Secondary DNS: Difference between revisions
Roger.Wilco (talk | contribs) |
|||
| (19 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s). |
Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s). |
||
A&A are in the middle of a large project to change the DNS Infrastructure. During the change the DNS Infrastructure and the associated information will be in a state of flux. |
<blockquote>A&A are in the middle of a large project to change the DNS Infrastructure. During the change the DNS Infrastructure and the associated information will be in a state of flux. |
||
The information on this page is also augmented by information contained at the page: https://support.aa.net.uk/New_Authoritive_DNS |
|||
| ⚫ | As the DNS Infrastructure is in a state of flux the information below will change in the future and will be updated when appropriate. After completion of the DNS Infrastructure change A&A will eventually have a new system for control & configuration in place for managing customer's Authoritative Secondary DNS. |
||
| ⚫ | As the DNS Infrastructure is in a state of flux the information below will change in the future and will be updated when appropriate. After completion of the DNS Infrastructure change A&A will eventually have a new system for control & configuration in place for managing customer's Authoritative Secondary DNS.</blockquote> |
||
==Working Configuration as at May 2025== |
|||
==Process for setting up A&A as your Authoritative Secondary DNS Server as at May 2025== |
|||
The process for setting up A&A as your Authoritative Secondary DNS server(s). |
The process for setting up A&A as your Authoritative Secondary DNS server(s). |
||
# Configure required ACLs on your Firewall, |
# Configure required ACLs on your Firewall, remember to open TCP as well as UDP |
||
# Configure required access ACLs on your Primary DNS for zone transfers and queries, |
# Configure required access ACLs on your Primary DNS for zone transfers and queries, |
||
# Contact support@aa.net.uk to request your domain to be configured on A&A's Secondary DNS, |
# Contact <code>support@aa.net.uk</code> to request your domain to be configured on A&A's Secondary DNS, |
||
# Verify that |
# Verify that <code>secondary-dns.co.uk</code> provides replies when responding to queries regarding your domain, |
||
# Change the Authoritative DNS servers to include |
# Change the Authoritative DNS servers to include <code>secondary-dns.co.uk</code> for your domain at your Domain Registrar. |
||
==What is needed to setup A&A as your Authoritative Secondary DNS== |
==What is needed to setup A&A as your Authoritative Secondary DNS== |
||
You need to configure your Authoritative Primary DNS to: |
You need to configure your Authoritative Primary DNS to: |
||
* Set your Primary DNS to send NOTIFY to <code>secondary-dns.co.uk</code>. Required for your Primary DNS to notify A&A's Secondary that you've changed or reloaded your domain files. |
|||
# Send NOTIFY to 'secondary-dns.co.uk', |
|||
<pre> |
|||
# Allow '*.secondary-dns.co.uk'; & '*-nameless.aa.net.uk'; to send queries to your Primary DNS, |
|||
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk **NOTIFY** |
|||
# Allow '*.secondary-dns.co.uk'; & '*.primary-dns.co.uk' to request AXFR/IXFR zone transfers. |
|||
</pre> |
|||
* Allow <code>*.secondary-dns.co.uk</code>; & <code>*-nameless.aa.net.uk</code>; & <code>*.primary-dns.co.uk</code>; to request AXFR/IXFR zone transfers from your Primary DNS. Required to allow A&A's secondary DNS to copy your domains from your Primary DNS. |
|||
* Allow <code>*.secondary-dns.co.uk</code>; & <code>*-nameless.aa.net.uk</code>; & <code>*.primary-dns.co.uk</code>; to send queries to your Primary DNS. Required as some of A&A's secondaries send regular SOA query requests, to check the Serial. Also helpful if Support needs to query your Primary DNS. |
|||
==IP addresses required for Firewall and Primary DNS ACLs== |
==IP addresses required for Firewall and Primary DNS ACLs== |
||
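Review bot: In the rewritten bullet list under "What is needed to setup A&A as your Authoritative Secondary DNS", the two "Allow" bullets grant more than the numbered list they replace, and the change does not say so. `*-nameless.aa.net.uk` is now also allowed to request AXFR/IXFR, and `*.primary-dns.co.uk` is now also allowed to send queries. If that widening is intended, say so in the edit summary. The wildcard names are also not something a BIND address match list accepts, so point each bullet at the IP list in the next section so that readers permit exactly those addresses. The stray `;` after each `</code>` is left over from the old quoted form and can go.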
| Line 25: | Line 30: | ||
If we are running as your Secondary DNS to your own Primary, then allow these IP addresses through your firewall to your Primary server (UDP & TCP port 53). As well as for access ACLs configuration on your Primary DNS server for both queries & zone transfers for your domain(s): |
If we are running as your Secondary DNS to your own Primary, then allow these IP addresses through your firewall to your Primary server (UDP & TCP port 53). As well as for access ACLs configuration on your Primary DNS server for both queries & zone transfers for your domain(s): |
||
<pre> |
|||
81.187.81.32; //secondary-dns.co.uk **legacy** |
|||
81.187.81.32; //secondary-dns.co.uk **legacy** |
|||
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk |
|||
194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk **NEW** |
|||
194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk **NEW** |
|||
194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk **NEW** |
|||
194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk **NEW** |
|||
81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk |
|||
90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy** |
|||
90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk |
|||
</pre> |
|||
Starting from March 2025, in addition to legacy |
<blockquote>Starting from March 2025, in addition to legacy <code>secondary-dns.co.uk</code> IP addresses we will also initiate zone transfers from the newer DNS Infrastructure: |
||
* |
* <code>zonetransfers-a.secondary-dns.co.uk</code>; <code>zonetransfers-b.secondary-dns.co.uk</code>; |
||
* |
* <code>zonetransfers-a.primary-dns.co.uk</code>; <code>zonetransfers-b.primary-dns.co.uk</code>; |
||
Legacy |
Legacy <code>secondary-dns.co.uk</code> will still be in use until mid-2025. Therefore, please keep these in your ACLs for the moment until this advice changes.</blockquote> |
||
==Abridged Example Configuration for a BIND9 Authoritative DNS Server== |
==Abridged Example Configuration for a BIND9 Authoritative DNS Server== |
||
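Review bot: The blockquote's "legacy secondary-dns.co.uk IP addresses" is ambiguous against the list above it, where 81.187.81.32 is tagged **legacy** but 194.4.173.1 / 2001:8b0:0:81::51bb:5120 carries the same secondary-dns.co.uk label with no tag. Name the addresses readers must keep until mid-2025, and replace "for the moment until this advice changes" with the date or condition at which the entries can be removed, so that allow entries for zone transfers are not left in place after the hosts are retired.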
| Line 47: | Line 54: | ||
This configuration was verified as working as at May 2025. |
This configuration was verified as working as at May 2025. |
||
< |
<pre> |
||
/etc/bind/named.conf.local |
/etc/bind/named.conf.local |
||
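Review bot: The file path `/etc/bind/named.conf.local` sits as the first line inside the `<pre>` block, so a reader who copies the whole block into that file gets a line BIND will reject. Move the path into the sentence above the block, or prefix it with `//` so it reads as a comment.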
| Line 55: | Line 62: | ||
acl transfer_secondary_dns_co_uk { |
acl transfer_secondary_dns_co_uk { |
||
81.187.81.32; |
81.187.81.32; //secondary-dns.co.uk **legacy** |
||
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk |
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk |
||
194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk |
194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk |
||
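Review bot: The newly commented 81.187.81.32 line in `acl transfer_secondary_dns_co_uk` is the only entry shown in this ACL without an IPv6 address. If the legacy host is IPv4-only, say so in the comment; otherwise add the address so transfers it initiates over IPv6 are not refused.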
| Line 68: | Line 75: | ||
acl transfer_nameless_aa_net_uk { |
acl transfer_nameless_aa_net_uk { |
||
81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk |
81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk |
||
90.155.23.32; 2001:8b0:0:23::32; |
90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy** |
||
90.155.62.60; 2001:8b0:0:62::60; |
90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk |
||
}; |
}; |
||
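Review bot: The **legacy** tag added to the b-nameless.aa.net.uk line in `acl transfer_nameless_aa_net_uk` has no matching guidance elsewhere on the page, since the retirement note only covers secondary-dns.co.uk. State whether 90.155.23.32 / 2001:8b0:0:23::32 is still expected to query or transfer, and until when, so readers know when the entry can be dropped.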
| Line 89: | Line 96: | ||
}; |
}; |
||
}; |
}; |
||
</ |
</pre> |
||
==No longer Valid== |
==No longer Valid== |
||