Answers from cache or authority section?
clists at buxtonfamily.us
Tue Jun 25 16:52:15 UTC 2013
On Jun 25, 2013, at 7:32 AM, John Horne <john.horne at plymouth.ac.uk> wrote:
> I am having a bit of trouble understanding what happens when, in this
> instance, a DNS reverse lookup occurs. Our site has the class-C
> 220.127.116.11 address range. If I perform reverse lookups from inside or
> outside our site, then they seem to work fine. However, we are currently
> investigating a problem an external site has with reverse lookups of our
> IP addresses.
> If I run (externally):
> dig 141.in-addr.arpa ns
> then 6 NS records are returned. If I query any one of those using:
> dig +norecurse 163.141.in-addr.arpa ns @tinnie.arin.net
> (using 'tinnie' in this example) then I get our 4 NS records relating to
> our local and remote name servers:
> ;; AUTHORITY SECTION:
> 163.141.in-addr.arpa. 172800 IN NS dns2.cis.strath.ac.uk.
> 163.141.in-addr.arpa. 172800 IN NS dns1.cis.strath.ac.uk.
> 163.141.in-addr.arpa. 172800 IN NS dns1.plymouth.ac.uk.
> 163.141.in-addr.arpa. 172800 IN NS dns0.plymouth.ac.uk.
> There is no ANSWER section, but a referral to the servers listed in the
> AUTHORITY section.
> So, I assume that at this point the name server used by a resolver will
> now cache those NS records. As such, any subsequent reverse lookup for a
> 141.163.x.x address should use one of the above cached name servers and
> get an answer.
Your assumption is incorrect. The delegation will only be cached until a more reliable rrset is found -- the NS records returned by your servers (more reliable because of the 'aa' flag).
You already know the solution. Don't publish internal-only name servers to the public. You can do any of the following to fix this:
- Turn on minimal responses on all 4 name servers listed in the referral from ARIN (but this can have undesirable side effects)
- Use two views (but this can cause lots of extra work)
- Publish your external name servers internally (but this can require firewall changes)
- Make your internal name servers reachable from the Internet
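As an added illustration of the cache-credibility point in the reply above (this is constructed example code, not anything from the thread or from BIND itself), the following models a caching resolver's RRset ranking from RFC 2181 section 5.4.1: the delegation NS RRset learned from the parent's non-authoritative referral is replaced as soon as one of the zone's own servers returns an 'aa' reply carrying its full NS RRset in the authority section. The four public server names are the ones quoted in the thread; the internal-only names (`internal-ns1.example.`, `internal-ns2.example.`) and the PTR record are placeholders I made up. The `minimal_responses` switch stands in for BIND's `minimal-responses yes`, which keeps the authoritative server from appending the NS RRset and so leaves the parent's delegation in the cache.

```python
"""Constructed model of RFC 2181 5.4.1 RRset ranking in a caching resolver.

Shows why internal-only NS names published in a zone's own NS RRset end up
replacing the public delegation set in a resolver's cache, and how omitting
the authority section (BIND minimal-responses) avoids that.
"""
from dataclasses import dataclass, field

# Credibility ranks from RFC 2181 5.4.1 (higher is more credible).
TRUST_AUTH_ANSWER = 3     # answer section of an authoritative ('aa') reply
TRUST_AUTH_AUTHORITY = 2  # authority section of an authoritative reply
TRUST_REFERRAL = 1        # authority section of a non-authoritative referral

ZONE = "163.141.in-addr.arpa."

# Public servers as listed in ARIN's referral in the thread.
PUBLIC_NS = frozenset({
    "dns0.plymouth.ac.uk.", "dns1.plymouth.ac.uk.",
    "dns1.cis.strath.ac.uk.", "dns2.cis.strath.ac.uk.",
})
# Hypothetical internal-only servers (placeholders, not from the thread).
INTERNAL_NS = frozenset({"internal-ns1.example.", "internal-ns2.example."})


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: frozenset
    trust: int


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)

    def add(self, rrset: RRset) -> bool:
        """Store rrset unless a more credible copy is already cached."""
        key = (rrset.name, rrset.rtype)
        current = self.entries.get(key)
        if current is None or rrset.trust >= current.trust:
            self.entries[key] = rrset
            return True
        return False

    def nameservers(self, zone: str) -> frozenset:
        entry = self.entries.get((zone, "NS"))
        return entry.rdata if entry else frozenset()


def referral_from_parent(cache: Cache) -> None:
    """Parent server (e.g. tinnie.arin.net) replies without 'aa' and puts the
    delegation NS RRset in the authority section: lowest credibility."""
    cache.add(RRset(ZONE, "NS", PUBLIC_NS, TRUST_REFERRAL))


def authoritative_reply(cache: Cache, minimal_responses: bool) -> None:
    """Reply from one of the zone's own servers with 'aa' set. Without
    minimal-responses the server also appends the zone's full NS RRset
    (including internal-only names) to the authority section."""
    cache.add(RRset("1.0.163.141.in-addr.arpa.", "PTR",
                    frozenset({"host.example."}), TRUST_AUTH_ANSWER))
    if not minimal_responses:
        cache.add(RRset(ZONE, "NS", PUBLIC_NS | INTERNAL_NS,
                        TRUST_AUTH_AUTHORITY))


def simulate(minimal_responses: bool) -> frozenset:
    """Return the NS RRset a resolver holds for the zone after one referral
    and one authoritative reply."""
    cache = Cache()
    referral_from_parent(cache)
    authoritative_reply(cache, minimal_responses)
    return cache.nameservers(ZONE)


def unreachable_from_internet(ns_set: frozenset) -> frozenset:
    """Servers an external resolver would try but cannot reach."""
    return ns_set - PUBLIC_NS


if __name__ == "__main__":
    for flag in (False, True):
        cached = simulate(minimal_responses=flag)
        print(f"minimal-responses={'yes' if flag else 'no'}: cached NS =",
              sorted(cached))
        print("  unreachable from Internet:",
              sorted(unreachable_from_internet(cached)) or "none")
```

Running it shows the two outcomes side by side: without minimal-responses the cached NS set grows to six names, two of which an external resolver can never reach, so a share of later reverse lookups time out; with minimal-responses the parent's four-name delegation survives in the cache.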