[TriLUG] OT: Router then Firewall

Aaron S. Joyner aaron at joyner.ws
Sat May 20 12:28:53 EDT 2006


Jon Carnes wrote:

>On Tue, 2006-05-16 at 23:57, Aaron S. Joyner wrote:
>
>>Friendly public service announcement (I'm sure Jon knows, but I can't 
>>let a statement like the above go by without responding).  Assuming you 
>>have some semblance of control over the DNS records themselves, you 
>>should lower the TTL before you change the IP (or name) associated with 
>>that record, and then raise the TTL again after the change has 
>>stabilized.  Let's consider a hypothetical scenario.  You run a web 
>>server, www.example.com.  You're going to change providers, and thus 
>>change the IP of the machine serving www.example.com.  The steps to 
>>follow go something like this:
>>
>>1:  Examine the current record, determine how long the TTL is (we'll say 
>>it's 3 days, or 10800 seconds).
>>2:  At least one current-TTL-interval (3 days) before you intend to make 
>>the change, update the TTL for that record (and all other potentially 
>>affected records) to be very low, for example 5 mins (900 seconds).
>>3:  Test the new setup on the new IP, then 'throw the switch' by 
>>changing the DNS record.
>>4:  Establish that everything is working as expected, perhaps wait 1 day 
>>to be sure.
>>5:  Make a final DNS update to return the TTL to its previous long / 
>>stable value.
>>
>>This way, your DNS updates can normally have nice long cache times, 
>>making your bandwidth bill lower, your users' latency lower, still 
>>giving you the ability to have quick change over of service, and making 
>>the Internet a healthier place.  This makes everyone happy.  :)
>>
>>As an exercise for the reader, how would you handle migrating your DNS 
>>server(s) from one IP address (or one subnet) to another, using similar 
>>techniques?  Do you need to talk to someone outside your organization, 
>>or can you do it all in-house?  Are you sure of your answer to that last 
>>question?  How would you find out for sure...  :)  A Google T-shirt(*) 
>>to the person who comes up with the best / most complete answer(+).
>>
>>Aaron S. Joyner
>>
>>* - Size of your choice, in white or black:
>>http://www.googlestore.com/product.asp?catid=5&code=GO0108
>>http://www.googlestore.com/product.asp?catid=5&code=GO13022
>>
>>+ - Final decision about answer quality is at my sole discretion, 
>>although I promise to be as fair as possible.  Credit for information 
>>posted will come on a first-come, first-served basis - i.e. if someone 
>>posts a 90% complete answer, and you rephrase their answer plus 10% 
>>more, unless that 10% is really critical they'll probably be considered 
>>to have the better answer.  Hence, posting sooner is better, but I'll 
>>probably wait either until every angle has been exhausted or at most 5 
>>days.  Time differences of less than roughly 2-3 mins in time sent are 
>>not considered note-worthy.
>>
>
>Well who could resist that offer... especially since I move folks DNS
>servers over to our ISP all the time (and we've never lost a look-up
>yet!).
>
> 1) On the old servers, set the TTL to 4 hours (14400) or less. Set the
>SOA Refresh interval to 20 minutes (3600) if you expect to keep some of
>the current secondary NS servers up and running. This tells the
>secondaries to check in every 20 minutes for updates.
>
> 2) On the new servers, set up the Name info for the domain. Be sure the
>SOA is set up properly to reflect the new server. Make sure you list your
>new Name servers as DNS entries.
>
> 3) Once the new servers are set up and running you can simply go to your
>Domain register (GoDaddy.com) and change your Name servers. The change
>will take a while, so you need to get this done a few days to one week
>prior to when you want to make the move. We find that 48 hours pretty
>much does the trick. A check of the logs indicates if any traffic is
>still going to the old servers.
>
>... and that is pretty much it unless you are also changing IP ranges.
>
>
>Check your Name server setup by visiting:
>  http://www.dnsreport.com
><Trilug does fairly well here - only having one red mark - It's an open
>DNS server and these days the Black hat guys can exploit that>
>
>
>Use the "whois" command to see what your current Name servers are set to
>at the Internic:
>  Name Server:NS.WAYFARER.ORG
>  Name Server:NS2.TRILUG.ORG
>
>Use the command "host -t ns <domain name>" to see what your primary name
>server *thinks* your Name servers are... these should agree.
>   host -t ns trilug.org
>     trilug.org name server ns.wayfarer.org.
>     trilug.org name server ns2.trilug.org.
>
>
>Jon Carnes
>
>
I'm really surprised no one else has picked up this thread and run with 
it.  :)  Both Jon and Tanner had good answers, so I'll send them both a 
T-shirt (let me know your size and color preference, privately if you 
prefer).  I'll point out some common misconceptions from their answers, 
and pose some additional thinking points.  Jon and Tanner, give it a day 
or so before you respond, if you'd like to.  :)  If things aren't 
completely fleshed out by Monday evening, I'll try to remember to hit 
this thread again and tidy up the loose ends.

1) whois is not used by DNS in any manner whatsoever.  It's used by 
humans, as a database maintained by the registrars, of contact 
information for a given domain.  If I want to look up the name servers 
for a domain, I should use host or dig (no, you really shouldn't use 
nslookup, but it would work :) ).  If I want to look up who to contact 
about that domain, I should use whois.  Well, I'd probably trust the 
email contact listed in the SOA more, but if I needed more traditional 
contact methods, à la name, phone, address, whois provides that.  How 
would I use host or dig to find out what the delegating entity believes 
my name servers are, i.e. instead of the whois command Jon suggested: 
`whois trilug.org`?

2) Neither Tanner nor Jon touched on who you actually need to contact to 
update the information in the "whois" record.  There's a good buzzword 
name for that company or entity, which I'm sure they both know, but 
neglected to mention directly.

3) Nobody touched on this fun and interesting angle: Can you do it 
without talking to that entity, and what interesting things happen if you 
try?  (hint: this more often happens by accident)

4) Neither of them mentioned whether any updates would be required to 
secondary servers.

5) Much attention was given to the SOA, the authoritative name server 
mentioned in it, and its TTL.  What role do each of these parts play?  
What do slaves use to determine who to pull the zone from?  How do they 
decide to get a new copy of the zone?  What role does the SOA play to 
persons other than the secondary?

If a good answer comes along to all of these, I might feel compelled to 
toss out another T-shirt.  If not, I'll be sure to eventually answer all 
my own questions for the curious minded folks.  :)

Aaron S. Joyner
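As an added illustration of the TTL-lowering procedure quoted above (this is not code from either poster), the following Python model computes how long recursive resolvers can keep answering with the old address of www.example.com after the cutover, depending on how far in advance the TTL was lowered. It assumes the old TTL is the three days from the scenario and uses an assumed low TTL of 300 seconds; the cutover time is a constructed value.

```python
"""Model of DNS cache staleness around a record change.

A resolver that fetched the record at time f was handed ttl(f) and may keep
serving that answer until f + ttl(f).  The stale window after a cutover is
therefore the worst case of f + ttl(f) - cutover over all fetches before
the cutover.  Added example; assumes the values below, not measured data.
"""

DAY = 86400
OLD_TTL = 3 * DAY   # the thread's "3 days"
LOW_TTL = 300       # assumed low TTL (five minutes)


def ttl_at(t, ttl_changes):
    """TTL handed out by the authoritative server at time t.

    ttl_changes is a list of (time, new_ttl); OLD_TTL applies before the
    first change.
    """
    ttl = OLD_TTL
    for when, new_ttl in sorted(ttl_changes):
        if when <= t:
            ttl = new_ttl
    return ttl


def max_stale_seconds(cutover, ttl_changes):
    """Longest interval after `cutover` during which some cache can still
    hold the old address.  Within each stretch of constant TTL the worst
    fetch is the one made an instant before the stretch ends, so only the
    stretch ends (TTL changes before the cutover, and the cutover itself)
    need checking.
    """
    ends = sorted({w for w, _ in ttl_changes if 0 < w <= cutover} | {cutover})
    worst = 0
    for end in ends:
        expiry = end + ttl_at(end - 1, ttl_changes)  # fetched just before `end`
        worst = max(worst, expiry - cutover)
    return worst


def plan(lead_time, cutover=10 * DAY):
    """Step 2 of the procedure: lower the TTL `lead_time` seconds before
    the cutover.  Returns arguments for max_stale_seconds."""
    return cutover, [(cutover - lead_time, LOW_TTL)]


if __name__ == "__main__":
    print("no TTL change       :", max_stale_seconds(10 * DAY, []), "s")
    print("lowered 1 day before:", max_stale_seconds(*plan(DAY)), "s")
    print("lowered 3 days before:", max_stale_seconds(*plan(3 * DAY)), "s")
```

Lowering the TTL less than one old-TTL-interval before the change still leaves caches filled before the lowering holding the old address for up to the remainder of the old TTL, which is why the procedure waits a full interval.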



