Answers from cache or authority section?

Chris Buxton clists at buxtonfamily.us
Tue Jun 25 16:52:15 UTC 2013


On Jun 25, 2013, at 7:32 AM, John Horne <john.horne at plymouth.ac.uk> wrote:

> Hello,
> 
> I am having a bit of trouble understanding what happens when, in this
> instance, a DNS reverse lookup occurs. Our site has the class-C
> 141.163.0.0 address range. If I perform reverse lookups from inside or
> outside our site, then they seem to work fine. However, we are currently
> investigating a problem an external site has with reverse lookups of our
> IP addresses.
> 
> If I run (externally):
> 
>    dig 141.in-addr.arpa ns
> 
> then 6 NS records are returned. If I query any one of those using:
> 
>   dig +norecurse 163.141.in-addr.arpa ns @tinnie.arin.net
> 
> (using 'tinnie' in this example) then I get our 4 NS records relating to
> our local and remote name servers:
> 
> ==============
> ;; AUTHORITY SECTION:
> 163.141.in-addr.arpa.   172800  IN      NS      dns2.cis.strath.ac.uk.
> 163.141.in-addr.arpa.   172800  IN      NS      dns1.cis.strath.ac.uk.
> 163.141.in-addr.arpa.   172800  IN      NS      dns1.plymouth.ac.uk.
> 163.141.in-addr.arpa.   172800  IN      NS      dns0.plymouth.ac.uk.
> ==============
> 
> There is no ANSWER section, but a referral to the servers listed in the
> AUTHORITY section.
> 
> So, I assume that at this point the name server used by a resolver will
> now cache those NS records. As such, any subsequent reverse lookup for a
> 141.163.x.x address should use one of the above cached name servers and
> get an answer.

Your assumption is incorrect. The delegation will only be cached until a more reliable rrset is found -- the NS records returned by your servers (more reliable because of the 'aa' flag).

You already know the solution. Don't publish internal-only name servers to the public. You can do any of the following to fix this:

- Turn on minimal responses on all 4 name servers listed in the referral from ARIN (but this can have undesirable side effects)
- Use two views (but this can cause lots of extra work)
- Publish your external name servers internally (but this can require firewall changes)
- Make your internal name servers reachable from the Internet

Regards,
Chris Buxton
BLUECAT
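The trust-ranking behaviour Chris describes, as an added example that is not part of the thread: a toy model of RFC 2181 section 5.4.1 in which a resolver caches the parent's referral NS set, then overwrites it with the NS RRset carried in the authority section of an authoritative (aa) answer from the child, unless minimal responses keep that RRset out of the answer. The internal-only server names are constructed placeholders; the page never names them.

```python
"""Toy model of RFC 2181 section 5.4.1 trust ranking for cached NS RRsets."""
from dataclasses import dataclass, field

# Lower number = more trustworthy (RFC 2181, 5.4.1). Only the ranks this
# scenario needs are modelled.
AUTH_ANSWER = 3         # answer section of a response with the aa flag set
AUTH_AUTHORITY = 4      # authority section of a response with the aa flag set
REFERRAL_AUTHORITY = 6  # authority section of a non-authoritative response (a referral)


@dataclass
class Cache:
    ns: dict = field(default_factory=dict)  # zone name -> (rank, frozenset of NS targets)

    def learn_ns(self, zone, targets, rank):
        """Install an NS RRset unless an equally or more trustworthy copy is cached.
        Modelling choice: equal-rank data does not replace existing data."""
        current = self.ns.get(zone)
        if current is None or rank < current[0]:
            self.ns[zone] = (rank, frozenset(targets))
        return self.ns[zone][1]


def process_response(cache, zone, aa, authority_ns, answer_ns=()):
    """Feed one response into the cache, ranking NS data by section and aa flag."""
    if answer_ns and aa:
        cache.learn_ns(zone, answer_ns, AUTH_ANSWER)
    if authority_ns:
        cache.learn_ns(zone, authority_ns, AUTH_AUTHORITY if aa else REFERRAL_AUTHORITY)
    return cache.ns.get(zone, (None, frozenset()))[1]


def simulate(minimal_responses):
    """Return the NS set a resolver ends up using for the zone after one PTR lookup."""
    zone = "163.141.in-addr.arpa."
    parent_referral = ["dns0.plymouth.ac.uk.", "dns1.plymouth.ac.uk.",
                       "dns1.cis.strath.ac.uk.", "dns2.cis.strath.ac.uk."]
    # Constructed placeholders for the child zone's apex NS set (internal-only hosts).
    child_ns = ["internal-ns1.example.", "internal-ns2.example."]
    cache = Cache()
    # Step 1: referral from the parent (141.in-addr.arpa servers), aa not set.
    process_response(cache, zone, aa=False, authority_ns=parent_referral)
    # Step 2: PTR answer from the child with aa set; minimal-responses empties
    # the authority section, so no child NS RRset is learned.
    process_response(cache, zone, aa=True,
                     authority_ns=[] if minimal_responses else child_ns)
    return sorted(cache.ns[zone][1])
```

Without minimal responses the cache ends up holding only the internal-only servers; with minimal responses the parent's referral set survives.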

