One for Changeip.com
Posted: Sat Jul 14, 2007 1:19 am
by csickles
So I have one for you...
I want to use a 532 as a "DNS proxy", i.e.:
NS0 = 2003 server with BIND 9.4.1 (Auth. for all zones) (No Recursion)
NS1, NS2 = RouterOS 3.10B10 with DNS pointing at NS0 with allow remote = on
Can I point my domain registrations at NS1 and NS2..
All zones forward and reverse resolve properly, but they will reply as "NON AUTH"...
Is this an issue with email servers etc....
The goal is to cache dns records, provide redundancy, hide the "master" and GREATLY reduce costs...
Craig
Re: One for Changeip.com
Posted: Sun Jul 15, 2007 9:24 pm
by icemanZ
Hi,
No matter what DNS you use, if the dns zone files are not loaded directly from that software, it will always say it is non-auth. That is because it had to go to another DNS to get the zone information.
Does it really matter if it answers non-auth? As long as the requesters get the information, everything will still work.
Regards,
Robert Macri
Re: One for Changeip.com
Posted: Sun Jul 15, 2007 9:37 pm
by csickles
I am trying to ensure that email will flow.
I don't want anti "whatever" systems to puke up the DNS answers and a spoof enf not forward my outbound mail, or have my server end up on a black list due to "questionable" dns records / responses...
Here is the "rub"... according to "bind9.4.1".. "secondary" servers will reply as Auth servers for a given domain as long as they show that they are in sync with the "primary"...
I don't want to have to use bind servers for the internet... I want to use RouterOS as being a firewalling "device" I have MUCH tighter control over the system.. And with a simple script, I can flush the DNS cache on both devices and force an immediate update on the next request, provide redundancy, and save a SH...t load of money in the process...
If only a "Non Auth" reply is acceptable...
Craig
Re: One for Changeip.com
Posted: Mon Jul 16, 2007 7:18 pm
by changeip
craig, got your voice mail, sorry didn't reply so quickly - been away from the desk for a few.
non auth will be usable, but not recommended. Downstream resolvers, depending on the server software, may not believe your results, especially the NS and SOA records. BIND running on an existing box is almost no additional overhead, and then use mikrotik to firewall it well. From my experience the dns cache in RouterOS is problematic sometimes and I wouldn't rely on it for authoritative stuff. You could also just use us for authoritative DNS : )
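The point raised above (a caching forwarder answers without the AA bit, so downstream resolvers may distrust its NS/SOA answers) can be checked directly by looking at the header flags a nameserver returns. The script below is an added example, not from the thread or from MikroTik/BIND; it builds a raw DNS query with the standard library, parses the response header, and reports whether the answer is authoritative. The two sample responses are constructed for the offline demonstration; `check_server()` does a live UDP query when given a real server address.

```python
import socket
import struct
import sys

def build_query(name: str, qtype: int = 2, txid: int = 0x1234, rd: bool = False) -> bytes:
    """Build a minimal DNS query. qtype 2 = NS, 6 = SOA. RD is off by default,
    like `dig +norecurse`, so a forwarder cannot quietly recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_flags(resp: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available: typical of a cache
        "rcode": flags & 0x000F,      # 0 = NOERROR
        "ancount": an,
    }

def is_authoritative(f: dict) -> bool:
    """A usable authoritative reply: it is a response, NOERROR, and AA is set."""
    return f["qr"] and f["aa"] and f["rcode"] == 0

def check_server(server: str, zone: str, qtype: int = 2, timeout: float = 3.0) -> dict:
    """Send one query over UDP and return the decoded flags (live network call)."""
    q = build_query(zone, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    f = parse_flags(data)
    if f["id"] != 0x1234:
        raise ValueError("transaction id mismatch")
    f["authoritative"] = is_authoritative(f)
    return f

# Constructed sample headers: a BIND master answering with AA set (QR|AA),
# and a caching forwarder relaying the same records (QR|RD|RA, no AA).
AUTH_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
PROXIED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)

if __name__ == "__main__":
    # usage: python check_aa.py <nameserver-ip> <zone>
    print(check_server(sys.argv[1], sys.argv[2]))
```

Run it against each public NS and the answer should show `aa: True`; if NS1/NS2 return `ra: True, aa: False` for the zone's own NS and SOA records, that is the non-authoritative behaviour described in the thread.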
Re: One for Changeip.com
Posted: Mon Jul 16, 2007 8:59 pm
by csickles
I had a feeling about this one....
Drop me a line when you have a spare moment (yeh right...)..
Craig