Re: BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)

Tue, 04 Apr 2023 03:06:05 -0700

That is because forwarder is supposed to handle only zone "bd.baidubce.com.", but addresses response is from bd.bcebos.com zone. Therefore it queries contents of that according to global forwarders or iteratively. BIND9 attempts to deliver the most authoritative answer it can, so it ignores hints from server not authoritative for it. I do not know a way to disable such behavior. Dns caches such as dnsmasq would forward the reply as it is, but bind uses zones with authoritative servers preferred. It does so to prevent unrelated servers pushing invalid answers into your cache.
Workaround might be to forward also bd.bcebos.com. zone to the same server. Can you share why should it return different addresses than the authoritative servers offers? 


I think if you need to override some addresses, RPZ might help you. At 
least you would have a list of rules where the answer is modified. I 
think most proper servers do it this way without ability to change the 
behavior.


Just my 2 cents.

Regards,
Petr

On 04. 04. 23 8:08, Yang via bind-users wrote:


hi bind admin,

 when i use bind-9.11 for my interdns, deviceip is 10.1.1.1,

i config

zone "bd.baidubce.com."

 in { type forward ; forward only; forwarders { 10.10.10.10; }; };


1、when i dig @10.1.1.1 x.bd.bcebos.com.


2、10.10.10.10 return record "CNAME bd.bcebos.com., A 100.67.96.26, A 
100.67.96.27" to device10.1.1.1


3、but device10.1.1.1 not return A 100.67.96.26, A 100.67.96.27 to me


4、device10.1.1.1 go to qurey bd.bcebos.com. recursive itself,and get 
another record 110.242.70.8


i have questions


1、why config is forward only, but bind get CNAME & A,bind do not 
return A to me,and query cname again itself?


 thanks



--
Petr Menšík
Software Engineer, RHEL
Red Hat,http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to