“In this howto we will install 2 bind dns servers, one as the master and the other as a slave server. For security reasons we will chroot bind9 in its own jail. Using two servers for a domain is a commonly used setup and in order to host your own domain you are required to have at least 2 domain servers. If one breaks, the other can continue to serve your domain.”
http://www.cymru.com/Documents/secure-bind-template.html — Secure BIND Template
I never really understood why it is required to have 2 DNS machines in order to host a domain? I get that it's a good idea to have a backup, but it's not like any other service requires redundancy.
Web servers and mail servers go down all the time, but there is no forced requirement for someone to have fail-safes for them.
For a lot of people, interrupted service isn’t life ending and being forced into setting up two machines just for DNS is a pain.
“I never really understood why it is required to have 2 DNS machines in order to host a domain?”
This requirement is registrar-dependent; some require it, others don't.
It’s a rather pointless requirement but some registrars are surprisingly clueless in the ways of how DNS *really* works.
“I get that it's a good idea to have a backup, but it's not like any other service requires redundancy.”
Indeed, unless your services are also redundant, being able to resolve names to servers that aren't responding doesn't do much good.
On a related note, it's interesting that the article chroots BIND for “security reasons” but fails to implement best practices and separate content service from recursive/resolver service.
Exactly! Does anyone actually have two anyway, I assumed everyone faked it same as me.
The theory is that your name server is the most important service you have. If it goes down then all servers and services offered on that domain become unreachable. If your mail server goes down, people can still use your web, ftp, ntp etc. servers.
In practice it isn't anywhere near as important these days, when most domains only host one unimportant service used by only a few people.
Another reason is that a remote computer will know that your services exist, even if they are down.
Imagine someone sending an email to you at one of your domain names. If your DNS is down then the sender email will immediately bounce back with an unknown recipient (no such domain). If you have a backup on another ISP or Internet connection, then the mail will stay in the sending mail server queue until the specified timeout period, typically 3 or 4 days. This way your system can accommodate downtime for services and the user will just know that the ‘host is down’, but will probably be back up soon. If there is no backup DNS then it's assumed that the ‘domain no longer exists’.
“If your DNS is down then the sender email will immediately bounce back with an unknown recipient (no such domain).”
No it won't; SMTP doesn't work like that. If your DNS servers are down the queries will time out and cause a *temporary* failure and the mail will be queued for further attempts later.
“If there is no backup DNS then it’s assumed that the ‘domain no longer exists’.”
“Domain no longer exist” is an entirely different error which will occur if your domain expires (thus usually ceasing to exist) or your registrar for some other reason removes it. It doesn’t occur just because your nameservers are down.
The article is actually pretty bad. They set up both DNS servers on the same subnet, which really is a bad practice and loses half the point of the master/slave setup.
To get the real benefit of a master/slave set up the master should be on your main subnet and the slave has to be on a completely different net, preferably in a different geographic location. This way if you lose the subnet with your master DNS and main servers you can use your (still accessible) slave DNS to redirect traffic to a still functioning subnet, thus minimizing downtime. If you don't have the need/option of setting up this kind of system then the master/slave setup is kind of pointless.
“The article is actually pretty bad.”
It doesn’t actually matter most of the time.
“To get the real benefit of a master/slave set up the master should be on your main subnet and the slave has to be on a completely different net preferably in a different geographic location.”
a) it has nothing to do with master/slave really.
b) having DNS servers on different networks is only beneficial if your critical services are also reachable when the network the “master” is on is unreachable, or you are providing DNS service for offsite clients.
There’s no point in resolving names to IP addresses that aren’t available.
Having multiple DNS servers, even on the same network, can still be beneficial for other reasons, like load balancing and failover.
Edited 2006-08-28 13:28
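An added example, not the article's configuration and not any commenter's, of what the two points raised above look like in BIND 9 named.conf: the authoritative master and slave refuse recursion and restrict zone transfers to each other (content service separated from resolver service), the slave sits on a different network, and recursion for internal clients is a separate instance. The zone name, addresses (RFC 5737 documentation ranges), and file paths are assumptions; the three fragments are three separate named.conf files shown in one block.

```conf
// ---- named.conf on the authoritative MASTER (assumed address 192.0.2.53) ----
options {
    directory "/var/named";            // path inside the chroot jail (assumed)
    recursion no;                      // content server only: never act as a resolver
    allow-query { any; };              // the world may ask for our zones
    allow-transfer { none; };          // global default: no zone transfers
    allow-update { none; };            // no dynamic updates
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { 198.51.100.53; }; // only the slave may AXFR/IXFR this zone
    also-notify { 198.51.100.53; };    // send NOTIFY to the slave when the SOA serial changes
    notify explicit;                   // notify only the listed hosts, not every NS record
};

// ---- named.conf on the authoritative SLAVE (assumed address 198.51.100.53,
//      on a different network / location so it survives loss of the master's subnet) ----
options {
    directory "/var/named";
    recursion no;                      // still a content server, still no resolver service
    allow-query { any; };
    allow-transfer { none; };          // the slave does not re-serve transfers to anyone
};

zone "example.com" {
    type slave;
    file "slave/example.com.zone";     // local copy keeps serving until the SOA expire timer
    masters { 192.0.2.53; };           // pull the zone from the master only
    allow-notify { 192.0.2.53; };      // accept NOTIFY only from the master
};

// ---- named.conf on a SEPARATE internal resolver (assumed address 192.0.2.2) ----
// Recursion lives here, reachable only from the internal network, so the
// public authoritative servers are never open recursive resolvers.
options {
    directory "/var/named";
    recursion yes;
    listen-on { 192.0.2.2; };          // internal interface only
    allow-query { 192.0.2.0/24; };     // internal clients only
    allow-recursion { 192.0.2.0/24; };
    allow-transfer { none; };          // a resolver has no zones to hand out
};
```

With `recursion no` on the two authoritative servers, a query for a name outside example.com returns REFUSED rather than being resolved on the client's behalf; `allow-transfer` limited to the slave's address keeps the zone contents from being dumped by arbitrary hosts.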
http://cr.yp.to/djbdns.html
The best choice