DLZ with cacher
Jorgen Lundman <lundman@gmo.jp>
2012-07-04 06:39:53 GMT
Our current DLZ+LDAP+BIND is running very well. But something I have been
playing with at the same time is, instead of DLZ talking to LDAP for each
QUERY, finding a way to use BIND's caching.
One solution is to put forwarding-only forwarders in front of the DLZ DNS
servers. But I'll skip that for now.
So, playing with the named.conf's 'view' to attempt to come to the same setup.
Using this named.conf:
view "internal" {
    match-clients { 127.0.0.1; };
    recursion no;
    allow-recursion { any; };
    zone "localhost" { type master; file "localhost.zone"; };
    dlz "ldap zone" {
        database "ldap 20 v3 simple {cn=admin,dc=COMPANY,dc=TLD}
            {LDAPPASSWORD} {LDAP-SERVER-IP}
            ldap:///DNSZoneName=$zone$,ou=dns,dc=COMPANY,dc=TLD???objectclass=DNSZone
            ldap:///DNSHostName=$record$,DNSZoneName=$zone$,ou=dns,dc=COMPANY,dc=TLD?DNSTTL,DNSType,DNSPreference,DNSData,DNSIPAddr,DNSPrimaryNS,DNSAdminEmail,DNSSerial,DNSRefresh,DNSRetry,DNSExpire,DNSMinimum?sub?objectclass=DNSAbstractRecord
            {}
            ldap:///DNSZoneName=$zone$,ou=dns,dc=COMPANY,dc=TLD?DNSTTL,DNSType,DNSHostName,DNSPreference,DNSData,DNSIPAddr,DNSPrimaryNS,DNSAdminEmail,DNSSerial,DNSRefresh,DNSRetry,DNSExpire,DNSMinimum?sub?objectclass=DNSAbstractRecord
            ldap:///DNSZoneName=$zone$,ou=dns,dc=COMPANY,dc=TLD??sub?(&(objectclass=DNSXFR)(DNSIPAddr=$client$))";
    };
};

view "external" {
    recursion yes;
    allow-recursion { any; };
    max-cache-size 512M;
    forwarders { 127.0.0.1; };
    forward only;
};
The idea being that DNS queries from the Internet ("external") will hit the
"forward only" view and send queries to 127.0.0.1. Recursion is allowed
here, so it talks to 127.0.0.1.
Queries from 127.0.0.1 ("internal") will use DLZ to talk to LDAP. Recursion
is not allowed here, so we only reply with authoritative zones.
I can confirm by using the dig command that DLZ works as usual:
# dig @0 test-unix.com NS
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
test-unix.com. 600 IN SOA dns02.COMPANY.TLD.
1341383404\@COMPANY.TLS.test-unix.com. 2008040201 28800 7200 604800 600
and using snoop, it does indeed talk to LDAP every time.
Then, by querying on the interface (not using 127.0.0.1):
# dig @172.20.11.172 test-unix.com NS
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
test-unix.com. 600 IN SOA dns02.COMPANY.TLD.
1341383404\@COMPANY.TLD.test-unix.com. 2008040201 28800 7200 604800 600
I can confirm with snoop that only the first query talks to LDAP; after
that, the TTL is counting down:
test-unix.com. 553 IN SOA
As far as I can tell, it appears to work just fine, and I will do more
performance testing before I try it on production.
Any suggestions, improvements or reasons why it might not work? Otherwise,
just sharing in case it helps others.
Lund
--
Jorgen Lundman | <lundman@lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
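The check above (dig twice, watch the aa flag and the TTL) can be scripted so it can be repeated during performance testing. This is an added example, not code from the post or from BIND; it parses the default dig output format quoted above, and the sample responses embedded in it are constructed from that output (with an assumed hostmaster rname).

```python
"""Classify dig responses: authoritative (DLZ -> LDAP) or served from BIND's cache."""
import re
import subprocess
import time

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+")


def parse_dig(text):
    """Return (set of header flags, {rrtype: ttl of the first record of that type})."""
    flags, ttls = set(), {}
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = RECORD_RE.match(line)
        if m and m.group(3) not in ttls:
            ttls[m.group(3)] = int(m.group(2))
    return flags, ttls


def classify(first, second, rrtype="SOA"):
    """Compare two successive responses to the same query.

    'authoritative': aa flag set, the answer came straight from the DLZ view
                     (each such query costs an LDAP round trip).
    'cached':        no aa flag and the TTL went down, the external view
                     answered from its cache.
    'uncached':      no aa flag but the TTL did not go down (equal, or reset
                     to the zone TTL), so the second query was fetched again.
    """
    f1, t1 = parse_dig(first)
    f2, t2 = parse_dig(second)
    if "aa" in f2:
        return "authoritative"
    if rrtype not in t1 or rrtype not in t2:
        return "unknown"
    return "cached" if t2[rrtype] < t1[rrtype] else "uncached"


def probe(server, name, rrtype="SOA", pause=1.0):
    """Run dig twice against a live server (needs dig on PATH) and classify."""
    cmd = ["dig", "@" + server, name, rrtype]
    first = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    time.sleep(pause)  # let at least one second pass so a cached TTL can decrease
    second = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return classify(first, second, rrtype)


# Constructed sample responses modelled on the dig output in the post.
INTERNAL = """;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
test-unix.com.\t600\tIN\tSOA\tdns02.COMPANY.TLD. hostmaster.COMPANY.TLD. 2008040201 28800 7200 604800 600
"""
EXTERNAL_1 = INTERNAL.replace("qr aa rd", "qr rd ra")   # first hit on the external view
EXTERNAL_2 = EXTERNAL_1.replace("\t600\t", "\t553\t")   # same query 47 s later
```

Calling `probe("127.0.0.1", "test-unix.com")` should report authoritative, while `probe("172.20.11.172", "test-unix.com")` should report cached once the setup works.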