
BIND round robin dns: how to make nslookup reply with just one ip address

I use BIND round robin, and there are multiple A records for one domain. But when I use nslookup to test the resolution, it replies with all the IPs. Is there any way to reply with just one IP? Any idea? Thanks a lot.

As Celada points out, doing this for the sake of security is silly, because someone could just keep trying until they get all of them.

However, there is still a way to do this, and people might have reasons to do it, or at least, like me, be curious how it is done.

That is the order random_1 option for named.conf.

Big scary warning: this option will break DNSSEC, is intentionally "almost completely undocumented" and is "generally the wrong answer".

It genuinely does seem pretty completely undocumented and perhaps only present as a patch in Debian/Ubuntu bind, not upstream.

Order random_1 was added to the Debian bind9 package specifically to address the useless-outside-of-your-corporate-network RFC 3484, which presumes that more bits of network match imply closeness, even if there's only two bits of commonality vs one.

A better solution to that situation would be anycast or some other selection that would defeat Windows' use of that RFC. See also http://support.microsoft.com/kb/968920
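As an added illustration of the point made above that handing out one random address hides nothing, here is a small Python model (not code from the post, from BIND, or from the Debian patch): one function models the default behaviour of returning the whole rotated RRset, another models a server that answers with a single randomly chosen record, and a client asks that server repeatedly until it has seen every address. The addresses are constructed sample values, and the single-record model is an assumption about what the option described above does.

```python
import random

# Constructed sample RRset: the "multiple A records for one domain" from the question.
RRSET = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]


def answer_round_robin(rrset, query_number):
    """Default BIND behaviour: the whole RRset, rotated one step per query (cyclic order)."""
    i = query_number % len(rrset)
    return rrset[i:] + rrset[:i]


def answer_single_random(rrset, rng):
    """Assumed model of the single-record option: one randomly chosen A record per reply."""
    return [rng.choice(rrset)]


def enumerate_rrset(rrset, max_queries, seed=0):
    """Client side: keep querying the single-record server and collect distinct answers.

    Returns (addresses_seen, queries_needed); queries_needed is the query count at
    which the full set had been collected, or None if max_queries was not enough.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = set()
    for q in range(1, max_queries + 1):
        seen.update(answer_single_random(rrset, rng))
        if len(seen) == len(rrset):
            return seen, q
    return seen, None


def expected_queries(n):
    """Coupon-collector estimate: about n * H_n queries to observe all n records once."""
    return n * sum(1.0 / k for k in range(1, n + 1))


if __name__ == "__main__":
    print("default reply:", answer_round_robin(RRSET, 1))
    seen, needed = enumerate_rrset(RRSET, max_queries=1000)
    print(f"single-record server: {len(seen)} addresses recovered after {needed} queries")
    print(f"expected for {len(RRSET)} records: ~{expected_queries(len(RRSET)):.1f} queries")
```

The client ends up with the same four addresses the default reply gives in one query, which is why the option is a traffic-distribution knob and not a security control.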
