
Bind not forwarding all requests


Romgo

Dec 7, 2012, 12:05:22 PM
to bind-...@lists.isc.org
Hello,

I am currently running two bind9 servers on Debian Squeeze.
 1:9.7.3.dfsg-1~squeeze8

Server 1 is an internal DNS server and serves some local zones. This server should forward all unknown requests to our public DNS server. So I configured this server as follows:
/etc/bind/named.conf.options

  forward only;
  forwarders {
    ip_server_2;
  };


The second server is allowed to make DNS requests on the internet, so there is no forwarder configured.

The issue is that I see on my firewall that server1 is trying to make DNS requests to the DNS root servers.

Any idea why I have this issue? Wrong configuration?

Regards,


Ben Croswell

Dec 7, 2012, 12:10:52 PM
to Romgo, bind-...@lists.isc.org

It is probably related to forward first versus forward only. Forward first is default but will fall back to no forwarding if the forwarders fail.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Romgo

Dec 7, 2012, 1:20:43 PM
to Ben Croswell, bind-...@lists.isc.org
Yes, that was my first idea after reading the documentation.
But as my configuration is clearly using forward only, I don't understand.

Could this be a bug?

Romgo

Dec 9, 2012, 7:32:49 AM
to bind-...@lists.isc.org
Hello,

Yes, I have a db.root file which contains the root servers.
/etc/resolv.conf is configured to ask itself.

Forward is not configured at zone level; it is specified in named.conf.options
in an options{} block, so I guess this should apply to all zones if not specified at the zone level.

Here is my conf for the root zone:

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};


Should I try to force forwarders in zone "."?



On 8 December 2012 00:26, Leonard Mills <le...@yahoo.com> wrote:

Which zone(s) have that forward clause? To do what I think you want to do, the zone should be the root (dot and only the dot in the zone name).

Your named will use the builtin roots for any non-local lookups. Forwarding "." will send all non-local traffic to your edge daemon.

Len

From: Romgo <ro...@free.fr>
To: bind-...@lists.isc.org
Sent: Friday, December 7, 2012 9:05 AM
Subject: Bind not forwarding all requests

Romgo

Dec 10, 2012, 5:52:08 AM
to bind-...@lists.isc.org
Hello all,

I tried to add the forwarders in the root zone:

/etc/bind/named.conf:9: option 'forward' is not allowed in 'hint' zone '.'
/etc/bind/named.conf:10: option 'forwarders' is not allowed in 'hint' zone '.'

So I really don't understand the behaviour...

Is there a bug tracker for Bind?

Regards

Romgo

Dec 10, 2012, 6:36:10 AM
to Romgo, bind-...@lists.isc.org
Hello,

I found the issue:

I had 2 old zones with forwarders configured, and those forwarders were down.
One piece of equipment was still using one of those zones, so bind wasn't able to contact the forwarders and fell back to the root zone.

I don't really know why it tries the root zone, but since I deleted those old zones I don't have any new queries to the root zone.

According to what I read about "forward only":

"it doesn't try to contact other name servers to find information if the forwarders don't give it an answer."

I had exactly the opposite behaviour.

Thank you for the help !

WBr...@e1b.org

Dec 10, 2012, 8:26:01 AM
to Romgo, bind-users-bounc...@lists.isc.org, bind-...@lists.isc.org
Romgo wrote on 12/10/2012 06:36:10 AM:

> I had 2 old zones with forwarders configured, and those forwarders were down.
> One piece of equipment was still using one of those zones, so bind wasn't able
> to contact the forwarders and fell back to the root zone.
>
> I don't really know why it tries the root zone, but since I deleted those old
> zones I don't have any new queries to the root zone.
>
> According to what I read about "forward only":
>
> "it doesn't try to contact other name servers to find information if
> the forwarders don't give it an answer."
>
> I had exactly the opposite behaviour.

Actually, it was operating as designed. The zones with forwarders defined
were overriding the global option to forward only.

Try taking down (or block access to) the target of your forward only
statement and see if you get any resolution. Everything that you are not
authoritative for should fail.
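As an added example (not code from this thread or from BIND), the following Python audit applies the rule given in the reply above to a named.conf-style text: a zone carrying its own forwarders list replaces the global one, and a zone that does not itself say forward only is assumed to get BIND's default of forward first, so it can recurse to the root hints when its forwarders are unreachable. The sample configuration and its 192.0.2.x addresses are constructed.

```python
# Added example, not BIND's own code: flag zones whose own forwarders list
# overrides a global "forward only" and can therefore fall back to root hints.
import re
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)  # C-style comments
    return re.sub(r'(//|#)[^\n]*', ' ', text)          # line comments

def parse(text):
    """Parse named.conf text into (keyword, args, body) triples; body is a nested list or None."""
    tokens, pos = TOKEN.findall(strip_comments(text)), 0
    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != '}':
            words = []
            while tokens[pos] not in ('{', ';'):
                words.append(tokens[pos].strip('"'))
                pos += 1
            body = None
            if tokens[pos] == '{':
                pos += 1
                body = block()
                pos += 1                      # consume the closing '}'
            pos += 1                          # consume the ';'
            stmts.append((words[0], words[1:], body))
        return stmts
    return block()

def audit(text):
    """Return {zone: effective policy} for zones with their own forwarders but no 'forward only'."""
    stmts = parse(text)
    options = next((b for k, _, b in stmts if k == "options"), [])
    global_policy = next((a[0] for k, a, _ in options if k == "forward"), "first")
    risky = {}
    for kw, args, body in stmts:
        if kw != "zone" or not any(k == "forwarders" for k, _, _ in body):
            continue                          # inherits global forwarders and policy
        # assumed BIND rule: zone-level forwarders without 'forward' means 'first'
        policy = next((a[0] for k, a, _ in body if k == "forward"), "first")
        if global_policy == "only" and policy != "only":
            risky[args[0]] = policy
    return risky

# Constructed sample mirroring the thread (192.0.2.0/24 documentation addresses).
SAMPLE = """
options { forward only; forwarders { 192.0.2.53; }; };   // ip_server_2
zone "old.example" { type forward; forwarders { 192.0.2.99; }; };
zone "old2.example" { type forward; forward only; forwarders { 192.0.2.99; }; };
"""
```

Running `audit(SAMPLE)` reports only old.example, which is the shape of the stale zone found in the thread; old2.example is fine because it repeats forward only at zone level.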


