Re: forwarding zone setup from a BIND slave (without recursion?)
So why doesn’t it work to make your limited server authoritative for the root and only forward the zones you want? Anything that isn’t in a forwarded zone does not exist (except the root itself). On Sat, Apr 17, 2021 at 11:07 PM Marki wrote: > > On 4/14/2021 12:44 AM, Sebby, Brian A. via bind-users wrote: > > > My situation is due to a security requirement. We have DNS servers at our > site running BIND that allow recursion, but I’ve been requested to set up > some additional DNS servers for another project that is expected to * > *only** access the data that we’re authoritative for. And of course …. > there’s a chance that it might need to look up one or two external zones. > Essentially, what I really need is a recursive whitelist that doesn’t tell > BIND what clients are allowed to do recursive lookups, but to limit BIND to > only allow recursive lookups on a very small list of allowed domains. > > > > I was trying to set up a forwarding zone to forward queries to our DNS > servers that do allow recursion, but as I discovered (and as was discussed > earlier in the thread), if recursion is not allowed, then forwarding is > also not allowed. I had tried setting the “allow-recursion” field to > “localhost” and setting up a forward zone to forward to 127.0.0.1, but that > didn’t work either. > > Hello, > > So they do _not_ only look up internal/authoritative zones, but external > ones as well. (It's always the exceptions that kill you.) > > I think we have previously established that there is not a good way to do > whitelisting using Bind, see the thread "Authority and forwarding, but not > recursion/iteration". > > If you can live with non-allowed zones returning SERVFAIL (instead of > NXDOMAIN for example), then using a recursive service with a bogus global > forwarder and static stubs pointing to the authoritative/non-recursive > service might do the trick. > > You might also be able to leverage RPZ if there are no complex conditions > associated to your rules (everyone will have the same white/blacklists). > You configure passthrough for the allowed zones and deny the rest. > > Alternatively, there is dnsdist which, while being a load-balancer, could > be considered the swiss army knife of DNS filtering. > > Finally, some firewalls like Fortigates provide a "DNS filter" that lets > you define custom white and blacklists. Palo Altos currently are not able > to whitelist AFAIK. > > Best regards, > > Marki > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
On 4/14/2021 12:44 AM, Sebby, Brian A. via bind-users wrote: My situation is due to a security requirement. We have DNS servers at our site running BIND that allow recursion, but I’ve been requested to set up some additional DNS servers for another project that is expected to **only** access the data that we’re authoritative for. And of course …. there’s a chance that it might need to look up one or two external zones. Essentially, what I really need is a recursive whitelist that doesn’t tell BIND what clients are allowed to do recursive lookups, but to limit BIND to only allow recursive lookups on a very small list of allowed domains. I was trying to set up a forwarding zone to forward queries to our DNS servers that do allow recursion, but as I discovered (and as was discussed earlier in the thread), if recursion is not allowed, then forwarding is also not allowed. I had tried setting the “allow-recursion” field to “localhost” and setting up a forward zone to forward to 127.0.0.1, but that didn’t work either. Hello, So they do _not_ only look up internal/authoritative zones, but external ones as well. (It's always the exceptions that kill you.) I think we have previously established that there is not a good way to do whitelisting using Bind, see the thread "Authority and forwarding, but not recursion/iteration". If you can live with non-allowed zones returning SERVFAIL (instead of NXDOMAIN for example), then using a recursive service with a bogus global forwarder and static stubs pointing to the authoritative/non-recursive service might do the trick. You might also be able to leverage RPZ if there are no complex conditions associated to your rules (everyone will have the same white/blacklists). You configure passthrough for the allowed zones and deny the rest. Alternatively, there is dnsdist which, while being a load-balancer, could be considered the swiss army knife of DNS filtering. Finally, some firewalls like Fortigates provide a "DNS filter" that lets you define custom white and blacklists. Palo Altos currently are not able to whitelist AFAIK. Best regards, Marki ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
