Adjusting Grid Primary in Name Server Group without trigger SOA Mname change?

Authority

As the title says, I need to change the Grid Primary (stealth) of all Name Server groups, and would like to find a way to do this without triggering an SOA Mname change.

In the GUI, the moment I make that change Infoblox also pushes out an Mname change for all zones using the Name Server Group. The only way I've seen to get around that so far is to remove the zone and re-add it again, but that's not a way forward.

Re: Adjusting Grid Primary in Name Server Group without trigger SOA Mname change?

Moderator

The MNAME value can be overridden on individual zones. It can be done in bulk using CSV.

Re: Adjusting Grid Primary in Name Server Group without trigger SOA Mname change?

Authority

Hi,

Yes, that's one way, but with ~40 NS groups and 3k+ zones I'd risk missing zones where the Mname was previously adjusted for historical reasons.

One zone gets 0,5M dynamic updates hourly and it wouldn't take long until that causes challenges, even if it only takes minutes to change the Mname on that zone.

An Mname change would also cause servers, AD included, to send dynamic updates across the globe to a server they can't reach instead of the local one sitting in the same Data Center.

That's why I'm looking to see if there's a way to change the stealth Grid Primary of NS groups without triggering an Mname change. If there's no way around that, I'll know and will do the change on a Sunday when there's less risk of impact. It's unfortunate but better than the alternative.

Re: Adjusting Grid Primary in Name Server Group without trigger SOA Mname change?

Moderator

Export the zones via CSV and you will have a list of what they're set to, today.

Break the actions down into manageable steps. They could be done in separate maintenance windows. Here's one possible set of actions:

Override the MNAME, force zones to use the current primary.

Add the new server as an additional grid primary (or change from secondary to primary, or whatever).

Override the MNAME to the new grid primary.

Clients will gradually get the updated SOA over time, as cache expires. Meanwhile both servers can take updates. Validate that everything is working as expected.

Remove the old primary (or change it to secondary, or whatever).

Remove the MNAME override from the zones so it inherits from the nameserver group.

Validate, and then celebrate.
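
An added example, not part of the original posts: one way to use the exported list, first to separate zones that follow the current primary from zones that already carry a historical MNAME, and later to check a second export against the first. The column names (`fqdn`, `ns_group`, `mname`), server names and sample rows are constructed for illustration and are not the NIOS CSV export layout.

```python
import csv
import io

# Constructed sample snapshots. The columns fqdn/ns_group/mname are hypothetical,
# not the real NIOS CSV layout; map your export's columns onto them.
BEFORE = """fqdn,ns_group,mname
corp.example,NSG-EU,gm-old.example
ad.corp.example,NSG-EU,dc-local.example
lab.example,NSG-US,gm-old.example
"""
AFTER = """fqdn,ns_group,mname
corp.example,NSG-EU,gm-new.example
ad.corp.example,NSG-EU,gm-new.example
lab.example,NSG-US,gm-old.example
"""

def norm(name):
    """Normalise a DNS name so 'GM-Old.example.' equals 'gm-old.example'."""
    return name.strip().rstrip(".").lower()

def load(text):
    """Return {zone: (ns_group, mname)} from a snapshot."""
    rows = csv.DictReader(io.StringIO(text))
    return {norm(r["fqdn"]): (r["ns_group"].strip(), norm(r["mname"])) for r in rows}

def plan(before, old_primary):
    """Split zones into those on the old primary and those with a historical MNAME."""
    old = norm(old_primary)
    follows = sorted(z for z, (_, m) in before.items() if m == old)
    custom = sorted(z for z, (_, m) in before.items() if m != old)
    return follows, custom

def verify(before, after, old_primary, new_primary, migrated_groups):
    """List (zone, expected, actual) where the later export deviates from the plan."""
    old, new = norm(old_primary), norm(new_primary)
    problems = []
    for zone, (group, mname) in sorted(before.items()):
        # Only zones that sat on the old primary in a migrated group should move.
        expected = new if (mname == old and group in migrated_groups) else mname
        actual = after.get(zone, (None, None))[1]
        if actual != expected:
            problems.append((zone, expected, actual))
    return problems

if __name__ == "__main__":
    b, a = load(BEFORE), load(AFTER)
    print(plan(b, "gm-old.example"))
    for zone, want, got in verify(b, a, "gm-old.example", "gm-new.example", {"NSG-EU"}):
        print(f"{zone}: expected MNAME {want}, found {got}")
```

In the constructed data, `ad.corp.example` is reported because its historical MNAME was replaced along with the rest of its group.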

 

 

Re: Adjusting Grid Primary in Name Server Group without trigger SOA Mname change?

Authority

Thank you. Yes, I was hoping for a way around that, but it seems it's the way I have to go.

At least our NS groups are mostly based around server and zone locations, making it easier to push changes gradually.
