LinuxQuestions.org
Old 10-02-2012, 11:45 AM   #16
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038

You need recursion, but only for specific clients. If you use "recursion yes;", then as I've told you, anyone in the world can use your server as a resolver, resulting in cache poisoning, DoS, etc.
Quote:
Is this my problem? Am I using the wrong zone config type? Would a slave configuration be more what I am striving for? If so, what is the point to a forwarding config?
I don't like forwarders, so I use the hint zone, so my dns servers are both authoritative and caching.
 
Old 10-03-2012, 05:33 AM   #17
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
This leaves the questions standing: If I'm not supposed to use recursion, but I need it for forwarding, what am I supposed to do?

Does forwarding act as a proxy agent (my assumption), or does it act as a redirecting agent (what it looks like at this point)?

How would "hint" achieve the desired effect? For that matter... what does hint do?
 
Old 10-03-2012, 05:37 AM   #18
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
Last night, I started configuring it as a master/slave. The reason I chose forwarding was because I didn't want any caching whatsoever and forwarding appeared to achieve that. Forwarding doesn't act as a proxy though.... so there isn't much point in using it.

Slave zones appear closer to what I want. Of course they aren't working either.
 
Old 10-03-2012, 08:12 AM   #19
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
Quote:
This leaves the questions standing: If I'm not supposed to use recursion, but I need it for forwarding, what am I supposed to do?
I'm not telling you not to use recursion. What I'm telling you is to specify the clients (hosts/networks) that can do recursive queries to your server using the "allow-recursion" option, for security reasons.

Regarding your problem, the only difference I can see from here, is that resolving sharoncave.ca using 208.88.5.245 gives a SERVFAIL, not a REFUSED as it did earlier
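
An added illustration of the "allow-recursion" advice in the post above (not part of the thread and not the poster's configuration): a small Python check that classifies who may send recursive queries according to a named.conf. The sample configs, the 192.0.2.0/24 documentation addresses and the function names are constructed for this example; views and nested ACLs are not handled.

```python
import re

# Constructed named.conf samples (not the poster's files).
OPEN_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };      # every client on the internet may recurse
};
"""
RESTRICTED_CONF = """
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { trusted; };  /* only the listed clients may recurse */
};
"""
AUTH_ONLY_CONF = "options { recursion no; };"

WORLD = {"any", "0.0.0.0/0", "::/0"}  # address-match elements that mean "everyone"

def strip_comments(text):
    """Remove /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def acl_elements(body):
    """Split the inside of an address-match list into its elements."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]

def recursion_exposure(conf):
    """Return 'disabled', 'open', 'restricted' or 'implicit' for a named.conf text."""
    conf = strip_comments(conf)
    acls = {name: acl_elements(body) for name, body in
            re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', conf)}
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if rec and rec.group(1) == "no":
        return "disabled"
    allow = re.search(r"\ballow-recursion\s*\{([^{}]*)\}", conf)
    if not allow:
        return "implicit"  # no explicit list: outcome depends on BIND's built-in default
    members = []
    for element in acl_elements(allow.group(1)):
        members.extend(acls.get(element, [element]))  # expand named ACLs one level
    return "open" if WORLD & set(members) else "restricted"

if __name__ == "__main__":
    for label, conf in [("open", OPEN_CONF), ("restricted", RESTRICTED_CONF),
                        ("auth-only", AUTH_ONLY_CONF)]:
        print(label, "->", recursion_exposure(conf))
```
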
 
Old 10-03-2012, 08:15 AM   #20
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
Is recursion a prerequisite for forwarding?

At this point, I'm actually questioning if forwarding is what I want.

Last edited by kavius; 10-03-2012 at 08:21 AM.
 
Old 10-03-2012, 10:09 AM   #21
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
Quote:
Is recursion a prerequisite for forwarding?
Recursion is not mandatory for an authoritative nameserver. Your dns is authoritative even though it forwards queries to another dns.
You need recursion if you want to use your dns as a caching nameserver (resolver) for your clients. Have a look here for more details.
 
Old 10-03-2012, 10:38 AM   #22
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
So I can have both non-recursion and forwarding. Do I want forwarding?

As I now understand it, based on
Forwarding behaves like this (not the behaviour I am trying to achieve):
Code:
       0
      -+-                +--------------+           +--------------+
       |                 + 208.88.5.245 +           + 208.88.4.232 +
______/_\______          +--------------+           +--------------+
       |                         |                          |
       |----- sharoncave.ca? --->|                          |
       |                         |                          |
       |<-- frwd:208.88.4.232 ---|                          |
       |                                                    |
       |----------------------------- sharoncave.ca? ------>|
       |                                                    |
       |<---------------------------- A rec:208.88.4.232 ---|
       |                                                    |

This is the behaviour I am trying to achieve:
Code:
       0
      -+-                  +--------------+           +--------------+
       |                   + 208.88.5.245 +           + 208.88.4.232 +
______/_\______            +--------------+           +--------------+
       |                           |                          |
       |----- sharoncave.ca? ----->|                          |
       |                           |                          |
       |                           |--- sharoncave.ca? ------>|
       |                           |                          |
       |                           |<-- A rec:208.88.4.232 ---|
       |                           |                          |
       |<--- A rec:208.88.4.232 ---|                          |
       |                           |                          |
If this is the behaviour I am seeking, should I be using a different type? (slave?)

Last edited by kavius; 10-03-2012 at 11:02 AM. Reason: better text/illustration division
 
Old 10-03-2012, 11:21 AM   #23
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
Quote:
Do I want forwarding?
Do you?
The authoritative nameservers for your domain are 208.88.5.245 and 208.88.6.207, which both give a SERVFAIL (instead of REFUSED previously).
Anyway looking closer at named.conf you've posted, you have
Quote:
forwarders{208.88.4.232;};
You need to add a blank space after forwarders. I guess that this is because it fails
 
Old 10-03-2012, 11:32 AM   #24
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by bathory
Do you?
I'm not sure.

I want the behaviour identified here. If that is called "forwarding", then "yes", otherwise "no".
 
Old 10-03-2012, 11:58 AM   #25
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
I'm not sure if I understand your figures well, so I'm trying to explain how your dns is supposed to work.
When a client on the internet wants to visit sharoncave.ca, it queries its dns.
Its dns looks for a way to resolve the domain and somehow it finds that the authoritative nameservers are 208.88.5.245 and 208.88.6.207, so it has to ask one of them.
Say it queries 208.88.5.245. If this server was working correctly, it will forward the query to 208.88.4.232, get the A RR and give the answer to the client. This is dns forwarding, so make sure that this is what you're trying to achieve.

Now both the authoritative nameservers fail because of some misconfiguration (see my previous post if that's the case), so no one can do its job to resolve your domain.
 
Old 10-03-2012, 02:38 PM   #26
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
I think it would be best if I used a master/slave configuration (slave=208.88.5.245, master=208.88.4.232). I believe this behaviour best matches my desired results. I will spend a few days tinkering with that on my own.

One last question: Does 208.88.4.232 appear to be working correctly at this point (it does to me)?
 
Old 10-04-2012, 12:40 AM   #27
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,170
Blog Entries: 1

Rep: Reputation: 2038
Quote:
Originally Posted by kavius
I think it would be best if I used a master/slave configuration (slave=208.88.5.245, master=208.88.4.232). I believe this behaviour best matches my desired results. I will spend a few days tinkering with that on my own.

One last question: Does 208.88.4.232 appear to be working correctly at this point (it does to me)?
I second that. It's better to use a master/slave dns combination, so if one of them fails, the other can still answer authoritatively for your domain(s).

The fact is, that now I cannot connect to 208.88.4.232 so I can use it as a resolver for your domain, but I can ping it.
Quote:
; <<>> DiG 9.9.1-P3 <<>> sharoncave.ca @208.88.4.232
;; global options: +cmd
;; connection timed out; no servers could be reached
Check if bind is running and there is no firewall blocking port 53 udp/tcp and things like that.

Regards
 
Old 10-04-2012, 05:34 AM   #28
kavius
Member
 
Registered: Feb 2003
Location: Halifax, NS, CAN
Distribution: Ubuntu
Posts: 71

Original Poster
Rep: Reputation: 16
I seem to have this problem now:

http://www.google.ca/url?sa=t&rct=j&...pdZGO5smSLhbrQ

Thanks for your help but suddenly I am dealing with more fundamental problems.
 
  

