Duplicate authoritative DNS zones .... on purpose

Most DNS administrator will tell you that having multiple DNS servers authoritative for the same zone is a bad idea.

Normally I agree with such sentiments. However, I’m going to explain a scenario where I successfully went against this very tenant of DNS administration to solve a very unique problem. I had a need to point servers in a DR exercise at production (authoritative) DNS servers while still having the ability to supersede some RRs for systems in DR with out effecting production.

I successfully did this by setting up a pair of Bind DNS servers (1) in a very specific configuration, one acted as a forwarder and the other does most of the non standard work. The forwarder simply forwarded to the DR instance of Bind before falling back to roots for queries that didn't receive a satisfactory answer.

The DR instance of Bind started with a standard master zone with the only deviation being a wild card record that resolved to a control IP address. (2) Subsequently I created a Response Policy Zone that had a policy to alter responses to return NODATA to any response that would otherwise have returned the control IP address of the wild card.

The forwarder would interpret the NODATA as an unsatisfactory answer and then query the configured roots. (3)

This relatively simple configuration allowed me to have DR specific resource records in an authoritative zone that effectively superseded the real resource records in the production authoritative while still allowing me to not have to duplicate the thousands of RRs from production. (4)

So, stick this “”hack in your toolbox for the very rare times that you do want duplicate authoritative DNS zones where one overrides the other. (5)

  1. It may be possible to do this with other DNS servers as the forwarder, but I have not tested this as Bind is my name server of choice. Further I’m not aware of any other DNS feature quite like Bind’s Response Policy Zone.
  2. Any IP address could have been used for the control IP as long as it would not conflict with anything else. (I used a test-net IP address. However after the fact I wondered about using a name instead of an IP to reduce the possibility of a collision. YMMV)
  3. Bind can query the normal A – M root DNS servers or if you want to you can re-configure Bind to use your own DNS servers in place of the real roots, thus providing more control over things.
  4. You can debate the merits of my method if you want. However the point of this article is to explain how I successfully used duplicate authoritative DNS zones to my advantage.
  5. Views would not have worked in this scenario because I wanted to layer the zone content together. Views specifically separate content.