
For our servers hosted at OVH, they suggest we use sdns1.ovh.net or sdns2.ovh.net as our secondary DNS servers, which is great and it works fine and everything. The thing I'm wondering is how do the servers figure out which records to send?

The idea of the sdns services is that if our main DNS server goes down, whichever sdns server we used will keep sending out the correct DNS records. I've tested this and it works: I can do nslookup mydomain.com sdns1.ovh.net and it returns the correct records. If I update the BIND config on my main DNS server, wait till the TTL has expired and try again, it shows the updated record from the SDNS servers, but, for the life of me, I can't figure out how they know which records are correct.

I got to the point where I was so frustrated with figuring out how this was happening that I set up a virtual machine with BIND on it and registered it with the SDNS server through the OVH manager. I set up a basic DNS config to test, and it works correctly with the main DNS server and SDNS as expected. Then I created a random subdomain for the domain, something nobody would guess or accidentally access, so I could make sure it wouldn't be looked up somehow. I waited about 12 hours (OVH says records to SDNS servers can take up to 12 hours to be picked up; in my experience it's normally whatever the TTL on the domain is, but I wanted to make sure), then shut down the virtual machine, then queried the SDNS server, and it had the correct record for the subdomain!

I did no special configuration of BIND, just followed the standard instructions for installing on RedHat. I know about DNS zone transfers that would allow them to read my entire zone, but I hadn't configured that.

How are they reading my entire DNS zone and caching it on their servers?

Functionally, this is brilliant as it means our DNS is near enough 100% uptime, even if our server is down. I just can't figure out how they're doing it =S

Edit:
Cloudflare does the exact same thing, scans an entire DNS zone from a remote server. I thought this couldn't be done without setting up a transfer, am I wrong?

Smudge

1 Answer

If you don't explicitly restrict zone transfers, then BIND9 allows them by default.

http://www.zytrax.com/books/dns/ch7/xfer.html

Try doing it again after restricting zone transfers. Secondly, if you are using them as secondary DNS, check whether they accept notifications from the master so that the update doesn't have to wait till the refresh timeout expires.

Sameer
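Added example (not from the question or the answer above): a BIND9 named.conf zone statement with the permissive default the answer describes, next to the same zone restricted so only the OVH secondaries can pull it and are notified of changes. The IP addresses are placeholders, since the page does not give the addresses of sdns1.ovh.net and sdns2.ovh.net; "before" and "after" are alternatives, not meant to sit in one file together.

```conf
// --- before: the default the answer describes ---
// With no allow-transfer statement, this BIND9 setup answers an AXFR
// request for mydomain.com from any host, which is how a remote
// secondary can copy the whole zone without further configuration.
zone "mydomain.com" IN {
    type master;
    file "/var/named/mydomain.com.zone";
};

// --- after: transfers restricted to the named secondaries ---
// Placeholder addresses; substitute the ones OVH publishes for
// sdns1.ovh.net and sdns2.ovh.net.
acl "ovh-secondaries" {
    192.0.2.10;    // placeholder for sdns1.ovh.net
    192.0.2.20;    // placeholder for sdns2.ovh.net
};

options {
    // Deny AXFR globally; individual zones re-enable it for their
    // own secondaries only.
    allow-transfer { none; };
};

zone "mydomain.com" IN {
    type master;
    file "/var/named/mydomain.com.zone";
    allow-transfer { ovh-secondaries; };
    // Send NOTIFY only to the also-notify list, so the secondaries
    // refresh right after a serial bump instead of waiting for the
    // SOA refresh timer.
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.20; };
};
```

After rndc reload, dig @your-ns mydomain.com AXFR from a host outside the ACL should end with "Transfer failed.", while the same query from a listed secondary still returns the zone; the secondaries must also be registered with OVH so that they know to fetch mydomain.com at all.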