I have been banging my head against the wall regarding this very topic and then found this thread from last week. I’m also looking for a solution to this problem, and wondered if anyone may have some suggestions (including potential alternatives). My situation is due to a security requirement. We have DNS servers at our site running BIND that allow recursion, but I’ve been requested to set up some additional DNS servers for another project that is expected to *only* access the data that we’re authoritative for. And of course …. there’s a chance that it might need to look up one or two external zones. Essentially, what I really need is a recursive whitelist that doesn’t tell BIND what clients are allowed to do recursive lookups, but to limit BIND to only allow recursive lookups on a very small list of allowed domains. I was trying to set up a forwarding zone to forward queries to our DNS servers that do allow recursion, but as I discovered (and as was discussed earlier in the thread), if recursion is not allowed, then forwarding is also not allowed. I had tried setting the “allow-recursion” field to “localhost” and setting up a forward zone to forward to 127.0.0.1, but that didn’t work either. Is there any potential workaround for this, or do I just need to tell the person who requested this that they can only get all or nothing for recursive queries? We’re still running BIND 9.11, but I was wondering if there may be new features in BIND 9.16 or 17 that I’m not aware of. Thanks, Brian -- Brian Sebby (he/him/his) | Lead Systems Engineer Email: se...@anl.gov<mailto:se...@anl.gov> | Information Technology Infrastructure Phone: +1 630.252.9935| Business Information Services Cell: +1 630.921.4305| Argonne National Laboratory From: bind-users on behalf of RK K Date: Wednesday, April 7, 2021 at 7:40 PM To: "bind-users@lists.isc.org" Subject: Re: forwarding zone setup from a BIND slave (without recursion?) Hello Marki, Matus, Thank you for the insights on this topic. Answering Marki's question about why the secondary-authoritative (slaves) are used for lookups is some-what history and there was no need to be recursive (until now) as all the queries are authoritatively answered or refused. May be security is another reason. Much appreciated your ideas Thank you Kind Regards RK On Wed, Apr 7, 2021 at 8:01 AM mailto:bind-users-requ...@lists.isc.org>> wrote: Send bind-users mailing list submissions to bind-users@lists.isc.org<mailto:bind-users@lists.isc.org> To subscribe or unsubscribe via the World Wide Web, visit https://lists.isc.org/mailman/listinfo/bind-users or, via email, send a message with subject or body 'help' to bind-users-requ...@lists.isc.org<mailto:bind-users-requ...@lists.isc.org> You can reach the person managing the list at bind-users-ow...@lists.isc.org<mailto:bind-users-ow...@lists.isc.org> When replying, please edit your Subject line so it is more specific than "Re: Contents of bind-users digest..." Today's Topics: 1. forwarding zone setup from a BIND slave (without recursion?) (RK K) 2. Re: forwarding zone setup from a BIND slave (without recursion?) (Matus UHLAR - fantomas) 3. Re: forwarding zone setup from a BIND slave (without recursion?) (Marki) -- Message: 1 Date: Tue, 6 Apr 2021 22:47:23 -0400 From: RK K mailto:rvk...@gmail.com>> To: bind-users@lists.isc.org<mailto:bind-users@lists.isc.org> Subject: forwarding zone setup from a BIND slave (without recursion?) Message-ID: mailto:caotbjrubejlxc6-uff5kgkd_ignoytg_ku2pkdxbhpovyzs...@mail.gmail.com>> Content-Type: text/plain; charset="utf-8" All, We have a set of BIND primary servers (MASTERs) and a set of secondary servers (slaves to the MASTERs). The secondary BIND DNS servers disabled recursion ( with "*recursion no;" *) in the global options. All the applications/systems do use secondary DNS servers for name resolution. Now there is a need to configure a forwarding zone in the "secondary DNS servers" to an external DNS server. In this scenario, in-order for the secondary server to forward the DNS query to an external DNS server, is it required to enable the recursion in the global options on the secondary servers? Based on reference material, I did not see such a requirement. But my observation is the query is not getting forwarded ( tried to check using the packet trace) When recursion is enabled, the query is getting forwarded. The BIND version I am using is 9.11.2.x. Appreciate your ideas and help. Thank you Kind Regards, Ravi Kota -- next part -- An HTML attachment was scrubbed... URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210406/15bb6cad/attachment-0001.ht
Re: forwarding zone setup from a BIND slave (without recursion?)
