ISP caching server setup
Mark Andrews
marka at isc.org
Wed Aug 6 23:28:45 UTC 2014
In message <3A1EBFDB-A033-4E07-BE61-9F6BA6916406 at zitomedia.com>, Jared Empson w
rites:
>
> I manage a small group of cache only servers for an ISP. We run Bind 9.7
You run BIND 9.7.0 and haven't applied any of the maintainence releases
to BIND 9.7.
> and have noticed that several domains our customers would like to access
> are unavailable from our cache servers. These same domains work on other
> provider networks such as Verizon or Google.
In BIND 9.7.0 we restored the code to skip to non authorative answers
from supposedly authorative servers having fixed a bug in named.
Unfortunately there are some zones for which all the servers are
broken and don't return authorative (aa=1) answers.
BIND 9.7.1 reversed the change to skip non authorative answers
despite it being technically correct.
> What I have found is that these domains all have misconfigured glue
> records. This could be cause by a recent change of registrar or a
> misconfigured zone file pointing to NS records that no longer exist as
> glue records. Because of this any query of a host from these domains
> receive a non-authoratative response and are dropped by our cache servers.
>
> How do I configure the cache server to accept the non-authoritative
> response to provide our customers access to these domains with out
> forwarding to Google's caching servers?
> An example domain is losscontrol360.com.
> What our customers receive:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com. IN A
>
> ;; Query time: 1380 msec
> ;; SERVER: 10.100.2.11#53(10.100.2.11)
> ;; WHEN: Wed Aug 6 16:00:55 2014
> ;; MSG SIZE rcvd: 36
>
> What our cache server receives:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
> ;; QUESTION SECTION:
> ;losscontrol360.com. IN A
>
> ;; ANSWER SECTION:
> losscontrol360.com. 173 IN A 74.208.98.80
>
> What Google provides:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com. IN A
>
> ;; ANSWER SECTION:
> losscontrol360.com. 586 IN A 74.208.98.80
>
> ;; Query time: 174 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug 6 16:01:07 2014
> ;; MSG SIZE rcvd: 52
>
> Jared Empson
> Systems Administrator
> Zito Media
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list