3rd party CNAMEs and open recursion

btb at bitrate.net btb at bitrate.net
Tue Mar 5 02:24:04 UTC 2013


On Mar 4, 2013, at 15.26, Verne Britton <verne at wvnet.edu> wrote:

> 
> On 3/4/2013 2:45 PM, Barry Margolin wrote:
>> In article <mailman.1592.1362422631.11945.bind-users at lists.isc.org>,
>>  Verne Britton <verne at wvnet.edu> wrote:
>> 
>>> I have been testing and testing and either just don't see what I'm doing
>>> wrong, or have a learning block  :-)
>>> 
>>> current thinking is that a open recursion DNS server is bad, so we want to
>>> implement an allow-recursion clause; perhaps even make some views so our
>>> local users still recurse while the general public cannot ...
>>> 
>>> but I am running into a roadblock with our Google Apps cname:
>>> 
>>>    gmail.wvstateu.edu is a cname to ghs.google.com
>>> 
>>> and bind wants recursion turned on in order to translate it.
>> 
>> What's the problem?
>> 
>> If the query comes from a local user, recursion will be allowed, and the
>> CNAME will be resolved.
>> 
>> If the query comes from a remote resolver, recursion shouldn't even be
>> requested. You'll respond with the CNAME, and the remote resolver will
>> then do its own lookup of that.
>> 
> 
> Barry asks whats my problem ...  
> 
> 
> *****  it doesn't work   :-)    :-)

"it doesn't work" is not a helpful problem description.  where is the demonstration of "it doesn't work"?  at this stage, that would likely be more useful than pages of configs.  also, given a reasonably current version of bind, named-checkconf -p would probably be a more effective way to share your config.

> for some reason my server wants to do the CNAME resolution itself instead of just returning the CNAME alone ... perhaps I have something configured wrong.   Don't know if I'm being hit with queries from other DNS servers or from end users ...

this is easy to determine by inspecting the logs.  it may be necessary to enable query logging.

> HEY ... maybe thats the answer ... perhaps all my testing and all my complaints are from staff who go home and use their campus configs at home ... and try to use the public authoritative server as their personal resolving (recursing) server

are dns servers being statically set on clients rather than via dhcp [or such]?

-ben


More information about the bind-users mailing list