Jason Mader
NCAC network

Domain Name System


I am the DNS manager for the following delegations at GW:

You can send me email at hostmaster@anydelegation.

DNS service is powered by djbdns.

Using dnscache at the Virginia Campus avoids nefarious management headaches of BIND. dnscache is a recursive resolver. It will only provide data obtained from authoritative servers. These servers are found via a chain of delegations from authoritative servers starting from the configured-in roots.

I encourage Unix administrators at the Virginia Campus to run a local dnscache and local DNS root on their systems and not rely needlessly on external resolvers and caches.

In addition, a local root server can reduce big DNS lookup delays. The external resolver and caches at the Virginia Campus now also run a local root server on 127.53.0.1 and my djbdns software distribution has been updated to include the scripts needed to install in crontab to update the database automatically.

The Virginia Campus messaging server sets server entries for the mail domains it hosts. These need to be updated if the authoritative name server addresses change.

I no longer use the OpenRoot Server Confederation servers for dnscache root/servers/@.

See my comments on using CommuniGate Pro with dnscache and Cisco access lists with tinydns and dnscache.

Bonjour

Networking - Bonjour. Looks to be a possible way to use DNS to make sharing printer configurations easy. More information to follow.

GWU.edu parent zone

The GWU.edu parent zone recursive and authoritative name servers are handled by the same hosts. The BIND camp has admitted on many occasions that separate services are best practice. Vixie's RFC 2010, section 2.12:

An organization's recursive DNS needs should be served by some other host than its root name server(s).

And on slide 45 of Brad Knowles' LISA slides, he tells everybody to split functions onto separate machines or IP addresses: authoritative servers should be authoritative-only [while] recursive/caching servers should not be authoritative.

2002-06-21: InterMapper tests for the last 42 days show a 2.1% packet loss to the two GW authoritative nameservers. The same test on the authoritative nameserver at rcn.net shows only 0.38% packet loss. If all the packet loss to rcn.net can be attributed to Virginia Campus network problems, then there is a significant problem on the network where GW's nameservers are hosted.

2002-12-03: Broken router ACL's caused us not to be able to reach DNS servers. We lost the ability to resolve our own host names because of the extremely short TTL's on GWU NS records.

Local DNS root server

The local root server came from D.J. Bernstein and it seemed reasonable and easy so I decided to try it on my external resolver and caches, dhcp servers, and mail server. Mirrored root servers have also been suggested by Karl Auerbach.

Make sure the users Gtinydns and Gdnslog exist. For UIDs see UNIX account names. On the host, configure the 127.53.0.1 alias on the localhost interface.

tinydns-conf Gtinydns Gdnslog /etc/rootdns 127.53.0.1

Start the service

ln -s /etc/rootdns /service

Edit the /service/rootdns/root/Makefile

all: axfr data.cdb

data.cdb: data
	/usr/local/bin/tinydns-data

data: root.orsc
	@./cleanup < $? > orsc.$@.tmp
	@mv orsc.$@.tmp $@

axfr:
	@/usr/local/bin/tcpclient c.root-servers.orsc 53 /usr/local/bin/axfr-get . root.orsc root.orsc.tmp

Run make, then add a cron entry or an /etc/weekly.local job to update the rootdns server every seventh day.

cd /service/rootdns/root && make

Then replace the IP address in /service/dnscache/root/@ with 127.53.0.1 so that dnscache consults the local root server. (svc -t must be run for dnscache to notice the change).

root.orsc.gz is a gzip copy of the ORSC root zone in tinydns-data format. It can be downloaded with curl | gzcat and fed through cleanup, instead of relying on the complicated AXFR protocol. Use this when ucspi-tcp is unavailable.

# fetch the published copy, then compare the first field of the first line (the serial)
curl -s http://crash.ncac.gwu.edu/jason/orsc/root.orsc.gz | gzcat > root.orsc.tmp
export NEWROOT=`head -1 root.orsc.tmp|cut -f1 -d" "`
export OLDROOT=`head -1 root.orsc 2>/dev/null|cut -f1 -d" "`
# only replace root.orsc when the download is non-empty and the serial changed;
# the variables are quoted so the test still works when root.orsc does not exist yet
if [ -s root.orsc.tmp ] && [ "$NEWROOT" != "$OLDROOT" ] ; then
	mv root.orsc.tmp root.orsc
	./cleanup < root.orsc > data
fi
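The compare-and-replace step above, as an added example that is not code from the original page: it reads the serial from the SOA line of the tinydns-data file instead of the first whitespace field, quotes every test, refuses a download with no usable SOA (so a truncated fetch cannot wipe the working root.orsc), and exercises the first-install, unchanged and bad-download paths on constructed sample files. The tinydns-data layout it assumes (one SOA line starting with Z, serial in the 4th colon-separated field) and the cleanup_filter function (a stand-in for the page's ./cleanup script, which is not shown) are assumptions, not taken from the page.

```shell
# Added example; cleanup_filter is a hypothetical stand-in for the page's
# ./cleanup script and only strips comment and blank lines so the example
# runs offline.
cleanup_filter() {
    grep -v -e '^#' -e '^$'
}

# root_serial FILE: print the SOA serial of FILE; fail if FILE is missing.
# Assumes tinydns-data format with one SOA line beginning "Z" whose 4th
# colon-separated field is the serial.
root_serial() {
    [ -f "$1" ] || return 1
    grep '^Z' "$1" | head -n 1 | cut -d: -f4
}

# update_root NEW_TMP CURRENT DATA
#   returns 0 when CURRENT was replaced and DATA regenerated,
#           1 when the serial is unchanged (NEW_TMP discarded),
#           2 when NEW_TMP has no usable SOA (NEW_TMP discarded, CURRENT kept)
update_root() {
    new_tmp=$1; current=$2; data=$3
    newser=$(root_serial "$new_tmp" 2>/dev/null || true)
    if [ -z "$newser" ]; then
        rm -f "$new_tmp"
        return 2
    fi
    # quoted so the comparison is still valid when CURRENT does not exist yet
    oldser=$(root_serial "$current" 2>/dev/null || true)
    if [ "$newser" = "$oldser" ]; then
        rm -f "$new_tmp"
        return 1
    fi
    mv "$new_tmp" "$current" || return 2
    cleanup_filter < "$current" > "$data"
    return 0
}

# demo_update: run first install, unchanged serial and a bad download against
# constructed sample files in a scratch directory; prints four words.
demo_update() {
    dir=$(mktemp -d) || return 1
    # constructed sample records, not a real root zone or real address
    soa='Z.:a.root-servers.orsc:hostmaster.root-servers.orsc:2002120301:16384:2048:1048576:2560'
    ns='&.:10.0.0.1:a.root-servers.orsc'

    printf '# constructed sample download\n%s\n%s\n' "$soa" "$ns" > "$dir/root.orsc.tmp"
    rc=0; update_root "$dir/root.orsc.tmp" "$dir/root.orsc" "$dir/data" || rc=$?
    if [ "$rc" -eq 0 ]; then first=installed; else first=wrong; fi

    # a second download with the same serial must leave root.orsc alone
    printf '%s\n%s\n' "$soa" "$ns" > "$dir/root.orsc.tmp"
    rc=0; update_root "$dir/root.orsc.tmp" "$dir/root.orsc" "$dir/data" || rc=$?
    if [ "$rc" -eq 1 ]; then second=unchanged; else second=wrong; fi

    # a truncated download without an SOA must not overwrite root.orsc
    printf '%s\n' "$ns" > "$dir/root.orsc.tmp"
    rc=0; update_root "$dir/root.orsc.tmp" "$dir/root.orsc" "$dir/data" || rc=$?
    if [ "$rc" -eq 2 ] && [ -f "$dir/root.orsc" ]; then third=rejected; else third=wrong; fi

    # data was generated from the first install: the comment line is gone
    lines=$(wc -l < "$dir/data" | tr -d ' ')
    rm -rf "$dir"
    echo "$first $second $third $lines"
    return 0
}
```

In the cron job the functions would be called as update_root root.orsc.tmp root.orsc data right after the curl | gzcat step, and the exit code 2 is the one worth alerting on, because it means the fetched copy was unusable and the resolver kept running on the previous root data.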

Even simpler is to run rsync in daemon mode on a server to distribute the copy to your network. rsync can update the file and its timestamp and reduce the overhead cost of a transfer. Just change the .BEGIN: target to

.BEGIN:
	@/usr/local/bin/rsync -t crash.ncac.gwu.edu::dns/root.orsc root.orsc

ORSC seems to be in the process of permitting their root information to be distributed by openssh+rsync or possibly Usenet.

Irix /etc/resolv.conf

As of IRIX 6.5.22, having no /etc/resolv.conf does not default to using a name server on the local machine. To use the local resolver and cache, enter just:

nameserver 0

seed

openssl rand -out /service/dnscache/seed 128

Other DNS-related sites

Things to do to protect the Domain Name System
Directed graph of ns records (DNS Bajaj)
djbdns home page