problem: pointing root hints to forwarder only delivers forwarder's root file

Van Bemmel, Berend VanBemmel.Berend at kpmg.nl
Fri Jul 6 07:38:01 UTC 2001




> -----Original Message-----
> From: chris [mailto:cherbst at hotpop.com]
> Sent: Thursday, July 05, 2001 8:34 PM
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: problem: pointing root hints to forwarder only delivers forwarder's root file
> 
> 
> 
> 
> In article <9i1uup$l8m at pub3.rc.vix.com>, "Van Bemmel, Berend"
> <VanBemmel.Berend at kpmg.nl> wrote:
> 
> > Anyways, what happens is that my internal Bind 8.2.3 when confronted
> > with a query for something outside my internal domain it forwards it to
> > the gateway DNS on the DMZ, but surprisingly it gets an answer in the
> > form of the root file being used on the gateway server (which is of
> > course the Internet root file) instead of the right answer.
> 
> <snip>
> 
> What happens if you query one of the hosts you are forwarding to
> (represented as x.x.x.x and y.y.y.y in your example) with dig or nslookup
> for a domain they are not authoritative for, like this:
> 
> dig @ns1.google.com yahoo.com

In that case the resolution works. In fact, if I query the gateway DNS with
dig (+rec and +norec) I get a name resolved as well. It's only if the
internal Bind itself queries the gateway that it gets the root file.

I tried to debug this, because I first thought that maybe the internal DNS
was querying a different gateway than I thought and such stuff, but I'm
afraid that the above is just what happens :-/

> 
> If they give you the root servers (as ns1.google.com did), they probably
> have recursion disabled for you.  Why not run a caching-only nameserver on
> the "gateway dns machine" and grab the records yourself? It's simple:
> 
> ---
> 
> options {
> 	directory "/var/named";
> 	auth-nxdomain yes;
> };
> 
> zone "." {
>         type hint;
>         file "named.ca";
> };

That's for security reasons, the gateway DNS is on a DMZ segment and we'd
like to restrict its access to the Internet as much as possible. With
forwarding you can do that very well, only DNS traffic between my gateway
and the forwarders is allowed.

> ---
> 
> You might also want to disable queries from anywhere but your network, you
> didn't in your example.

I know, but because it didn't work, I thought I'd simplify the config until
it works and then complicate it again... in the end it never worked, that's
why I sent the message ;-)

> 
> You could probably even leave out the root zone (zone ".") with BIND 9, it
> has compiled in defaults.  If you use it anyway, grab a current named.ca
> file.

Ack. I'll remember that.
 
> You might also be able to do all this with a single BIND 9 nameserver and
> views. In your current config if either server stops clients can't resolve
> internet names, if you configure your servers to be master/slave and do
> caching, they can resolve any host if either server goes down.

No, that's no option here. We are very strict on the security side of
things. The internal DNS server (there are actually two internal root
servers) is on the internal network and is not allowed to send traffic to
the internet directly, hence the gateway DNS. In the final production
environment, there will be two gateway servers (one in the US, and the other in
Europe).

Thanx,

Berend
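As an added example (not configuration posted by either participant in this thread), here is how the split described above could be written for BIND 9: an internal server that only ever forwards to the DMZ gateway and answers only the internal network, and a gateway that forwards to the two upstream resolvers (the x.x.x.x / y.y.y.y of the thread) and answers only the internal servers. All addresses, ACL names, zone names and file names are constructed placeholders.

```conf
// ---------- internal server (inside the corporate network) ----------
// constructed placeholder: the internal client range
acl internal-net { 10.0.0.0/8; 127.0.0.1; };

options {
	directory "/var/named";
	auth-nxdomain yes;

	// answer and recurse only for our own network, as suggested above
	allow-query     { internal-net; };
	allow-recursion { internal-net; };

	// "forward only" never falls back to iterating from the root hints,
	// so even a stale or gateway-pointing hints file cannot send queries
	// anywhere except the gateway. With "forward first" (the default)
	// the server would try the real root servers whenever the
	// forwarder fails, which the DMZ firewall rule would then block.
	forward only;
	forwarders { 10.1.2.53; };   // constructed placeholder: DMZ gateway
};

// the internally authoritative zone (constructed placeholder name)
zone "corp.internal" {
	type master;
	file "corp.internal.zone";
	allow-transfer { 10.0.1.53; };   // constructed placeholder: the second internal server
};

// No zone "." is needed here: a forward-only server never uses hints,
// and BIND 9 ships compiled-in defaults anyway.


// ---------- gateway server (on the DMZ segment) ----------
// constructed placeholder: the two internal servers that may query us
acl internal-dns { 10.0.0.53; 10.0.1.53; };

options {
	directory "/var/named";
	auth-nxdomain yes;

	// only the internal servers (and the box itself) may ask questions
	allow-query     { internal-dns; localhost; };
	allow-recursion { internal-dns; localhost; };

	// forward everything to the upstream resolvers; the firewall then only
	// has to permit UDP/TCP 53 between this host and these two addresses
	forward only;
	forwarders { 192.0.2.10; 198.51.100.10; };   // stand-ins for x.x.x.x / y.y.y.y
};

// Optional with BIND 9; if kept, use a current named.ca, and note that
// "forward only" means it is consulted for no outbound query at all.
zone "." {
	type hint;
	file "named.ca";
};
```

The check that goes with this: after loading the gateway config, a `dig +norecurse` from one of the internal servers for a name outside your zones should come back with an answer (or a cached one) rather than the root NS set, and a query from any address outside the `internal-dns` ACL should be refused. If the internal server still receives the root file, the upstream x.x.x.x / y.y.y.y resolvers are declining recursion for the gateway's address, which is what chris's `dig @ns1.google.com yahoo.com` test above exposes.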

