External queries fail on BIND 8.3.1

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 19 23:50:16 UTC 2002

Six Wayz wrote:

> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:<aeohqq$6gba$1 at isrv4.isc.org>...
> >
> >
> >Hmmm, you *do* have forwarding enabled, but named isn't using it. The only
> >thing that comes to mind is that it gave up temporarily on the forwarders
> >because it previously timed out trying to contact them.
> >
> >One major difference between your "dig" and the way your named is forwarding
> >queries is that you've locked named's query source address to 53. Do you
> >need that for some reason? Maybe this low source port is running afoul of a
> >firewall rule or something. What happens if you comment that out (and then
> >reload named, of course)?
> >
> >Out of curiosity, do you need to use forwarding at all? If you're using it
> >because you can't talk to Internet nameservers directly, then your
> >forwarding mode should be "forward only" (as opposed to the default
> >"forward first", which, by omission, is what you have now). This will allow
> >queries to fail "properly" when the forwarders are unavailable (as opposed
> >to named beating its head against the wall trying to contact root servers
> >that are inaccessible). "Forward first" should only be used when you're
> >using forwarding exclusively as a performance enhancement.
> >
> >
> >- Kevin
> >
> >P.S. I couldn't get any response from your forwarders, but that could
> >easily be because they blackhole all queries which don't originate on their
> >network...
> >
> >
> Is there any way to reset so that named tries to use the forwarders?  The
> strangest part of all of this mess is that it was working correctly for
> weeks after a struggle trying to make it work.  Due to a power outage, I had
> to reboot.  When I rebooted, it was again not working.  All this time I have
> been making only subtle changes to named.conf which have had no effect.
> I have tried commenting out the query source address, but this has been to
> no avail.
> Apparently, I do need to use forwarding.  Otherwise my Win2k resolver will
> not work after the TTL for my internal domain has expired.

Huh? I don't understand this at all. What does your internal domain have to do
with resolving Internet names?

> It is a pain to
> have to run ipconfig /registerdns every day in order to be able to use DNS.
> When this setup was working correctly before, it was running great.  My
> nameserver would answer queries properly and forward queries that it didn't
> know.  It was fast to get the answer from my ISP's nameservers due to a
> large cache. In any case, I also tried forward only with no change in the
> outcome.  I was also recently informed that my ISP's nameservers won't do
> recursion, so I tried other DNS servers and the result was still the same.

Forwarding relies on recursion. If your ISP's servers don't support recursion,
your forwarding will never be a reliable means of name resolution (you'll be
limited to resolving whatever your ISP's servers happen to have in their cache
at any given time).

I think you need to focus your efforts on how to get resolution working
*without* using forwarding.

- Kevin
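
The check Kevin's last point calls for, as an added example that is not part of the original thread: a forwarder is only usable for "forward only" or "forward first" if its replies carry the RA (recursion available) flag. The script builds a minimal A query with RD set, decodes the 12-byte response header, and reports RA; the two sample responses are constructed by hand so it runs offline, and query_forwarder() does the same against a live server (server address and name are whatever you supply).

```python
import socket
import struct


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Return a DNS A query with the RD (recursion desired) bit set (flags 0x0100)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp: bytes) -> dict:
    """Decode the header flags; RA is bit 7 of the flags word, QR is bit 15."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def recursion_available(resp: bytes) -> bool:
    """True only for a real reply (QR=1) that advertises recursion (RA=1)."""
    h = parse_header(resp)
    return h["qr"] and h["ra"]


def query_forwarder(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP/53 and return the raw response (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)


# Constructed sample responses (header only; question/answer sections do not
# matter for this check). 0x8180 = QR,RD,RA set; 0x8100 = QR,RD set, RA clear.
RECURSIVE_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
NON_RECURSIVE_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, resp in (("recursive", RECURSIVE_RESPONSE),
                        ("non-recursive", NON_RECURSIVE_RESPONSE)):
        print(label, "-> usable as forwarder:", recursion_available(resp))
```

Against a live server, `recursion_available(query_forwarder("<forwarder-ip>", "example.com"))` gives the same yes/no answer as looking for "ra" in dig's flags line.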
