Loop detection

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 20 04:10:42 UTC 2000


I believe named won't use a forwarder with the same address as the source
of the query it is trying to resolve. But this doesn't stop loops between
groups of 3 or more nameservers, nor loops in the case where the other
nameserver is originating its queries from a different address than the
one to which you're forwarding.

Prevention? Unfortunately, the "blackhole" option can't be used to prevent
forwarding loops, since it interferes with the responses from the
forwarders. And zones of type forward can't have allow-recursion. Possibly
a default/global allow-recursion ACL blocking all forwarders might work,
as long as there is no legitimate reason for any of them to be querying
you recursively.


- Kevin



Lack Mr G M wrote:

>    Is it possible to configure bind8 (8.2.2-P5) so that it is able to
> detect a loop if it "sends" a query on to a server configured in a zone
> {type forward;}; clause if that "target" server is configured to send
> back to the original server as a forwarder and reckons that it doesn't
> know the answer?
>
> Eg:
>
> ------------------------------------------------------------------
> Main server (172.18.1.1) has:
>   zone "82.168.192.in-addr.arpa" {
>    type forward;
>    forwarders { 192.168.82.55 ; };
> };
>
> ------------------------------------------------------------------
> Sub-server (192.168.82.55) has:
>
>    No info on 82.168.192.in-addr.arpa (eg: accidental file deletion
>                                            other cock-up)
>
>    forwarders {
>       172.18.1.1;
>    };
>
> ------------------------------------------------------------------
>
>    I seem to recall I have seen messages about loop detection in the
> syslog file but that may just work for sub-zones(??).  If there is no
> loop possible then the situation above leads to a rather fast "tennis
> match".
>
> --
> --------- Gordon Lack --------------- gml4410 at ggr.co.uk  ------------
> This message *may* reflect my personal opinion.  It is *not* intended
> to reflect those of my employer, or anyone else.
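
The loops discussed in this thread (the two-server case in the question, and the rings of three or more servers that named's own source-address check does not catch) can be found offline by comparing the servers' configurations. The following is an added example, not part of the original thread or of BIND: it assumes each named.conf is available as text keyed by the address that server listens on, that the config contains no comments, and all function names are hypothetical.

```python
import re

# One level of nested braces is enough for zone/options blocks with a forwarders list.
BLOCK = r'\{((?:[^{}]|\{[^{}]*\})*)\}'
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*' + BLOCK)
OPTS_RE = re.compile(r'options\s*' + BLOCK)
FWD_RE = re.compile(r'forwarders\s*\{([^{}]*)\}')

# Constructed sample: the two servers from the quoted question, keyed by listen address.
CONFIGS = {
    "172.18.1.1": 'zone "82.168.192.in-addr.arpa" {\n'
                  '   type forward;\n   forwarders { 192.168.82.55 ; };\n};',
    "192.168.82.55": 'options { forwarders { 172.18.1.1; }; };',
}

def forwarders(body):
    m = FWD_RE.search(body)
    return m.group(1).replace(";", " ").split() if m else []

def next_hops(conf, qname):
    """Addresses this server would forward a query for qname to."""
    qname, best = qname.lower().rstrip("."), None
    for name, body in ZONE_RE.findall(conf):
        name = name.lower().rstrip(".")
        if qname == name or qname.endswith("." + name):
            if best is None or len(name) > len(best[0]):
                best = (name, body)      # most specific zone wins
    if best:
        kind = re.search(r'type\s+(\w+)', best[1])
        # Assumption: any non-forward zone (master, slave) answers locally.
        return forwarders(best[1]) if kind and kind.group(1) == "forward" else []
    opts = OPTS_RE.search(conf)
    return forwarders(opts.group(1)) if opts else []

def find_loops(configs, qname):
    """Return each forwarding cycle for qname once, rotated to start at its smallest address."""
    loops = set()
    def walk(server, path):
        if server in path:
            cycle = path[path.index(server):]
            k = cycle.index(min(cycle))
            loops.add(tuple(cycle[k:] + cycle[:k]))
            return
        for nxt in next_hops(configs.get(server, ""), qname):
            walk(nxt, path + [server])
    for start in configs:
        walk(start, [])
    return loops

if __name__ == "__main__":
    print(find_loops(CONFIGS, "1.82.168.192.in-addr.arpa"))
```

Because the graph is keyed on the address each forwarder entry points at, the result does not depend on which source address a server uses for its outgoing queries.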





