type forward with no recursive flag "rd -" --> Does it work?

Mark Andrews marka at isc.org
Thu Oct 30 11:23:45 UTC 2014


In message <C84E9BC18F8D074983FE0DCB8525DB2B33159033 at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
> I do agree with you regarding the security perspective. I've tried both
> scenarios you describe.
> The "slaving" part throwing me error in bind, and today we only have
> 5000 clients in dns "windns.mycompany.se" within a year we'll have
> ~15000 dynamic clients.
> That is why I'm looking for another solution not being a "slave".
>
> This is a snippet from the logfile in bind:
> Sep 16 13:06:37 scopus named[10172]: error: transfer of
> 'windns.mycompany.se/IN/internal' from 1.1.2.2#53: failed while
> receiving responses: not exact

Use exactly one address in the masters clause to avoid this.  MSDNS
doesn't maintain the SOA serial <-> zone contents mapping.

> My biggest concern is how this will scale, maybe I can ignore the error?

named will for an AXFR to recover.

> In a perfect world I would take care of the windows clients native in
> bind, but this is not a perfect world this is a university :-)
>
> Brgd
> Fredrik
>
> On 10/29/2014 08:51 PM, Mark Andrews wrote:
> > Firstly people over think DNS.  99.99% of times there is no need
> > to have an internal zone at all.  Hiding internal hostnames and
> > addresses has almost no security benefit at all.
> >
> > acl internal { .... };
> >
> > view internal {
> >     match-clients { internal; };
> >     zone mycompany.se  {  ... };
> > zone windns.mycompany.se  { type slave; masters { windows server }; ...};
> > };
> >
> > view external {
> >     match-clients { any; };
> >     zone mycompany.se  { .... };
> > zone windns.mycompany.se  { type master; file "windns.mycompany.se.db"; };
> > };
> >
> > Where windns.mycompany.se.db consists of SOA and NS records which match
> > those of mycompany.se.  It is an empty zone.
> >
> > @	SOA ...
> > @	NS ...
> > @	NS ...
> >
> > Or you can even do it without views
> >
> > acl internal { .... };
> > zone mycompany.se  { .... };
> > zone windns.mycompany.se  {
> >     type slave;
> >     masters { windows server };
> >     file "windns.mycompany.se.bk";
> >     allow-query { internal; };
> >     allow-transfer { internal; };
> > };
> >
> > In message <C84E9BC18F8D074983FE0DCB8525DB2B331578F6 at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
> >> Thanks Mark for rapid response,
> >> To have a working solution for both clients and resolvers with "type
> >> forward" statement, you also have to delegate and declare NS on the
> same
> >> tree level?
> >>
> >> Problem:
> >> I take advantage of split-dns having view "internal" and "external". Our
> >> zone "windns.mycompany.se" is strictly an internal matter, and only
> >> appears in view "internal". Zone mycompany.se is in the view "external",
> >> I don't like populating NS records to my internal zone
> >> "windns.mycompany.se"!
> >>
> >> I don't know if there is an internal client or internal resolver asking my
> >> DNS questions, I can only see if the RD bit is set or not and if the
> >> query is from "my trusted network" (view "internal").
> >>
> >> Regards
> >> Fredrik
> >>
> >> On 10/27/2014 09:21 PM, Mark Andrews wrote:
> >>
> >>
> >> Just delegate windns.mycompany.se.  Add something like this to
> >> mycompany.se.
> >>
> >>         windns.mycompany.se NS nameserver
> >>         windns.mycompany.se NS nameserver
> >>
> >> As to the answer to your question, no.   Forward zones redirect
> >> recursive queries from the nameserver.
> >>
> >> Mark
> >>
> >> In message <C84E9BC18F8D074983FE0DCB8525DB2B331522BC at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
> >>
> >>
> >> Hi,
> >> When having one zone "windns.mycompany.se" hosted and handled by
> >> another nameserver (Windows AD) declared as:
> >> zone "windns.mycompany.se" {
> >>         type forward;
> >>         forward only;
> >>         forwarders {10.0.0.1; 10.0.0.2;};
> >> };
> >>
> >> Rest of the zones exist on our primary BIND dns caching nameserver.
> >>
> >> Client looking for "windns.mycompany.se" will have an answer because the
> >> recursive flag rd (+) is set and the query will be resolved via
> >> forwarders.
> >> When a resolver is looking for the same information, the resolver will send
> >> recursive rd (-), and the resolver will never get information regarding
> >> zone "windns.mycompany.se".
> >>
> >> Question:
> >> Shouldn't "Asking the forwarders" be prioritized before the "recursive
> >> rd (-)" flag is taken into consideration? Otherwise I can't see how a
> >> resolver ever will find information in the forward zone
> >> "windns.mycompany.se".
> >>
> >> Cheers
> >> Fredrik Lysén
> >>
> >> _______________________________________________
> >> bind-workers mailing list
> >> bind-workers at lists.isc.org<mailto:bind-workers at lists.isc.org>
> >> https://lists.isc.org/mailman/listinfo/bind-workers

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
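An added diagnostic for the RD-bit behaviour the thread turns on (my own code, not from the list or from BIND): it asks the BIND server the same question twice, once with RD set and once cleared, and classifies the reply header as authoritative (the slave/master arrangement), answered via forwarders (only reachable with RD=1), a referral (the delegation Mark suggests), NXDOMAIN or empty. The server address 192.0.2.53, the transaction id and the classification labels are my placeholders.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
TXID = 0x1234  # fixed id is fine for a one-shot diagnostic probe

def build_query(name, rd, qtype=1, txid=TXID):
    """Wire-format query for name (A record by default); rd selects the RD bit."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(msg):
    """Flag bits and section counts from the 12-byte DNS message header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "an": an, "ns": ns}

def classify(hdr):
    """Map a reply header to the outcomes the thread discusses (labels are mine)."""
    if hdr["rcode"] == 3:
        return "nxdomain"        # server knows the parent zone, not the name
    if hdr["aa"]:
        return "authoritative"   # slave/master copy: answers RD=0 queries too
    if hdr["an"] > 0:
        return "via-forwarders"  # recursed for us: needs RD=1 on the query
    if hdr["ns"] > 0:
        return "referral"        # NS delegation present: an RD=0 resolver can follow it
    return "empty"               # nothing the server could give without recursing

def probe(server, name, rd, timeout=2.0):
    """Send one UDP query and classify the reply (network use; not unit-tested)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rd), (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != TXID or not hdr["qr"]:
        raise ValueError("reply id/QR mismatch")
    return classify(hdr)

if __name__ == "__main__":
    server = "192.0.2.53"  # placeholder: the BIND server holding the forward zone
    for rd in (True, False):
        print("RD=%d -> %s" % (rd, probe(server, "windns.mycompany.se", rd)))
```

A forward-only zone is expected to give "via-forwarders" for RD=1 and never "authoritative" for RD=0; once the zone is slaved or delegated, the RD=0 run should report "authoritative" or "referral".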

