
DNS resolver issue


Bhasker C V

Jan 24, 2022, 5:20:05 AM
Hi all,

Please could someone help me with what I am doing wrong?

I am running the example.local domain on my interface (192.168.2.1) (bind9).
The domain is resolving fine. However, I want to use the 1.1.1.1 public DNS server for looking up other domains (external domains).
Hence I have put both servers in /etc/resolv.conf:

```
nameserver 1.1.1.1
nameserver 192.168.2.1
search example.local
```

However, dig stops after it gets a null result from 1.1.1.1 and does not proceed to 192.168.2.1 to ask for server.example.local, i.e.:
```
$ dig server.example.local

; <<>> DiG 9.17.21-1-Debian <<>> server.example.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11268
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;server.example.local.          IN      A

;; AUTHORITY SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2022012400 1800 900 604800 86400

;; Query time: 103 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Jan 24 10:03:50 GMT 2022
;; MSG SIZE  rcvd: 124

```

WHEREAS if I switch the resolv.conf to have my DNS first (and then 1.1.1.1), the local resolution works but external resolution does not work:
```
nameserver 192.168.2.1
nameserver 1.1.1.1
search example.local
```

```
$ dig +short server.example.local
192.168.2.2
```

<other local domain on other servers does not work anymore>

Now, isn't the lookup supposed to fall back to the next server if the first one doesn't have an answer? How do multiple DNS server entries work in resolv.conf?
My nsswitch.conf is:

hosts:          files dns [NOTFOUND=merge]


Please help.

Regards
Bhasker




Reco

Jan 24, 2022, 6:10:11 AM
Hi.

On Mon, Jan 24, 2022 at 10:14:23AM +0000, Bhasker C V wrote:
> $ dig +short server.example.local
> 192.168.2.2

Just in case, using ".local" domain that way violates RFC 6762. There
are numerous ways to name your private domain, but ".local" is not a
proper name for that.

> Now, isnt the lookup supposed to fall back to next server if first one
> doesnt have an answer ?

Only if the first DNS is unreachable or returning SERVFAIL.
Yours is returning NXDOMAIN, so this behaviour is expected.


> How does multiple DNS servers entry work in resolv.conf ?

Barring "options rotate", the resolver always tries the first nameserver
specified for any query and switches to the second only if the timeout
(5 seconds by default, according to resolv.conf(5), 30 seconds in practice)
is reached.


The easiest way to solve your problem would be to specify a public resolver
(1.1.1.1) in your bind configuration for anything but your domain, and
then use only 192.168.2.1 in your resolv.conf.

Reco

Henning Follmann

Jan 24, 2022, 7:10:06 AM
On Mon, Jan 24, 2022 at 10:14:23AM +0000, Bhasker C V wrote:
> Hi all,
>
> Please could someone help me with what I am doing wrong ?
>
> I am running example.local domain on my interface(192.168.2.1) (bind9)
> The domain is resolving fine. However I want to use 1.1.1.1 public DNS
> server for looking up other domains (external domains)
> Hence I have put both servers in /etc/resolv.conf
>
> ``` nameserver 1.1.1.1
> nameserver 192.168.2.1
> search example.local```
>
[...]

If you already are using bind, wouldn't it be the simplest way
to put 1.1.1.1 as a forward in your configuration and
then just use 192.168.2.1 as your recursive resolver?

-H

--
Henning Follmann | hfol...@itcfollmann.com

Greg Wooledge

Jan 24, 2022, 8:00:05 AM
On Mon, Jan 24, 2022 at 07:05:27AM -0500, Henning Follmann wrote:
> On Mon, Jan 24, 2022 at 10:14:23AM +0000, Bhasker C V wrote:
> > I am running example.local domain on my interface(192.168.2.1) (bind9)
> > The domain is resolving fine. However I want to use 1.1.1.1 public DNS
> > server for looking up other domains (external domains)
> > Hence I have put both servers in /etc/resolv.conf
> >
> > ``` nameserver 1.1.1.1
> > nameserver 192.168.2.1
> > search example.local```

This is fundamentally wrong. All of the nameservers are treated equally.
It's not a "try one, and if that says no such domain, try another" thing.
It only tries another one if the first one doesn't give any response at
all.

> If you already are using bind, wouldn't it be the simplest way
> to put 1.1.1.1 as a forward in your configuration and
> then just use 192.168.2.1 as your recursive resolver?

This. You need to use *only* 192.168.2.1 as your nameserver, and you
need to configure whatever software is running on that IP address to
forward non-local requests out to the public DNS resolver(s) of your
choice. That'll be configured within the DNS software, not in the
/etc/resolv.conf file.
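As an added illustration (not code from the thread, from glibc or from bind), here is a small Python model of the nameserver-walking rule Reco and Greg describe: an NXDOMAIN from 1.1.1.1 is a definitive answer, so the stub resolver never goes on to ask 192.168.2.1, and only a timeout or SERVFAIL moves the query to the next entry. The server objects, the 203.0.113.10 and 10.0.0.9 addresses and the simplified fall-through rule are constructed assumptions; the last setup models the recommended fix, a single bind instance that is authoritative for example.local and forwards everything else.

```python
"""Toy model of a stub resolver walking the nameserver list in /etc/resolv.conf,
following the rule given in the thread: NXDOMAIN is final; only TIMEOUT or
SERVFAIL moves on to the next nameserver. All servers/names/addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional

NXDOMAIN, SERVFAIL, TIMEOUT = "NXDOMAIN", "SERVFAIL", "TIMEOUT"

@dataclass
class Server:
    """A toy DNS server: knows the names in `zones`, forwards anything else to
    `forward_to` if set, and otherwise answers with the rcode in `default`."""
    name: str
    zones: dict = field(default_factory=dict)      # fqdn -> address
    forward_to: Optional["Server"] = None          # recursive forwarder, if any
    default: str = NXDOMAIN                        # rcode for unknown names

    def query(self, fqdn: str) -> str:
        if fqdn in self.zones:
            return self.zones[fqdn]
        if self.forward_to is not None:
            return self.forward_to.query(fqdn)
        return self.default

def resolve(fqdn: str, nameservers: list) -> tuple:
    """Return (result, trace): the first address or NXDOMAIN seen, plus the
    per-server outcomes. Only TIMEOUT/SERVFAIL fall through to the next server."""
    trace = []
    for ns in nameservers:
        rc = ns.query(fqdn)
        trace.append(f"{ns.name}:{rc}")
        if rc in (TIMEOUT, SERVFAIL):
            continue
        return rc, trace
    return SERVFAIL, trace          # every server timed out or failed

# Constructed servers mirroring the thread (203.0.113.0/24 is documentation space).
PUBLIC = Server("1.1.1.1", {"www.example.com.": "203.0.113.10"})
LOCAL_AUTH = Server("192.168.2.1", {"server.example.local.": "192.168.2.2"})
DEAD = Server("10.0.0.9", default=TIMEOUT)       # an unreachable first entry
# The fix Reco and Greg describe: bind serves example.local itself and forwards
# everything else to 1.1.1.1, so resolv.conf only needs 192.168.2.1.
LOCAL_FORWARDING = Server("192.168.2.1", dict(LOCAL_AUTH.zones), forward_to=PUBLIC)

if __name__ == "__main__":
    setups = {"public-first": [PUBLIC, LOCAL_AUTH], "local-first": [LOCAL_AUTH, PUBLIC],
              "forwarding": [LOCAL_FORWARDING], "dead-first": [DEAD, PUBLIC]}
    for label, servers in setups.items():
        for name in ("server.example.local.", "www.example.com."):
            print(f"{label:13s} {name:22s} -> {resolve(name, servers)}")
```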