Discussion:
BIND 8 forwarding question
Lemman, Paul
2001-10-06 00:12:53 UTC
Hi,
I'm setting up a forwarder in BIND 8.2.4 that I don't want to be able to answer questions about internal hosts by asking our external view nameservers. I tried the suggestion in the DNS and BIND book to set up a stub zone with an empty forwarders list but the forwarder still queries our external view servers. I tried adding a "forward only" directive to the zone declaration but that didn't seem to help. Neither did declaring the zone of type forwarder and giving it an empty forwarders list in the zone declaration. Can anyone see where I'm going wrong?

Thanks,

paul


options {
    directory "/cache";
    pid-file "/var/run/named.pid";
    // Created by SIGINT or ndc dumpdb
    dump-file "/var/tmp/dump.db";
    // Created by SIGILL or ndc stats
    statistics-file "/var/tmp/stats";
    statistics-interval 60;
    listen-on { 147.34.97.130; };
    recursion yes;
    fetch-glue yes;
    query-source address 147.34.97.130 port 53;
    version "Surely you're joking, Mr. Feynman.";
    allow-query { localhost; E2; internal-roots; mentor-nets; };
    use-id-pool yes;
};

zone "." {
    type hint;
    file "db.cache";
};

zone "mentorg.com" {
    type stub;
    masters { 147.34.22.13; 147.34.96.122; 137.202.21.21; 137.202.93.16; };
    file "stub.mentorg.com";
    forward only;
    forwarders {};
};

paul lemman V: 503.685.1554
IT Computer Services www.mentor.com
Mentor Graphics Corporation
Cricket Liu
2001-10-06 01:56:13 UTC
Post by Lemman, Paul
I'm setting up a forwarder in BIND 8.2.4 that I don't want to be able to answer questions about internal hosts by asking our external view nameservers.
I can't parse this sentence at all. You want to prevent it from querying your external name servers for internal domain names?
Post by Lemman, Paul
I tried the suggestion in the DNS and BIND book to set up a stub zone with an empty forwarders list but the forwarder still queries our external view servers.
For which domain names? Those ending in mentorg.com?
Post by Lemman, Paul
I tried adding a "forward only" directive to the zone declaration but that didn't seem to help. Neither did declaring the zone of type forwarder and giving it an empty forwarders list in the zone declaration. Can anyone see where I'm going wrong?
options {
    directory "/cache";
    pid-file "/var/run/named.pid";
    // Created by SIGINT or ndc dumpdb
    dump-file "/var/tmp/dump.db";
    // Created by SIGILL or ndc stats
    statistics-file "/var/tmp/stats";
    statistics-interval 60;
    listen-on { 147.34.97.130; };
    recursion yes;
    fetch-glue yes;
    query-source address 147.34.97.130 port 53;
    version "Surely you're joking, Mr. Feynman.";
    allow-query { localhost; E2; internal-roots; mentor-nets; };
    use-id-pool yes;
};
zone "." {
    type hint;
    file "db.cache";
};
zone "mentorg.com" {
    type stub;
    masters { 147.34.22.13; 147.34.96.122; 137.202.21.21; 137.202.93.16; };
    file "stub.mentorg.com";
    forward only;
    forwarders {};
};
This zone statement would override forwarding for domain names ending in
mentorg.com, *if this name server were configured to use forwarders*.
But it's not, so I'm not sure what you're expecting to happen.

Also, it doesn't make any sense to specify "forward only" when you're
specifying not to use forwarders for mentorg.com domain names.

cricket

Men & Mice
DNS Software & Services
www.menandmice.com
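As an added example (not code from the thread or from ISC), the script below encodes the two rules Cricket states above as checks over a named.conf: a zone-level empty forwarders list only cancels forwarders set in options, and "forward only" next to an empty forwarders list is contradictory. It also flags, for a type hint zone, that recursive fallback goes to whatever roots the hint file lists, which is the question raised later in the thread about internal versus Internet roots. The parser is a minimal brace/semicolon splitter sufficient for files shaped like the one posted, not a full BIND grammar; the function names and the hint-zone rule are my own, and the sample input is a trimmed copy of Paul's configuration.

```python
"""Audit forwarding settings in a BIND-8-style named.conf (added example)."""
import re

# Sample input: a trimmed copy of the named.conf posted in the thread.
SAMPLE_CONF = """
options {
    directory "/cache";
    recursion yes;
    fetch-glue yes;
    query-source address 147.34.97.130 port 53;
    allow-query { localhost; E2; internal-roots; mentor-nets; };
};

zone "." {
    type hint;
    file "db.cache";
};

zone "mentorg.com" {
    type stub;
    masters { 147.34.22.13; 147.34.96.122; 137.202.21.21; 137.202.93.16; };
    file "stub.mentorg.com";
    forward only;
    forwarders {};
};
"""


def strip_comments(text):
    # named.conf accepts //, # and /* */ comments.
    return re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", text, flags=re.S)


def split_statements(body):
    """Split on ';' at brace depth 0; returns statements without the ';'."""
    stmts, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            text = "".join(cur).strip()
            if text:
                stmts.append(text)
            cur = []
        else:
            cur.append(ch)
    return stmts


def parse_block(body):
    """Map each statement in a block body to {keyword: value}.
    'forward only'         -> {'forward': ['only']}
    'forwarders { a; b; }' -> {'forwarders': ['a', 'b']}
    'forwarders {}'        -> {'forwarders': []}
    """
    out = {}
    for stmt in split_statements(body):
        if "{" in stmt:
            head, _, rest = stmt.partition("{")
            inner = rest[: rest.rfind("}")]
            out[head.split()[0]] = [x.strip() for x in inner.split(";") if x.strip()]
        else:
            toks = stmt.split()
            out[toks[0]] = toks[1:]
    return out


def parse_named_conf(text):
    """Return {'options': {...}, 'zones': {name: {...}}} for the top-level blocks."""
    conf = {"options": {}, "zones": {}}
    for stmt in split_statements(strip_comments(text)):
        if "{" not in stmt:           # e.g. include "file"; -- not needed here
            continue
        head, _, rest = stmt.partition("{")
        body = rest[: rest.rfind("}")]
        toks = head.split()
        if toks[0] == "options":
            conf["options"] = parse_block(body)
        elif toks[0] == "zone":
            conf["zones"][toks[1].strip('"')] = parse_block(body)
    return conf


def audit_forwarding(conf):
    """Return (zone, message) findings based on the rules discussed in the thread."""
    findings = []
    opts = conf["options"]
    global_fwd = opts.get("forwarders")   # None when options has no forwarders
    for name, zone in conf["zones"].items():
        fwd = zone.get("forwarders")
        # Rule 1: a zone-level empty forwarders list only cancels *global*
        # forwarding; with no global forwarders it changes nothing.
        if fwd == [] and not global_fwd:
            findings.append((name, "empty forwarders list overrides nothing: options has no forwarders"))
        # Rule 2: 'forward only' means "use only the forwarders", so pairing it
        # with an empty list is contradictory.
        if zone.get("forward") == ["only"] and fwd == []:
            findings.append((name, "'forward only' with an empty forwarders list is contradictory"))
        # Rule 3 (assumption of this example): with recursion on and no global
        # forwarders, names without a configured or cached delegation are
        # resolved from the roots in the hint file; that file, not named.conf,
        # decides whether those are Internet or internal roots.
        if zone.get("type") == ["hint"] and not global_fwd and opts.get("recursion", ["yes"]) == ["yes"]:
            hint_file = zone.get("file", ['"?"'])[0].strip('"')
            findings.append((name, f"recursive fallback follows the roots listed in {hint_file}"))
    return findings


if __name__ == "__main__":
    for zone, msg in audit_forwarding(parse_named_conf(SAMPLE_CONF)):
        print(f"{zone}: {msg}")
```

Run against the sample, the audit reports both contradictions on mentorg.com and the hint-file note on "."; the same zone statement under an options block that does set forwarders produces only the "forward only" finding, which is the behaviour Cricket describes.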
Lemman, Paul
2001-10-08 18:13:44 UTC
Sorry I wasn't clear.
Cricket Liu
2001-10-08 18:21:44 UTC
Post by Lemman, Paul
Sorry I wasn't clear.
Thanks,

paul

paul lemman V: 503.685.1554
IT Computer Services www.mentor.com
Mentor Graphics Corporation
Lemman, Paul
2001-10-08 19:16:51 UTC
I'd thought about just making the mentorg.com zone declaration a stub zone as you suggest. The problem is that the site is connected to our internal roots via a VPN. If the VPN goes down, I don't want the forwarder to then ask the Internet roots which winds up pulling data from our external view (we run a split horizon DNS) servers. These machines will return some RNAT addresses which would then be cached when the VPN comes back up and cause problems.

It sounds like what you're suggesting would work since even if the VPN goes down, the forwarder would just be unable to talk to the internal root nameservers and return a failure.

Thanks,

paul


paul lemman V: 503.685.1554
IT Computer Services www.mentor.com
Mentor Graphics Corporation


-----Original Message-----
From: Cricket Liu [mailto:***@menandmice.com]
Sent: Monday, October 08, 2001 11:22 AM
To: Lemman, Paul; bind-***@isc.org
Subject: Re: BIND 8 forwarding question
Post by Lemman, Paul
Sorry I wasn't clear.
Lemman, Paul
2001-10-10 14:08:02 UTC
Cricket,
Yes, I'm sure that we run internal root servers. What kind of indications were you looking for?

paul

paul lemman V: 503.685.1554
IT Computer Services www.mentor.com
Mentor Graphics Corporation


-----Original Message-----
From: Cricket Liu [mailto:***@menandmice.com]
Sent: Monday, October 08, 2001 4:10 PM
To: Lemman, Paul; bind-***@isc.org
Subject: Re: BIND 8 forwarding question
Post by Lemman, Paul
I'd thought about just making the mentorg.com zone declaration a stub zone as you suggest. The problem is that the site is connected to our internal roots via a VPN. If the VPN goes down, I don't want the forwarder to then ask the Internet roots which winds up pulling data from our external view (we run a split horizon DNS) servers. These machines will return some RNAT addresses which would then be cached when the VPN comes back up and cause problems.
As long as the local name server has the NS RRs for mentorg.com cached, it won't query the root name servers for domain names that end in mentorg.com.
Post by Lemman, Paul
It sounds like what you're suggesting would work since even if the VPN goes down, the forwarder would just be unable to talk to the internal root nameservers and return a failure.

Are you sure you have internal root name servers? Not just internal
mentorg.com name
servers? Because there's no indication that this name server is part of an
internal root
environment at all.

cricket

Men & Mice
DNS Software & Services
www.menandmice.com
Cricket Liu
2001-10-10 19:07:59 UTC
Post by Lemman, Paul
Yes, I'm sure that we run internal root servers. What
kind of indications were you looking for?
If the name server whose named.conf file you posted uses
internal root name servers, it has no way to resolve
Internet domain names.

cricket

Men & Mice
DNS Software & Services
www.menandmice.com
M***@radianz.com
2001-10-11 09:34:06 UTC
Paul,
Show us your db.cache, you show me yours, and I'll show you mine :-)
I for one am pretty confused about what you are trying to achieve here.
rgds
Marc TXK

From: "Cricket Liu" <***@menandmice.com>
To: "Lemman, Paul" <***@mentorg.com>, <bind-***@isc.org>
Sent by: bind-users-boun***@isc.org
Subject: Re: BIND 8 forwarding question
10/10/2001 20:07
Post by Lemman, Paul
Yes, I'm sure that we run internal root servers. What
kind of indications were you looking for?
If the name server whose named.conf file you posted uses
internal root name servers, it has no way to resolve
Internet domain names.

cricket

Men & Mice
DNS Software & Services
www.menandmice.com