Mark Andrews wrote: > > On 8 Apr 2021, at 00:37, Tony Finch wrote: > > > > Forward zones require the upstream server to be recursive too. > > More correctly, the upstream server has to serve the entire namespace being > forwarded if it does not off recursion to the client for forwarding to > work. I thought forwarding expected the target server to resolve CNAMEs? If so, any out-of-zone CNAMEs in the target namespace would cause problems. Tony. -- f.anthony.n.finchhttps://dotat.at/ Cape Wrath to Rattray Head including Orkney: Southwesterly 6 to gale 8, occasionally 5 at first in east, then veering westerly or northwesterly 7 to severe gale 9 later. Moderate or rough, becoming very rough or high in north. Rain at times, squally snow showers later. Moderate or good, occasionally very poor later. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
Chuck, Tony, Thank you all for sharing the ideas.. very much appreciated. Thank you Kind Regards, Ravi Kota On Wed, Apr 7, 2021 at 7:25 PM wrote: > Send bind-users mailing list submissions to > bind-users@lists.isc.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.isc.org/mailman/listinfo/bind-users > or, via email, send a message with subject or body 'help' to > bind-users-requ...@lists.isc.org > > You can reach the person managing the list at > bind-users-ow...@lists.isc.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of bind-users digest..." > > > Today's Topics: > >1. Re: forwarding zone setup from a BIND slave (without > recursion?) (Chuck Aurora) >2. Re: forwarding zone setup from a BIND slave (without > recursion?) (Tony Finch) >3. Re: rndc stops listening (John Thurston) > 4. Re: rndc stops listening (Ond?ej Sur?) >5. Re: forwarding zone setup from a BIND slave (without > recursion?) (Mark Andrews) > > > -- > > Message: 1 > Date: Wed, 07 Apr 2021 07:53:01 -0500 > From: Chuck Aurora > To: bind-users@lists.isc.org > Subject: Re: forwarding zone setup from a BIND slave (without > recursion?) > Message-ID: > Content-Type: text/plain; charset=US-ASCII; format=flowed > > On 2021-04-07 03:59, Marki wrote: > > To elaborate a little bit on that... Indeed that is how it works, > > unfortunately. When you start using forwarders or stubs, recursion > > needs to be enabled because you're no longer looking for your own > > authoritative data only. > > A stub or static-stub zone would not require recursion. In that case > named is asking for authoritative data from upstream. But type > forward zones indeed cannot work if recursion is disabled. > > > What I've learned from this list is that you should split > > authoritative and recursive service. > > I would suggest that as a general best practice, but not an absolute > one. There's nothing wrong with having internal-only authoritative > zones on your recursive resolver. The potential problem comes when > you're a globally-published NS for your zones; having recursion > enabled can make you vulnerable to more possible attacks. > > I'd say it depends more who/what you are. Small-timers are not at so > much risk for this than large sites and ISPs. But there too, the > paranoid would go for two instances of named, authoritative and > recursive, on a small hosted server even where it's only offering > recursion to itself. > > > May I ask what is the reasoning behind your current setup (pointing > > your users to the non-recursive service)? What would you like to > > achieve? What would you like to prevent? > > Agreed, that is strange. It does not seem that an authoritative-only > named can be very useful for end users. > > > -- > > Message: 2 > Date: Wed, 7 Apr 2021 15:37:33 +0100 > From: Tony Finch > To: Chuck Aurora > Cc: bind-users@lists.isc.org > Subject: Re: forwarding zone setup from a BIND slave (without > recursion?) > Message-ID: > Content-Type: text/plain; charset=US-ASCII > > Chuck Aurora wrote: > > > > A stub or static-stub zone would not require recursion. In that case > > named is asking for authoritative data from upstream. But type > > forward zones indeed cannot work if recursion is disabled. > > Be careful in this kind of situation to be very clear about which client > or server is doing what: in this case, it isn't clear what doesn't require > recursion for stub or static stub. > > All three types of zone configuration (stub, static stub, and forward) > are only useful on a server that is providing recursive service. > > Forward zones require the upstream server to be recursive too. > > Stub and static-stub expect the upstream server to be authoritative; > the stub server list is a hint that gets replaced by the authoritative > server list from the zone (a bit like the root hints) whereas static-stub > only uses the configured upstream servers. > > > > What I've learned from this list is that you should split > > > authoritative and recursive service. > > > > I would suggest that as a general best practice, but not an absolute > > one. There's nothing wrong with having internal-only authoritative > > zones on your recursive resolver. The potential problem comes when > > you're a globally-published NS for your zones; having recursion > > enabled can make you vulnera
Re: forwarding zone setup from a BIND slave (without recursion?)
