Forward first showing odd behavior BIND 9.11.36-RedHat-9.11.36-16.el8_10.4 (Extended Support Version) <id:68dbd5b>

Petr Menšík pemensik at redhat.com
Fri Nov 7 19:24:47 UTC 2025


Just out of curiosity, is there any specific reason why you use 
dnssec-enable no; in this configuration? It prevents DNSSEC validation 
by any client of this machine. I suggest changing it to yes. Disabled 
validation is enough.


I have seen empty /dev/null hints used by my tester. It should mean it 
will do forward only anyway, because it does not use built-in or 
explicitly provided root hints. Maybe with extra logged errors in 
addition. Choose what you want. If you delete the hints definition, the 
built-in one would be used. But an empty hints file means no root servers. 
That does not make sense with forward first;


edns-udp-size 4096 is not recommended, unless you know very well why you 
have it there.


On 05/09/2025 20:30, Reynolds, David wrote:
>
> Greetings all,
>
> I stumbled across an oddity in BIND that may be due to my ignorance or 
> some other environmental factor.
>
> We have a pair of caching resolvers in a datacenter that ended up with 
> the following in the configuration:
>
>         forwarders {
>                 // Cloudflare
>                 1.1.1.1;
>                 1.0.0.1;
>                 // Quad9
>                 9.9.9.9;
>                 149.112.112.112;
>                 // Cisco OpenDNS
>                 208.67.222.222;
>                 208.67.220.220;
>         };
>         forward first;
>         dnssec-enable no;
>         dnssec-validation no;
>         empty-zones-enable no;
> };
>
> zone "." IN {
>         type hint;
>         file "/dev/null";
> };
>
>
> In this configuration, the forward always fails.  Not only does it 
> fail, we see no traffic leaving the server (tcpdump port 53)!
>
> And since we don’t want these following the full recursion out to the 
> internet, root hints are intentionally disabled (we’re hoping for at 
> least some data hygiene by using these specific forwarders).
>
> Setting it to ‘forward only’ resolved the issue.
>
> Do I have something misconfigured?
>
> More detail of named.conf (removed logging and internal zones):
>
> options {
>         listen-on port 53 {
>                 any;
>         };
>         directory       "/var/named";
>         dump-file       "/opt/named/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         recursing-file  "/var/named/data/named.recursing";
>         secroots-file   "/var/named/data/named.secroots";
>         allow-query     { any; };
>         querylog yes;
>         recursion yes;
>         recursive-clients 50000;
>         tcp-clients 50000;
>         edns-udp-size 4096;
>         max-udp-size 4096;
>         bindkeys-file "/etc/named.root.key";
>         managed-keys-directory "/var/named/dynamic";
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>         forwarders {
>                 1.1.1.1;
>                 1.0.0.1;
>                 9.9.9.9;
>                 149.112.112.112;
>                 208.67.222.222;
>                 208.67.220.220;
>         };
>         forward first;
>         dnssec-enable no;
>         dnssec-validation no;
>         empty-zones-enable no;
> };
>
> zone "." IN {
>         type hint;
>         file "/dev/null";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> OS details:
> # cat /etc/*release
> NAME="Red Hat Enterprise Linux"
> VERSION="8.10 (Ootpa)"
> ID="rhel"
> ID_LIKE="fedora"
> VERSION_ID="8.10"
> PLATFORM_ID="platform:el8"
> PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
> HOME_URL=https://www.redhat.com/
> DOCUMENTATION_URL=https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8
> BUG_REPORT_URL=https://issues.redhat.com/
> REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
> REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
> REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
> REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
> Red Hat Enterprise Linux release 8.10 (Ootpa)
> Red Hat Enterprise Linux release 8.10 (Ootpa)
>
> BIND details:
>
> BIND 9.11.36-RedHat-9.11.36-16.el8_10.4 (Extended Support Version) 
> <id:68dbd5b>
> running on Linux x86_64 4.18.0-553.56.1.el8_10.x86_64 #1 SMP Mon Jun 2 
> 12:33:13 EDT 2025
> built by make with '--build=x86_64-redhat-linux-gnu' 
> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' 
> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' 
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
> '--datadir=/usr/share' '--includedir=/usr/include' 
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
> '--infodir=/usr/share/info' 
> '--with-python=/usr/libexec/platform-python' '--with-libtool' 
> '--localstatedir=/var' '--enable-threads' '--enable-ipv6' 
> '--enable-filter-aaaa' '--with-pic' '--disable-static' 
> '--includedir=/usr/include/bind9' '--with-tuning=large' 
> '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' 
> '--enable-native-pkcs11' 
> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' 
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' 
> '--disable-isc-spnego' '--with-lmdb=no' '--with-libjson' 
> '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' 
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall 
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
> -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong 
> -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 
> 'LDFLAGS=-Wl,-z,relro -Wl,-z,now 
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= 
> -DDIG_SIGCHASE' 
> 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-23)
> compiled with OpenSSL version: OpenSSL 1.1.1k  FIPS 25 Mar 2021
> linked to OpenSSL version: OpenSSL 1.1.1k  FIPS 25 Mar 2021
> compiled with libxml2 version: 2.9.7
> linked to libxml2 version: 20907
> compiled with libjson-c version: 0.13.1
> linked to libjson-c version: 0.13.1
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> linked to maxminddb version: 1.2.0
> compiled with protobuf-c version: 1.3.0
> linked to protobuf-c version: 1.3.0
> threads support is enabled
>
> default paths:
>   named configuration:  /etc/named.conf
>   rndc configuration:   /etc/rndc.conf
>   DNSSEC root key:      /etc/bind.keys
>   nsupdate session key: /var/run/named/session.key
>   named PID file:       /var/run/named/named.pid
>   named lock file:      /var/run/named/named.lock
>   geoip-directory:      /usr/share/GeoIP
>
> David Reynolds
> Epiq | Linux Support
> Portland, OR 97227
> Mobile: 503 457-2262
> Email: dreynolds at epiqglobal.com
> People. Partnership. Performance.
> www.epiqglobal.com
>
-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
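As an added example (not part of the thread and not BIND's own code), a small Python lint that flags in a named.conf the three points raised in the reply above: forward first combined with an empty /dev/null hints file, dnssec-enable no, and an explicit edns-udp-size. The sample configuration is constructed from the quoted named.conf; the parser is deliberately simple (comment stripping plus brace counting) and assumes one statement per line.

```python
import re
# Constructed sample, condensed from the named.conf quoted in the thread.
SAMPLE_CONF = """
options {
    edns-udp-size 4096;
    forwarders { 1.1.1.1; 1.0.0.1; 9.9.9.9; 149.112.112.112; };
    forward first;
    dnssec-enable no;
};
zone "." IN {
    type hint;
    file "/dev/null";   // empty hints file: no root servers to fall back to
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments before parsing."""
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def block(conf, header_re):
    """Body of the first statement matching header_re, found by brace depth."""
    m = re.search(header_re + r"\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return ""

def option(blk, name):
    """Value of a simple `name value;` statement, surrounding quotes removed."""
    m = re.search(r"(?m)^\s*%s\s+([^;{]+);" % re.escape(name), blk)
    return m.group(1).strip().strip('"') if m else None

def lint(conf):
    """Return the points raised in the reply above as short finding tags."""
    conf = strip_comments(conf)
    opts = block(conf, r"\boptions")
    root = block(conf, r'\bzone\s+"\."(?:\s+IN)?')
    findings = []
    if (option(opts, "forward") == "first" and option(root, "type") == "hint"
            and option(root, "file") == "/dev/null"):
        findings.append("forward-first-without-root-hints")  # nothing to fall back to
    if option(opts, "dnssec-enable") == "no":   # blocks validation by downstream clients
        findings.append("dnssec-enable-no")
    if option(opts, "edns-udp-size") is not None:   # pinned without a clear reason
        findings.append("edns-udp-size-overridden")
    return findings
```

Switching the sample to forward only clears the first finding, which matches what the original poster observed; the other two go away once dnssec-enable is set to yes and the edns-udp-size line is dropped.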