[NTLUG:Discuss] "Back up dns server"?
Leroy Tennison
leroy_tennison at prodigy.net
Tue Dec 4 23:26:54 CST 2007
m m wrote:
>
>
>
>> From: sysmail at glade.net
>> To: discuss at ntlug.org
>> Subject: Re: [NTLUG:Discuss] "Back up dns server"?
>>
>> On Tue, Dec 04, 2007 at 07:49:53PM +0000, m m wrote:
>>> All:
>>>
>>> We all know that we need to have two DNS servers for a domain. Usually, these two DNS servers have the same A records for a domain. All of these settings are preventing the web site (mail...) failure.
>>>
>>> Based on the concept above, I think we should be able to set the 2nd DNS server to a different IP with the same domain name as the primary DNS server. In this case, there is a need to run 2 servers with the same domain but different IPs.
>>
>> Not a problem, one dns server at 1.2.3.4 and another at 4.5.6.7, both named dns.mydomain.com - but also not giving any redundancy.
>>
>>> Why is doing this? When one of the IPs is not available, another one will still be available.
>>>
>>> Please note, this is not a web farm issue. I think this will be to fix an IP (or firewall) "broken" issue.
>>
>> Firewall issues? Can you amplify on that? Seems like that would be different from DNS, unless there is NAT or something that you need to play tricks with.
>
> Sorry for the confusion. What I mean is when the file setting is messed up, the request packets cannot get to your server. For example:
> you have web site AAA.com with IP 1.2.3.4 on server BOX1, and your DNS server has been set up correctly. Your server BOX1 is behind a firewall, and your firewall knows to send the traffic for IP 1.2.3.4 to BOX1. Everything at this point is good.
>
> One day, something happens on your firewall (device): it is dead and doesn't route the request packets to 1.2.3.4. This is what I mean by firewall broken.
> How do you keep your AAA.com site still live at this point?
>
> If we have the "other" DNS server "say" AAA.com has another IP, 1.2.3.5, that will solve the problem, right?
> This is my question:
> can we have one DNS server say AAA.com's IP is 1.2.3.4 and
> another DNS server say AAA.com's IP is 1.2.3.5?
>
>> An interesting point is the DNS servers referenced by name in whois actually have no firm tie to the name servers that actually serve your domain. Whois and DNS are not connected. Whois does not need to have valid name servers listed for your DNS to work without trouble - but you certainly should try to keep whois current for your domain.
>>
>> To find xyz.com, a DNS client will first ask one of the root servers, taken for granted from the client's 'hints' file, for who has authority for '.com'. Then the client will ask one of those servers who has authority for 'xyz.com'. Then, the client will ask one of those servers for the 'A' record (or whatever you are looking for). The process will continue if the authority is further delegated.
>>
>> Anyway, thought I would offer that - corrections welcome. Did I get that process right?
> I know this, but this is kind of my point.
>
>> Regards,
>>
>> Carl
>>
>>> Am I right? Any company doing such a "back up DNS server"?
>>>
>>> Thanks.
>>
>> --
>> =================================================================
>> Carl Haddick
>> sysmail at glade.net
>> PO Box 1586
>> Mexia, TX 76667 Remember, Murphy was an optimist.
>> =================================================================
I've seen several replies but I haven't seen a good solution, and I don't
even know if there is a good one. Here are the issues I see.
"one dns server at 1.2.3.4 and another at 4.5.6.7"
If they have the same DNS name or even alias, how do you determine which
one is used when? A DNS server is going to locate one record first and,
assuming they are not DNS round-robin (discussed next), supply that as
its answer. I suspect (but don't know) that the answer to "which one
is found first" may be a combination of the way a particular DNS
software implementation is written along with how the entries were
created. There is no guarantee that, if one of the DNS servers is
down, the "live" entry is what will be provided to a client request.
"BOX1 is behind firewall"
If at all possible, remove as many points of failure between you and the
client. If the DNS server could have a static (or rarely changing)
database so that it could run off a CD-ROM then dedicate a machine to it
and remove the firewall device (run a software firewall on the host if
desired). This still doesn't deal with the fundamental issue.
"DNS round-robin"
Maybe I'm overly cynical but "DNS round-robin" sounds like an alias for
"Russian roulette" to me. This technology is good for load balancing
but not so great for redundancy. If you have 'n' DNS servers in a round
robin and one of them fails then one out of 'n' DNS replies to a client
will be for the failed server and the client won't get resolution. If
the client retries (assuming it didn't cache the bad entry, etc.) then
maybe the next effort will be successful (particularly if 'n' is large
but that means multiplied cost) but will the client try again? This
also produces intermittent failure which could be more difficult to spot
or troubleshoot.
Clustering could solve some of the problem (if everything in the path is
redundant) but it doesn't solve the "site (or link) went down" problem.
The ideal solution would be to have two geographically separated (and
presumably connectivity separated as well) servers providing the same
service.
A solution (but I don't know enough about how referrals work to know if
it is applicable, anybody really good with DNS who can answer this
question? - I'm not) may be at the DNS server lookup level. DNS servers
are supposed to be able to handle recursion for clients. A client asks
for server1.web.dept.company.com. The DNS server doing the recursion
(assuming it isn't authoritative for web.dept.company.com) looks for
servers that are authoritative for ".com" and gets a list (or has a
configured list). It asks one of these servers for
web.dept.company.com, what happens if that server isn't available? Does
it check the next one? This isn't really DNS round robin if I
understand that correctly because I thought that technology only
referred to resolution of the actual DNS name (not intermediate DNS
servers along the way when trying to find the name). If this works then
you don't need DNS servers with the same name or alias. Both servers
are authoritative for the domain and should be supplied in a referral.
If referrals are checked until one replies then there's no problem.
This is a question I've been pondering off and on for some time and, if
there is an answer, I'd really like to know.
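As an added example (not code from the thread or from anyone in it), the following Python model walks through the two mechanisms discussed above: the referral chain Carl described (root, then .com, then the domain's own servers) with a resolver that, when one server in an NS set does not respond, tries the next one, which is the behaviour RFC 1034 section 5.3.3 prescribes; and a round-robin A RRset with one dead address, queried by a client that only tries the first address and by one that walks the whole list. Every name, address (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), delegation and "down" set is constructed for the illustration.

```python
"""Toy model of iterative DNS resolution and round-robin A records.

Added example, not code from the NTLUG thread. Every name, address and
delegation below is constructed; addresses come from the documentation
ranges 192.0.2.0/24 and 198.51.100.0/24.
"""
import random

# Which zone each (constructed) server address serves. Two NS addresses
# per zone below the root, so the delegation itself is redundant.
SERVERS = {
    "192.0.2.1": ".",
    "192.0.2.10": "com.",
    "192.0.2.11": "com.",
    "192.0.2.53": "company.com.",
    "198.51.100.53": "company.com.",
}

# Zone contents: delegations (child zone -> NS addresses; real referrals
# carry NS names plus glue, flattened here) and authoritative RRsets.
# www.company.com. is a two-address round-robin A RRset.
ZONES = {
    ".": {"delegations": {"com.": ["192.0.2.10", "192.0.2.11"]}, "rrsets": {}},
    "com.": {"delegations": {"company.com.": ["192.0.2.53", "198.51.100.53"]},
             "rrsets": {}},
    "company.com.": {"delegations": {},
                     "rrsets": {"www.company.com.": ["192.0.2.80", "198.51.100.80"]}},
}


def in_zone(qname, zone):
    """Label-boundary aware 'qname is at or below zone' test."""
    return qname == zone or qname.endswith("." + zone)


def query(server_ip, qname, down):
    """One simulated query. None models a timeout (the server or the path
    to it is down); otherwise a (kind, data) tuple like a real response."""
    if server_ip in down:
        return None
    zone = ZONES[SERVERS[server_ip]]
    if qname in zone["rrsets"]:
        return ("answer", list(zone["rrsets"][qname]))
    for child, ns_ips in zone["delegations"].items():
        if in_zone(qname, child):
            return ("referral", list(ns_ips))
    return ("nxdomain", [])


def resolve(qname, down=frozenset(), hints=("192.0.2.1",), max_hops=10):
    """Iterative resolution as RFC 1034 section 5.3.3 describes it: at each
    step try the servers of the current NS set until one responds, then
    follow the referral. Returns (addresses, log of servers contacted)."""
    candidates = list(hints)
    log = []
    for _ in range(max_hops):
        reply = None
        for ip in candidates:
            reply = query(ip, qname, down)
            if reply is None:
                log.append(f"{ip}: timeout, trying next server")
                continue
            log.append(f"{ip}: {reply[0]}")
            break
        if reply is None:
            raise RuntimeError("SERVFAIL: no server in %s answered" % candidates)
        kind, data = reply
        if kind == "answer":
            return data, log
        if kind == "nxdomain":
            raise LookupError(qname)
        candidates = data          # follow the referral to the child's NS set
    raise RuntimeError("too many referrals")


def connect(addr, down):
    """TCP connect stand-in: succeeds unless the address is unreachable."""
    return addr not in down


def first_address_client(qname, down, rng):
    """Connects only to the first address of the (rotated) answer. With one
    of n addresses dead this fails about 1/n of the time."""
    addrs, _ = resolve(qname, down)
    rng.shuffle(addrs)             # models the server rotating the RRset
    return connect(addrs[0], down)


def try_each_address_client(qname, down, rng):
    """Walks the whole address list (the getaddrinfo loop most network
    libraries implement), so one dead address costs a retry, not a failure."""
    addrs, _ = resolve(qname, down)
    rng.shuffle(addrs)
    return any(connect(a, down) for a in addrs)


def failure_rate(client, qname, down, trials=1000, seed=1):
    """Fraction of connection attempts that fail for a given client."""
    rng = random.Random(seed)
    return sum(not client(qname, down, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Constructed outage: one NS address and one web address behind the dead firewall.
    dead = {"192.0.2.53", "192.0.2.80"}
    addrs, log = resolve("www.company.com.", dead)
    print("\n".join(log), "\nanswer:", addrs)
    print("first-address client failure rate:",
          failure_rate(first_address_client, "www.company.com.", dead))
    print("try-each-address client failure rate:",
          failure_rate(try_each_address_client, "www.company.com.", dead))
```

Two things the model makes visible. With ns1.company.com's address in the dead set, the lookup still succeeds: the resolver logs a timeout for 192.0.2.53 and gets its answer from 198.51.100.53, so two NS records at separately routed addresses is the redundancy mechanism; only when every NS address is unreachable does the lookup end in SERVFAIL. Production resolvers (BIND, Unbound) also keep per-server RTT and "unresponsive" state, so the timeout is paid once and later queries go straight to the server that answers. For the A RRset, the 1-in-n failure described above is a property of the client, not the zone: a client that tries only the first address fails about half the time with one of two addresses dead, while a client that walks the returned list never fails, which is the distinction to check in the application before relying on round-robin for availability.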