forward option in dns server
Renzo Marengo
buckroger2011 at gmail.com
Fri Jun 28 11:54:27 UTC 2024
Ok, very very interesting, and about this doubt:
Is /etc/resolv.conf on the BIND server used only by client services? E.g. the
ping tool.
I think the bind9 DNS service doesn't consult /etc/resolv.conf at all, right?
Thanks again
On Fri, 28 Jun 2024 at 13:10, Greg Choules <
gregchoules+bindusers at googlemail.com> wrote:
> Hi again Renzo.
>
> In general, BIND (and other resolvers) make non-recursive (aka iterative)
> queries to authoritative servers, such as the roots and others.
>
> - Clients (laptops etc.) make recursive queries to the DCs. If the DCs
> know the answer they respond immediately; no forwarding needed.
> - If the DCs don't (currently) know the answer, they make recursive
> queries to BIND because that's what you have told them to do, using either
> global or conditional forwarding. If BIND knows the answer it responds
> immediately; no need to make queries into the Internet.
> - If BIND doesn't (currently) know the answer it makes non-recursive
> queries to anywhere it needs, to gather information to construct a response.
> It is important to note that each of these is a separate DNS conversation.
>
> Does that help?
>
> Please get another server (and a test server) and upgrade them all to
> current software.
>
> Cheers, Greg
>
> On Fri, 28 Jun 2024 at 11:58, Renzo Marengo <buckroger2011 at gmail.com>
> wrote:
>
>> Hi Greg again! :)
>>
>> > 1) This should help you understand the difference between recursive and
>> non-recursive queries.
>> I read about recursive and iterative queries, but I think the A.B.C.D server
>> should act as a recursive server for the domain controllers. I ask myself the
>> same question about the root servers: or should the Bind9 server make
>> iterative queries to the root servers?
>>
>> > I hope this server is behind a good firewall?
>> Yes
>>
>> >Do you only have one BIND server?
>> >I would recommend two at least, in case you need to take one down for
>> maintenance or it fails for some reason.
>> Yes only one server
>>
>> >> Your "allow-..." statements should look like this, with IP addresses,
>> not domain names.
>> Oh yes, this one was to explain to you which servers I inserted into this
>> list.
>>
>>
>> I have another doubt: is /etc/resolv.conf on the bind server used only by
>> client services? E.g. the ping tool
>> I think the bind9 DNS service doesn't consult /etc/resolv.conf at all, right?
>>
>> On Fri, 28 Jun 2024 at 08:46, Greg Choules <
>> gregchoules+bindusers at googlemail.com> wrote:
>>
>>> Hi Renzo.
>>> You're welcome.
>>> 1) Correct. You don't need forwarding for a simple resolver. Take a look
>>> at the meaning of the RD flag in the BIND protocol header. This should help
>>> you understand the difference between recursive and non-recursive queries.
>>> 2) No. See 1)
>>> 3) Yes. For a standard resolver facing the Internet you do not need a
>>> hint zone.
>>>
>>> Some more thoughts occurred to me:
>>> - I hope this server is behind a good firewall?
>>> - Do you only have one BIND server? I would recommend two at least, in
>>> case you need to take one down for maintenance or it fails for some reason.
>>> - Your "allow-..." statements should look like this, with IP addresses,
>>> not domain names.
>>> allow-... {127.0.0.1; <query_source_IP_address_of_DC1>;
>>> <query_source_IP_address_of_DC2>; <any_other_source_addresses...>;}; You do
>>> not need to include this server in the list.
>>>
>>> Any changes you make should be done on a test server first, so you can
>>> be comfortable understanding what effect those changes have and only move
>>> them to production when you are certain.
>>>
>>> Cheers, Greg
>>>
>>> On Fri, 28 Jun 2024 at 07:14, Renzo Marengo <buckroger2011 at gmail.com>
>>> wrote:
>>>
>>>> Hi Greg,
>>>> Thank you again for your suggestions.
>>>>
>>>> >A.B.C.D is the address of this server?
>>>> Yes, it's the Bind server
>>>>
>>>> I read several documents about DNS architecture.
>>>> My questions are about this configuration of bind:
>>>>
>>>> 1- In your opinion, does my bind make queries to the root servers if no
>>>> 'forwarders' option is set? I'll verify it by tcpdump as you suggested
>>>> 2- Do you suggest setting some "forwarders"?
>>>> 3- Does this bind version have the root servers built in? If I removed the
>>>> 'named.ca' reference, would Bind use the built-in root servers?
>>>>
>>>> thanks
>>>>
>>>> On Fri, 28 Jun 2024 at 07:51, Greg Choules <
>>>> gregchoules+bindusers at googlemail.com> wrote:
>>>>
>>>>> Hi Renzo.
>>>>>
>>>>> Thank you for that. The hints look OK. A bit old, but they will work.
>>>>>
>>>>> The first thing I would advise you to do as a matter of priority is to
>>>>> upgrade BIND.
>>>>> 9.11 has been end-of-life for a few years and there have been many
>>>>> security fixes since then. 9.18.27 is the current version.
>>>>> You could install that directly, or upgrade RHEL and obtain a more
>>>>> recent packaged version.
>>>>>
>>>>>
>>>>> You can check what BIND is doing by using "tcpdump". For example:
>>>>> sudo tcpdump -n -i <interface> -c 1000 port 53 and host A.B.C.D
>>>>>
>>>>> I am making some assumptions:
>>>>> A.B.C.D is the address of this server?
>>>>> <interface> is the name of the interface the server will use for
>>>>> outbound queries, according to its routing table. I am guessing this is
>>>>> the interface with address A.B.C.D?
>>>>> -c stops the capture after 1000 packets. This is just a safety
>>>>> precaution.
>>>>> port 53 and host A.B.C.D limits the capture to only packets with port
>>>>> 53 (DNS) AND with the address of this interface, so you don't capture any
>>>>> SSH or HTTPS etc.
>>>>>
>>>>> A fresh (recently restarted) DNS resolver - any one, not just BIND -
>>>>> will make queries to the root to start with. It does this to learn where to
>>>>> go next. It stores the results of those queries in its cache so that it
>>>>> doesn't have to make them again for some time.
>>>>>
>>>>> There are many good books and articles available online to explain the
>>>>> basics of DNS. The BIND ARM (distributed with BIND and also available
>>>>> online) is the reference manual for BIND itself.
>>>>>
>>>>> I hope that helps.
>>>>> Greg
>>>>>
>>>>> On Fri, 28 Jun 2024 at 05:57, Renzo Marengo <buckroger2011 at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Greg,
>>>>>> The info you required:
>>>>>>
>>>>>> 1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support
>>>>>> Version) on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64
>>>>>> 2) named.ca is the file which contains the root servers
>>>>>> named.ca
>>>>>> ----
>>>>>> . 518400 IN NS a.root-servers.net.
>>>>>> . 518400 IN NS b.root-servers.net.
>>>>>> . 518400 IN NS c.root-servers.net.
>>>>>> . 518400 IN NS d.root-servers.net.
>>>>>> . 518400 IN NS e.root-servers.net.
>>>>>> . 518400 IN NS f.root-servers.net.
>>>>>> . 518400 IN NS g.root-servers.net.
>>>>>> . 518400 IN NS h.root-servers.net.
>>>>>> . 518400 IN NS i.root-servers.net.
>>>>>> . 518400 IN NS j.root-servers.net.
>>>>>> . 518400 IN NS k.root-servers.net.
>>>>>> . 518400 IN NS l.root-servers.net.
>>>>>> . 518400 IN NS m.root-servers.net.
>>>>>>
>>>>>> ;; ADDITIONAL SECTION:
>>>>>> a.root-servers.net. 518400 IN A 198.41.0.4
>>>>>> b.root-servers.net. 518400 IN A 199.9.14.201
>>>>>> c.root-servers.net. 518400 IN A 192.33.4.12
>>>>>> d.root-servers.net. 518400 IN A 199.7.91.13
>>>>>> e.root-servers.net. 518400 IN A 192.203.230.10
>>>>>> f.root-servers.net. 518400 IN A 192.5.5.241
>>>>>> g.root-servers.net. 518400 IN A 192.112.36.4
>>>>>> h.root-servers.net. 518400 IN A 198.97.190.53
>>>>>> i.root-servers.net. 518400 IN A 192.36.148.17
>>>>>> j.root-servers.net. 518400 IN A 192.58.128.30
>>>>>> k.root-servers.net. 518400 IN A 193.0.14.129
>>>>>> l.root-servers.net. 518400 IN A 199.7.83.42
>>>>>> m.root-servers.net. 518400 IN A 202.12.27.33
>>>>>> a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
>>>>>> b.root-servers.net. 518400 IN AAAA 2001:500:200::b
>>>>>> c.root-servers.net. 518400 IN AAAA 2001:500:2::c
>>>>>> d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
>>>>>> e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
>>>>>> f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
>>>>>> g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
>>>>>> h.root-servers.net. 518400 IN AAAA 2001:500:1::53
>>>>>> i.root-servers.net. 518400 IN AAAA 2001:7fe::53
>>>>>> j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
>>>>>> k.root-servers.net. 518400 IN AAAA 2001:7fd::1
>>>>>> l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
>>>>>> m.root-servers.net. 518400 IN AAAA 2001:dc3::35
>>>>>> ----
>>>>>>
>>>>>> I didn't know some Bind versions had the Internet root hints built in.
>>>>>> About my configuration, I understand that bind always makes queries to
>>>>>> the root servers? Right?
>>>>>> I'd like to re-check the configuration of bind.
>>>>>>
>>>>>>
>>>>>> On Thu, 27 Jun 2024 at 22:15, Greg Choules <
>>>>>> gregchoules+bindusers at googlemail.com> wrote:
>>>>>>
>>>>>>> Hi Renzo.
>>>>>>> Ah OK, I had it the wrong way round. AD DNS needs to resolve names
>>>>>>> in the Internet on behalf of its clients, so it forwards to BIND.
>>>>>>>
>>>>>>> In that case, two questions:
>>>>>>> 1) What version of BIND are you running? You can get this with
>>>>>>> "named -V"
>>>>>>> 2) What is in the file "named.ca"?
>>>>>>> For a long time (which is why I need to know the version) BIND has
>>>>>>> had the Internet root hints built in, so you don't need a hint zone
>>>>>>> anymore. Unless you are defining different roots for some reason. Hence why
>>>>>>> I need to know the contents of that file.
>>>>>>>
>>>>>>> Thanks, Greg
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, 27 Jun 2024 at 18:06, Renzo Marengo <buckroger2011 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> Hi Greg,
>>>>>>>>
>>>>>>>> thank you very much for your explanation.
>>>>>>>>
>>>>>>>> Let's suppose the AD domain is 'mydomain.it' and I have 6000
>>>>>>>> computers of a government institute.
>>>>>>>>
>>>>>>>> Here my bind configuration:
>>>>>>>>
>>>>>>>>
>>>>>>>> named.conf
>>>>>>>> ---
>>>>>>>> include "…. named.conf.options";
>>>>>>>>
>>>>>>>> zone "." IN {
>>>>>>>>     type hint;
>>>>>>>>     file "named.ca";
>>>>>>>> };
>>>>>>>>
>>>>>>>> include "…. named.rfc1912.zones";
>>>>>>>> include "…. named.root.key";
>>>>>>>> ---
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> named.conf.options
>>>>>>>> ---
>>>>>>>> logging {
>>>>>>>>     channel named_debug {
>>>>>>>>         syslog local6;
>>>>>>>>         severity debug 1;
>>>>>>>>         print-category yes;
>>>>>>>>         print-severity yes;
>>>>>>>>         print-time yes;
>>>>>>>>     };
>>>>>>>>     category default { named_debug; };
>>>>>>>> };
>>>>>>>>
>>>>>>>> options {
>>>>>>>>     auth-nxdomain no;    # conform to RFC1035
>>>>>>>>
>>>>>>>>     allow-recursion { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>>>>>>>>     allow-query { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>>>>>>>>     recursive-clients 3000;
>>>>>>>>     allow-query-cache { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>>>>>>>>
>>>>>>>>     listen-on port 53 { 127.0.0.1; A.B.C.D; };
>>>>>>>>
>>>>>>>>     directory "….. named";
>>>>>>>>     dump-file "….. cache_dump.db";
>>>>>>>>     statistics-file "….. named_stats.txt";
>>>>>>>>     memstatistics-file "…. named_mem_stats.txt";
>>>>>>>>     recursing-file "… named.recursing";
>>>>>>>>     secroots-file "… named.secroots";
>>>>>>>>
>>>>>>>>     recursion yes;
>>>>>>>>     dnssec-enable no;
>>>>>>>>     dnssec-validation no;
>>>>>>>>
>>>>>>>>     bindkeys-file "….. named.iscdlv.key";
>>>>>>>>     managed-keys-directory "….. dynamic";
>>>>>>>>     pid-file "….. named.pid";
>>>>>>>>     session-keyfile "….. session.key";
>>>>>>>> };
>>>>>>>> ---
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> > Thirdly, I would not forward to AD DNS, unless the AD servers also
>>>>>>>> > recurse and can provide resolution for delegated names below the AD domain
>>>>>>>> > that are not hosted on the AD servers themselves.
>>>>>>>>
>>>>>>>>
>>>>>>>> There is no forward option to AD DNS. Forwarding is enabled from AD DNS
>>>>>>>> to the A.B.C.D bind9 server.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> All clients are using AD DNS; in fact every query about a name in
>>>>>>>> 'mydomain.it' is resolved by AD DNS.
>>>>>>>>
>>>>>>>> When a client asks for an external domain, e.g. www.google.it, the AD server
>>>>>>>> forwards the query to the A.B.C.D server. (The forward option is set on every
>>>>>>>> domain controller.)
>>>>>>>>
>>>>>>>> Only AD DNS makes queries to the A.B.C.D server, and it's necessary
>>>>>>>> only to resolve external domains.
>>>>>>>>
>>>>>>>> The A.B.C.D server never makes queries to the AD server. A.B.C.D is the next
>>>>>>>> DNS server, which participates when it's necessary to resolve an external
>>>>>>>> domain.
>>>>>>>>
>>>>>>>>
>>>>>>>> I hope I have explained it right.
>>>>>>>>
>>>>>>>> I thought the A.B.C.D server made queries to the root servers because in the
>>>>>>>> configuration there is no reference to the forward option; I was thinking of
>>>>>>>> setting a government DNS of my country as the DNS forwarder. What do you think?
>>>>>>>>
>>>>>>>> I have doubts about the recursive and iterative query options too.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, 27 Jun 2024 at 13:24, Greg Choules <
>>>>>>>> gregchoules+bindusers at googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Renzo.
>>>>>>>>> Firstly, please can we see your BIND configuration and have the
>>>>>>>>> actual AD domain name.
>>>>>>>>>
>>>>>>>>> Secondly, BIND, or any other recursive DNS server, does not
>>>>>>>>> 'forward' to the root servers, unless you have configured it explicitly to
>>>>>>>>> do so, which would be a bad idea and not work anyway. It will recurse
>>>>>>>>> (paradoxically, perform non-recursive aka iterative queries) to the roots
>>>>>>>>> and other authoritative servers. It is an important distinction to be aware
>>>>>>>>> of.
>>>>>>>>>
>>>>>>>>> Thirdly, I would not forward to AD DNS, unless the AD servers also
>>>>>>>>> recurse and can provide resolution for delegated names below the AD domain
>>>>>>>>> that are not hosted on the AD servers themselves. Personally I would use a
>>>>>>>>> stub or static-stub zone in BIND to refer to the AD domain.
>>>>>>>>>
>>>>>>>>> In general, decide which DNS is going to do the resolving and make
>>>>>>>>> that the control point, fetching data from wherever it needs to (e.g. AD
>>>>>>>>> DNS) - using non-recursive queries - and using that data to construct
>>>>>>>>> answers for its clients.
>>>>>>>>>
>>>>>>>>> I hope that helps.
>>>>>>>>> Cheers, Greg
>>>>>>>>>
>>>>>>>>> On Thu, 27 Jun 2024 at 12:02, Renzo Marengo <
>>>>>>>>> buckroger2011 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I have an Active Directory domain ('mydomain.it') with 8 domain
>>>>>>>>>> controllers to manage 8000 computers. Every domain controller acts as a DNS
>>>>>>>>>> service and resolves internal domain names, while forwarding queries about
>>>>>>>>>> external domains to another server, which is a Bind9 DNS server (it's inside my
>>>>>>>>>> company).
>>>>>>>>>> I'm checking this Bind9 configuration (CentOS server) and I see
>>>>>>>>>> no forward servers, so I think this makes bind9 forward queries directly to
>>>>>>>>>> the root servers. What do you think?
>>>>>>>>>> In your opinion, should this Bind9 server forward
>>>>>>>>>> requests to one or more DNS servers via the forward option?
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>>>>>>>> unsubscribe from this list
>>>>>>>>>>
>>>>>>>>>> ISC funds the development of this software with paid support
>>>>>>>>>> subscriptions. Contact us at https://www.isc.org/contact/ for
>>>>>>>>>> more information.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> bind-users mailing list
>>>>>>>>>> bind-users at lists.isc.org
>>>>>>>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>>>>>>>
>>>>>>>>>
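The thread turns on one bit of the DNS header: the RD (recursion desired) flag that a stub client or an AD domain controller sets when it forwards, and that a resolver such as BIND clears when it walks the tree from the roots itself. The following is an added example, not code from the thread, from ISC or from BIND: it builds the three separate query messages Greg describes (laptop to DC, DC to BIND, BIND to a root server) with plain `struct`, decodes the header flags of a response, and can optionally send a query to a live server. The names, message IDs and the two response headers are constructed for illustration; no forwarder or root address from the thread is assumed.

```python
"""Build and decode DNS message headers (RFC 1035 section 4.1.1) to see the
RD bit that separates recursive from non-recursive (iterative) queries.
Added example for the bind-users thread above; names and response bytes are
constructed here and are not taken from any real server."""
import random
import socket
import struct
from typing import Optional

# Flag bits of the 16-bit flags word: QR(15) Opcode(11-14) AA(10) TC(9) RD(8) RA(7) Z(4-6) RCODE(0-3)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, rd: bool = True,
                msg_id: Optional[int] = None) -> bytes:
    """One question, class IN. rd=True is what a stub client or a forwarding
    DC sends; rd=False is what a resolver sends to authoritative servers."""
    if msg_id is None:
        # Unpredictable ID: one of the defences against off-path spoofed answers.
        msg_id = random.SystemRandom().randrange(0x10000)
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def describe(msg: bytes) -> str:
    """Classify a message the way you would when reading a tcpdump capture."""
    h = parse_header(msg)
    if not h["qr"]:
        return "recursive query" if h["rd"] else "non-recursive (iterative) query"
    kind = "authoritative" if h["aa"] else "non-authoritative"
    return f"{kind} response, RA={'yes' if h['ra'] else 'no'}, RCODE={h['rcode']}"


# The three separate conversations, as the headers would look on the wire.
CLIENT_TO_DC = build_query("www.google.it", rd=True, msg_id=0x1001)   # laptop -> AD DNS
DC_TO_BIND = build_query("www.google.it", rd=True, msg_id=0x2002)     # DC forwards, still RD=1
BIND_TO_ROOT = build_query("www.google.it", rd=False, msg_id=0x3003)  # BIND -> root, RD=0

# Constructed response headers (header only; no answer records are encoded).
# A recursive server echoes RD and sets RA; a root server returns a referral
# (NS + glue records, no answer) and never sets RA because it does not recurse.
RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x2002, QR | RD | RA, 1, 1, 0, 0)
ROOT_REFERRAL = struct.pack("!HHHHHH", 0x3003, QR, 1, 0, 13, 26)


def send_query(server: str, name: str, rd: bool, timeout: float = 3.0) -> dict:
    """Live check (not run here): send one UDP query and decode the response
    header, e.g. send_query('127.0.0.1', 'www.google.it', rd=True) on the
    BIND host. The reply's ID must match and QR must be set."""
    q = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    h = parse_header(data)
    if h["id"] != parse_header(q)["id"] or not h["qr"]:
        raise ValueError("response does not match the query")
    return h


if __name__ == "__main__":
    for label, msg in [("client->DC", CLIENT_TO_DC), ("DC->BIND", DC_TO_BIND),
                       ("BIND->root", BIND_TO_ROOT), ("resolver reply", RESOLVER_RESPONSE),
                       ("root referral", ROOT_REFERRAL)]:
        print(f"{label:15} {describe(msg)}")
```

Reading a capture from the `tcpdump` command given earlier in the thread, the same distinction shows up as `A?` queries with and without the `+` (RD) marker: queries arriving at BIND from the DCs carry RD, queries BIND sends out to the roots and other authoritative servers do not, and a root's answer is a referral rather than a final answer. `send_query` is kept separate so the rest runs offline.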