On 4/17/20 7:26 AM, Bob Harold wrote:
>
> On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <tun...@tundraware.com> wrote:
>
> We have split horizon setup and enable our internal and trusted hosts
> to do things as follows:
>
>     allow-recursion { trustedhosts; };
>     allow-transfer { trustedhosts; };
>
> 'trustedhosts' includes a number of public facing IPs as well as the
> 192.168.0/24 CIDR block. It also includes the IPs of the Master and
> Slave bind servers.
>
> So here's the part that has me wondering. If I do a reverse lookup of
> an IP, it works as expected _except_ if I do it on either the Master
> or Slave machines. They will not only look up reverses on our
> own IPs, they won't do it for ANY IP and returns the warning:
>
>     WARNING: recursion requested but not available
>
> This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> running on FreeBSD 11.3-STABLE. Master is on a cloud server, Slave is
> on a physical machine. Neither instance is jailed.
>
> Ideas?
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
>
> Is 127.0.0.1 in the 'trustedhosts' list?

Yes

> Are you telling 'dig' what server to use - dig @127.0.0.1

No. But when I do, it works properly. Doesn't dig default to localhost (in this case the host running bind)?

> What servers are listed in /etc/resolv.conf? Do they resolve the reverse
> zones?

There is no resolv.conf on these machines. They are the ones running the nameservers.

> Are local queries hitting the right 'view' (if you have multiple views) ?

Yes, IF I explicitly point dig to the right nameserver.

So ... what's going on is that dig appears to not be using localhost first to resolve reverses.

>
> --
> Bob Harold
>

--
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
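
The question of which query source addresses fall inside 'trustedhosts' can be checked mechanically. The following is an added example, not part of the original thread and not BIND's own code: it evaluates source addresses against an address match list with first-match-wins ordering. The ACL contents, the documentation-range addresses, the sample sources and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed ACL body; documentation-range addresses stand in for the
# public-facing IPs and the master/slave addresses mentioned in the post.
TRUSTEDHOSTS = "203.0.113.10; 198.51.100.20; 192.168.0/24; 127.0.0.1;"

# Constructed sample query sources, including both loopback addresses.
SAMPLE_SOURCES = ["192.168.0.15", "203.0.113.10", "127.0.0.1", "::1", "192.0.2.77"]


def parse_element(text):
    """Return (negated, network) for one address-match-list element."""
    negated = text.startswith("!")
    text = text.lstrip("!").strip()
    if ":" not in text and "/" in text:
        # Pad an abbreviated IPv4 prefix such as the 192.168.0/24 in the post.
        addr, length = text.split("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        text = f"{addr}/{length}"
    return negated, ipaddress.ip_network(text, strict=False)


def parse_acl(body):
    """Split an ACL body on ';' and parse each non-empty element."""
    return [parse_element(e.strip()) for e in body.split(";") if e.strip()]


def allowed(acl, source):
    """First matching element decides; no match means the client is refused."""
    ip = ipaddress.ip_address(source)
    for negated, net in acl:
        if ip.version == net.version and ip in net:
            return not negated
    return False


def report(acl, sources):
    """Map each source address to whether the ACL admits it."""
    return {s: allowed(acl, s) for s in sources}


if __name__ == "__main__":
    for src, ok in report(parse_acl(TRUSTEDHOSTS), SAMPLE_SOURCES).items():
        print(f"{src:<15} {'allowed' if ok else 'refused'}")
```

Only IP addresses, prefixes and `!` negation are handled here; named ACLs and keywords such as `localhost` are outside this sketch.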