[TriLUG] OT: Router then Firewall

Jon Carnes jonc at nc.rr.com
Wed May 17 01:47:33 EDT 2006


On Tue, 2006-05-16 at 23:57, Aaron S. Joyner wrote:

> Friendly public service announcement (I'm sure Jon knows, but I can't 
> let a statement like the above go by without responding).  Assuming you 
> have some semblance of control over the DNS records themselves, you 
> should lower the TTL before you change the IP (or name) associated with 
> that record, and then raise the TTL again after the change has 
> stabilized.  Let's consider a hypothetical scenario.  You run a web 
> server, www.example.com.  You're going to change providers, and thus 
> change the IP of the machine serving www.example.com.  The steps to 
> follow go something like this:
> 
> 1:  Examine the current record, determine how long the TTL is (we'll say 
> it's 3 days, or 10800 seconds).
> 2:  At least one current-TTL-interval (3 days) before you intend to make 
> the change, update the TTL for that record (and all other potentially 
> affected records) to be very low, for example 5 mins (900 seconds).
> 3:  Test the new setup on the new IP, then 'throw the switch' by 
> changing the DNS record.
> 4:  Establish that everything is working as expected, perhaps wait 1 day 
> to be sure.
> 5:  Make a final DNS update to return the TTL to its previous long / 
> stable value.
> 
> This way, your DNS updates can normally have nice long cache times, 
> making your bandwidth bill lower, your users' latency lower, still 
> giving you the ability to have quick changeover of service, and making 
> the Internet a healthier place.  This makes everyone happy.  :)
> 
> As an exercise for the reader, how would you handle migrating your DNS 
> server(s) from one IP address (or one subnet) to another, using similar 
> techniques?  Do you need to talk to someone outside your organization, 
> or can you do it all in-house?  Are you sure of your answer to that last 
> question?  How would you find out for sure...  :)  A Google T-shirt(*) 
> to the person who comes up with the best / most complete answer(+).
> 
> Aaron S. Joyner
> 
> * - Size of your choice, in white or black:
> http://www.googlestore.com/product.asp?catid=5&code=GO0108
> http://www.googlestore.com/product.asp?catid=5&code=GO13022
> 
> + - Final decision about answer quality is at my sole discretion, 
> although I promise to be as fair as possible.  Credit for information 
> posted will come on a first-come, first-serve basis - ie. if someone 
> posts a 90% complete answer, and you rephrase their answer plus 10% 
> more, unless that 10% is really critical they'll probably be considered 
> to have the better answer.  Hence, posting sooner is better, but I'll 
> probably wait either until every angle has been exhausted or at most 5 
> days.  Time differences of less than roughly 2-3 mins in time sent are 
> not considered note-worthy.
> 

Well, who could resist that offer... especially since I move folks' DNS
servers over to our ISP all the time (and we've never lost a look-up
yet!).

 1) On the old servers, set the TTL to 4 hours (14400) or less. Set the
SOA Refresh interval to 20 minutes (3600) if you expect to keep some of
the current secondary NS servers up and running. This tells the
secondaries to check in every 20 minutes for updates.

 2) On the new servers, set up the Name info for the domain. Be sure the
SOA is set up properly to reflect the new server. Make sure you list your
new Name servers as DNS entries.

 3) Once the new servers are set up and running you can simply go to your
Domain registrar (GoDaddy.com) and change your Name servers. The change
will take a while, so you need to get this done a few days to one week
prior to when you want to make the move. We find that 48 hours pretty
much does the trick. A check of the logs indicates if any traffic is
still going to the old servers.

... and that is pretty much it unless you are also changing IP ranges.


Check your Name server setup by visiting:
  http://www.dnsreport.com
<Trilug does fairly well here - only having one red mark - It's an open
DNS server and these days the Black hat guys can exploit that>


Use the "whois" command to see what your current Name servers are set to
at the Internic:
  Name Server:NS.WAYFARER.ORG
  Name Server:NS2.TRILUG.ORG

Use the command "host -t ns <domain name>" to see what your primary name
server *thinks* your Name servers are... these should agree.
   host -t ns trilug.org
     trilug.org name server ns.wayfarer.org.
     trilug.org name server ns2.trilug.org.


Jon Carnes
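The two procedures in this thread (Aaron's "lower the TTL one TTL-interval before the change" rule and Jon's "whois and host -t ns should agree" check) can both be scripted. The following is an added example written for this archive page, not code posted by either author; it works offline on constructed sample output in the shape of `whois` and `host -t ns`, and the cutover date, server names and the 300-second lowered TTL are assumptions chosen for the illustration. The delegation check also generalizes Jon's manual comparison slightly by reporting which side each stray server appears on.

```python
import re
from datetime import datetime, timedelta

# Constructed cutover time for the worked plan (assumption, not from the thread).
CUTOVER = datetime(2006, 5, 20, 12, 0)


def plan_ttl_change(current_ttl_seconds, cutover, lowered_ttl_seconds=300):
    """Apply the thread's rule: publish the short TTL at least one
    current-TTL interval before the cutover, so every cache has expired the
    long-lived record by the time the address changes.

    Returns (lower_ttl_by, earliest_stable): the latest moment to publish
    the short TTL, and the earliest moment after cutover at which caches
    still holding the short record have expired it."""
    lower_ttl_by = cutover - timedelta(seconds=current_ttl_seconds)
    earliest_stable = cutover + timedelta(seconds=lowered_ttl_seconds)
    return lower_ttl_by, earliest_stable


# Constructed sample output shaped like `whois` and `host -t ns`, chosen so the
# two disagree: ns3 is served by the zone but not delegated at the registrar.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server:NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Status: ok
"""

HOST_SAMPLE = """\
example.com name server ns1.example.net.
example.com name server ns2.example.net.
example.com name server ns3.example.net.
"""


def _normalize(name):
    # DNS names are case-insensitive; host(1) prints a trailing dot, whois does not.
    return name.lower().rstrip(".")


def parse_whois_ns(text):
    """Name servers the registry has on file (the delegation)."""
    pattern = re.compile(r"^\s*Name Server:\s*(\S+)", re.MULTILINE | re.IGNORECASE)
    return {_normalize(m.group(1)) for m in pattern.finditer(text)}


def parse_host_ns(text):
    """Name servers the zone itself advertises in its NS records."""
    pattern = re.compile(r"^\S+ name server (\S+)", re.MULTILINE)
    return {_normalize(m.group(1)) for m in pattern.finditer(text)}


def delegation_mismatch(whois_text, host_text):
    """The 'these should agree' check from the thread: report servers that
    appear on one side only. Empty lists on both keys mean they agree."""
    delegated = parse_whois_ns(whois_text)
    in_zone = parse_host_ns(host_text)
    return {
        "only_at_registrar": sorted(delegated - in_zone),
        "only_in_zone": sorted(in_zone - delegated),
    }


if __name__ == "__main__":
    lower_by, stable = plan_ttl_change(3 * 24 * 3600, CUTOVER)
    print("lower TTL no later than:", lower_by)
    print("earliest stable after cutover:", stable)
    print("delegation mismatch:", delegation_mismatch(WHOIS_SAMPLE, HOST_SAMPLE))
```

With a three-day current TTL and the constructed cutover of 2006-05-20 12:00, the plan says the short TTL must be live by 2006-05-17 12:00; the delegation check flags ns3.example.net as present in the zone but absent from the registrar, which is exactly the disagreement Jon's manual comparison is meant to catch.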
