Caching vs. Forwarding DNS

I think I already know the answer to this, but if you have a "forward only" DNS server, does it also perform caching, or does every resolve request that passes through it get forwarded along for resolution?
We're using OS X Tiger Server 10.4.7 on a couple of Xserve G4s. The /etc/named.conf file contains the following code in the options block:
options {
    // ... other stuff ...
    forwarders { ...my ISP's resolvers delimited by semicolons... };
    forward only;
    // ... other stuff ...
};
and since we're "forward only", I took out the code that would normally query the root resolvers, namely:
zone "." IN {
    type hint;
    file "root.servers";
};
I want to confirm that the behavior is what I would expect. For example, if discussions.apple.com isn't already in my Xserve's DNS cache and I try to resolve it, then that request gets forwarded to my ISP's resolvers. If another request for discussions.apple.com comes along but the old answer is still in my Xserve's DNS cache (and hasn't gone stale), then the cached answer is returned and the request is not forwarded to my ISP.
Do I have it right?
1.42GHz Mac Mini   Mac OS X (10.4.6)   1GB RAM, SuperDrive, Airport

There are quite a number of these servers so I would rather not enter them manually.
Too bad. Get over it
Is there a way for the DNS server to forward queries to an external DNS server for server names that it does not have a records for ?
No. The server resolver decision is based on zones. If the server thinks it's authoritative for a zone (e.g. 'companyx.com') then it will answer all queries for that zone based on the data it has. It will only use forwarders or external resolvers for zones that it does not 'own'.
You can forward lookups in subdomains of your zone (e.g. the server can 'own' companyx.com, but pass requests for '*.newyork.companyx.com' to another server) but I'm guessing that's not how your external hosts are configured.

Similar Messages

  • Forwarding DNS using iptables

    Hello,
    I have this configuration:
    WLAN <---wireless---> PC1 <---ethernet---> PC2
    on PC1 I am using iptables as shown below to route the connection to PC2:
    # WLAN
    iwconfig wlp0s11 essid myessid
    iwconfig wlp0s11 key s:mypassword
    ip link set dev wlp0s11 up
    ip addr add 192.168.5.123/24 broadcast 192.168.5.255 dev wlp0s11
    ip route add default via 192.168.5.1
    # LAN
    ip link set up dev enp0s1f1
    ip addr add 10.0.0.1/24 broadcast 10.0.0.255 dev enp0s1f1
    iptables -t nat -I POSTROUTING -o wlp0s11 -j MASQUERADE
    iptables -I FORWARD -i enp0s1f1 -o wlp0s11 -j ACCEPT
    iptables -I FORWARD -i wlp0s11 -o enp0s1f1 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    The problem is I cannot get DNS forwarding to work on PC2.
    I have this (DNS server/router):
    nameserver 192.168.5.1
    in /etc/resolv.conf on PC1
    and this:
    nameserver 10.0.0.1
    in /etc/resolv.conf on PC2.
    If I use Google DNS or DNS server directly in resolv.conf on PC2, everything works.
    But... I don't want to do that, I want to forward DNS requests using NAT through 10.0.0.1.
    Any help is appreciated.
    Cheers!

    Hi Mabel,
    Thanks for taking time to reply.
    The situation is more for development machines, we usually setup local test domain for development sites so that they can be viewed by anyone within the local network. We want to automate that process so that we can add custom A records in the dns server as well as adding vhosts to the dev machine (that later part being done already).
    Since I've posted my initial post I came across nsupdate. Managed to work out how to use it but I ran into a few problems..
    Using nsupdate overwrites the $INCLUDE in the zone's file in /var/named/ (e.g. db.localzone.), which I think renders the actual zone file in /var/named/zones/ (e.g. db.localzone.zone.apple) useless. I think Server Admin would directly update this file, but since the include statement has been overwritten it's not picked up.
    I came to the conclusion that nsupdate was going too much against the Leopard server flow of doing things.
    Are there any other tools, with BIND, leopard or even 3rd party that can allow me to update zone files easily from the command line?
    I know the exact zone file, I'm happy to hard code that path, just need a tool to edit it... could write one I guess but if it's been done already..
    Any suggestion welcome!
    Cheers
    Ben

  • Forward DNS does not match reverse dns

    Hi All
    I have a fixed IP address via BT. 
    When I type the IP address into MxToolbox or similar i get this warning:
    BT-UK-AS BTnet UK Regional network
    Reverse DNS (PTR) exists and claimes to be: mail.concept-plc.com
    Forward DNS for mail.concept-plc.com is: xx.xxx.xxx.xx
    Should I be worried about this, and if so, who do I contact to do anything about it? Concept PLC seem to be a real company.
    Are we sharing a fixed IP address?
    Thanks for any help.

    Try the  BT Business forum at http://business.forums.bt.com/
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Forward DNS Issues

    I am having problems getting the forward lookups on my xserve running 10.5.5. The problem is the DNS with the internal DNS to the server itself. The reverse lookups seem to work just fine.
    Using Network Utility:
    dataxserve.w-harrison.k12.ia.us returns
    Lookup has started ...
    Server: 192.168.0.3
    Address: 192.168.0.3#53
    ** server can't find dataxserve.w-harrison.k12.ia.us: SERVFAIL
    192.168.0.3 returns
    Lookup has started ...
    Server: 192.168.0.3
    Address: 192.168.0.3#53
    3.0.168.192.in-addr.arpa name = dataxserve.w-harrison.k12.ia.us.
    None of my forward lookups seem to work that are set up from Server Admin, but all of the reverse lookups work. Does anyone know what would be causing this and how to fix it?
    Thank you,
    Jeremy

    Here is the entire contents of my /etc/named.conf
    // Include keys file
    include "/etc/rndc.key";
    // Declares control channels to be used by the rndc utility.
    // It is recommended that 127.0.0.1 be the only address used.
    // This also allows non-privileged users on the local host to manage
    // your name server.
    // Default controls
    controls {
        inet 127.0.0.1 port 54 allow {any; }
        keys { "rndc-key"; };
    };
    options {
        include "/etc/dns/options.conf.apple";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
    };
    // a caching only nameserver config
    logging {
        include "/etc/dns/loggingOptions.conf.apple";
    };
    // Public view read by Server Admin
    include "/etc/dns/publicView.conf.apple";
    // Server Admin declares all zones in a view. BIND therefore dictates
    // that all other zone declarations must be contained in views.
    There is only 1 Mac server that provides client services at the school and I have full control over it. So we are not really in a sub domain, but we have to use the w-harrison.k12.ia.us format.

  • Cache pollution on DNS servers

    looking for the sigID that would fire on this. We are running 4.1(5)S216.

    In the general sense of cache pollution (cache poisoning) - DNS responses contain additional records that do not pertain to the query in an effort to poison the DNS server's cache. No, there is no signature for this.
    I know Microsoft has a "cache pollution protection" knob on their DNS servers and recent versions of BIND also contain code to perform some additional checks and ignore the non-relevant responses.

  • Internet Sharing not forwarding DNS

    I am using Internet Sharing to connect my Parallels virtual machine to an EVDO connection.
    I set it by setting the Novatel Wireless Card to connect to the Ethernet Adapter (en2), which is the Parallels-Host-Guest adapter. The Guest is assigned to use DHCP.
    The guest gets a proper IP address and gateway, and is set to use the gateway (e.g. the NAT connection) for DNS.
    But DNS requests are not answered. If I manually enter a DNS address into the guest, all works well.
    What is going on? How can I reset the Mac/Tiger behavior?
    -- Harald

    Thank you natila. 
    I followed your "All I had to do was repair permissions from disk utility", then turned off airport, restarted the computer, and it worked.  Internet sharing, which stopped for no apparent reason, worked again. Thankfully.
    Frustration changed to admiration, once again. I do love how the discussions among the community of Apple users make fixing problems doable for folks, like me, who are no pros at it.
    Thanks again.
    EG

  • W2003 DNS cache snooping vulnerability for PCI-DSS compliance.

    Hi everyone.
    How can I solve this security vulnerability reported by Nessus(security software) with W2003's DNS ?
    DNS Server Cache Snooping Remote Information Disclosure
    Synopsis:
    The remote DNS server is vulnerable to cache snooping attacks.
    Description:
    The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessable to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
    Risk factor:
    Medium
    CVSS Base Score:5.0
    CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
    See also:
    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
    Solution:
    Contact the vendor of the DNS software for a fix.
    Plugin output:
    Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
    I have been searching for a solution on the web, but I was unable to find one that would let me use "recursion" on our DNS server.
    We have an internal DNS server for Active Directory, with forwarding to resolve external internet domains, as is a requirement of our application. But now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead of internet DNS names, but this is not a good solution for us.
    I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain, so we need to use the same AD-integrated DNS server, notwithstanding that we must resolve external DNS records for our application. How can I do this without getting the same vulnerability again? I don't know how to do it disabling "recursion". If I disable recursion I will be unable to resolve external DNS names.
    Any suggestion will be really appreciated!!
    thx!!

    That's basically for your internet facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
    Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues, too, not that you're probably seeing them or not, but just wanted to add that:
    Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
    http://support.microsoft.com/kb/813964
    Cannot resolve names in certain top level domains like .co.uk.
    http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
    ============
    To turn off or disable local cache: (Windows 2000 notes, but they apply to all current OS's)
    Set the MaxCacheTtl to 0 in the registry or use Dnscmd
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
       Value:     MaxCacheTtl
       Type:     DWORD
       Default:  NoKey (Cache for up to one day)
       Function: Set maximum caching TTL.
    MaxCacheTtl
    Type: DWORD
    Default value: 0x15180 (86,400 seconds = 1 day)
    Function: Determines how long the DNS server can save a record of a
    recursive name query.
    You can use the MaxCacheTtl registry entry to specify how long the DNS
    server can save a record of a recursive name query.
    If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
    any records.
    The DNS server saves the records of recursive name queries in a memory cache
    so that it can respond quickly to new queries for the same name. Records are
    deleted from the cache periodically to keep the cache content current. The
    interval when the records remain in the cache typically is determined by the
    value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
    establishes the maximum time that records can remain in the cache. The DNS
    server deletes records from the cache when the value of this entry expires,
    even if the value of the TTL field in the record is greater.
    Change method
    To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
    included with the Windows 2000 Support Tools. The change is effective
    immediately so that you do not have to restart the DNS server.
    Start method
    DNS reads its registry entries only when it starts. If you change the value
    of the MaxCacheTtl entry by editing the registry, the changes are not
    effective until you restart the DNS server.
    Note the following items:
    Windows 2000 does not add the MaxCacheTtl entry
    to the registry. You can add it by editing the registry or by using a
    program that edits the registry.
    The MaxCacheTtl entry does not affect Windows Internet Name Service
    (WINS) data that is saved in the DNS memory cache. WINS data is saved until
    the Cache Timeout Value on the WINS record expires. To view or change the
    Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a
    zone name, click Properties, click the WINS tab, and then click Advanced.
    ===============================
    Ace
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
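The Nessus finding quoted in this thread rests on one observation: a query sent with the recursion-desired bit cleared still came back with an answer, so the answer came from the cache. The following is an added example, not part of the original thread or of Nessus; it classifies a captured query/response pair offline, and the function names and sample packets are constructed for illustration.

```python
import socket
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
REFUSED = 5


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, rd):
    """Build an A/IN query; rd=False is the non-recursive form Nessus sent."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, rcode=0, aa=False, address=None, ttl=300):
    """Construct a sample response to `query` (test data, not a real capture)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | RA | (qflags & RD) | (AA if aa else 0) | rcode
    answer = b""
    if address:
        # Compression pointer to the question name at offset 12, then
        # TYPE=A, CLASS=IN, TTL, RDLENGTH=4, RDATA
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + socket.inet_aton(address))
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if address else 0, 0, 0)
    return header + query[12:] + answer


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}


def classify(query, response):
    """Decide what a query/response pair says about cache disclosure."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("response does not belong to this query")
    if q["rd"]:
        # A recursive query may have been resolved on demand, so an
        # answer proves nothing about what was already cached.
        return "not-a-snooping-test"
    if r["rcode"] == REFUSED:
        return "refused"
    if r["rcode"] == 0 and r["ancount"] > 0:
        # AA set means the server owns the zone; that is not cached data.
        return "authoritative-data" if r["aa"] else "cache-disclosed"
    return "no-cache-disclosure"  # referral, empty answer or error


if __name__ == "__main__":
    q = build_query("example.com", 0x1234, rd=False)
    samples = {
        "answer from cache": build_response(q, address="192.0.2.10"),
        "refused": build_response(q, rcode=REFUSED),
        "empty answer": build_response(q),
    }
    for label, resp in samples.items():
        print(label, "->", classify(q, resp))
```

A server that no longer caches, or that declines non-recursive queries for zones it does not host, should produce "no-cache-disclosure" or "refused" for the same test name.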

  • List of DNS Negative Cache

    Hi Folks
    I'm having problems with what I believe to be intermittent negative responses for a host from DNS servers that we forward external queries to and those negative responses being cached.
    Because of the intermittent nature of the problem every time it is reported I have not been able to carry out a query on the downstream DNS servers that has not produced a positive result.
    I would like to know if it is possible to see if negative responses for this specific host are being cached on our DNS servers.
    Thanks in advance
    Kevin

    You can possibly use DNSCMD, but I'm not sure if it will display negatively cached data. Have you tried using ipconfig /displaydns on the client to see what it negatively cached? And I'm not sure that will work. I can't reproduce the problem, since none of my customers have this issue.
    Keep in mind, [quoted from http://tools.ietf.org/html/rfc2308]:
    "Negative caching was an optional part of the DNS specification and
       deals with the caching of the non-existence of an RRset [RFC2181] or
       domain name."
    "[...] however had a fundamental flaw in that it did not allow a name
       server to hand out those cached responses to other resolvers [...]"
    So my feeling is there are non-existing records in some of your DNS servers, or incorrect SOA records, or lame delegations. If your organization is that large, and DNS was not designed properly (all DNS servers in an org must have the same exact reference to all records or issues will result, especially with AD), then I can see this may occur. So in reality, once you determined what data is negatively cached, the best way is to use DIG or nslookup testing directly against your forwarders for the records that you believe are negative, looking for NXDOMAIN responses (which are the records that have been negatively cached).
    It may have been possible that Negative Caching was set on *some* of your Windows DNS servers, but not all. That will definitely cause problems. That's done by setting the NegativeCacheTime to something really much higher than the default 300 seconds (15 minutes). If you are an admin and have access to those machines, you can take a look at that setting in the registry remotely.
    Configuring Caching and Negative Caching
    http://technet.microsoft.com/en-us/library/cc959309.aspx
    Here was a thread that asked the same thing, but no resolution:
    Windows DNS Server Negative Cache
    "So how do I display what info is in the negative cache? From the command line…"
    http://blog.joeware.net/2006/08/12/522/
    Further, if your org is using ISA or TMG, and they've set negative caching on those servers, then DNS has nothing to do with it! Check this article out:
    ISA: Configuring Negative Caching.
    http://www.isaserver.org/tutorials/Configuring_Negative_Caching.html
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • DNS Forwarder IP

    So in 10.6 Server, you can specify IPs that it will forward non-authoritative queries. I'm setting up 10.4.11 on an old G4 and there is no option for forwarding DNS IPs. Does it just use the system's other DNS IPs? Does it forward at all?
    Thanks!

    You can also add this row beneath yours:
    forward first;
    which means the server forwards external lookups first, and only if there isn't a successful reply will the internal DNS try itself.
    I don't know what will happen without this but there is another option:
    forward only;
    which will make the internal DNS not try itself if there is a non-successful reply.
    Also forwarding is done mostly for speed reasons and offloading of the internal DNS, so if the forwarder DNS servers are slow you don't gain anything. I'd compare your ISP DNS lookups from the client or DNS server directly to the forwarder DNS IPs to see how fast they are (and to see if you are allowed to use them as forwarders - recursive lookups):
    host -v <FQDN or IP you want to lookup> <forwarder DNS IP to test>
    You will get responses in milliseconds.
    Use FQDNs that are NOT hosted by the forwarder DNS IP you test (preferably use seldom-used FQDNs that are not cached).
    Using a "too old" OS might leave you, from a security patch standpoint, with a non-updated DNS if relying on Apple updates alone.

  • Mac OS X Server Forward Proxy(Web Caching)...setup a website for the proxy???

    My office is a Mac environment with a couple of Windows PCs. To save on bandwidth I would like to set up a Mac OS X Snow Leopard server with a web caching proxy, forward proxy. I read this link from Apple:
    Server Admin 10.6 Help: Configuring Web Service Proxy Settings
    I understand that to set this up I must enable it on my Mac Server and also on the clients' (end user) web browser. What I don't understand is this part:
    "When setting up a forward proxy, make sure you create and enable a website for the proxy. You might want to disable logging on the proxy site or configure the site to record its access log in a separate file from your other sites’ access logs. The site does not need to be on port 80 but setting up web clients is easier if its browsers use port 80 by default."
    Create and enable a website for the proxy??? I don't understand, why do I need a website for web caching? Shouldn't the settings in the web browser direct the HTTP requests to the Mac server and it does the rest? What has a website got to do with it, and what type of website? How?
    Please help, thank you in advance

    SL Server

  • DNS Zone forward OS X10.5 Server

    I have DNS functioning for the internal network with recursion, users can query both internally and externally just fine. I do not service DNS publicly to the Internet.
    I need to setup one zone so that queries for 'map.local' are forwarded to another DNS server I have access to. I prefer a forward instead of becoming a slave to that master domain if possible.
    I do not see any option to this within the GUI.
    Researching this I feel I found how to do this in BIND using /etc/named.conf:
    zone "map.local" IN {
        type forward;
        forwarders { 10.64.0.100; };
    };
    However when I add this DNS simply stops working, the logs in debug mode show nothing. As soon as I remove it DNS starts up.
    It appears all the zone settings are pulled out of /etc/named.conf in 10.5 and placed in an include file; however, that file's header says do not edit, it's written by the GUI. As a test I tried to enter this in that anyway and the same thing happened: DNS stopped working.
    How do I setup DNS on OS X 10.5 Server to forward DNS for this one domain 'map.local' to query another DNS server by IP?
    I have read OS X doesn't deal well with '.local' type TLDs, but it can if the domain is added to its search domains. I do not have control over that domain name and must deal with it as '.local'. Any comments on how much trouble this will cause?
    Thanks,
    Joe

    According to this: http://docstore.mik.ua/orelly/networking2ndEd/dns/ch1005.htm
    you should enter:
    zone "map.local" {
        type forward;
        forwarders { 10.64.0.100; };
    };
    Remove the "IN".
    And "map.local" might work but just ".local" would probably interfere with mDNS/Bonjour.
    I have no idea if this works but it should.

  • How do I flush my DNS cache

    My internet lookup is slow. I have read that I can fix this by using either openDNS or googleDNS servers. How Do I flush my DNS cache after switching DNS servers?

    Restart the computer.

  • [solved] disable reverse dns caching (pdnsd)

    Hey guys, I have set up pdnsd for DNS caching, and it's working fine. There's a small issue though. I would like to disable caching for reverse DNS lookups. This is because the cache file is getting filled up with thousands of such entries, due to p2p software such as rtorrent.
    Is there an option for the pdnsd.conf file which can disable this feature?
    Last edited by x33a (2014-01-23 05:51:37)

    After extensive searching, I found that this can be achieved by disabling PTR rr type, but pdnsd won't run without it.
    For reference purpose:
    Support for different rr types can be disabled by modifying src/rr_types.in accordingly (source code file). unfortunately, PTR along with a few other rr types is essential to pdnsd, so disabling it is not an option.

  • DNS - is it necessary on a LAN?

    Hoping someone more advanced than I can help me out - I'm the defacto network admin for a small design shop and we currently have an Xserve G3 running Mac OS X Server 10.3 - I'm going through the Mac OS Server Essentials course (the book version, not the real taught-by-a-pro version -- we don't have that much cash on-hand!) but am by no means a newbie to the basics of networking.
    Our G3 currently handles simple file sharing only. Our DHCP services, DNS services and firewall are all handled by a Cisco PIX unit that's managed by an outside firm that's completely overcharging us to manage. Add to that, they haven't been able to get the VPN services in the PIX to actually work. So, long story short, I want to pull these services in-house to save costs and get rid of these yo-yos controlling my PIX, and resell the PIX. It's overkill for what we need.
    My question is this - After upgrading, I want to use my G3 Xserve to handle file sharing, DHCP addressing, and utilize the VPN services to access our network apps from outside (I Really really really want to work from home again!)... Do I need to establish DNS services on my LAN for this to work, or can I simply rely on an outside DNS and not enable the DNS services on my Xserve?
    We host only 1 website that's reachable exclusively by IP address via a link on an externally hosted site. Currently through the PIX, this site is not reachable from our LAN (and that's OK - we have a back door to it that works just fine). Any response would be most appreciated. If more info as to IP addresses or specific configurations are needed, please email me directly at [email protected] I'd prefer to keep that info off the boards.
    Thanks in advance!

    I agree with Jim Pattison's overall suggestion that you don't need an internal DNS server in most cases for a small office configuration (or small home office, for that matter). Your ISP will provide DNS resolvers for getting at hosts on the Internet, and if your ISP hosts your domain, they'll provide DNS hosting services for any Internet-visible servers you wish the world to know about.
    Where local DNS services comes in handy (and it's important to make the distinction between DNS serving and DNS resolving), is if you:
    1) Want the ability to refer to your local printers, workstations, or servers by name, such as "office-printer" or "berts-mac", or "mail-server", etc., without knowing numeric addresses or using the ".local" convention that works sometimes, but not always, on the Mac.
    2) If you want to enable Kerberos authentication under Open Directory, then it's vital that the OD Master and all of its replicas have working forward and reverse DNS definitions. By 'working' I mean that the forward DNS of each server name matches its IP address, and the reverse DNS of that address matches the server name. Kerberos won't work without matching forward and reverse DNS.
    3) Portable home directories, and other advanced network services won't work unless forward and reverse DNS is defined for the OS X servers. I'm not sure why that is the case, but I do know it is required.
    If your OS X servers are on Internet-visible IP addresses, then their forward DNS can be made part of the DNS definitions your ISP provides. Whether or not your ISP will define matching reverse DNS is another matter -- the better ISPs will provide reverse DNS for your servers. If you run an Internet-visible mail server, for example, then it's important for the rest of the world to see matching forward and reverse DNS definitions or many mail servers will reject your mail thinking you're a spammer.
    If your OS X servers are on internal IP addresses -- like 192.168.*.*, 10.*.*.*, 172.*.*.* -- then you need to have one or more OS X Servers (or other servers) providing forward and reverse DNS if you want to take advantage of any of the advanced server features mentioned earlier.
    A DNS CASE STUDY
    At my company, we have a public domain hosted by our ISP (call it mydomain.com). In addition to DNS hosting for that domain, they also provide a couple of DNS resolvers we can point our workstations at. We have two OS X Servers on internal IP addresses 192.168.1.100 and 192.168.1.102 running DNS services -- one is the master and one is a slave. We opted to do DNS programming directly in BIND, which means manually editing the /etc/named.conf file, rather than relying on the graphic front end in Tiger Server Admin. This is simply because we wanted to do more advanced things than you could define via the Server Admin front end.
    Our DNS definitions basically provide for:
    1) Forward DNS for a local.mydomain.com domain to provide names for systems on our LAN. This is where the OS X servers reside -- server1.local.mydomain.com resolves to 192.168.1.100 and server2.local.mydomain.com resolves to 192.168.1.102.
    2) Reverse DNS for the 192.168.0.*, 192.168.1.* and 192.168.2.* address ranges. 192.168.1.100 resolves to server1.local.mydomain.com and 192.168.1.102 resolves to server2.local.mydomain.com.
    3) DNS forwarding, so that if you ask about anything not defined by our forward and reverse DNS zones (like discussions.apple.com, for example), our DNS resolvers pass the request to our ISP rather than try to resolve and cache the answer ourselves. This significantly improves performance, as the ISP can answer our queries much faster than we can perform the lookups starting with the root servers ourselves. This is purely a performance issue.
    4) DNS security -- Only folks on our 192.168.*.* local area network can ask about the local.mydomain.com domain. It's not visible outside our local network, thus improving security.
    5) Since our servers have matching forward and reverse DNS addresses on the local.mydomain.com domain, we can make use of Kerberos authentication, portable home directories, and so on. These don't work unless your OS X servers have matching forward and reverse DNS -- regardless of who provides the DNS services.
    DNS / BIND RESOURCES
    I based our /etc/named.conf on an excellent article I found online at <http://www.zytrax.com/books/dns/ch6/>. I also recommend O'Reilly & Associates "DNS & Bind" book -- <http://www.oreilly.com/catalog/dns4/index.html>. This is a good way to learn how to build DNS servers.
    If folks are curious, I can post our /etc/named.conf file.
    Xserve G4   Mac OS X (10.4.6)   1GB RAM
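Both the MxToolbox warning in the "Forward DNS does not match reverse dns" thread and the Kerberos requirement described in this post come down to the same test: the name's address must have a PTR record, and that PTR name must resolve back to the same address. The following is an added example, not code from any poster; the status labels and helper names are hypothetical, and the sample records are constructed (the server1/server2 names follow the case study above).

```python
import socket


def normalize(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def system_forward(name):
    """IPv4 addresses the system resolver returns for name (empty if none)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror and socket.herror
        return set()


def system_reverse(ip):
    """Primary PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def make_resolver(a_records, ptr_records):
    """Build offline forward/reverse lookups from constructed tables."""
    table = {normalize(k): set(v) for k, v in a_records.items()}

    def forward(name):
        return set(table.get(normalize(name), ()))

    def reverse(ip):
        return ptr_records.get(ip)

    return forward, reverse


def check_host(name, forward=system_forward, reverse=system_reverse):
    """Return (ip, status) pairs for every address of name.

    match            PTR names this host (what Kerberos and mail peers expect)
    no-ptr           the address has no reverse record
    ptr-differs      PTR names another host that does map back to the address
    ptr-unconfirmed  PTR names a host that does not resolve to the address
    no-forward       the name has no A record at all (ip is None)
    """
    addresses = forward(name)
    if not addresses:
        return [(None, "no-forward")]
    results = []
    for ip in sorted(addresses):
        ptr = reverse(ip)
        if ptr is None:
            status = "no-ptr"
        elif normalize(ptr) == normalize(name):
            status = "match"
        elif ip in forward(ptr):
            status = "ptr-differs"
        else:
            status = "ptr-unconfirmed"
        results.append((ip, status))
    return results


# Constructed sample data; none of these records come from a real zone.
SAMPLE_A = {
    "server1.local.mydomain.com": ["192.168.1.100"],
    "server2.local.mydomain.com": ["192.168.1.102"],
    "mail.example.org": ["203.0.113.25"],
    "mail.example.net": ["198.51.100.7"],
    "www.example.org": ["203.0.113.30"],
    "host30.example.org": ["203.0.113.30"],
}
SAMPLE_PTR = {
    "192.168.1.100": "server1.local.mydomain.com.",
    "203.0.113.25": "mail.example.net",    # names someone else's mail host
    "203.0.113.30": "host30.example.org",  # generic name, but it maps back
}

if __name__ == "__main__":
    fwd, rev = make_resolver(SAMPLE_A, SAMPLE_PTR)
    for host in ("server1.local.mydomain.com", "server2.local.mydomain.com",
                 "mail.example.org", "www.example.org"):
        print(host, check_host(host, fwd, rev))
```

Called without the last two arguments, check_host uses the system resolver, so it can be run on a client against the DNS servers that client is configured to use.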

  • How to configure DNS on RED HAT 5,4

    Hello Linux experts
    I need to configure DNS service for Oracle RAC 11gR2
    For dns server, I'm using the hosts for RAC.
    How to configure DNS on RED HAT 5.4 ?
    Does anyone have a manual for doing this?
    Best Regards

    Regardless of whether you will find tools or perl scripts like h2n, or manage your configuration files directly, you will need to get yourself familiar with basic DNS concepts and terms. A DNS cluster is a number of nameservers that share DNS records. You may perhaps rather want to set up a DNS server system consisting of a master and slave DNS server for your authoritative zone (domain name) on each node, but also configure for DNS forwarding and perhaps caching to public DNS servers on the internet. You may want to configure primary and secondary DNS records on your client sides in /etc/resolve.conf, perhaps also using some round-robin or timeout options.
    I'm afraid Google will be your best friend. You may find below links helpful in your approach:
    http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_%3A_Ch18_%3A_Configuring_DNS
    http://tldp.org/LDP/lame/LAME/linux-admin-made-easy/domain-name-server.html
    http://www.redhat.com/magazine/025nov06/features/dns/
    http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/dns-static.htm
