


Customized NS Records

New Member
Posts: 3

Is there any way not to expose my member node names in NS records for authoritative zones on my grid? There are 2 reasons why this is desirable:


1) Our customers generally point their zones to and at their registrar.  In order to be able to take advantage of the resiliency of our multi-member grid, those A records resolve to 2 Anycast IP addresses being advertised by our grid, rather than 2 specific member node IP addresses.  The NS records in the customer's zone on our grid should match the NS records created at the registrar.


2) Many customers want to personalize their NS records to list and rather than pointing to something using our domain name (even though they point to the same IP addresses).  This is entirely sound, technically, and a very common practice.


I've tried the following so far, with no luck:


1) Adding my grid members as stealth secondaries and manually creating the desired NS records.  This doesn't work because NIOS forces you to have at least one non-stealth secondary.


2) Adding my grid members as external secondaries (with the same IP addresses but different names). This doesn't work because NIOS detects that those IP addresses are in use on the grid and won't let you use them as external servers.

Is there any way to achieve this? It seems like NIOS is being overly rigid in the way it forces NS record creation based on internally-configured member node names.

Re: Customized NS Records

Posts: 63

I believe you are correct!  The NS configuration on a zone is rather fixed.  You cannot adjust settings like TTL either.  There have been enhancement requests for some time now to allow more control.


You may be able to use the CLI to force addition of NS records.  Set the grid NS servers as stealth, and add the ones you want via the CLI.


According to KB article 6906, you can add records to a zone via the nsupdate command.  This requires Linux or the BIND Tools on Windows.


-bash-4.0# nsupdate
> server <server IP>
> update add <zone> 3600 CAA 0 issue "caa_information"
> send


You may be able to use the CLI command DDNS_ADD, too.
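The nsupdate approach from the reply above, as an added example that is not part of the original thread or of the Infoblox KB article. It builds the update batch for the NS records the original poster wants (customer-facing names instead of grid member names), optionally adds the A records for NS hosts that live inside the zone itself, sends it with a TSIG key, and checks the result with dig. Every concrete value is an assumption for illustration: the zone example.net, the NS names ns1.customer.example and ns2.customer.example, the server 192.0.2.10 (a documentation address), and the key file path /etc/nsupdate/tsig.key.

```shell
#!/bin/sh
# Added example, not code from the original post or from Infoblox.
# Publishes customer-facing NS records into a zone via DDNS (nsupdate),
# so the zone's NS RRset does not list the grid member names.
# All hosts, names and paths below are hypothetical placeholders.

SERVER=192.0.2.10                 # hypothetical: primary that accepts DDNS for the zone
ZONE=example.net                  # hypothetical customer zone
KEYFILE=/etc/nsupdate/tsig.key    # hypothetical TSIG key file (nsupdate -k)
# Space-separated list; "name/ip" also adds an A record for an in-zone NS host.
NS_LIST="ns1.customer.example ns2.customer.example/198.51.100.2"

# Make a name absolute (trailing dot) so nsupdate never treats it as relative.
fqdn() {
    case "$1" in
        *.) printf '%s' "$1" ;;
        *)  printf '%s.' "$1" ;;
    esac
}

# Emit the nsupdate batch on stdout.
# Arguments: server zone ttl entry... where entry is "nsname" or "nsname/ip".
build_ns_update() {
    server="$1"; zone="$2"; ttl="$3"; shift 3
    apex=$(fqdn "$zone")
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$apex"
    # Fail the whole update if the zone apex does not exist on this server,
    # so a typo in ZONE cannot create records somewhere unexpected.
    printf 'prereq yxdomain %s\n' "$apex"
    for entry in "$@"; do
        ns=$(fqdn "${entry%%/*}")
        printf 'update add %s %s IN NS %s\n' "$apex" "$ttl" "$ns"
        case "$entry" in
            # NS host inside the zone: it needs an address record here too,
            # matching the glue registered at the registrar.
            */*) printf 'update add %s %s IN A %s\n' "$ns" "$ttl" "${entry#*/}" ;;
        esac
    done
    printf 'send\n'
}

# Send the batch, authenticating with a TSIG key file.
# Arguments: keyfile server zone ttl entry...
apply_ns_update() {
    keyfile="$1"; shift
    build_ns_update "$@" | nsupdate -k "$keyfile"
}

# Ask the server for the zone's NS RRset and compare it with what we sent.
# Arguments: server zone entry...
verify_ns() {
    server="$1"; zone="$2"; shift 2
    got=$(dig +short "@$server" NS "$zone" | sort)
    want=$(for entry in "$@"; do fqdn "${entry%%/*}"; echo; done | sort)
    [ "$got" = "$want" ]
}

# Stand-alone run: print the batch; only apply it when APPLY=1 and nsupdate exists.
build_ns_update "$SERVER" "$ZONE" 3600 $NS_LIST
if [ "${APPLY:-0}" = 1 ] && command -v nsupdate >/dev/null 2>&1; then
    apply_ns_update "$KEYFILE" "$SERVER" "$ZONE" 3600 $NS_LIST
    verify_ns "$SERVER" "$ZONE" $NS_LIST && echo "NS records verified on $SERVER"
fi
```

Two caveats a practitioner will hit. Dynamic updates must be sent to the zone's primary (the grid primary for a NIOS-hosted zone), and that zone has to be configured to accept updates from this client or TSIG key, as it would on BIND; without that the server answers REFUSED and nothing changes. And if the customer-facing NS names sit inside the zone being updated, the matching A records (the "name/ip" form above) have to be present in the zone as well as registered as glue at the registrar, otherwise resolvers cannot reach the listed servers.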
