Question About Recursion In A Split Horizon Setup

Bob Harold rharolde at umich.edu
Fri Apr 17 14:50:55 UTC 2020


On Fri, Apr 17, 2020 at 10:34 AM Tim Daneliuk <tundra at tundraware.com> wrote:

> On 4/17/20 7:26 AM, Bob Harold wrote:
> >
> > On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <tundra at tundraware.com> wrote:
> >
> >     We have split horizon setup and enable our internal and trusted hosts
> >     to do things as follows:
> >
> >         allow-recursion { trustedhosts; };
> >         allow-transfer  { trustedhosts; };
> >
> >     'trustedhosts' includes a number of public facing IPs as well as the
> >     192.168.0/24 CIDR block.  It also includes the IPs of the Master and
> >     Slave bind servers.
> >
> >     So here's the part that has me wondering.  If I do a reverse lookup of
> >     an IP, it works as expected _except_ if I do it on either the Master
> >     or Slave machines. They will not only look up reverses on our
> >     own IPs, they won't do it for ANY IP and returns the warning:
> >
> >         WARNING: recursion requested but not available
> >
> >     This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> >     running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
> >     on a physical machine.  Neither instance is jailed.
> >
> >     Ideas?
> >
> >     --
> >     ----------------------------------------------------------------------------
> >     Tim Daneliuk     tundra at tundraware.com
> >     PGP Key:         http://www.tundraware.com/PGP/
> >
> >
> > Is 127.0.0.1 in the 'trustedhosts' list?
>
> Yes
>
> > Are you telling 'dig' what server to use  - dig @127.0.0.1
>
> No.  But when I do, it works properly.  Doesn't dig default to localhost
> (in this case the host running bind)?
>
> > What servers are listed in /etc/resolv.conf?  Do they resolve the reverse zones?
>
> There is no resolv.conf on these machines.  They are the ones running the
> nameservers.
>
> > Are local queries hitting the right 'view' (if you have multiple views) ?
>
> Yes, IF I explicitly point dig to the right nameserver.
>
>
> So ... what's going on is that dig appears to not be using localhost first
> to resolve reverses.
>
>
Agree, that's odd, and not what the man page says.  Any chance that there
is some other DNS helper running, like resolved, nscd, dnsmasq, etc?
'dig' should tell you what address it used, at the bottom of the output -
what does it say?

-- 
Bob Harold


> >
> > --
> > Bob Harold
> >
>
>
> --
>
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
>
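One way to act on Bob's suggestion, as an added example that is not part of the thread: a small POSIX sh helper that reads the trailer dig prints (the ";; SERVER:" and ";; flags:" lines) and reports whether the resolver you expected actually answered and whether it offered recursion. The two dig captures embedded in it are constructed, and 192.0.2.53 is a placeholder for "some other resolver".

```shell
#!/bin/sh
# Added example: read the trailer of a dig(1) run to see which server answered
# and whether it set "ra" (recursion available). Both captures are constructed
# sample output; 192.0.2.53 is a placeholder, not an address from the thread.
SAMPLE_REMOTE='; <<>> DiG 9.16.1 <<>> -x 192.168.0.10
;; WARNING: recursion requested but not available
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.0.2.53#53(192.0.2.53)'

SAMPLE_LOCAL='; <<>> DiG 9.16.1 <<>> @127.0.0.1 -x 192.168.0.10
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# dig_server: the address dig sent the query to (from the ";; SERVER:" line).
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# dig_flags: the header flag words, e.g. "qr rd" or "qr aa rd ra".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# dig_has_ra: succeed only if the answering server set "ra".
dig_has_ra() {
    case " $(dig_flags "$1") " in *" ra "*) return 0 ;; *) return 1 ;; esac
}

# dig_verdict OUTPUT EXPECTED_SERVER: one word explaining a failed reverse
# lookup. "wrong-server": dig never talked to the resolver you expected.
# "refused": that server answered without "ra", so the querying address is
# not allowed recursion there (check allow-recursion in the view it landed in).
dig_verdict() {
    srv=$(dig_server "$1")
    if [ "$srv" != "$2" ]; then
        echo "wrong-server ($srv answered, expected $2)"
    elif dig_has_ra "$1"; then
        echo "ok ($srv offers recursion)"
    else
        echo "refused ($srv answered without ra)"
    fi
}

dig_verdict "$SAMPLE_REMOTE" 127.0.0.1
dig_verdict "$SAMPLE_LOCAL" 127.0.0.1
```

On a live host, pipe real output in with `dig_verdict "$(dig -x 192.168.0.10)" 127.0.0.1` and compare the result against the same query run with `@127.0.0.1`.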