non-recurce queries on 8.2.2 pl 5

Kevin Darcy kcd at
Mon Nov 22 21:28:50 UTC 1999

Peter.Pedersen at wrote:

> Hi,
> we have a DNS server running as strictly forward/cache on a firewall server
> with the bind 8.2.2 pl 5.
> The domain is defined with a primary and a secondary
> server on our intranet.
> When we make a non-recurce query to this DNS on a know host it come back
> with no-answer.
> Then we make a recurce query, and it answers correctly with the A-record.
> Now we are able to make a non-recurce query and it answers correctly with
> the A-record.
> It there something we have missed with the new forward-zone statement in
> bind 8.2.2 ??
> Here is the output from nslookup:

(I have omitted the nslookup output for the sake of brevity. In summary, they
all query the same name and the results, in order, are:to query #1
(non-recursive): 0 answers.
to query #2 (recursive): 1 auth. answer.
to query #3 (non-recursive): 1 non-auth. answer)

You didn't clearly describe how your internal zone is defined on the firewall,
but I'm assuming it is there as "type forward". If so, then this behavior is
expected. A nameserver does not generate any queries of its own in response to
a non-recursive query, so on Query #1, where it is not authoritative for the
zone and did not happen to have the answer in its cache, it simply returned 0
answers. On Query #2, it used the forwarding information to get the answer from
an authoritative server and returned it to the client. On Query #3, it now had
the answer in its cache, so it answered non-authoritatively.

Is there a problem with this? If you have a forwarding hierarchy, this is not a
problem, since forwarded queries are recursive and thus will return the desired
information. If you absolutely *must* have your firewall give full answers for
non-recursive queries of your internal zone (although I'm not sure why this
would be a requirement), then you can always make it a slave to that zone.

- Kevin

More information about the bind-users mailing list