Hello Marki, Matus, Thank you for the insights on this topic. Answering Marki's question about why the secondary-authoritative (slaves) are used for lookups is some-what history and there was no need to be recursive (until now) as all the queries are authoritatively answered or refused. May be security is another reason. Much appreciated your ideas Thank you Kind Regards RK On Wed, Apr 7, 2021 at 8:01 AM wrote: > Send bind-users mailing list submissions to > bind-users@lists.isc.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.isc.org/mailman/listinfo/bind-users > or, via email, send a message with subject or body 'help' to > bind-users-requ...@lists.isc.org > > You can reach the person managing the list at > bind-users-ow...@lists.isc.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of bind-users digest..." > > > Today's Topics: > > 1. forwarding zone setup from a BIND slave (without recursion?) > (RK K) >2. Re: forwarding zone setup from a BIND slave (without > recursion?) (Matus UHLAR - fantomas) > 3. Re: forwarding zone setup from a BIND slave (without > recursion?) (Marki) > > > -- > > Message: 1 > Date: Tue, 6 Apr 2021 22:47:23 -0400 > From: RK K > To: bind-users@lists.isc.org > Subject: forwarding zone setup from a BIND slave (without recursion?) > Message-ID: > < > caotbjrubejlxc6-uff5kgkd_ignoytg_ku2pkdxbhpovyzs...@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > All, > > We have a set of BIND primary servers (MASTERs) and a set of secondary > servers (slaves to the MASTERs). > The secondary BIND DNS servers disabled recursion ( with "*recursion no;" > *) > in the global options. > All the applications/systems do use secondary DNS servers for name > resolution. > > Now there is a need to configure a forwarding zone in the "secondary DNS > servers" to an external DNS server. > > In this scenario, in-order for the secondary server to forward the DNS > query to an external DNS server, is it required to enable the recursion in > the global options on the secondary servers? > Based on reference material, I did not see such a requirement. But my > observation is the query is not getting forwarded ( tried to check using > the packet trace) > When recursion is enabled, the query is getting forwarded. > > The BIND version I am using is 9.11.2.x. > > Appreciate your ideas and help. > > Thank you > Kind Regards, > Ravi Kota > -- next part -- > An HTML attachment was scrubbed... > URL: < > https://lists.isc.org/pipermail/bind-users/attachments/20210406/15bb6cad/attachment-0001.htm > > > > -- > > Message: 2 > Date: Wed, 7 Apr 2021 10:35:12 +0200 > From: Matus UHLAR - fantomas > To: bind-users@lists.isc.org > Subject: Re: forwarding zone setup from a BIND slave (without > recursion?) > Message-ID: <20210407083512.ga19...@fantomas.sk> > Content-Type: text/plain; charset=us-ascii; format=flowed > > On 06.04.21 22:47, RK K wrote: > >We have a set of BIND primary servers (MASTERs) and a set of secondary > >servers (slaves to the MASTERs). > >The secondary BIND DNS servers disabled recursion ( with "*recursion no;" > *) > >in the global options. > >All the applications/systems do use secondary DNS servers for name > >resolution. > > > >Now there is a need to configure a forwarding zone in the "secondary DNS > >servers" to an external DNS server. > > > >In this scenario, in-order for the secondary server to forward the DNS > >query to an external DNS server, is it required to enable the recursion in > >the global options on the secondary servers? > > yes. > > >Based on reference material, I did not see such a requirement. But my > >observation is the query is not getting forwarded ( tried to check using > >the packet trace) > >When recursion is enabled, the query is getting forwarded. > > > >The BIND version I am using is 9.11.2.x. > > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > It's now safe to throw off your computer. > > > -- > > Message: 3 > Date: Wed, 7 Apr 2021 10:59:30 +0200 > From: Marki > To: bind-users@lists.isc.org > Subj
Re: forwarding zone setup from a BIND slave (without recursion?)
