No. forward only; means only it won't try to iterate from root in case
forwarder does not respond or responds with Server Failure. It would try
to get answer its own way iterating from root hints if forward first;
were used. Or forward clause were not present. It will not make bind to
blindly trust to forwarder just like dnsmasq does.
I think usually cloud provides have common zone, in which all their
hosts are. Something like akamaiedge.net. I think your cloud service
provider should be able to recommend a working way. I just guess you
would need to direct a list of their domains, which they use to host
their services. In your case I would say n.shifen.com. would be such
candidate. Just do not include x in the zone name:
# this should work for this example
zone "bd.bcebos.com."
in { type forward ; forward only; forwarders { 10.10.10.10; }; };
zone "shifen.com."
in { type forward ; forward only; forwarders { 10.10.10.10; }; };
Whatever target names your provider uses for CNAME targets would need
similar zone definiton. If they are not able to provide similar list, I
would look for more prepared company.
On 04. 04. 23 17:39, ltns wrote:
thanks for reply;
bd.bcebos.com. is provide by our Cloud service provider, it both have
Internal IP results and extra IP results;
when not forward to 10.10.10.10,just recursive from Public network,it
will get extra ip result just like you have try;
when in our inter network environment,we need forward it to
10.10.10.10, it's our Cloud service provider interdns, it will reply
CNAME bd.bcebos.com., bd.bcebos.com. A 100.67.96.26, A 100.67.96.27
records to me, and I need access the interIp service through our inter
network;
I also try dnsmasq and unbound before,just like you have say,dnsmasq
get "CNAME bd.bcebos.com., bd.bcebos.com. A 100.67.96.26, A
100.67.96.27" records,it will use A record
dnsmasq does not have ability to iterate. It blindly trust recursive
servers it uses. Such behaviour is unwanted from more serious
implementation.
unbound 's action is the same as bind named, when it get "CNAME
bd.bcebos.com., bd.bcebos.com. A 100.67.96.26, A 100.67.96.27", it do
not use A record, just try to query bd.bcebos.com again
Sure, unbound is decent resolver and would not trust foreign zones in
answers without fetching it himself. All more complex implementations
should behave the same.
what Trouble me is the definition of "forward only",i read some
Related documents,i think when use forward only, bind will just get
results from forwarders, no matter what bind get CNAME and A record,
or just A record , i think it will use A;
from now on,bind have different behaviour; when config "forward
only", it also will query cname again ;It's different from what I
thought before
No, explained above. It changes behavior only in case the reply from
forwarder were SERVFAIL. It will always chase cnames to servers
authoritative for the target name.
------------------ 原始邮件 ------------------
*发件人:* "Petr Menšík" <pemen...@redhat.com>;
*发送时间:* 2023年4月4日(星期二) 晚上8:33
*收件人:* "ltns"<wwwwwwwwww7...@qq.com>;"bind-users"<bind-users@lists.isc.org>;
*主题:* Re: BIND | Cname chain resolution using forward ( CNAME&A
returned but no use A) (#3995)
This is public response for the name from my connection:
$ dig x.bd.bcebos.com.
; <<>> DiG 9.18.13 <<>> x.bd.bcebos.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11566
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;x.bd.bcebos.com. IN A
;; ANSWER SECTION:
x.bd.bcebos.com. 360 IN CNAME bd.bcebos.com.
bd.bcebos.com. 360 IN CNAME bos.bd.baidubce.n.shifen.com.
bos.bd.baidubce.n.shifen.com. 60 IN A 110.242.70.8
Now if you override just the zone "x.bd.bcebos.com.", it asks in the
forwarder. But because the forwarder answers with name leading outside
of its own zone, named will create separate query to bd.bcebos.com.
Unless that has own forward zone definition for it, it uses global
forwarders or iteration from root hints.
$ dig ns bd.bcebos.com.
; <<>> DiG 9.18.13 <<>> ns bd.bcebos.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54957
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
; COOKIE: cae27b6bb14ffd9815d2855f642c0f8300482e9548e4bf0a (good)
;; QUESTION SECTION:
;bd.bcebos.com. IN NS
;; ANSWER SECTION:
bd.bcebos.com. 57 IN CNAME bos.bd.baidubce.n.shifen.com.
;; AUTHORITY SECTION:
n.shifen.com. 206 IN SOA ns1.n.shifen.com.
baidu_dns_master.baidu.com. 2304040275 5 5 2592000 3600
This is some black magic, because SOA is not inside names we asked.
$ dig +norec @ns1.n.shifen.com. bd.bcebos.com.
; <<>> DiG 9.18.13 <<>> +norec @ns1.n.shifen.com. bd.bcebos.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6168
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ce297c8717115be001000000642c1022251028e6f44a59cc (good)
;; QUESTION SECTION:
;bd.bcebos.com. IN A
;; Query time: 201 msec
;; SERVER: 110.242.68.39#53(ns1.n.shifen.com.) (UDP)
;; WHEN: Tue Apr 04 13:55:14 CEST 2023
;; MSG SIZE rcvd: 70
It does not allow me to even ask. So those chains are quite strange.
