<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>This is public response for the name from my connection:</p>
<p>$ dig x.bd.bcebos.com. <br>
<br>
; <<>> DiG 9.18.13 <<>> x.bd.bcebos.com.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
11566<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL:
1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
;; QUESTION SECTION:<br>
;x.bd.bcebos.com. IN A<br>
<br>
;; ANSWER SECTION:<br>
x.bd.bcebos.com. 360 IN CNAME bd.bcebos.com.<br>
bd.bcebos.com. 360 IN CNAME
bos.bd.baidubce.n.shifen.com.<br>
bos.bd.baidubce.n.shifen.com. 60 IN A 110.242.70.8<br>
</p>
<p>Now if you override just the <span style=" ; ; ; ; ; ; ; ; ; ;
; ; ; ">zone "x.bd.bcebos.com.", it asks in the forwarder. But
because the forwarder answers with name leading outside of its
own zone, named will create separate query to </span>bd.bcebos.com.
Unless that has own forward zone definition for it, it uses global
forwarders or iteration from root hints.<br>
</p>
<p>$ dig ns bd.bcebos.com.<br>
<br>
; <<>> DiG 9.18.13 <<>> ns bd.bcebos.com.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
54957<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL:
1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1220<br>
; COOKIE: cae27b6bb14ffd9815d2855f642c0f8300482e9548e4bf0a (good)<br>
;; QUESTION SECTION:<br>
;bd.bcebos.com. IN NS<br>
<br>
;; ANSWER SECTION:<br>
bd.bcebos.com. 57 IN CNAME
bos.bd.baidubce.n.shifen.com.<br>
<br>
;; AUTHORITY SECTION:<br>
n.shifen.com. 206 IN SOA ns1.n.shifen.com.
baidu_dns_master.baidu.com. 2304040275 5 5 2592000 3600<br>
</p>
<p>This is some black magic, because SOA is not inside names we
asked.</p>
<p>$ dig +norec @ns1.n.shifen.com. bd.bcebos.com.<br>
<br>
; <<>> DiG 9.18.13 <<>> +norec
@ns1.n.shifen.com. bd.bcebos.com.<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:
6168<br>
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 1232<br>
; COOKIE: ce297c8717115be001000000642c1022251028e6f44a59cc (good)<br>
;; QUESTION SECTION:<br>
;bd.bcebos.com. IN A<br>
<br>
;; Query time: 201 msec<br>
;; SERVER: 110.242.68.39#53(ns1.n.shifen.com.) (UDP)<br>
;; WHEN: Tue Apr 04 13:55:14 CEST 2023<br>
;; MSG SIZE rcvd: 70<br>
</p>
<p>It does not allow me to even ask. So those chains are quite
strange. In any case, bind will *NOT* blindly accept any names
from forwarders for foreign zones. Its CNAME target leads outside
its defined zone, it will always fetch it using separate zone
fetches. So it will try asking bd.bcebos.com. and
bos.bd.baidubce.n.shifen.com. nameservers and only their response
is offered to end user. If there is a way to make bind trust those
responses, I don't know about it. I think it is considered bad
practice.</p>
<p>If the forwarder offers custom view, it should not override it
using CNAMEs. It should just set it different addresses directly.
This looks like not small private view to public records. I do not
think it can work like you are trying to do. Either you will have
zone not pointing to other zones, or you have to forward them all.