> On 8 Apr 2021, at 00:37, Tony Finch wrote: > > Chuck Aurora wrote: >> >> A stub or static-stub zone would not require recursion. In that case >> named is asking for authoritative data from upstream. But type >> forward zones indeed cannot work if recursion is disabled. > > Be careful in this kind of situation to be very clear about which client > or server is doing what: in this case, it isn't clear what doesn't require > recursion for stub or static stub. > > All three types of zone configuration (stub, static stub, and forward) > are only useful on a server that is providing recursive service. > > Forward zones require the upstream server to be recursive too. More correctly, the upstream server has to serve the entire namespace being forwarded if it does not off recursion to the client for forwarding to work. > Stub and static-stub expect the upstream server to be authoritative; > the stub server list is a hint that gets replaced by the authoritative > server list from the zone (a bit like the root hints) whereas static-stub > only uses the configured upstream servers. > >>> What I've learned from this list is that you should split >>> authoritative and recursive service. >> >> I would suggest that as a general best practice, but not an absolute >> one. There's nothing wrong with having internal-only authoritative >> zones on your recursive resolver. The potential problem comes when >> you're a globally-published NS for your zones; having recursion >> enabled can make you vulnerable to more possible attacks. > > Right: the rule is that authoritative servers listed as targets of NS > records should be authoritative-only; it's OK if recursive servers have > authoritative copies of zones: it can make them more resilient to outages, > though it does slightly weird things to DNSSEC validation. > > Tony. > -- > f.anthony.n.finchhttps://dotat.at/ > Whitby to Gibraltar Point: Northwest 4 to 6 becoming variable 2 to 4, > then southwest 4 to 6 later. Very rough at first in north, otherwise > moderate or rough. Snow showers, then rain for a time later. Good, > occasionally very poor at first. > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
Chuck Aurora wrote: > > A stub or static-stub zone would not require recursion. In that case > named is asking for authoritative data from upstream. But type > forward zones indeed cannot work if recursion is disabled. Be careful in this kind of situation to be very clear about which client or server is doing what: in this case, it isn't clear what doesn't require recursion for stub or static stub. All three types of zone configuration (stub, static stub, and forward) are only useful on a server that is providing recursive service. Forward zones require the upstream server to be recursive too. Stub and static-stub expect the upstream server to be authoritative; the stub server list is a hint that gets replaced by the authoritative server list from the zone (a bit like the root hints) whereas static-stub only uses the configured upstream servers. > > What I've learned from this list is that you should split > > authoritative and recursive service. > > I would suggest that as a general best practice, but not an absolute > one. There's nothing wrong with having internal-only authoritative > zones on your recursive resolver. The potential problem comes when > you're a globally-published NS for your zones; having recursion > enabled can make you vulnerable to more possible attacks. Right: the rule is that authoritative servers listed as targets of NS records should be authoritative-only; it's OK if recursive servers have authoritative copies of zones: it can make them more resilient to outages, though it does slightly weird things to DNSSEC validation. Tony. -- f.anthony.n.finchhttps://dotat.at/ Whitby to Gibraltar Point: Northwest 4 to 6 becoming variable 2 to 4, then southwest 4 to 6 later. Very rough at first in north, otherwise moderate or rough. Snow showers, then rain for a time later. Good, occasionally very poor at first. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
