Caching name server setup problems

Kevin Darcy kcd at chrysler.com
Tue Jul 15 20:32:42 UTC 2008


Michael Varre wrote:
>
>> -----Original Message-----
>> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>> Behalf Of Kevin Darcy
>> Sent: Tuesday, July 15, 2008 3:44 PM
>> To: bind-users at isc.org
>> Subject: Re: Caching name server setup problems
>>
> snipped
>
>>> [Michael P. Varre]
>>>
>>> Thanks Chris that all makes perfect sense and I would agree that I might as
>>> well keep my upstream ISP servers out of the loop.  It would just add an
>>> extra place for something to fail.
>>>
>>> I do have some issues with this working in practice however. I stress that
>>> there is no firewall in between these, just a wide open point to point vpn
>>> tunnel.  Port 53 is wide open and talking correctly and there are no views
>>> created except for the default "single view".
>>>
>>> I have recursion turned on, NO views (just the default of course). I don't
>>> have any forwarders listed at all.  And I have several local test zones
>>> added for this server to be authoritative for.
>>>
>>> ****When I dig @localhost.com publicdomain.com from the mynsserver, I get
>>> the proper answer and it is cached.
>>>
>>> ****When I dig @mynsserver publicdomain.com from a server on the same 172
>>> subnet as mynsserver I get the right answer and it gets cached.
>>>
>>> ****when I dig @mynsserver publicdomain.com from a machine on a different
>>> subnet, yet still internal, and no firewall in between, I get:
>>>
>>> ; <<>> DiG 9.3.2 <<>> @172.16.0.60 dumb.com a
>>> ; (1 server found)
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2022
>>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;dumb.com.                      IN      A
>>>
>>> ;; Query time: 17 msec
>>> ;; SERVER: 172.16.0.60#53(172.16.0.60)
>>> ;; WHEN: Tue Jul 15 14:30:42 2008
>>> ;; MSG SIZE  rcvd: 26
>>>
>>>
>>> ****but when I dig @mynsserver localzone-on-mynsserver I get the correct
>>> address.
>>>
>> What version of BIND? They recently (9.4) changed the default for
>> answering queries from cache. See "allow-query-cache" in the ARM.
>>
>> If you're running something older than 9.4, do you have any
>> "allow-query"s in effect?
>>
>> - Kevin
>>
>>
> [Michael P. Varre] 
>
>
> I'm currently running BIND 9.4.2-P1.  I'm not familiar with
> allow-query-cache.  I don't have this directive applied in my config. By
> default now with my version am I required to explicitly allow "any" hosts
> lookups to be added to the cache?  If this were the case, I would imagine
> that even with this directive not set, recursion=on should at least give me
> an answer to publicdomain.com lookup.
>   
Here's how they interrelate (from the ARM):

*allow-query*

    Specifies which hosts are allowed to ask ordinary DNS questions.
    *allow-query* may also be specified in the *zone* statement, in
    which case it overrides the *options allow-query* statement. If not
    specified, the default is to allow queries from all hosts.


          Note

    *allow-query-cache* is now used to specify access to the cache.

*allow-query-cache*

    Specifies which hosts are allowed to get answers from the cache. If
    *allow-query-cache* is not set then *allow-recursion* is used if
    set, otherwise *allow-query* is used if set, otherwise the default
    (*localnets;* *localhost;*) is used.

*allow-recursion*

    Specifies which hosts are allowed to make recursive queries through
    this server. If *allow-recursion* is not set then
    *allow-query-cache* is used if set, otherwise *allow-query* is used
    if set, otherwise the default (*localnets;* *localhost;*) is used.


    - Kevin
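The fallback chain Kevin quotes from the ARM, worked through as an added example (not code from the thread or from BIND itself): it models how BIND 9.4 picks the effective ACL for cache answers and applies it to clients like the ones in Michael's tests. The server address 172.16.0.60/24 (so "localnets" is 172.16.0.0/24), the other-subnet client 10.1.2.3, and the internal ranges in the fixed config are constructed assumptions. It goes beyond the thread's single case by evaluating any combination of the three directives.

```python
import ipaddress

# Constructed assumption: the resolver is 172.16.0.60/24, so BIND's built-in
# "localnets" ACL matches only the directly attached 172.16.0.0/24 network.
SERVER_NETS = [ipaddress.ip_network("172.16.0.0/24")]
DEFAULT_ACL = ["localnets", "localhost"]  # the default the ARM text states

def _match(acl_entry, client):
    """Evaluate one ACL element (keyword or prefix) against a client address."""
    if acl_entry == "any":
        return True
    if acl_entry == "none":
        return False
    if acl_entry == "localhost":
        return client.is_loopback
    if acl_entry == "localnets":
        return any(client in net for net in SERVER_NETS)
    return client in ipaddress.ip_network(acl_entry, strict=False)

def acl_allows(acl, client_ip):
    """First matching element wins; a leading '!' negates it; no match = deny."""
    client = ipaddress.ip_address(client_ip)
    for entry in acl:
        negated = entry.startswith("!")
        if _match(entry.lstrip("!"), client):
            return not negated
    return False  # BIND's implicit deny at the end of every ACL

def effective_acl(options, directive):
    """Resolve the ARM's fallback chain: use the first directive that is set."""
    chains = {
        "allow-query-cache": ["allow-query-cache", "allow-recursion", "allow-query"],
        "allow-recursion": ["allow-recursion", "allow-query-cache", "allow-query"],
    }
    for name in chains[directive]:
        if name in options:
            return options[name]
    return DEFAULT_ACL

def cache_answer_permitted(options, client_ip):
    """Would this client get an answer from cache (vs. REFUSED) under these options?"""
    return acl_allows(effective_acl(options, "allow-query-cache"), client_ip)

# Michael's named.conf as described: recursion on, none of the three ACLs set.
AS_POSTED = {}
# One fix that names the internal ranges instead of opening the cache to "any"
# (constructed ranges); in named.conf this is allow-query-cache { ...; };
FIXED = {"allow-query-cache": ["localhost", "172.16.0.0/16", "10.0.0.0/8"]}
```

With AS_POSTED a same-subnet client is allowed via "localnets" while a client on another internal subnet is refused, which is exactly the REFUSED dig output in the thread.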


