<div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020 at 10:34 AM Tim Daneliuk <<a href="mailto:tundra@tundraware.com">tundra@tundraware.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 4/17/20 7:26 AM, Bob Harold wrote:<br>
> <br>
> On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <<a href="mailto:tundra@tundraware.com" target="_blank">tundra@tundraware.com</a> <mailto:<a href="mailto:tundra@tundraware.com" target="_blank">tundra@tundraware.com</a>>> wrote:<br>
> <br>
> We have split horizon setup and enable our internal and trusted hosts<br>
> to do things as follows:<br>
> <br>
> allow-recursion { trustedhosts; };<br>
> allow-transfer { trustedhosts; };<br>
> <br>
> 'trustedhosts' includes a number of public facing IPs as well as the<br>
> 192.168.0/24 CIDR block. It also includes the IPs of the Master and<br>
> Slave bind servers.<br>
> <br>
> So here's the part that has me wondering. If I do a reverse lookup of<br>
> an IP, it works as expected _except_ if I do it on either the Master<br>
> or Slave machines. Not only will they not look up reverses on our<br>
> own IPs, they won't do it for ANY IP, and return the warning:<br>
> <br>
> WARNING: recursion requested but not available<br>
> <br>
> This is replicable with 9.14 or 9.16 (or was until today's assert borkage)<br>
> running on FreeBSD 11.3-STABLE. Master is on a cloud server, Slave is<br>
> on a physical machine. Neither instance is jailed.<br>
> <br>
> Ideas?<br>
> <br>
> -- <br>
> ----------------------------------------------------------------------------<br>
> Tim Daneliuk <a href="mailto:tundra@tundraware.com" target="_blank">tundra@tundraware.com</a> <mailto:<a href="mailto:tundra@tundraware.com" target="_blank">tundra@tundraware.com</a>><br>
> PGP Key: <a href="http://www.tundraware.com/PGP/" rel="noreferrer" target="_blank">http://www.tundraware.com/PGP/</a><br>
> <br>
> <br>
> Is 127.0.0.1 in the 'trustedhosts' list?<br>
<br>
Yes<br>
<br>
> Are you telling 'dig' what server to use - dig @127.0.0.1<br>
<br>
No. But when I do, it works properly. Doesn't dig default to localhost (in this case the host running bind)?<br>
<br>
> What servers are listed in /etc/resolv.conf? Do they resolve the reverse zones?<br>
<br>
There is no resolv.conf on these machines. They are the ones running the nameservers.<br>
<br>
> Are local queries hitting the right 'view' (if you have multiple views) ?<br>
<br>
Yes, IF I explicitly point dig to the right nameserver.<br>
<br>
<br>
So ... what's going on is that dig appears to not be using localhost first to resolve reverses.<br><br></blockquote><div><br></div><div>Agree, that's odd, and not what the man page says. Any chance that there is some other DNS helper running, like resolved, nscd, dnsmasq, etc?</div><div>'dig' should tell you what address it used, at the bottom of the output - what does it say?</div><div><br></div><div>-- </div><div>Bob Harold</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> <br>
> -- <br>
> Bob Harold<br>
> <br>
<br>
<br>
-- <br>
----------------------------------------------------------------------------<br>
Tim Daneliuk <a href="mailto:tundra@tundraware.com" target="_blank">tundra@tundraware.com</a><br>
PGP Key: <a href="http://www.tundraware.com/PGP/" rel="noreferrer" target="_blank">http://www.tundraware.com/PGP/</a><br>
</blockquote></div></div>
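Bob's suggestion above is to read the ";; SERVER:" line at the bottom of dig's output, and the symptom Tim reports is the "recursion requested but not available" warning. The script below, which is an added example and not part of the thread, pulls those two facts out of a dig transcript: which address dig actually sent the query to, and whether the server set the "ra" (recursion available) flag in its reply. The two transcripts embedded in it are constructed samples, not output from the servers discussed; the 192.0.2.53 address is documentation space and stands in for whatever address the SERVER line really shows. When the reported address is not one the allow-recursion ACL covers (for instance ::1 where only 127.0.0.1 is listed, or a public interface address instead of loopback), that is the mismatch to fix in the ACL.

```shell
#!/bin/sh
# Diagnose "recursion requested but not available" from a dig transcript.
# Constructed sample: what a client outside allow-recursion sees.
SAMPLE_DENIED=';; WARNING: recursion requested but not available
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1234
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.0.2.53#53(192.0.2.53)'

# Constructed sample: a client that the ACL permits (note the "ra" flag).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 3600 IN PTR host.example.internal.
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Print the address dig sent the query to, taken from the ";; SERVER:" line.
# Reads a dig transcript on stdin.
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Succeed (exit 0) when the reply's flags line carries "ra", i.e. the server
# was willing to recurse for this client; fail (exit 1) otherwise.
recursion_available() {
    grep -q '^;; flags:.* ra[ ;]'
}

# Combine both checks into a one-line verdict naming the server used, so the
# address can be compared against the allow-recursion ACL.
diagnose() {
    out=$(cat)
    srv=$(printf '%s\n' "$out" | dig_server)
    if printf '%s\n' "$out" | recursion_available; then
        echo "ok $srv granted recursion"
    else
        echo "denied $srv refused recursion; confirm this client address is in allow-recursion"
    fi
}

# Stand-alone demonstration on the two constructed transcripts; in practice
# pipe a real run in, e.g.  dig -x 192.168.0.1 | sh thisscript.sh
printf '%s\n' "$SAMPLE_DENIED" | diagnose
printf '%s\n' "$SAMPLE_OK" | diagnose
```

To use it against a live server, pipe the output of `dig -x <address>` into `diagnose`; a "denied" verdict together with a SERVER address you did not expect points at the ACL rather than at the zone data.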