On 2021-04-07 03:59, Marki wrote: To elaborate a little bit on that... Indeed that is how it works, unfortunately. When you start using forwarders or stubs, recursion needs to be enabled because you're no longer looking for your own authoritative data only. A stub or static-stub zone would not require recursion. In that case named is asking for authoritative data from upstream. But type forward zones indeed cannot work if recursion is disabled. What I've learned from this list is that you should split authoritative and recursive service. I would suggest that as a general best practice, but not an absolute one. There's nothing wrong with having internal-only authoritative zones on your recursive resolver. The potential problem comes when you're a globally-published NS for your zones; having recursion enabled can make you vulnerable to more possible attacks. I'd say it depends more who/what you are. Small-timers are not at so much risk for this than large sites and ISPs. But there too, the paranoid would go for two instances of named, authoritative and recursive, on a small hosted server even where it's only offering recursion to itself. May I ask what is the reasoning behind your current setup (pointing your users to the non-recursive service)? What would you like to achieve? What would you like to prevent? Agreed, that is strange. It does not seem that an authoritative-only named can be very useful for end users. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
Hello, On 4/7/2021 10:35 AM, Matus UHLAR - fantomas wrote: On 06.04.21 22:47, RK K wrote: In this scenario, in-order for the secondary server to forward the DNS query to an external DNS server, is it required to enable the recursion in the global options on the secondary servers? yes. To elaborate a little bit on that... Indeed that is how it works, unfortunately. When you start using forwarders or stubs, recursion needs to be enabled because you're no longer looking for your own authoritative data only. What I've learned from this list is that you should split authoritative and recursive service. In other words, you need two types of servers: 1) A non-recursive one in the backend containing your authoritative zones only. This can be a hidden master setup, somewhat like what you are using now. 2) The one your users access has recursion enabled, and contains stubs to the authoritative service. Obviously, it can also contain stubs (or forwarders) to anywhere else. At the same time it is performing full recursive service unless you take authority for the root zone. May I ask what is the reasoning behind your current setup (pointing your users to the non-recursive service)? What would you like to achieve? What would you like to prevent? Bye, Marki ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarding zone setup from a BIND slave (without recursion?)
On 06.04.21 22:47, RK K wrote: We have a set of BIND primary servers (MASTERs) and a set of secondary servers (slaves to the MASTERs). The secondary BIND DNS servers disabled recursion ( with "*recursion no;" *) in the global options. All the applications/systems do use secondary DNS servers for name resolution. Now there is a need to configure a forwarding zone in the "secondary DNS servers" to an external DNS server. In this scenario, in-order for the secondary server to forward the DNS query to an external DNS server, is it required to enable the recursion in the global options on the secondary servers? yes. Based on reference material, I did not see such a requirement. But my observation is the query is not getting forwarded ( tried to check using the packet trace) When recursion is enabled, the query is getting forwarded. The BIND version I am using is 9.11.2.x. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. It's now safe to throw off your computer. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
forwarding zone setup from a BIND slave (without recursion?)
All, We have a set of BIND primary servers (MASTERs) and a set of secondary servers (slaves to the MASTERs). The secondary BIND DNS servers disabled recursion ( with "*recursion no;" *) in the global options. All the applications/systems do use secondary DNS servers for name resolution. Now there is a need to configure a forwarding zone in the "secondary DNS servers" to an external DNS server. In this scenario, in-order for the secondary server to forward the DNS query to an external DNS server, is it required to enable the recursion in the global options on the secondary servers? Based on reference material, I did not see such a requirement. But my observation is the query is not getting forwarded ( tried to check using the packet trace) When recursion is enabled, the query is getting forwarded. The BIND version I am using is 9.11.2.x. Appreciate your ideas and help. Thank you Kind Regards, Ravi Kota ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users