nslookup can't but browser can !

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 25 20:59:36 UTC 2000


Quadri, Jay wrote:

> No sir, I didn't say that at all, no!, again my forwarders include both
> boxes, my forwarders include the Internet DNS server and the other Internal
> DNS located in another branch or site.

You originally said your forwarders included an "Internet" box and
"extranet" boxes. Are you using "extranet" in some unusual way then? It usually
means something *outside* of your security boundary, i.e. *external*.

Why would you put both internal and external boxes in your forwarders list
anyway? That makes no sense. It means the answers to your queries of external
names will be basically a crap-shoot, depending on how quickly or slowly those
forwarders respond. Do you like to gamble with your nameservice?

> I did turn on debug (set d2 /d3),
> I do maintain (strongly) that: When 'forward=first', dns resolves Internal
> names only.  However, if forward=only, it resolves Internet names only.

And I say, again, the only difference between those is what the nameserver does
if it can't get a response from the forwarders. So *something* has to be
failing. This should be obvious from the debug output, which you have not
shown.

> I can see these results from my debug.  When 'forward=first', I even moved
> the Internet dns server above the domestic dns server in the named.conf, it
> made no difference.

No surprise. The "forward first"/"forward only" distinction only kicks in after
all of the forwarders have failed. So changing the order shouldn't make any
difference, unless it's a really fine timing issue.

> I even set 'multiple-cnames YES;' and 'fetch-glue YES;'

These are irrelevant. No surprise that changing them didn't produce different
results.

> I even turned on recursion: for the server to do everything possible to
> answer the query completely, I turned it off again, it made no difference at
> all.   I disagree with you completely on the recursion issue, I tested DNS
> using Dig or nslookup, in effect these are clients or resolvers.  Turning
> on/off recursion might affect the result to queries. If you have a beefed up
> DNS server then it's alright to turn on recursion. If recursion is set to
> 'no' it will return a referral to the client.  What if the client is not in
> the allow-query list, it'll always fail.  Hence, recursion setting does
> affect results.

I never said "allow-recursion" doesn't affect query *results*. What I said was
that it had nothing to do with whether your server uses iterative or recursive
queries when talking to other nameservers. Nothing you mention in the paragraph
above has anything to do with server-to-server interactions. My point stands.

> I also stick to my guns that:
> forward first = check local cache first then forward.
> Forward only =DNS server will only forward the queries.

"Forward only" also checks the cache. You're barking up the wrong tree. I
just tested it here: I set my internal nameserver to forward through our
firewall, "forward only", looked up an external name twice, the first time it
forwarded it, the second time it answered directly from its cache. QED.

> I need a fundamental insight!

What I think you need more is to rid yourself of a couple of fallacies
regarding "allow-recursion" and the difference between "forward first" and
"forward only". Cleaning up your networking terminology and posting some debug
output might help too.


- Kevin


> -----Original Message-----
> From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
> Sent: Thursday, August 24, 2000 10:36 PM
> To: bind-users at isc.org
> Subject: Re: nslookup can't but browser can !
>
> 1. *Both* forms of forwarding check the cache first, as I already explained.
>
> 2. "Forward only", as the name suggests, *only* uses the forwarders. You
> explained that your forwarders are all external boxes. This is why it never
> asks your internal boxes when "forward only" is in effect.
>
> 3. How do you know that the query *isn't* being forwarded to your Internet
> box when "forward first" is in effect? Have you run a packet trace, turned on
> debugging? All you know for sure is that it isn't getting a satisfactory
> answer. My speculation is that it *is* forwarding but not getting an answer
> fast enough.
>
> 4. What "recursion set"ting are you referring to? "allow-recursion" only
> affects the interaction between the nameserver and its clients and has
> nothing to do with whether the server chooses to interact with other
> nameservers recursively or iteratively.
>
> - Kevin
>
> Quadri, Jay wrote:
>
> > I disagree here is why:
> > Forward first causes the server to check the local cache for the answer
> > and if not found, then forward the query. This is the default setting.
> > Forward only: the server will only forward the queries.
> >
> > You didn't explain why 'forward only' does not forward to other Internal
> > nameserver.
> > and why 'forward  first' does not forward to the Internet nameserver.
> >
> > It's a mystery to me.  You might want to read the question again.
> >
> > From your definition of 'forward first', will it fall back to iterative
> > resolution even if you have recursion set; I don't think so.
> >
> > -----Original Message-----
> > From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
> > Sent: Thursday, August 24, 2000 12:52 AM
> > To: bind-users at isc.org
> > Subject: Re: nslookup can't but browser can !
> >
> > No, both forms of forwarding look at the cache first. The difference is in
> > what they do if they don't get a response from the forwarder(s): "forward
> > first" falls back to iterative resolution; "forward only" doesn't.
> >
> > Given that, I'd speculate that your forwarder is answering *slowly*. With
> > "forward first", you timeout and ask the internal servers about the
> > Internet name, which claim that the name doesn't exist, but with "forward
> > only", it keeps on retrying the query and eventually gets an answer. On the
> > other hand, "forward first" works for internal names, because the internal
> > servers know about them, but "forward only" does not, because apparently
> > your forwarder doesn't.
> >
> > This speculation could be verified by enabling debugging on the
> > nameserver.
> >
> > If this speculation is correct, then:
> >
> > 1) find out why your forwarder is so slow to respond and fix it
> > 2) change the global forwarding option to "forward only"
> > 3) define the apex zones of all your internal domains as slave/stub/forward
> > to the appropriate servers in order to "override" the forwarding to your
> > Internet forwarder (for slave or stub zones you may want to specify
> > "forwarders { }" in order to override forwarding for subzones as well).
> > That way you'll be able to resolve both internal and external names.
> >
> > - Kevin
> >
> > Quadri, Jay wrote:
> >
> > > I have a similar problem, my DNS box (A) only resolves internal names,
> > > and forwards Internet requests to an internet DNS box (B), also forwards
> > > to other extranet domestic nameservers (C).  My intranet DNS server has
> > > its own hints file (not the Internic's, I wrote it, only includes my
> > > Intranet DNS boxes as root servers).  ping works at all times, nslookup
> > > does not depending on the forward, if the forwarding is set to:
> > >
> > > forward     first ;   I can use nslookup or dig to resolve Domestic
> > > names but not Internet names (C) .
> > > (forward first checks the cache first before forwarding).
> > >
> > > forward   only ;   I can resolve Internet names with nslookup or dig,
> > > but can't resolve other domestic names (C) (forward all requests).
> > >
> > > Any ideas?
> > >
> > >
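The layout Kevin recommends in his first reply (global "forward only" to the
Internet box, with the internal apex zones overriding that forwarding), written
out as a BIND named.conf. This is an added example and not configuration posted
in the thread; the domain names, addresses (documentation and private ranges),
zone types, directory and file names are all assumed for illustration, and the
problematic form is shown first, commented out, so the file stays valid.

```conf
// --- Layout the thread argues against (assumed reconstruction), kept as a
// --- comment so that this file remains a single valid named.conf:
//
// options {
//     forward first;
//     // Internet box (B) and internal box (C) in one list: whichever answers
//     // first wins, so the result for an external name depends on timing,
//     // and nothing distinguishes "who knows this name" from "who is fast".
//     forwarders { 192.0.2.53; 10.0.0.53; };
// };

// --- Corrected layout: one global forwarder, per-zone overrides for internal
// --- names.

options {
    directory "/var/named";                   // assumed path
    // Everything not matched by a zone statement below is sent to the
    // Internet forwarder and nowhere else; no fallback to iterative lookup.
    forward only;
    forwarders { 192.0.2.53; };               // box (B), assumed address
};

// Hints are only consulted when the server resolves iteratively; with the
// global "forward only" above they are not used for external names, but the
// statement is harmless and is needed if you ever switch to "forward first".
zone "." {
    type hint;
    file "named.root";
};

// Internal apex zone served by the internal nameservers (C). A forward zone
// replaces the global forwarder for this name and everything below it.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };     // internal boxes (C), assumed
};

// Alternative for a zone this server should hold locally: stub (or slave)
// from the internal master. The empty forwarders list switches forwarding off
// for this zone and its subzones, so delegations inside it are followed to
// the internal servers instead of being sent to the Internet forwarder.
zone "10.in-addr.arpa" {
    type stub;
    masters { 10.0.0.53; };                   // internal master, assumed
    file "stub.10.in-addr.arpa";
    forwarders { };
};
```

With BIND 9, `named-checkconf` will validate the syntax before a reload. The
behavioural check is the one Kevin asks for in the thread: query the server
with dig for one internal and one external name with debugging enabled, and
confirm that the internal name goes to the addresses in the zone statement and
the external name to the global forwarder only.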