BIND won't take into account in response to what name this
response arrived. It won't let server of unrelated zones to insert
cache records for other names. It does it to protect you from
spoofing. dnsmasq will let you do that, because it does not have
proper iteration capabilities. Use that if you need such split
view. I doubt unbound, powerdns or any good recursive DNS will
allow what you are trying to do. BIND9 included.<br>
</p>
<div class="moz-cite-prefix">On 04. 04. 23 12:58, ltns wrote:<br>
</div>
<blockquote type="cite"
cite="mid:tencent_22EA854B3DDB8CEEEEBBE8C89493BC48950A@qq.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div><span style="font-size: medium;">i am very very sorry ,</span></div>
<div><span style="font-size: medium;"><b>the zone info of first
mail -> </b></span><span style="font-size: inherit;"><b>zone
"bd.baidubce.com."</b> i write wrong;</span></div>
<div><span style="font-size: inherit;">the wright is </span><b> zone
"x.bd.bcebos.com."</b></div>
<div style="position: relative;">
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
">please just see this mail, </span></div>
<div><br>
</div>
<div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji"> when i use bind-9.11 for my
interdns deviceip is 10.1.1.1, </font><span style=" ; ; ;
; ; ; ; ; ; ; ; ; ; ">i config</span></div>
<div style=""><span style=" ; ; ; ; ; ; ; ; ; ; ; ; ; "> zone
"x.bd.bcebos.com."</span></div>
<div style=""><span style=" ; ; ; ; ; ; ; ; ; ; ; ; ; "> in {
type forward ; forward only; forwarders { 10.10.10.10; };
};</span></div>
<div style=""><br>
</div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji"> 1,when i dig @10.1.1.1
x.bd.bcebos.com.</font></div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji"> 2,10.10.10.10 return record
"CNAME bd.bcebos.com., </font><span style="font-family:
-apple-system, BlinkMacSystemFont, "Segoe UI",
Roboto, "Noto Sans", Ubuntu, Cantarell,
"Helvetica Neue", sans-serif, "Apple Color
Emoji", "Segoe UI Emoji", "Segoe UI
Symbol", "Noto Color Emoji";">bd.bcebos.com. </span><font
face="-apple-system, BlinkMacSystemFont, Segoe UI, Roboto,
Noto Sans, Ubuntu, Cantarell, Helvetica Neue, sans-serif,
Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Noto
Color Emoji">A 100.67.96.26, A </font>100.67.96.27" to
device10.1.1.1</div>
</div>
</div>
</blockquote>
<font face="-apple-system, BlinkMacSystemFont, Segoe UI, Roboto,
Noto Sans, Ubuntu, Cantarell, Helvetica Neue, sans-serif, Apple
Color Emoji, Segoe UI Emoji, Segoe UI Symbol, Noto Color Emoji">dig
@10.1.1.1 </font><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica Neue,
sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe UI Symbol,
Noto Color Emoji">bd.bcebos.com. gives what response? That one you
should receive.</font><font face="-apple-system,
BlinkMacSystemFont, Segoe UI, Roboto, Noto Sans, Ubuntu,
Cantarell, Helvetica Neue, sans-serif, Apple Color Emoji, Segoe UI
Emoji, Segoe UI Symbol, Noto Color Emoji"></font> <span style="
; ; ; ; ; ; ; ; ; ; ; ; ; ">zone "x.bd.bcebos.com." role ended
when cname target is not under </span><span style=" ; ; ; ; ; ; ;
; ; ; ; ; ; ">x.bd.bcebos.com.</span><span style=" ; ; ; ; ; ; ; ;
; ; ; ; ; "></span>
<blockquote type="cite"
cite="mid:tencent_22EA854B3DDB8CEEEEBBE8C89493BC48950A@qq.com">
<div style="position: relative;">
<div>
<div style=""><span style=" ; ; ; ; ; ; ; ; ; ; ; ; ; "> 3,but
device10.1.1.1 not return A 100.67.96.26, A 100.67.96.27
to me</span></div>
<div style=""><span style=" ; ; ; ; ; ; ; ; ; ; ; ; ; "> 4,device10.1.1.1
go to qurey bd.bcebos.com. recursive itself, and get </span><span
style=" ; ; ; ; ; ; ; ; ; ; ; ; ; ">another record
110.242.70.8</span></div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji"><br>
</font></div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji"> i have questions</font></div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji">1,why config is forward only,
bind get CNAME & A records from forwarders, but bind
do not </font><span style=" ; ; ; ; ; ; ; ; ; ; ; ; ; ">return
A record to me?and query cname domain recursive again
