Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: split-brain DNS
From: Natchu Vishnu Priya <vishnu @ brahma . iitm . ernet . in>
Date: Tue, 2 Jul 1996 22:16:16 +0530 (IST)
To: Lack Mr G M <gml4410 @ ggr . co . uk>
Cc: Dan Shadix <shadixdl @ gccs . cpf . navy . mil>
In-reply-to: <9607011204 . ZM4779 @ ukwit01>

On Mon, 1 Jul 1996, Lack Mr G M wrote:

> > Why can't you make the one master DNS server secondary for all your internal
> > sub-domains?  Then if a request is for a domain for which it is authoritative,
> > it will just respond, if not then it will go to the Internet at large.
> 
>    Whereas this might work (ie. it sounds as though it will, but I haven't
> thought it through completely) this would leave me with the master server being
> authoritative for everything.
This will work...
> This would push the size of its database up from ca. 8000 to ca. 40000 entries
> (guessing here, but of that order).  I don't have the memory on the servers for
> such numbers.
> 
That's bad.  The point here is that since you are using a single machine 
to answer all of the firewall's queries it is likely to have a very, very 
large cache.  Any connection from the firewall to an internal machine 
will make a query to this machine.  If the TTL values are around a day 
(this is what they would be if you do not have a rather static DNS) then 
a large portion of the internal records are likely to be cached most of 
the time.  This machine will also cache all the outgoing queries.  
So you need memory for such numbers anyway...

>    Also, it strikes me as being against the "spirit" of DNS.  Relatively few
> queries go "between" domains, so I don't want this master server to spend a lot
> of its time doing zone queries for timestamps and frequent zone transfers just
> for these.  I just want to send the query off to the relevant server, just as
> in the "full" InterNET.
> 
>    A logical extension of your solution would be to get all of the root name
> servers to become secondaries for all domains, and I'm sure that we can agree
> that would be a disaster!
That would be a disaster... but no other solution seems to present 
itself... unless you are willing to patch BIND to do this.

_______________________________________________________
Vishnu Priya Natchu            System Administrator
225, Saraswathi,               Network Systems Lab,
IIT Madras 600 036             Computer Science & Engg.
INDIA                          IIT Madras
0091-044-235-1889              0091-044-235-1921
_______________________________________________________
Email:      vishnu @ brahma . iitm . ernet . in
WWW page:   http://brahma.iitm.ernet.in/~vishnu
_______________________________________________________
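The two arrangements the thread is weighing, written out as an added example in BIND 9 named.conf syntax. This is not from the original message, and BIND 9's forward zones and max-cache-size option postdate the BIND of 1996; the zone names, addresses, file paths and the cache limit are placeholders, not values from the thread.

```conf
// Added example, not from the original message: named.conf for the
// firewall's resolver.  example.com, the 10.0.0.0/8 addresses and the
// cache limit are assumptions.

options {
    directory "/var/named";
    recursion yes;
    // Only hosts inside the firewall may query or recurse through it;
    // a split-brain resolver must not answer for the outside world.
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    // Bound the cache so day-long TTLs on many internal records cannot
    // grow it without limit (the memory concern raised in the message).
    // When the limit is reached BIND purges older entries early.
    max-cache-size 64M;
};

// Arrangement 1 (the suggestion quoted at the top): the resolver is a
// secondary for every internal zone and answers them authoritatively.
// Costs a full copy of each zone in memory plus periodic SOA checks and
// zone transfers from the internal primary.
zone "eng.example.com" {
    type secondary;            // "type slave" in BIND 9 before 9.16
    primaries { 10.0.1.53; };  // "masters" in the same older versions
    file "sec/eng.example.com";
    allow-transfer { none; };  // this copy is for answering, not re-serving
};

// Arrangement 2 (what Mr Lack asks for): keep no copy of the zone; send
// queries for that domain straight to its own servers and cache only the
// answers that actually come back.
zone "sales.example.com" {
    type forward;
    forward only;              // never fall back to recursing from the roots
    forwarders { 10.0.2.53; };
};

// Everything else is resolved against the Internet root servers as usual.
zone "." {
    type hint;
    file "named.ca";
};
```

A secondary zone costs a full copy of the zone plus SOA polling and transfers; a forward zone holds only what the cache retains, so its footprint follows query traffic and TTLs rather than zone size, which is the trade-off both correspondents describe. The `max-cache-size` option caps the cache the message warns about; without it, a resolver fronting a large internal namespace with day-long TTLs will hold most of those records most of the time, exactly as the message says.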


