Saturday, January 29, 2011

Can a BIND server be a non BIND master DNS server?

If I have a master DNS that is not BIND, can BIND still slave to it? (i.e. does it use the DNS protocol or something else?)

Kind of related, but do people still do this, or do they use some other form of data replication to keep DNS records in sync to the slaves (i.e. file/database copying)? I would like to have the slaves refreshed as fast as possible, so I am thinking normal slaving, which is expiry/poll based, might not be optimal?

  • You're looking for DNS zone transfers. This mechanism copies DNS zones between DNS servers as either a complete transfer, or an incremental transfer of updated records (to save bandwidth and reduce update latency). DNS NOTIFY allows the master server to inform secondaries that updates are available. With NOTIFY, polling isn't necessary.

    Virtually every DNS server implementation supports zone transfers. BIND will happily act as a secondary DNS server for any primary DNS server that can supply it with transfers of the DNS zone data.

    Michael Neale : hmm... also looking at djbdns - I suppose it would as well.
    Michael Graff : I thought djb said rsync is the one method, and AXFR/IXFR isn't written for that.
    chris : You use axfrdns in the djbdns suite to perform zone transfers or otherwise answer DNS requests over TCP.
  • You should consider using djbdns (http://cr.yp.to/djbdns.html). It is one of the most secure and stable DNS servers available. It uses a local db file that can easily be synced using SCP. This is generally considered preferred over zone transfers for security purposes (zone transfers are sent in plain text). The install can be a little difficult for beginners to compiling software, but it is well worth it. Also there is a very nice web front end that has been developed for it: http://vegadns.sourceforge.net/

    Evan Anderson : The records in my Internet-facing DNS servers, at least, are supposed to be public knowledge. DNS queries are, after all, sent in plain text. IPSEC sounds like a smarter answer to me than using application-level tunneling for each and every protocol...
    einstiien : Some of your DNS records you may not want to be public knowledge. If you read most penetration test/security books one of the first investigating steps is to attempt a zone transfer to find potential targets. Obviously you can block zone transfers by IP but I'd rather not let this info get out.
    Michael Neale : thanks yes, someone else recommended that. I have zone files, and found a script to convert them to djbdns format: http://qmail.jms1.net/djbdns/
    Evan Anderson : I'm well aware of the ol' "do a zone transfer to find potential targets", and my response to that would be "don't put those records in a public DNS server, then". DNS queries are plain-text. If you *ever* query for these "secret records" then they're not "secret" anymore. Hiding secrets in plain sight is silly. Assume your attacker can monitor all your DNS queries and responses.
    einstiien : You're right, generally speaking if someone has a strong desire to obtain a bit of information they will find out how to, but I prefer to make it as difficult as I can; security is about layers and usually the more you add the better off you are. It's like putting those cheap locks on a suitcase: it's not going to prevent someone from getting in, it just makes it that much more difficult. It's the same reason why I am a non-default port kind of person (i.e. running ssh on something other than 22).
    chris : The published data is public, but I don't want my DNS "slave" servers to get updates from a spoofed address. That trust issue is avoided if I use ssh/rsync to synchronize the DNS data between my DNS servers.
    einstiien : Thanks Chris, another security point I forgot to mention.
    Evan Anderson : Like I said, IPSEC... I don't want any of my applications to get data from spoofed source addresses, and I don't want to have to mess around with layer 7 tunnels for every single app.
    bortzmeyer : -1 for unsubstantiated claim (that AXFR cannot be secured).
    Michael Neale : I like the look of djbdns, but find it annoying it doesn't support "zone files" out of the box (scripts exist, and its file format is fine, but sheesh, it's a bit tiresome to have something else to get right).
    From einstiien
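The configuration below is an added example; it is not code from any of the posters, nor from the BIND or djbdns projects. It puts together what the first answer describes (a BIND secondary pulling the zone by AXFR/IXFR and refreshing on NOTIFY instead of waiting for the SOA refresh timer) with the point argued in the comments under the second answer: zone transfers and NOTIFY messages can be authenticated with a TSIG key (RFC 2845), so a spoofed source address can neither push a NOTIFY to the secondary nor pull the zone from the primary. The zone name example.com, the addresses 192.0.2.1 / 192.0.2.2, the key name xfer-key and the key secret are all assumptions constructed for the example. The primary side is shown as BIND only for illustration; as the question asks, the primary need not be BIND, and any server that implements AXFR/IXFR with TSIG takes the same key name, algorithm and base64 secret.

```conf
// Added example, not from the original thread. All names, addresses and
// the key material are constructed for illustration.
// Generate a real secret with:  tsig-keygen xfer-key
// (older BIND releases: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key)

// ---------------- primary (shown as BIND for illustration) ----------------
key "xfer-key" {
    algorithm hmac-sha256;
    // Constructed sample secret, not a real key: replace with tsig-keygen output.
    secret "b2J2aW91c2x5LW5vdC1hLXJlYWwtc2VjcmV0LWtleSE=";
};

options {
    // Refuse transfers globally; grant them per zone, per key, below.
    allow-transfer { none; };
    // Send NOTIFY on every zone change so secondaries pull at once instead
    // of waiting for the SOA refresh interval to elapse.
    notify yes;
};

zone "example.com" {
    type master;                       // "type primary" on BIND 9.16+
    file "/etc/bind/zones/db.example.com";
    // Only a requester that signs with the key may transfer the zone.
    // A bare address list here would be satisfied by a spoofed source.
    allow-transfer { key "xfer-key"; };
    // NOTIFY targets beyond the zone's NS records (e.g. a hidden secondary).
    also-notify { 192.0.2.2; };
};

// ---------------- secondary (BIND) ----------------
key "xfer-key" {
    algorithm hmac-sha256;
    secret "b2J2aW91c2x5LW5vdC1hLXJlYWwtc2VjcmV0LWtleSE=";   // same constructed sample
};

// Sign every message sent to the primary: SOA serial checks, IXFR and AXFR requests.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;                        // "type secondary" on BIND 9.16+
    file "/var/cache/bind/db.example.com";
    masters { 192.0.2.1; };            // "primaries" on BIND 9.16+
    // Act on NOTIFY only when it is signed with the shared key; an unsigned
    // NOTIFY from any address is dropped.
    allow-notify { key "xfer-key"; };
    // This server only serves the zone; it never hands it on to third parties.
    allow-transfer { none; };
};
```

Two caveats follow from the thread. TSIG authenticates and integrity-protects the transfer, but it does not encrypt it, so the plaintext point made under the second answer still holds; the records crossing the wire are the same ones the public resolvers will query for. Second, IXFR is only used when the primary supports it and has the change history; otherwise the secondary falls back to AXFR, which the configuration above permits equally.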