itself?</span></div>
<div style=""><font face="-apple-system, BlinkMacSystemFont,
Segoe UI, Roboto, Noto Sans, Ubuntu, Cantarell, Helvetica
Neue, sans-serif, Apple Color Emoji, Segoe UI Emoji, Segoe
UI Symbol, Noto Color Emoji"> thanks</font></div>
</div>
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
"><br>
</span></div>
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
"><br>
</span></div>
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
"><br>
</span></div>
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
"><br>
</span></div>
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
"><br>
</span></div>
<div><span style=" font-size: inherit; ; ; ; ; ; ; ; ; ; ; ; ; ;
"><br>
</span></div>
<div style="position: relative;"><br>
Message: 3<br>
Date: Tue, 4 Apr 2023 12:05:04 +0200<br>
From: Petr Men??k <a class="moz-txt-link-rfc2396E" href="mailto:pemensik@redhat.com"><pemensik@redhat.com></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Subject: Re: BIND | Cname chain resolution using forward (
CNAME&A<br>
returned but no use A) (#3995)<br>
Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:e54b9e63-f17c-ac84-eb58-3ee4cfd88550@redhat.com"><e54b9e63-f17c-ac84-eb58-3ee4cfd88550@redhat.com></a><br>
Content-Type: text/plain; charset="utf-8"; Format="flowed"<br>
<br>
That is because forwarder is supposed to handle only zone <br>
"bd.baidubce.com.", but addresses response is from
bd.bcebos.com zone. <br>
Therefore it queries contents of that according to global
forwarders or <br>
iteratively. BIND9 attempts to deliver the most authoritative
answer it <br>
can, so it ignores hints from server not authoritative for it.
I do not <br>
know a way to disable such behavior. Dns caches such as
dnsmasq would <br>
forward the reply as it is, but bind uses zones with
authoritative <br>
servers preferred. It does so to prevent unrelated servers
pushing <br>
invalid answers into your cache.<br>
<br>
Workaround might be to forward also bd.bcebos.com. zone to the
same <br>
server. Can you share why should it return different addresses
than the <br>
authoritative servers offers?<br>
<br>
I think if you need to override some addresses, RPZ might help
you. At <br>
least you would have a list of rules where the answer is
modified. I <br>
think most proper servers do it this way without ability to
change the <br>
behavior.<br>
<br>
Just my 2 cents.<br>
<br>
Regards,<br>
Petr<br>
<br>
On 04. 04. 23 8:08, Yang via bind-users wrote:<br>
><br>
> hi?bind admin,<br>
><br>
> ?when i use bind-9.11 for my interdns? deviceip is
10.1.1.1,<br>
><br>
> i config<br>
><br>
> zone "bd.baidubce.com."<br>
><br>
> ?in?{ type forward ; forward only; forwarders {
10.10.10.10; }; };<br>
><br>
><br>
> 1?when i dig @10.1.1.1 x.bd.bcebos.com.<br>
><br>
> 2?10.10.10.10 return record "CNAME bd.bcebos.com., A
100.67.96.26, A <br>
> 100.67.96.27" to device10.1.1.1<br>
><br>
> 3?but device10.1.1.1 not return A 100.67.96.26, A
100.67.96.27 to me<br>
><br>
> 4?device10.1.1.1 go to qurey bd.bcebos.com. recursive
itself?and get <br>
> another record 110.242.70.8<br>
><br>
> i have questions<br>
><br>
> 1?why config is forward only? but bind get CNAME &
A?bind do not <br>
> return A to me?and query cname again itself?<br>
><br>
> ?thanks<br>
><br>
><br>
-- <br>
Petr Men??k<br>
Software Engineer, RHEL<br>
Red Hat,<a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a><br>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL:
<a class="moz-txt-link-rfc2396E" href="https://lists.isc.org/pipermail/bind-users/attachments/20230404/42996e1b/attachment.htm"><https://lists.isc.org/pipermail/bind-users/attachments/20230404/42996e1b/attachment.htm></a><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
ISC funds the development of this software with paid support
subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for
more information.<br>
<br>
bind-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of bind-users Digest, Vol 4219, Issue 1<br>
*******************************************</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
</body>
</html>