ISP caching server setup

Mark Andrews marka at isc.org
Wed Aug 6 23:28:45 UTC 2014


In message <3A1EBFDB-A033-4E07-BE61-9F6BA6916406 at zitomedia.com>, Jared Empson writes:
>
> I manage a small group of cache only servers for an ISP.  We run Bind 9.7

You run BIND 9.7.0 and haven't applied any of the maintenance releases
to BIND 9.7.

> and have noticed that several domains our customers would like to access
> are unavailable from our cache servers.  These same domains work on other
> provider networks such as Verizon or Google.

In BIND 9.7.0 we restored the code to skip to non authoritative answers
from supposedly authoritative servers having fixed a bug in named.
Unfortunately there are some zones for which all the servers are
broken and don't return authoritative (aa=1) answers.

BIND 9.7.1 reversed the change to skip non authoritative answers
despite it being technically correct.

> What I have found is that these domains all have misconfigured glue
> records.  This could be caused by a recent change of registrar or a
> misconfigured zone file pointing to NS records that no longer exist as
> glue records.  Because of this any query of a host from these domains
> receives a non-authoritative response and is dropped by our cache servers.
>
> How do I configure the cache server to accept the non-authoritative
> response to provide our customers access to these domains without
> forwarding to Google's caching servers?


> An example domain is losscontrol360.com.
> What our customers receive:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com.		IN	A
>
> ;; Query time: 1380 msec
> ;; SERVER: 10.100.2.11#53(10.100.2.11)
> ;; WHEN: Wed Aug  6 16:00:55 2014
> ;; MSG SIZE  rcvd: 36
>
> What our cache server receives:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
> ;; QUESTION SECTION:
> ;losscontrol360.com.		IN	A
>
> ;; ANSWER SECTION:
> losscontrol360.com.	173	IN	A	74.208.98.80
>
> What Google provides:
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com.		IN	A
>
> ;; ANSWER SECTION:
> losscontrol360.com.	586	IN	A	74.208.98.80
>
> ;; Query time: 174 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug  6 16:01:07 2014
> ;; MSG SIZE  rcvd: 52
>
> Jared Empson
> Systems Administrator
> Zito Media

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
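
Added example, not part of the original thread and not ISC code: a small Python checker that reads dig output and flags the case discussed above, a NOERROR answer with data but no aa flag from a server that is supposed to be authoritative. The sample outputs are constructed from the dig excerpts in the message (plus one constructed healthy reply), and treating the ra flag as "this came from a resolver" is an assumption of this sketch.

```python
import re

# ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..." -> flag list and answer count
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)", re.M)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")

def classify(dig_text):
    """Classify one dig response by rcode, header flags and answer count."""
    status = STATUS_RE.search(dig_text)
    flags = FLAGS_RE.search(dig_text)
    if not status or not flags:
        return "unparsed"
    rcode = status.group(1)
    flagset = set(flags.group(1).split())
    answers = int(flags.group(2))
    if rcode != "NOERROR":
        return "error:" + rcode
    if "ra" in flagset:
        # Assumption: recursion available means a resolver answered,
        # so a missing aa flag is expected here.
        return "recursive-answer"
    if "aa" in flagset:
        return "authoritative"
    if answers > 0:
        # Data returned without aa=1: the broken-server case that
        # BIND 9.7.0 skips and the customer sees as SERVFAIL.
        return "non-authoritative-from-auth"
    return "referral-or-empty"

# Constructed samples, trimmed from the dig output quoted in the message.
CLIENT_VIEW = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
CACHE_VIEW = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  38342
;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
GOOGLE_VIEW = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
# Constructed: what a correctly configured authoritative server would send.
HEALTHY_AUTH = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, text in [("client", CLIENT_VIEW), ("cache", CACHE_VIEW),
                       ("google", GOOGLE_VIEW), ("healthy", HEALTHY_AUTH)]:
        print(name, classify(text))
```

Feed it the output of a non-recursive dig query sent directly to each of a zone's listed name servers; any "non-authoritative-from-auth" result marks a server the zone owner needs to fix.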

