Bind9 changes RCODE
Hi All,

We have configured a forward zone in bind9 for e164.arpa, and we have our application to resolve e164 domain queries (NS, NAPTR, CNAME queries). But our application is sending RCODE=4 (NOT implemented) to bind9, and bind9, on its side, is changing it to a "ServerFail" error. We want the error code on dig/dnsperf to come as RCODE=4 only. Bind9 should not translate the original error code. Bind9 should send the original RCODE=4 to the requester.

Below is the snapshot of the named.conf file. Wireshark is also attached with this mail.

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; !blocked; allowed; };
        //allow-query { any; };
        recursion yes;
        zone-statistics yes;
        dnssec-enable yes;
        dnssec-validation no;
        // additional-from-auth no;
        // additional-from-cache no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
    };

    zone "e164.arpa" IN {
        type forward;
        forwarders { 127.0.0.1 port 49153; 139.165.24.21 port 49153; };
        forward only;
    };

Dig output:-

    [root@ukp2-so1mp1 admusr]# dig -t naptr 4.0.4.5.2.4.1.4.2.0.2.4.7.8.9.5.7.9.e164.arpa @localhost

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.0.2.el6_10.8 <<>> -t naptr 4.0.4.5.2.4.1.4.2.0.2.4.7.8.9.5.7.9.e164.arpa @localhost
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31801 //expecting RCODE=4 here
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;4.0.4.5.2.4.1.4.2.0.2.4.7.8.9.5.7.9.e164.arpa. IN NAPTR

    ;; Query time: 97 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Wed Sep 29 03:29:23 2021
    ;; MSG SIZE rcvd: 63

Application Wireshark snapshot: [image: image003.jpg]

Bind9 Wireshark:- [image: image004.jpg]

Kindly share your views on this.

Regards,
Sonal

RCODE_query.pcap Description: RCODE_query.pcap

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
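For comparing the two captures mentioned in this message, the sketch below decodes the fixed DNS header that dig summarises in its `->>HEADER<<-` line and reports whether the RCODE was passed through or rewritten. It is an added example, not part of the original post; the two sample headers are constructed from the values in the dig output and the described RCODE=4 reply, not taken from the attached pcap, and the function names are illustrative.

```python
import struct

# RCODE and flag names as dig prints them (RFC 1035 header layout).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw UDP payload."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F  # low 4 bits of the flags word
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "rcode": rcode,
        "status": RCODES.get(rcode, f"RCODE{rcode}"),
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }


def compare_rcodes(from_forwarder: bytes, to_client: bytes) -> str:
    """Report whether the resolver passed the forwarder's RCODE through."""
    up, down = parse_header(from_forwarder), parse_header(to_client)
    if up["rcode"] == down["rcode"]:
        return f"passed through: {up['status']}"
    return f"rewritten: {up['status']} -> {down['status']}"


# Constructed headers: a forwarder reply carrying RCODE=4 (arbitrary id),
# and a reply matching the dig output above (id 31801, qr rd ra, SERVFAIL).
FORWARDER_REPLY = struct.pack("!6H", 0x1A2B, 0x8104, 1, 0, 0, 0)
BIND_REPLY = struct.pack("!6H", 31801, 0x8182, 1, 0, 0, 0)

if __name__ == "__main__":
    print(parse_header(BIND_REPLY))
    print(compare_rcodes(FORWARDER_REPLY, BIND_REPLY))
```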
Recursion setting for bind9
Hi All,

Is there any option to set recursion = 1 in the named.conf file for the zone? I just want bind9 to do recursion only once. If bind9 receives an answer from one of the forwarders then it should not do recursion (forward the query) to any other forwarder IP.

Below is the snapshot of my named.conf file:

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; !blocked; allowed; };
        // allow-query { localhost; };
        recursion yes;
        zone-statistics yes;
        dnssec-enable no;
        dnssec-validation no;
        auth-nxdomain no;
        // additional-from-auth no;
        // additional-from-cache no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
    };

    zone "e164.arpa" IN {
        type forward;
        forwarders { 127.0.0.1 port 49153; 199.165.24.21 port 49153; };
        forward only;
    };

Regards,
Sonal
Re: [External] : Re: CNAME query
Thanks a lot Danilo for understanding my query! This is what I was looking for!

From: bind-users on behalf of Danilo Godec via bind-users
Sent: Thursday, September 23, 2021 17:27
To: bind-users@lists.isc.org
Subject: [External] : Re: CNAME query

Don't know if that helps, but if I query my local Bind DNS for a CNAME that doesn't exist, dig gives me the SOA record:

    > dig cname nonexisting.example.com @mydns

    ; <<>> DiG 9.16.6 <<>> cname nonexisting.example.com @mydns
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22683
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;nonexisting.example.com. IN CNAME

    ;; AUTHORITY SECTION:
    example.com. 600 IN SOA mydns.example.com. hostmaster.mydns.example.com. 2020042504 86400 3600 604800 604800

    ;; Query time: 0 msec
    ;; SERVER: mydns#53(mydns)
    ;; WHEN: thu sep 23 13:50:00 CEST 2021
    ;; MSG SIZE rcvd: 100

Obviously I replaced my real domain with 'example.com'...

Regards,
Danilo

On 23. 09. 21 13:36, Sonal Pahuja wrote:

Can someone please help me on this

From: Sonal Pahuja
Sent: Thursday, September 23, 2021 10:26:48 AM
To: bind-users@lists.isc.org
Subject: CNAME query

Hi All,

We are sending a CNAME query but currently we don't have any CNAME record, just have NS info. What should be the Bind9 response for this CNAME query? Will it return NS Record in Authority/Answer section?

Regards,
Sonal

--
Danilo Godec | Sistemska podpora / System Administration
AGENDA d.o.o. | Ul. Pohorskega bataljona 49, Sl-2000 Maribor
Re: CNAME query
Can someone please help me on this

From: Sonal Pahuja
Sent: Thursday, September 23, 2021 10:26:48 AM
To: bind-users@lists.isc.org
Subject: CNAME query

Hi All,

We are sending a CNAME query but currently we don't have any CNAME record, just have NS info. What should be the Bind9 response for this CNAME query? Will it return NS Record in Authority/Answer section?

Regards,
Sonal
bind9 forwarder query
Hi All,

We have configured a forward zone in bind9 for e164.arpa and in forwarders we are giving 2 IPs. Just wanted to know the mechanism/routing/load balancing policy by which bind9 forwards to different IPs. I can see sometimes it always routes to the same IP, sometimes it forwards in a round robin way. Please share your insights.

    zone "e164.arpa" IN {
        type forward;
        forwarders { 127.0.0.1 port 49153; 199.165.4.21 port 49153; };
        forward only;
    };

Regards,
Sonal
CNAME query
Hi All,

We are sending a CNAME query but currently we don't have any CNAME record, just have NS info. What should be the Bind9 response for this CNAME query? Will it return NS Record in Authority/Answer section?

Regards,
Sonal
RE: [External] : Re: NS query on bind9
Hi Mark,

Thanks for the response. Now NS query is working fine!!

But I have one more query: we have our application to resolve e164 domain queries, i.e. NS, NAPTR and CNAME queries only. If the user gives any other query type then the application sends RCODE=4 (NOT_IMPLEMENTED) in response. But bind9 is rejecting our response and sends SERVFAIL. Attached is the PCAP.

Please share your views again on this. Thanks in advance!

Regards,
Sonal

-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Wednesday, September 15, 2021 1:51 AM
To: Sonal Pahuja
Cc: bind-users@lists.isc.org
Subject: [External] : Re: NS query on bind9

Named is very picky about returned SOA records in negative responses. If it has followed/seen a delegation then the returned SOA record in the response needs to be at or below that point.

I suspect that named has a cached NS RRset between e164.arpa and 4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa which is causing the returned response to be rejected.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

15sep_RCODE=4.pcap Description: 15sep_RCODE=4.pcap
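The rule quoted in the reply above (the SOA in a negative response must sit at or below any delegation named has already seen) can be modelled as a name-ancestry check. This is an added example, not code from BIND or from the thread; it is a simplified model of the stated rule, and the cached NS owner names in `CACHED_NS` are constructed for illustration.

```python
def labels(name: str) -> list:
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or is a subdomain of it."""
    n, a = labels(name), labels(ancestor)
    return not a or (len(n) >= len(a) and n[-len(a):] == a)


def deepest_cut(qname: str, ns_owners: list) -> str:
    """Closest enclosing delegation already known for qname ('.' if none)."""
    covering = [o for o in ns_owners if at_or_below(qname, o)]
    return max(covering, key=lambda o: len(labels(o)), default=".")


def check_negative_soa(qname: str, soa_owner: str, ns_owners: list):
    """Model of the quoted rule; returns (accepted, reason)."""
    # General DNS requirement: the SOA owner is the apex of a zone
    # that encloses the query name.
    if not at_or_below(qname, soa_owner):
        return False, f"SOA owner {soa_owner} does not enclose {qname}"
    # Rule from the reply: once a delegation has been seen, the SOA
    # must be at or below that delegation point.
    cut = deepest_cut(qname, ns_owners)
    if not at_or_below(soa_owner, cut):
        return False, f"SOA owner {soa_owner} is above the delegation at {cut}"
    return True, f"SOA owner {soa_owner} is at or below {cut}"


# Query name from the reply above; the cached NS owners are constructed.
QNAME = "4.0.4.5.2.4.1.4.2.0.2.4.e164.arpa."
CACHED_NS = ["e164.arpa.", "2.4.e164.arpa."]

if __name__ == "__main__":
    for soa in ("e164.arpa.", "2.4.e164.arpa.", "2.0.2.4.e164.arpa."):
        print(soa, check_negative_soa(QNAME, soa, CACHED_NS))
```

With an NS RRset cached at a name between e164.arpa and the query name, a negative answer whose SOA is owned by e164.arpa fails the check, which is the situation the reply suspects.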
RE: NS query on bind9
Hello All,

Currently we are facing the below issue:-

We have built a response for an NS query and are sending it to bind9. However, bind9 is rejecting it and we are getting a server fail error. NAPTR and CNAME queries are working fine.

Wireshark of the response built by our application: [image: image003.jpg]

The above message is getting received by bind9; bind9 is rejecting it and sending a server fail message to the sender.

In named.run we are getting the below output:-

error (FORMERR) resolving [image: image004.jpg]

Kindly let us know what can be the issue here.

Regards
NS query on bind9
Hello All,

Currently we are facing the below issue:-

We have built a response for an NS query and are sending it to bind9. However, bind9 is rejecting it and we are getting a server fail error.

In named.run we are getting the below output:-