BIND Non-authoritative.

joeswat · 09-02-2013, 02:55 PM

Been working on BIND for some time now and finally got it to work so other servers can reach for dns lookup however.

if I do dig on Linux machine I get all my answers:

Code:

[myuser@mynixserver ~]# dig @10.x.x.x cnn.com

; <<>> DiG 9.3.4-P1 <<>> @10.x.x.x cnn.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30576
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                300     IN      A       157.166.226.26
cnn.com.                300     IN      A       157.166.226.25

;; AUTHORITY SECTION:
cnn.com.                170753  IN      NS      ns3.timewarner.net.
cnn.com.                170753  IN      NS      ns2.p42.dynect.net.
cnn.com.                170753  IN      NS      ns1.timewarner.net.
cnn.com.                170753  IN      NS      ns1.p42.dynect.net.

;; ADDITIONAL SECTION:
ns1.timewarner.net.     170753  IN      A       204.74.108.238
ns3.timewarner.net.     170753  IN      A       199.7.68.238

However if I do it from windows server I get almost nothing

Code:

> server 10.x.x.x
Default Server:  [10.x.x.x]
Address:  10.x.x.x

> cnn.com
Server:  [10.x.x.x]
Address:  10.x.x.x

Non-authoritative answer:
Name:    xyz.com
Address:  50.x.y.z
Aliases:  cnn.com.xwz.com

jpollard · 09-02-2013, 04:24 PM

What windows is providing is a cached entry, not one from the server. That is why it is "non-authoritative".

This is done to minimize the impact on a name server by thousands of queries. When one tracks down your server, the host (well, name server actually) then caches the answer - so that your server doesn't have to respond any more (at least, not until the timeout interval happens). Over time, thousands of other name servers would pick up your entry - eliminating them from directly contacting your server, and in addition, spread the load out.

OCCASIONALLY, (not very often) I have pre-seeded other name servers by selecting them as a name server and then looking up the designated target. Doing this between the root servers and the intermediate servers between you and the root (there usually is only two or three), greatly reduces an initial load, and can reduce the occurrence of timeouts for users. It doesn't work well when the timeout is long though - the servers will only update after their cache entry times out.

joeswat · 09-02-2013, 04:37 PM

Quote:

Originally Posted by jpollard

What windows is providing is a cached entry, not one from the server. That is why it is "non-authoritative".

This is done to minimize the impact on a name server by thousands of queries. When one tracks down your server, the host (well, name server actually) then caches the answer - so that your server doesn't have to respond any more (at least, not until the timeout interval happens). Over time, thousands of other name servers would pick up your entry - eliminating them from directly contacting your server, and in addition, spread the load out.

OCCASIONALLY, (not very often) I have pre-seeded other name servers by selecting them as a name server and then looking up the designated target. Doing this between the root servers and the intermediate servers between you and the root (there usually is only two or three), greatly reduces an initial load, and can reduce the occurrence of timeouts for users. It doesn't work well when the timeout is long though - the servers will only update after their cache entry times out.

So weird tho all nix servers are fine (not on domain) all windows servers that are on domain are not doing its job

I thought to try some non-cached domain...on windows server by doing
nslookup
server 10.x.x.x
>zumba.com

and this is what I get back

Code:

02-Sep-2013 17:34:47.008 client 10.x.x.x#22547: query: zumba.xyz.com IN A +
 (10.my.ser.ver)

where zumba.xyz.com (xyz.com) is my internal domain from windows server