Setting up a silent DNS master server
Recently, I have begun the process of moving my domains from the DNS servers at my previous employer. They have allowed me to continue hosting my domains there as I still send them a spam feed of unknown addresses from my various domains. Yes spammers, keep that mail coming. Its only doing you good, I promise 😉
The main reason for the change is that the former employer is locking down the admin access to a standard that as a non-employee, I can no longer get to the admin interface. That’s fine, very understandable. So its time to make a change and I decided to go the route of a silent master.
DNS Overview
If you don’t know what DNS is, then I highly recommend reading the wikipedia aricle. The short definition of what DNS is supposed to do is that for every name that is out there on the internet, there is a corresponding IP address. As an example, if you attempt to look up one of my domains usrlocal.com, you will find the IP address of 66.18.16.207.
What is a Silent Master server?
The way that our DNS system works is that for every domain out there, there are a set of servers that will answer for that domain authoritatively. If you have registered your domain at some of the big regisrars, they will often throw in DNS hosting for free or a very nominal fee. Depending on who your ISP is, they will often allow you to host your domains for pretty cheap as well. The idea of a silent master is that there is a server that you control that is _not_ listed in the authoritative DNS servers for your domain. What happens is that you set the servers that are going to answer authoritatively for your domain to load your domain as a secondary zone. The theory is that you can have a lower powered server that is protected from the outside world doing the updates on your domain while the rest of the world hits your authoritative DNS servers.
Why would you do this?
There are really two reasons why you would want something like this:
-
Control over your domain – It could be that your DNS provider doesn’t have a very nice interface for controlling your domain or doesn’t allow you to control it directly. It may be that you have to open a support ticket for each update.
-
Save on internet traffic – Basically, I don’t want all of that traffic hitting the lowly DNS server that I have. I would rather them hit the DNS servers at my ISP and pound on those bad boys. They can take it, they’re beefy for a reason.
Technical Details
So here is how you setup your DNS zone to work appropriately. I’m going to use BIND in my example as that is one of the more popular DNS servers out there.
I have setup my server with the following configuration options. First I setup an ACL list of the servers that are allowed to pull information from my server. My example looks something like this:
11.22.33.123; // ns1.isphost.com
22.11.33.124; // ns2.isphost.com
33.11.22.125; // ns3.isphost.com
};
Now, I allow them to connect to the server and pull domains.
directory "/var/named";
allow-query { le_dns; };
allow_transfer { "le_dns"; };
recursion no;
};
Then each zone file is treated as you normally would if you were serving it up authoritatively.
{
type master;
file "usrlocal.com";
allow-update { none; };
};
Next, tell your authoritative DNS server to grab the zones as secondary zones. Depending on where you are hosting things, it may be a configuration that you need to put in place, something along the lines of this:
{
type slave;
file "usrlocal.com";
masters {11.11.11.22; 11.22.33.11};
};
Finally, update your registrar to point to your DNS servers that you have setup that are serving up the secondary zone. It may take 24-72 hours for the new information to propagate, but after that you should have the full control, and bandwidth savings of a silent DNS master server.