Different behaviour of BIND DNS vs. MS DNS in regards to delegation/forwarding

Danny Mayer mayer at gis.net
Thu Sep 19 22:12:00 UTC 2002


At 07:00 AM 9/18/02, LUEDER,SVEN (HP-Germany,ex2) wrote:
> >At 02:29 AM 9/14/02, LUEDER,SVEN (HP-Germany,ex2) wrote:
>
> >>Hello,
> >>
> >>I would like to ask you for your opinion about a different behaviour of
> >>ISC's BIND and Microsoft's Windows 2000 DNS server.
> >>
> >>We are talking about the following scenario:
> >>- the DNS server is either ISC's BIND (e.g. version 9.2.1) or Microsoft
> >>Windows 2000 DNS
> >
> >Upgrade BIND to 9.2.2rc1 on Windows.  There was a bug in 9.2.1 which
> >caused it to poll 1000 times faster than it should have.
> >
>
>
>Thank you for this information, I appreciate it...
>
>Please excuse me, Danny, if I was not precise enough.
>First of all, my intention of posting this message is to point out a
>different behaviour of BIND DNS vs. Microsoft DNS in regards to the handling
>of recursive queries, if a global forwarder is in use. To demonstrate this,
>I will use both of them in the same environment, using the same
>configuration.

That's most unlikely.  BIND and MS 2K DNS are two different servers and
will have different ways of configuring themselves.  You cannot rely on
doing the same thing on both servers and getting the same results. They
are only required to meet protocol requirements defined by the various
RFCs.

>Second, my intention is to obtain opinions from the DNS community in regards
>to a) if the expected behaviour in this case is based on a "designers
>choice" or if a standard defines the way, how a DNS server should react
>under these conditions and b) what the DNS community thinks about the
>advantages/disadvantages the implementation of either BIND or Microsoft DNS
>in this case has.

There are no standards for configurations. BIND is more fully featured
and has more flexibility and doesn't have a GUI/Wizard to prevent you
from doing the things you need to do (even if they are sometimes wrong).

>I hope that the contributors are interested in discussing this type of
>findings. If this is not the right place, please let me know.
>
>If I talk now about the DNS server, it can be either BIND or the Microsoft
>Windows 2000 DNS server both running under the same DNS configuration.
>
>
> >>- the DNS server is configured to allow recursive queries
> >>- the DNS server is configured to use a global forwarder
> >>- the DNS server is authoritative for a DNS zone foo.com
> >>- the DNS zone foo.com contains a delegation to zone test.foo.com
> >>- There is no selective/zone-based forwarding configured on DNS zone
> >>foo.com.
> >>- the DNS server which hosts test.foo.com zone is up and running, parenting
> >>for this zone is configured properly
> >>
> >>- A DNS query (type either recursive or non-recursive) now hits the DNS
> >>server hosting foo.com, requesting an A record of e.g. pc.test.foo.com
> >>
> >>If a non-recursive query is used, both types of DNS server (ISC BIND and
> >>Microsoft Windows 2000) will return the delegation information of the zone
> >>test.foo.com as the answer.
> >>In my opinion, this is the expected behaviour.
> >>
> >>If a recursive query is used, ISC BIND DNS server will ignore the delegation
> >>information about test.foo.com in its local zone foo.com.
> >>Instead it forwards the request to the forwarder and passes through the
> >>forwarders answer.
> >
> >That's because you told it to.  No doubt you have a forwarders statement
> >in options. Any query that it is not authoritative for or it doesn't have the
> >answer to in cache gets forwarded for an answer to the forwarders unless
> >overridden.  You can set up a stub zone for the subdomain on the server
> >and use an empty forwarders statement to override the default forwarders
> >to get what you want.
> >
>
>
>I see, that we both agree on the way how BIND will handle a recursive
>request in this setup. Nevertheless, thank you for the information regarding
>the stub zone. But because the Windows 2000 DNS server is not capable of
>using stub zones (this and selective forwarding will be introduced in the
>.Net Server version), I would like to ignore stub zones for the moment.

Why? It does what you want. That's the flexibility of BIND. You don't want
to have to do it the MS way and only the MS way.


> >>If a recursive query is used, Microsoft Windows 2000 DNS server uses the
> >>delegation information in the local zone foo.com.
> >>It actively queries the DNS server hosting test.foo.com and returns the
> >>result of this query.
> >>
> >>
>
>
>This is the actual difference in the behaviour between Microsoft Windows
>2000 DNS server and BIND. BIND would ignore the delegation information in
>the zone and makes use of the forwarder, whereas Microsoft makes use of it
>and does not involve forwarding. As far as I have seen, this behaviour of
>Microsoft DNS is also true for the Windows NT 4.0 version.

No it isn't. You told BIND how to react to requests and that's what it's doing.
No one knows what you told MS DNS to do.

>Please keep in mind, that the configuration of both type of DNS servers is
>identical.

No they are not.


> >>I have not found any document or RFC, which states how a DNS server has to
> >>react in this situation, so I would like to ask you for your opinion.
> >>I personally believe, that Microsoft's DNS server behaviour is more
> >>reasonable, but I would like to know your opinion.
> >
> >You told BIND to behave that way. It's not a matter of what's more reasonable.
> >In fact, Microsoft's behavior may be wrong if you didn't explicitly tell it not
> >to forward for the subdomain.
>
>
>There is no way in Microsoft DNS (including the Windows 2000 DNS server
>version) to configure conditional/zone based forwarding. This will earliest
>be available in the .Net version.

That's not what you're testing so it's irrelevant.

>You exactly hit the point. Is "may be wrong" correct because the expected
>DNS server behaviour is not standardized or is "is wrong" the better
>wording, because the Microsoft DNS server violates a standard or does not
>follow the quasi standards which have been set by BIND.

Neither is wrong. They are doing what you are telling them to do.

>Interestingly, Microsoft has not documented the behaviour of its DNS server
>under these conditions anywhere, neither in the documentation of its DNS
>server, nor in its Knowledge base.

I'm sure if you look on Microsoft's Web site you'll find White Papers on this.
There are also books on Microsoft's DNS.

Danny

>So my question is if a standard is present, describing how a DNS server
>should behave under these conditions or if the way how the DNS server has to
>react is not standardized and thus up to the programmers who implemented the
>DNS server.
>
>
>Thank you for spending your time,
>
>Sven
>
> >
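
The stub-zone override described in the reply above, written out as a named.conf fragment. This is an added example, not configuration posted in the thread; the addresses 192.0.2.53 and 192.0.2.10 and the file names are constructed placeholders.

```conf
// Added example; addresses and file names are constructed placeholders.
options {
    recursion yes;
    // Global forwarder: recursive queries the server cannot answer from
    // authoritative data or cache are sent here.
    forwarders { 192.0.2.53; };
};

// Parent zone, containing the NS delegation for test.foo.com.
zone "foo.com" {
    type master;
    file "db.foo.com";
};

// Stub zone for the delegated child, with forwarding switched off for
// names at or below test.foo.com.
zone "test.foo.com" {
    type stub;
    masters { 192.0.2.10; };   // server hosting test.foo.com (placeholder)
    file "stub.test.foo.com";
    forwarders { };            // empty list overrides the global forwarders
};
```

With the stub zone in place, a recursive query for pc.test.foo.com is resolved against the name servers of test.foo.com rather than being handed to the global forwarder.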


