Question About Recursion In A Split Horizon Setup
Tim Daneliuk
tundra at tundraware.com
Fri Apr 17 14:33:42 UTC 2020
On 4/17/20 7:26 AM, Bob Harold wrote:
>
> On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <tundra at tundraware.com> wrote:
>
> We have split horizon setup and enable our internal and trusted hosts
> to do things as follows:
>
> allow-recursion { trustedhosts; };
> allow-transfer { trustedhosts; };
>
> 'trustedhosts' includes a number of public facing IPs as well as the
> 192.168.0/24 CIDR block. It also includes the IPs of the Master and
> Slave bind servers.
>
> So here's the part that has me wondering. If I do a reverse lookup of
> an IP, it works as expected _except_ if I do it on either the Master
> or Slave machines. Not only won't they look up reverses on our
> own IPs, they won't do it for ANY IP, and they return the warning:
>
> WARNING: recursion requested but not available
>
> This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> running on FreeBSD 11.3-STABLE. Master is on a cloud server, Slave is
> on a physical machine. Neither instance is jailed.
>
> Ideas?
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra at tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
>
> Is 127.0.0.1 in the 'trustedhosts' list?
Yes
> Are you telling 'dig' what server to use - dig @127.0.0.1
No. But when I do, it works properly. Doesn't dig default to localhost (in this case the host running bind)?
> What servers are listed in /etc/resolv.conf? Do they resolve the reverse zones?
There is no resolv.conf on these machines. They are the ones running the nameservers.
> Are local queries hitting the right 'view' (if you have multiple views) ?
Yes, IF I explicitly point dig to the right nameserver.
So ... what's going on is that dig appears to not be using localhost first to resolve reverses.
>
> --
> Bob Harold
>
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/