Caching only nameserver fails to resolve external zones periodically

Jim Reid jim at rfc1035.com
Mon May 17 22:21:34 UTC 2004


>>>>> "Curtis" == Curtis Rempel <curtis at telus.net> writes:

    Curtis> Hi, I've got a caching name server which also handles a
    Curtis> zone (.lan) on an internal 192.168.1.0/24 network.  Both
    Curtis> internal and external lookups work fine as I have a
    Curtis> forwarder entry defined in
    Curtis> /var/named/chroot/etc/named.conf

Sigh. Too bad you didn't provide this file. We don't care about its
pathname. The contents of the file would have been helpful.

    Curtis> That is, until "something" happens which causes the
    Curtis> external lookups to fail.  The internal zone resolution
    Curtis> still works, however, it seems as far as I can tell, that
    Curtis> the forwarder entry does not respond and then it starts
    Curtis> crawling through the root name servers and eventually
    Curtis> gives up.

Get rid of the forwarding crap. Make your name server resolve
everything for itself instead of sending queries to some other server
that might be dead or unreachable from time to time. The "something"
that is happening will probably be an outage of the server(s) you're
forwarding queries to -- or maybe some transient routing problem --
and you presumably have no control over that. Welcome to the hell that
is a forwarding DNS configuration.....

A DNS setup that relies on forwarding is pretty much always broken.
In principle, forwarding is pointless, stupid and broken. Don't use
it unless there is no alternative. Which there almost always is...

What is probably going wrong is your (idiot) server is forwarding
queries for non-local names to some other name server. When that
doesn't respond, your server then tries to resolve the names for
itself. Which it could have done all along.... Ho-hum. But these
attempts fail. The tcpdump trace you supplied showed the queries being
sent but no replies coming back. Presumably this traffic will be
getting blocked by a firewall that's been configured to support this
forwarding idiocy, i.e. your name server isn't allowed to get answers
from external name servers or else is prevented from sending queries
to them. However the server that it forwards to isn't blocked like
this. Sigh.

Note too that by eliminating forwarding you (a) considerably simplify
the management of both name servers; (b) eliminate an unnecessary
single point of failure; (c) reduce the number of components (and
therefore the number of failure modes) in your resolving chain; (d)
make troubleshooting DNS problems much easier; (e) avoid creating
dependencies on other servers that may not be aware you're dependent
on them.


More information about the bind-users mailing list
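As an added illustration, not part of the thread or either poster's configuration (Curtis never posted his named.conf), here is a BIND 9 `options` block in the forwarding style Jim argues against, followed by the same server configured to resolve everything itself. Only one `options` block may appear in a real named.conf; the two are shown together for comparison. The upstream address 192.0.2.53 and the file names are placeholders; the `lan` zone and the 192.168.1.0/24 network come from Curtis's description. Note that `forward first` is BIND's default whenever `forwarders` is set, and it is what produces the behaviour Jim describes: when the forwarder stops answering, named falls back to iterating from the roots itself. `forward only` never falls back and simply fails.

```conf
// Constructed example, variant A: forwarding configuration (the setup being argued against).
options {
    directory "/var/named";
    recursion yes;
    allow-query     { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };

    // Every query for a non-local name goes to this upstream server first.
    // If it is down or unreachable, "forward first" (the default) makes named
    // try iterative resolution itself; "forward only" would just fail.
    // 192.0.2.53 is a placeholder, not a real resolver.
    forwarders { 192.0.2.53; };
    forward first;
};

// Constructed example, variant B: the same server with forwarding removed.
// named now iterates from the root hints on its own, so the only external
// dependency is the Internet itself. The firewall in front of this host must
// allow UDP and TCP port 53 from this server to any destination, and the
// replies back in; otherwise queries go out and no answers return.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    // no "forwarders" and no "forward" statement
};

// Root hints; "named.ca" is the conventional file name on Red Hat style systems.
zone "." {
    type hint;
    file "named.ca";
};

// Internal zone from the original post (file name is a placeholder).
zone "lan" {
    type master;
    file "lan.zone";
};
```

After removing the `forwarders` statement and reloading (`rndc reload` or a restart of named), test with `dig @127.0.0.1 www.example.com` while watching `tcpdump -n port 53` on the server's external interface. If queries leave but no responses come back, that is the firewall problem Jim describes, and the fix belongs in the firewall rules, not in named.conf. `dig +trace www.example.com` run on the same host walks the delegation from the roots itself and is a quick way to confirm the host can reach external name servers at all.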