nslookup can't but browser can !

Quadri, Jay Jay.Quadri at gmk.cwplc.com
Fri Aug 25 10:00:19 UTC 2000



No sir, I didn't say that at all, no! Again, my forwarders include both
boxes: my forwarders include the Internet DNS server and the other internal
DNS located in another branch or site.

I did turn on debug (set d2 /d3).
I do maintain (strongly) that when 'forward=first', DNS resolves internal
names only. However, if forward=only, it resolves Internet names only. I
can see these results from my debug. With 'forward=first', I even moved
the Internet DNS server above the domestic DNS server in the named.conf; it
made no difference. I even set 'multiple-cnames YES;' and 'fetch-glue YES;'.

I even turned on recursion, for the server to do everything possible to
answer the query completely; I turned it off again, and it made no difference
at all. I disagree with you completely on the recursion issue. I tested DNS
using dig or nslookup; in effect these are clients or resolvers. Turning
recursion on/off might affect the result of queries. If you have a beefed-up
DNS server then it's alright to turn on recursion. If recursion is set to
'no' it will return a referral to the client. What if the client is not in
the allow-query list? It'll always fail. Hence, the recursion setting does
affect results.

I also stick to my guns that:
forward first = check local cache first, then forward.
forward only = DNS server will only forward the queries.

I need a fundamental insight!


-----Original Message-----
From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
Sent: Thursday, August 24, 2000 10:36 PM
To: bind-users at isc.org
Subject: Re: nslookup can't but browser can !



1. *Both* forms of forwarding check the cache first, as I already explained.

2. "Forward only", as the name suggests, *only* uses the forwarders. You
explained that your forwarders are all external boxes. This is why it never
asks your internal boxes when "forward only" is in effect.

3. How do you know that the query *isn't* being forwarded to your Internet
box when "forward first" is in effect? Have you run a packet trace, turned on
debugging? All you know for sure is that it isn't getting a satisfactory
answer. My speculation is that it *is* forwarding but not getting an answer
fast enough.

4. What "recursion set"ting are you referring to? "allow-recursion" only
affects the interaction between the nameserver and its clients and has
nothing to do with whether the server chooses to interact with other
nameservers recursively or iteratively.


- Kevin

Quadri, Jay wrote:

> I disagree, here is why:
> Forward first causes the server to check the local cache for the answer
> and if not found, then forward the query. This is the default setting.
> Forward only: the server will only forward the queries.
>
> You didn't explain why 'forward only' does not forward to the other internal
> nameserver,
> and why 'forward first' does not forward to the Internet nameserver.
>
> It's a mystery to me.  You might want to read the question again.
>
> From your definition of 'forward first', will it fall back to iterative
> resolution even if you have recursion set? I don't think so.
>
> -----Original Message-----
> From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
> Sent: Thursday, August 24, 2000 12:52 AM
> To: bind-users at isc.org
> Subject: Re: nslookup can't but browser can !
>
> No, both forms of forwarding look at the cache first. The difference is in
> what they do if they don't get a response from the forwarder(s): "forward
> first" falls back to iterative resolution; "forward only" doesn't.
>
> Given that, I'd speculate that your forwarder is answering *slowly*. With
> "forward first", you timeout and ask the internal servers about the
> Internet name, which claim that the name doesn't exist, but with "forward
> only", it keeps on retrying the query and eventually gets an answer. On the
> other hand, "forward first" works for internal names, because the internal
> servers know about them, but "forward only" does not, because apparently
> your forwarder doesn't.
>
> This speculation could be verified by enabling debugging on the
> nameserver.
>
> If this speculation is correct, then:
>
> 1) find out why your forwarder is so slow to respond and fix it
> 2) change the global forwarding option to "forward only"
> 3) define the apex zones of all your internal domains as
> slave/stub/forward to the appropriate servers in order to "override" the
> forwarding to your Internet forwarder (for slave or stub zones you may want
> to specify "forwarders { }" in order to override forwarding for subzones as
> well). That way you'll be able to resolve both internal and external names.
>
> - Kevin
>
> Quadri, Jay wrote:
>
> > I have a similar problem: my DNS box (A) only resolves internal names,
> > and forwards Internet requests to an Internet DNS box (B), and also
> > forwards to other extranet domestic nameservers (C).  My intranet DNS
> > server has its own hints file (not the InterNIC's; I wrote it, and it only
> > includes my intranet DNS boxes as root servers).  ping works at all times;
> > nslookup does not, depending on the forward. If the forwarding is set to:
> >
> > forward first ;   I can use nslookup or dig to resolve domestic names
> > but not Internet names (C).
> > (forward first checks the cache first before forwarding).
> >
> > forward only ;   I can resolve Internet names with nslookup or dig, but
> > can't resolve other domestic names (C) (forward all requests).
> >
> > Any ideas?
> >
> >
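
Added example, not part of the original thread or anyone's actual configuration: a named.conf sketch of the layout suggested in steps 2 and 3 of the 24 August reply (global "forward only" to the Internet forwarder, with the internal apex zones overriding it). The zone names, addresses, client range and file path are constructed placeholders.

```conf
// Constructed placeholders (assumptions, not from the thread):
//   192.0.2.53     Internet-facing forwarder (box B)
//   198.51.100.10  internal server for corp.example (a box C)
//   198.51.100.20  internal server for branch.example (a box C)
//   10.0.0.0/8     internal client range

options {
    directory "/var/named";

    // Step 2: everything not overridden below goes to the Internet
    // forwarder only, with no fallback to iterative resolution.
    forward only;
    forwarders { 192.0.2.53; };

    // Controls which clients get recursive service; it does not change
    // how this server talks to other nameservers (point 4 of the reply).
    allow-recursion { 10.0.0.0/8; };
};

// Step 3, variant "forward": queries for this apex and everything
// below it go to the internal server instead of the global forwarder.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; };
};

// Step 3, variant "stub": learn the zone's NS records from the internal
// server and resolve through them. The empty forwarders list switches
// forwarding off for this zone and its subzones, so the global
// forwarder is never asked about internal names.
zone "branch.example" {
    type stub;
    file "stub/branch.example";
    masters { 198.51.100.20; };
    forwarders { };
};
```

With this layout, a lookup such as `dig @127.0.0.1 host.corp.example` is answered through the internal servers, while any other name is sent to the Internet forwarder, so internal names are not exposed to the external box.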






