knowing me by the time I find it I will have forgotten why I was looking for it (and it will be an old edition to boot).
- Can you recommend a "front end" for BIND (we have webmin installed but I have yet to start working with it)?
How large is this domain and how many domains are there going to be? Is the DNS server going to be updated automatically or by hand?
It is not large, probably less than 50 devices in total. The only automatic updating that I can foresee would be from the DHCP server. The only reason I asked about this was that I was thinking that it might be easier to administer and ensure valid BIND config files.
Thanks for your input.
Regards, Hugh
On Friday 14 August 2009 21:29, Hugh E Cruickshank wrote:
From: Robert Spangler Sent: August 14, 2009 16:18
On Friday 14 August 2009 17:17, Hugh E Cruickshank wrote:
Here are my questions...
- Is the BIND master/slave the appropriate approach?
Yes, you should already have something like this in case the main/master server would fail.
I did have two independent DNS servers. One on our primary development server and one on our old production server. We have replaced the old production server but have not pulled it from service yet. I am now in the process of ensuring that all functionality of the old server has been migrated to either the new production servers or some place else. My current efforts on revising our internal DNS service are part of this review process.
I would suggest placing one on each site. That way you can cut the traffic between sites for DNS lookups. I would also ensure that only one does the updates per domain.
- Can I have each subnet be a master for itself and a slave for the other subnet?
DNS is about domains not subnets. If each subnet was going to have its own domain then the answer could be 'yes'.
My bad! In my own mind I have been treating the two locations as domains while they are in fact only subnets. It should not take too much effort to translate my thinking to fact.
The reason I asked is you should not have a shared domain that can be updated by more than one master. You risk losing data or valid data being overwritten.
- Any pointers to applicable docs/examples?
The ones that ship with the Bind package are good from what I understand. I have not looked at them so I cannot say one way or the other. If you are looking for a good book on the subject I would highly recommend O'Reilly's DNS and BIND 5th edition.
As soon as I saw your book recommendation there was the sound of a loud "AARRRGGGGHHHH!!!!!" followed closely by some mutterings that sounded much like "I have that book! Why did I not think of it in the first place! Now where frack did I put it?". Of course knowing me by the time I find it I will have forgotten why I was looking for it (and it will be an old edition to boot).
Been there and done that. I now have a book shelf where I keep all my books and manuals.
- Can you recommend a "front end" for BIND (we have webmin installed but I have yet to start working with it)?
How large is this domain and how many domains are there going to be? Is the DNS server going to be updated automatically or by hand?
It is not large, probably less than 50 devices in total. The only automatic updating that I can foresee would be from the DHCP server. The only reason I asked about this was that I was thinking that it might be easier to administer and ensure valid BIND config files.
If you are worried about valid config then you should be using the tools that come with Bind instead of relying on some third party software.
named-checkconf for checking the configuration of Bind
named-checkzone for checking the zone file.
There are man pages for both that explain how to use them.
Thanks for your input.
You are welcome.
From: Robert Spangler Sent: August 14, 2009 19:22
I would suggest placing one on each site. That way you can cut the traffic between sites for DNS lookups. I would also ensure that only one does the updates per domain.
That makes sense and is essentially what I was planning to do.
The reason I asked is you should not have a shared domain that can be updated by more than one master. You risk losing data or valid data being overwritten.
Again makes sense. So my idea of setting up the two sites as two domains would then be the logical extension of this.
Been there and done that. I now have a book shelf where I keep all my books and manuals.
Well.... I already have four book shelves, two four-drawer filing cabinets, two large desks, a work table and about a dozen storage boxes. Of course let's not forget about the 5 PCs waiting to prep, 3-4 that have been pulled from service but are still functional, another bunch that I have been scavenging for spare parts, actual new spare parts, tools, and a bunch of shipping boxes that I really should break down and put in the recycling bins. Just think of me as a packrat with OCD (Obsessive Compulsive Disorder).
The book is here somewhere but I am just not sure where. I guess it is time for spring cleaning.
If you are worried about valid config then you should be using the tools that come with Bind instead of relying on some third party software.
named-checkconf for checking the configuration of Bind
named-checkzone for checking the zone file.
There are man pages for both that explain how to use them.
I will check those out but what about the ease of use factor. Would you suggest something like webmin over hand-tailoring the config files?
TIA
Regards, Hugh
Hugh:
I will check those out but what about the ease of use factor. Would you suggest something like webmin over hand-tailoring the config files?
I use Webmin for managing DNS. It is a great tool and makes life much easier.
Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask about our geographically redundant database system.
On Friday 14 August 2009 23:31, Hugh E Cruickshank wrote:
If you are worried about valid config then you should be using the tools that come with Bind instead of relying on some third party software.
named-checkconf for checking the configuration of Bind
named-checkzone for checking the zone file.
There are man pages for both that explain how to use them.
I will check those out but what about the ease of use factor. Would you suggest something like webmin over hand-tailoring the config files?
'Ease of use' is subjective. I find them very easy to use and the man pages should be able to direct you.
As to would I suggest a program, I prefer to do things by hand when it comes to DNS. The reason for this is so that I understand the internal workings and how things are setup. I am able to log into a server and look at the config files and understand how this server is working. Should the front end program be programmed with an unforeseen bug, I am still able to fix what the program has broken and keep my services up and running until the bug is fixed.
I am the DNS support person for my company's global DNS infrastructure. The company I work for uses Men & Mice as its front end and I am thankful for this. The amount of DNS changes done daily is staggering and this tool helps a lot. I do not have experience with other DNS front ends.
If I were supporting a small DNS setup (a handful of domains whose records do not change often) I think I would prefer to do this by hand.
I recommend a highly secured master that is not queried by any clients (preferably in a network/vlan your clients can't even access)... then configure one-way zone transfers to 2 or more slave servers which you configure your clients to point to. Maintain your zone files in rcs of some sort... For IP control/delegation and DNS control/delegation I recommend IP Plan.
Of course bind is the 800lb gorilla in the DNS world... don't even think about putting DNS on windows.
I don't recommend any front ends being that a few hours well spent reading the docs and man pages will make you a dns expert in no time. Bind is very easy to learn and shouldn't take longer than an afternoon at best.
On Fri, Aug 14, 2009 at 4:17 PM, Hugh E Cruickshank <hugh@forsoft.com> wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
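The hidden ("shadow") master layout Chuck describes, checked with the tools Robert names, as an added example that is not from any poster in this thread. Everything here is constructed: the zone example.internal, the master at 192.0.2.10, slaves at 192.0.2.53 and 198.51.100.53, and the TSIG key names; it assumes BIND 9.4 or later for hmac-sha256 (older builds would need hmac-md5).

```conf
// Added example (not from the thread): hidden master, one-way transfers to
// two slaves, clients point only at the slaves. All names/addresses are
// constructed placeholders.

// --- on the hidden master (192.0.2.10), /etc/named.conf ---
key "xfer-key" {                      // TSIG key shared with the two slaves
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate with dnssec-keygen, never commit to RCS
};
key "dhcp-update-key" {               // TSIG key the DHCP server signs its updates with
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

options {
    directory "/var/named";
    allow-query { localhost; };       // clients never query the master directly
    allow-transfer { none; };         // default deny; each zone opens it up explicitly
    recursion no;                     // authoritative only
    notify yes;
    also-notify { 192.0.2.53; 198.51.100.53; };   // the slaves, since the NS records don't name this host
};

zone "example.internal" {
    type master;
    file "master/example.internal.zone";
    allow-transfer { key "xfer-key"; };       // only TSIG-signed AXFR/IXFR requests
    allow-update { key "dhcp-update-key"; };  // the single sanctioned source of dynamic updates
};

// --- on each slave (192.0.2.53 and 198.51.100.53), /etc/named.conf ---
key "xfer-key" { algorithm hmac-sha256; secret "SAME-SECRET-AS-MASTER"; };
server 192.0.2.10 { keys { "xfer-key"; }; };  // sign transfer requests to the master

options {
    directory "/var/named";
    allow-query { 192.0.2.0/24; 198.51.100.0/24; };  // the two site subnets
    allow-transfer { none; };                        // slaves do not re-serve the zone
    recursion no;
};

zone "example.internal" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/example.internal.zone";
    // no allow-update here: a slave must never accept updates for a shared zone
};

// Validate before reloading, on each host:
//   named-checkconf /etc/named.conf
//   named-checkzone example.internal /var/named/master/example.internal.zone
```

Putting the site's own slave first in each client's resolver list keeps lookups local when the VPN is down, while every record change still flows through the one master.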
Chuck wrote:
I recommend a highly secured master that is not queried by any clients (preferably in a network/vlan your clients can't even access)... then configure one-way zone transfers to 2 or more slave servers which you configure your clients to point to. Maintain your zone files in rcs of some sort... For IP control/delegation and DNS control/delegation I recommend IP Plan.
Heh, the shadow master setup.
Of course bind is the 800lb gorilla in the DNS world... don't even think about putting DNS on windows.
ROTFL.
Yes, the 800 pound TURTLE. Old and slow.
I don't recommend any front ends being that a few hours well spent reading the docs and man pages will make you a dns expert in no time. Bind is very easy to learn and shouldn't take longer than an afternoon at best.
Too bad no one has made rpms for djbdns, daemontools and tools to manage tinydns data with a sql backend and a nice web frontend.
On Fri, Aug 14, 2009 at 4:17 PM, Hugh E Cruickshank <hugh@forsoft.com> wrote:
From: Chuck Sent: August 16, 2009 18:17
I recommend a highly secured master that is not queried by any clients (preferably in a network/vlan your clients can't even access)... then configure one-way zone transfers to 2 or more slave servers which you configure your clients to point to. Maintain your zone files in rcs of some sort...
While I can agree with your suggestion in principle I think that this might be overkill in our situation. We have a relatively small network (6-8 servers, 15-20 workstations and maybe a dozen other types of equipment). In our case I think we can get away with a master and a slave DNS server running on existing servers.
For IP control/delegation and DNS control/delegation I recommend IP Plan.
I had stumbled across this before but I will have a better look at it.
Of course bind is the 800lb gorilla in the DNS world... don't even think about putting DNS on windows.
We are primarily a UNIX/Linux shop and I prefer not to use windows for such services unless I absolutely must. There are services that we require that only run on windows so we do have windows servers in our mix.
I don't recommend any front ends being that a few hours well spent reading the docs and man pages will make you a dns expert in no time. Bind is very easy to learn and shouldn't take longer than an afternoon at best.
I think I am going to have to disagree with you here. I have been using BIND for several years. While I have spent many hours reading docs and man pages I definitely would not classify myself as a DNS expert. I know that I am of above average intelligence and maybe I just have a "blind spot" when it comes to BIND (and it has been known to happen) but I just do not find it as straightforward to learn as you have. Then again I am getting "on in years" so that may be a contributing factor as well.
Anyway, thank you very much for your comments and suggestions. They are appreciated.
Regards, Hugh
From: Hugh E Cruickshank Sent: August 14, 2009 14:18
I am looking for some possible recommendations on the handling of our internal DNS services. First some background...
I would like to express my appreciation to all those that responded to my request (particularly Robert). I do not have a solution yet but I do have a lot of information to review and digest.
Thanks again to all.
Regards, Hugh
You could get really simple if you're a small shop and just use dnsmasq. Although, I'm not sure it meets all of your needs.
Matt
-- Mathew S. McCarrell Clarkson University '10
mccarrms@gmail.com mccarrms@clarkson.edu 1-518-314-9214
On Thu, Aug 20, 2009 at 2:39 PM, Hugh E Cruickshank <hugh@forsoft.com> wrote: