Question About Recursion In A Split Horizon Setup

Tim Daneliuk tundra at tundraware.com
Fri Apr 17 14:33:42 UTC 2020


On 4/17/20 7:26 AM, Bob Harold wrote:
> 
> On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <tundra at tundraware.com <mailto:tundra at tundraware.com>> wrote:
> 
>     We have split horizon setup and enable our internal and trusted hosts
>     to do things as follows:
> 
>         allow-recursion { trustedhosts; };
>         allow-transfer  { trustedhosts; };
> 
>     'trustedhosts' includes a number of public facing IPs as well as the
>     192.168.0/24 CIDR block.  It also includes the IPs of the Master and
>     Slave bind servers.
> 
>     So here's the part that has me wondering.  If I do a reverse lookup of
>     an IP, it works as expected _except_ if I do it on either the Master
>     or Slave machines. They will not only look up reverses on our
>     own IPs, they won't do it for ANY IP and returns the warning:
> 
>         WARNING: recursion requested but not available
> 
>     This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
>     running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
>     on a physical machine.  Neither instance is jailed.
> 
>     Ideas?
> 
>     -- 
>     ----------------------------------------------------------------------------
>     Tim Daneliuk     tundra at tundraware.com <mailto:tundra at tundraware.com>
>     PGP Key:         http://www.tundraware.com/PGP/
> 
> 
> Is 127.0.0.1 in the 'trustedhosts' list?

Yes

> Are you telling 'dig' what server to use  - dig @127.0.0.1

No.  But when I do, it works properly.  Doesn't dig default to localhost (in this case the host running bind)?

> What servers are listed in /etc/resolv.conf?  Do they resolve the reverse zones?

There is no resolv.conf on these machines.  They are the ones running the nameservers.

> Are local queries hitting the right 'view' (if you have multiple views) ?

Yes, IF I explicitly point dig to the right nameserver.


So ... what's going on is that dig appears to not be using localhost first to resolve reverses.



> 
> -- 
> Bob Harold
> 


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
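As an added example (not part of this thread, and not code from the bind-users list or from BIND itself), a small POSIX sh helper that makes the two things discussed above checkable: which servers dig will try when no @server is given, and whether a dig reply's header flags show recursion available. The fallback to 127.0.0.1 and ::1 when resolv.conf is absent is an assumption about dig's behaviour; the dig output is constructed sample text, not captured from the poster's servers.

```shell
#!/bin/sh
# Constructed sample dig headers (not real captures).
# A reply where recursion was requested (rd) but the server did not offer it (no ra).
SAMPLE_NO_RA=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12345
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# A reply where the server granted recursion (ra set).
SAMPLE_RA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Print recursion-available if the "ra" flag is present in the ";; flags:" line,
# otherwise recursion-refused (the condition behind dig's WARNING line).
classify_dig_output() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ra "*) echo recursion-available ;;
        *)        echo recursion-refused ;;
    esac
}

# List the servers dig would query with no @server argument: the nameserver
# lines of the given resolv.conf, or (assumption about dig's fallback) the
# loopback addresses 127.0.0.1 and ::1 when the file does not exist.
default_dig_servers() {
    if [ -r "$1" ]; then
        awk '$1 == "nameserver" { print $2 }' "$1"
    else
        printf '127.0.0.1\n::1\n'
    fi
}

# Usage: run against the constructed samples and the host's own resolv.conf.
classify_dig_output "$SAMPLE_NO_RA"
classify_dig_output "$SAMPLE_RA"
default_dig_servers /etc/resolv.conf
```

Every address printed by default_dig_servers is one that must match the allow-recursion ACL (including ::1 if IPv6 loopback is tried), which is the comparison to make when an explicit @127.0.0.1 works but the default does not.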