In any case, bind will *NOT* blindly accept any names from forwarders
for foreign zones. Its CNAME target leads outside its defined zone, it
will always fetch it using separate zone fetches. So it will try
asking bd.bcebos.com. and bos.bd.baidubce.n.shifen.com. nameservers
and only their response is offered to end user. If there is a way to
make bind trust those responses, I don't know about it. I think it is
considered bad practice.
If the forwarder offers custom view, it should not override it using
CNAMEs. It should just set it different addresses directly. This looks
like not small private view to public records. I do not think it can
work like you are trying to do. Either you will have zone not pointing
to other zones, or you have to forward them all. BIND won't take into
account in response to what name this response arrived. It won't let
server of unrelated zones to insert cache records for other names. It
does it to protect you from spoofing. dnsmasq will let you do that,
because it does not have proper iteration capabilities. Use that if
you need such split view. I doubt unbound, powerdns or any good
recursive DNS will allow what you are trying to do. BIND9 included.
On 04. 04. 23 12:58, ltns wrote:
i am very very sorry ,
*the zone info of first mail -> **zone "bd.baidubce.com."* i write
wrong;
the wright is * zone "x.bd.bcebos.com."*
please just see this mail,
when i use bind-9.11 for my interdns deviceip is 10.1.1.1, i config
zone "x.bd.bcebos.com."
in { type forward ; forward only; forwarders { 10.10.10.10; }; };
1,when i dig @10.1.1.1 x.bd.bcebos.com.
2,10.10.10.10 return record "CNAME bd.bcebos.com., bd.bcebos.com. A
100.67.96.26, A 100.67.96.27" to device10.1.1.1
dig @10.1.1.1 bd.bcebos.com. gives what response? That one you should
receive. zone "x.bd.bcebos.com." role ended when cname target is not
under x.bd.bcebos.com.
3,but device10.1.1.1 not return A 100.67.96.26, A 100.67.96.27 to me
4,device10.1.1.1 go to qurey bd.bcebos.com. recursive itself, and
get another record 110.242.70.8
i have questions
1,why config is forward only, bind get CNAME & A records from
forwarders, but bind do not return A record to me?and query cname
domain recursive again itself?
thanks
Message: 3
Date: Tue, 4 Apr 2023 12:05:04 +0200
From: Petr Men??k <pemen...@redhat.com>
To: bind-users@lists.isc.org
Subject: Re: BIND | Cname chain resolution using forward ( CNAME&A
returned but no use A) (#3995)
Message-ID: <e54b9e63-f17c-ac84-eb58-3ee4cfd88...@redhat.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
That is because forwarder is supposed to handle only zone
"bd.baidubce.com.", but addresses response is from bd.bcebos.com zone.
Therefore it queries contents of that according to global forwarders or
iteratively. BIND9 attempts to deliver the most authoritative answer it
can, so it ignores hints from server not authoritative for it. I do not
know a way to disable such behavior. Dns caches such as dnsmasq would
forward the reply as it is, but bind uses zones with authoritative
servers preferred. It does so to prevent unrelated servers pushing
invalid answers into your cache.
Workaround might be to forward also bd.bcebos.com. zone to the same
server. Can you share why should it return different addresses than the
authoritative servers offers?
I think if you need to override some addresses, RPZ might help you. At
least you would have a list of rules where the answer is modified. I
think most proper servers do it this way without ability to change the
behavior.
Just my 2 cents.
Regards,
Petr
On 04. 04. 23 8:08, Yang via bind-users wrote:
>
> hi?bind admin,
>
> ?when i use bind-9.11 for my interdns? deviceip is 10.1.1.1,
>
> i config
>
> zone "bd.baidubce.com."
>
> ?in?{ type forward ; forward only; forwarders { 10.10.10.10; }; };
>
>
> 1?when i dig @10.1.1.1 x.bd.bcebos.com.
>
> 2?10.10.10.10 return record "CNAME bd.bcebos.com., A 100.67.96.26, A
> 100.67.96.27" to device10.1.1.1
>
> 3?but device10.1.1.1 not return A 100.67.96.26, A 100.67.96.27 to me
>
> 4?device10.1.1.1 go to qurey bd.bcebos.com. recursive itself?and get
> another record 110.242.70.8
>
> i have questions
>
> 1?why config is forward only? but bind get CNAME & A?bind do not
> return A to me?and query cname again itself?
>
> ?thanks
>
>
--
Petr Men??k
Software Engineer, RHEL
Red Hat,http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.isc.org/pipermail/bind-users/attachments/20230404/42996e1b/attachment.htm>
------------------------------
Subject: Digest Footer
_______________________________________________
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
------------------------------
End of bind-users Digest, Vol 4219, Issue 1
*******************************************
--
Petr Menšík
Software Engineer, RHEL
Red Hat,http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
--
Petr Menšík
Software Engineer, RHEL
Red Hat,http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
