parent dns answers the ARR of child dns
kcd at chrysler.com
Mon Dec 7 23:10:22 UTC 2009
Tech W. wrote:
> --- On Fri, 4/12/09, Kevin Darcy <kcd at chrysler.com> wrote:
>> From: Kevin Darcy <kcd at chrysler.com>
>> Subject: Re: parent dns answers the ARR of child dns
>> To: bind-users at lists.isc.org
>> Received: Friday, 4 December, 2009, 1:56 AM
>> Not only that, but DNS.gduf.edu.cn is
>> performing recursion, while not
>> setting RA in, and not copying RD into, the header of the
>> % dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
>> ; <<>> DiG 9.3.0 <<>>
>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
>> id: 593
>> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1,
>> ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;www.smartip.gduf.edu.cn. IN A
>> ;; ANSWER SECTION:
>> www.smartip.gduf.edu.cn. 30 IN A 18.104.22.168
>> www.smartip.gduf.edu.cn. 30 IN A 22.214.171.124
>> www.smartip.gduf.edu.cn. 30 IN A 126.96.36.199
>> I suspect this is YABDLBD (Yet Another Brain-Damaged
>> Device). Or a defective DNS proxy.
> Thanks for your answers.
> But DNS.gduf.edu.cn is a Windows DNS Server running on MS Advanced Server,
> not a proxy or load-balancer.
>> While the cache is populated with these records, even
>> queries will be given this answer directly, instead of a
>> referral. Once
>> the records time out, referrals are given again.
> Yes I am also confused by this behavior.
> So do you have any suggestion how to resolve it?
> I want any query to the subzone to be answered by the subzone's NS server, not by the parent one.
This can't happen as long as the parent nameserver keeps on recursing
queries and then responding with cached answers to those
This isn't a Microsoft DNS mailing list, and I'm not that familiar with
Microsoft DNS, so about the only advice I can give you is look through
the config and see where to turn off recursion completely. If that's not
possible, because the server also needs to act as a resolver for some
set of clients, then I don't know how such requirements are met, if at
all, by Microsoft DNS. I don't think that product has a "view" feature,
Even if Microsoft provides fine-grained control of who can recurse and
who can't, that alone still might not solve your problem, since you can
never control if and when one or more of its "authorized" clients may
look up www.smartip.gduf.edu.cn and then that answer will be cached for
some period of time. You'd also need, at a bare minimum, fine-grained
control over who can query the cache (e.g. something analogous to
allow-query-cache), in order to really pull that off.
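
The following is an added example, not part of the original thread: a Python check that reads a dig header like the one quoted above (including mail quoting and line wrapping) and reports the symptoms discussed, namely RD not copied, RA not set, and answer records returned where a referral was expected. The function names, the `rd_sent` and `server_is_parent` parameters, and the referral sample are assumptions made for illustration; `rd_sent=True` reflects dig requesting recursion by default.

```python
import re

# Constructed sample: the quoted, line-wrapped dig header from the thread.
SAMPLE_ANSWER = """\
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
>> id: 593
>> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1,
>> ADDITIONAL: 0
"""

# Constructed sample: a plain referral from a non-recursing parent.
SAMPLE_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
"""

HEADER_RE = re.compile(
    r";; flags:\s*([a-z ]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)


def parse_header(dig_text):
    """Return flags and section counts, tolerating '>' quoting and wrapped lines."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in dig_text.splitlines())
    flat = " ".join(" ".join(lines).split())
    m = HEADER_RE.search(flat)
    if m is None:
        raise ValueError("no dig flags line found")
    counts = [int(n) for n in m.groups()[1:]]
    keys = ("query", "answer", "authority", "additional")
    return {"flags": set(m.group(1).split()), **dict(zip(keys, counts))}


def diagnose(dig_text, rd_sent=True, server_is_parent=True):
    """List the header symptoms described in the thread for a delegated name."""
    h = parse_header(dig_text)
    findings = []
    if rd_sent and "rd" not in h["flags"]:
        findings.append("RD from the query was not copied into the response")
    if server_is_parent and h["answer"] > 0:
        findings.append("parent returned answer records instead of a referral")
        if "ra" not in h["flags"]:
            findings.append("answer data served without RA set")
    return findings
```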