Different behaviour of BIND DNS vs. MS DNS in regards to delegation/forwarding

Kevin Darcy kcd at daimlerchrysler.com
Wed Sep 18 21:45:38 UTC 2002


"LUEDER,SVEN (HP-Germany,ex2)" wrote:

> >At 02:29 AM 9/14/02, LUEDER,SVEN (HP-Germany,ex2) wrote:
>
> >>Hello,
> >>
> >>i would like to ask you for your opinion about a different behaviour of
> >>ISC's BIND and Microsofts Windows 2000 DNS server.
> >>
> >>We are talking about the following scenario:
> >>- the DNS server is either ISC's BIND (e.g. version 9.2.1) or Microsoft
> >>Windows 2000 DNS
> >
> >Upgrade BIND to 9.2.2rc1 on Windows.  There was a bug in 9.2.1 which
> >caused it to poll 1000 times faster than it should have.
> >
>
> Thank you for this information, i appreciate it...
>
> Please excuse me, Danny, if i was not precise enough.
> First of all, my intention of posting this message is to point out a
> different behaviour of BIND DNS vs. Microsoft DNS in regards to the handling
> of recursive queries, if a global forwarder is in use. To demonstrate this,
> i will use both of them in the same environment, using the same
> configuration.
> Second, my intention is to obtain opinions from the DNS community in regards
> to a) if the expected behaviour in this case is based on a "designers
> choice" or if a standard defines the way, how a DNS server should react
> under these conditions and b) what the DNS community thinks about the
> advantages/disadvantages the implementation of either BIND or Microsoft DNS
> in this case has.
>
> I hope that the contributors are interested in discussing this type of
> findings. If this is not the right place, please let me know.
>
> If i talk now about the DNS server, it can be either BIND or the Microsoft
> Windows 2000 DNS server both running under the same DNS configuration.
>
> >>- the DNS server is configured to allow recursive queries
> >>- the DNS server is configured to use a global forwarder
> >>- the DNS server is authoritative for a DNS zone foo.com
> >>- the DNS zone foo.com contains a delegation to zone test.foo.com
> >>- There is no selective/zone-based forwarding configured on DNS zone
> >>foo.com.
> >>- the DNS server which hosts test.foo.com zone is up and running, parenting
> >>for this zone is configured properly
> >>
> >>- A DNS query (type either recursive or non-recursive) now hits the DNS
> >>server hosting foo.com, requesting a A record of e.g. pc.test.foo.com
> >>
> >>If a non-recursive query is used, both types of DNS server (ISC BIND and
> >>Microsoft Windows 2000) will return the delegation information of the zone
> >>test.foo.com as the answer.
> >>In my opinion, this is the expected behaviour.
> >>
> >>If a recursive query is used, ISC BIND DNS server will ignore the delegation
> >>information about test.foo.com in its local zone foo.com.
> >>Instead it forwards the request to the forwarder and passes through the
> >>forwarders answer.
> >
> >That's because you told it to.  No doubt you have a forwarders statement
> >in options. Any query that it is not authoritative for or it doesn't have the
> >answer to in cache gets forwarded for an answer to the forwarders unless
> >overridden.  You can set up a stub zone for the subdomain on the server
> >and use an empty forwarders statement to override the default forwarders
> >to get what you want.
> >
>
> I see, that we both agree on the way how BIND will handle a recursive
> request in this setup. Nevertheless, thank you for the information regarding
> the stub zone. But because the Windows 2000 DNS server is not capable of
> using stub zones (this and selective forwarding will be introduced in the
> .Net Server version), i would like to ignore stub zones for the moment.
>
> >>If a recursive query is used, Microsoft Windows 2000 DNS server uses the
> >>delegation information in the local zone foo.com.
> >>It actively queries the DNS server hosting test.foo.com and returns the
> >>result of this query.
> >>
> >>
>
> This is the actual difference in the behaviour between Microsoft Windows
> 2000 DNS server and BIND. BIND would ignore the delegation information in
> the zone and makes use of the forwarder, whereas Microsoft makes use of it
> and does not involve forwarding. As far as i have seen, this behaviour of
> Microsoft DNS is also true for the Windows NT 4.0 version.
>
> Please keep in mind, that the configuration of both type of DNS servers is
> identical.
>
> >>I have not found any document or RFC, which states how a DNS server has to
> >>react in this situation, so i would like to ask you for your opinion.
> >>I personally believe, that Microsoft's DNS server behaviour is more
> >>reasonable, but i would like to know your opinion.
> >
> >You told BIND to behave that way. It's not a matter of what's more reasonable.
> >In fact, Microsoft's behavior may be wrong if you didn't explicitly tell it not
> >to forward for the subdomain.
>
> There is no way in Microsoft DNS (including the Windows 2000 DNS server
> version) to configure conditional/zone based forwarding. This will earliest
> be available in the .Net version.
>
> You exactly hit the point. Is "may be wrong" correct because the expected
> DNS server behaviour is not standardized or is "is wrong" the better
> wording, because the Microsoft DNS server violates a standard or does not
> follow the quasi standards which have been set by BIND.
>
> Interestingly, Microsoft has not documented the behaviour of its DNS server
> under these conditions anywhere, neither in the documentation of its DNS
> server, nor in its Knowledge base.
>
> So my question is if a standard is present, describing how a DNS server
> should behave under these conditions or if the way how the DNS server has to
> react is not standardized and thus up to the programmers who implemented the
> DNS server.

Sven,
            Forwarding isn't specified with much precision in the RFCs. The
RFCs describe certain roles -- full resolver, stub resolver, authoritative
nameserver -- and while forwarding basically makes the program function like a
stub resolver, the circumstances which trigger it to do that are completely
implementation-defined.

BIND's implementation of global forwarding is truly *global*, i.e. assuming the
client is allowed to recurse, a query for any name that is not in cache and not
in any zone that the nameserver has explicit knowledge about, and not affected
by a "forwarders { }" statement (see below) will be forwarded initially (what
then happens if the forwarding fails depends on whether the forwarding mode was
defined as "forward only" or "forward first").
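
The override mentioned in the quoted reply (a stub zone for the subdomain with an empty forwarders statement), written out as a named.conf fragment for the foo.com / test.foo.com scenario. This is an added example, not configuration posted in the thread; every address, file name and the client network are constructed placeholders.

```conf
// Constructed named.conf fragment. Addresses are documentation-range
// placeholders, not values from the thread.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // assumed client network
    forwarders { 198.51.100.53; };       // global forwarder (placeholder)
    forward first;                       // or "forward only"
};

// Parent zone: this server is authoritative for foo.com, and the zone
// file holds the NS records that delegate test.foo.com.
zone "foo.com" {
    type master;
    file "db.foo.com";
};

// Without this zone statement, a recursive query for pc.test.foo.com is
// not answerable from cache or from authoritative data, so it is sent
// to the global forwarder and the local delegation is never followed.
zone "test.foo.com" {
    type stub;
    masters { 203.0.113.10; };           // server hosting test.foo.com (placeholder)
    file "stub.test.foo.com";
    forwarders { };                      // empty list: no forwarding below this name
};
```

With the stub zone in place, names under test.foo.com are resolved by querying the delegated servers directly instead of being handed to the global forwarder. `named-checkconf` will syntax-check the file before it is loaded.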


