Win95 machine not looking at 2nd and 3rd DNS

Joseph S D Yao jsdy at
Fri Mar 10 23:17:51 UTC 2000

I   h a t e   it when somebody does something like this:
From: nobody <nobody at>

On Thu, Mar 09, 2000 at 05:36:19PM +0000, nobody wrote:
> Hi All
> I have a Win 95 machine which is set up to look at 3 DNS servers.  The
> first is our internal, and the second and third are the ISP's.  If I
> look for a web address, the machine will query only the internal then
> give up (checked this with a packet sniffer).

Very good.  That is the CORRECT thing to happen.

It would be very bogus if you gave a list of alternate name servers,
and it had to go sniffing around at all of them before deciding whether
a name did not exist, or did and had a value.  The servers you give to
your resolver should ALL have the SAME view of the world!  The only
difference should be, if the first one is down, some subsequent one
should be up and able to give the SAME answers the the first one would
have had it been up.

> The internal DNS is sat on a linux box and serves subdomains beneath our
> internet registered domain (ie. registed domain, this box does
> and  The machine has no zone for root
> ".".

Well, then, it would have a heck of a time resolving any addresses for
which it was not authoritative, wouldn't it?  ;-)

> However, other machines I have seem to work fine (a linux box (not the
> name server), and an NT box.  I'v done a quick test and it seems I have
> the same problem with another win95 machine as well.
> Any ideas (i'm sure it was working before)
> Mark Taylor

Check your RCS or SCCS archives for changes that have been made to your
name server.  If "it worked before", I'm sure that you'll find some.
If you don't do revision control on your files, shame on you.

Set up your name server(s) to forward any unresolved queries to a name
server or servers that know the Internet.

If you are trying to deny name resolving of the Internet to anyone,
then in the options, deny them access with allow-query; but in the
local zones, allow-query to all.  This will do you no good as an access
denial mechanism, though.  If they want to go to a site, they will find
its IP address elsewhere, and use it to go there.  Better and easier to
really block access, and let them have full DNS capability.  At least
they'll have a more correct idea where they stand.  ;-)

Joe Yao				jsdy at - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
This message is not an official statement of COSPO policies.

More information about the bind-users mailing list