Queries using forwarders
Hello all, I was trying to follow the thread on the NXDOMAIN and got lost. :) I have a question about using forwarders. If the DNS that is using forwarders receives a query for a zone it's not authoritative for even if it's in the same network, does it go to the forwarders for zone information? I'm trying to get my head around what was discussed in the NXDOMAIN thread. What makes a DNS authoritative for a zone?
Re: Queries using forwarders
If the records which are being requested are in the DNS server's cache then it may return the records directly from cache (depends on your configuration). If the record isn't in the cache it will attempt to fetch it and return it to the client; it will then be placed in the cache so subsequent queries for that data will be returned direct from cache.

A response will be returned as authoritative when the server is an authority for that zone, as in it has been configured to serve the zone*.

Steve

* Whether you actually have the right to serve that zone as authoritative is another matter; for example, I could easily create a zone called microsoft.com and serve it out to my local clients and they would be none the wiser (well, other than it's not the real microsoft.com). If you tried to serve it externally to the Internet, though, it would be ignored, as the DNS hierarchy for microsoft.com goes nowhere near your server and points at Microsoft's DNS servers.
Re: Queries using forwarders
Hi Mike,

To keep my answer simple, if BIND is set up to allow recursion, and gets a recursive query for a zone it's not authoritative for, it'll:

1) Answer from cache
2) pass the query off to the configured forwarders
3) If the forwarders are unavailable, follow delegation itself to answer the query.

BIND is only authoritative for a zone if there's a zone {} block for it (or its parent zone).

As Steven mentioned, you can set BIND up to act as authoritative for a domain you don't own (e.g. malware.site.tld) so that your users get a false answer to their queries. It's a pretty common anti-malware/anti-spam practice, and also gets used (for example) in wifi captive portals.

John
Re: Queries using forwarders
The point of being authoritative is to have a full copy of the zone, so that one is basically autonomous, not dependent on anyone else to resolve names in the zone. In BIND terms, that means type master or type slave.

That's why authoritative zones override forwarding, since forwarding is a relationship of dependency. One can't be autonomous and dependent, for the same zone, at the same time.

A slave nameserver is, of course, dependent, in a sense, on getting the latest version of the zone from its master(s). But that's not a real-time dependency, since it can always (providing that it hasn't been so long that the zone has expired) answer queries from the latest version of the zone it happens to possess.

- Kevin
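An added example, not part of any post in this thread and not BIND's own code: a simplified Python model of the order the replies above describe (locally configured zone data first, then cache, then forwarders, then following delegation). The named.conf fragment, zone names and addresses are constructed sample values, and `forward only` is a BIND option the thread does not mention, included to show the case where the step 3 fallback is switched off.

```python
import re

# Constructed named.conf fragment; zone names and addresses are sample values.
NAMED_CONF = '''
options {
    recursion yes;
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward first;
};
zone "corp.example"     { type master; file "db.corp.example"; };
zone "malware.site.tld" { type master; file "db.sinkhole"; };
'''

def load(conf):
    """Pull zone types, forwarders and forward mode out of the fragment."""
    zones = {n.lower(): t for n, t in
             re.findall(r'zone\s+"([^"]+)"\s*\{\s*type\s+(\w+)\s*;', conf)}
    fwd = re.search(r'forwarders\s*\{([^}]*)\}', conf)
    addrs = fwd.group(1).split(";") if fwd else []
    forwarders = [a.strip() for a in addrs if a.strip()]
    mode = re.search(r'\bforward\s+(first|only)\s*;', conf)
    return zones, forwarders, (mode.group(1) if mode else "first")

def closest_zone(qname, zones):
    """Longest configured master/slave zone enclosing qname, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zones.get(name) in ("master", "slave"):
            return name
    return None

def answer_source(qname, conf, cache=(), forwarders_up=True):
    """Simplified model of where a recursive query gets its answer."""
    zones, forwarders, mode = load(conf)
    zone = closest_zone(qname, zones)
    if zone:                          # local zone data overrides forwarding
        return "authoritative:" + zone
    if qname.rstrip(".").lower() in cache:
        return "cache"
    if forwarders and forwarders_up:
        return "forwarder:" + forwarders[0]
    if forwarders and mode == "only":
        return "servfail"             # forward only: no fallback to iteration
    return "iterate"                  # follow delegation from the root
```

A query under `malware.site.tld` never reaches the forwarders in this model, which is why a locally configured override zone is invisible to upstream resolvers and to clients that do not validate with DNSSEC.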
Re: Queries using forwarders
On Jun 3, 2013, at 4:31 PM, John Miller johnm...@brandeis.edu wrote:

> Hi Mike,
>
> To keep my answer simple, if BIND is set up to allow recursion, and gets a recursive query for a zone it's not authoritative for, it'll:
>
> 1) Answer from cache
> 2) pass the query off to the configured forwarders
> 3) If the forwarders are unavailable, follow delegation itself to answer the query.
>
> BIND is only authoritative for a zone if there's a zone {} block for it (or its parent zone).

Weeelll, mostly. built-in empty zones…

W

> As Steven mentioned, you can set BIND up to act as authoritative for a domain you don't own (e.g. malware.site.tld) so that your users get a false answer to their queries. It's a pretty common anti-malware/anti-spam practice, and also gets used (for example) in wifi captive portals.
>
> John

--
It is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead.
-- E.W Dijkstra, 1930-2002