topic Re: DNS forward and lookup problem in Operating System - Linux

DNS forward and lookup problem

Kevin Liquori_1 — Tue, 01 Dec 2009 21:12:04 GMT

I'm having a problem with some DNS lookups that are forwarded. Here's my topology:

ns1 (linux server running a DNS server)
ns2 (Windows server running DNS)
client1 (HP-UX or linux client)

I have ns1 configured with a zone with a bunch of A and CNAME records. I also have ns1 forwarding to ns2 for queries that cannot be resolved directly on ns1. Any lookup on ns1, whether it is a locally stored record or a record on ns2 works fine. From client1 a lookup for a record stored on ns1 works fine. When I try a lookup on client1 for a record stored on ns2 it fails ... initially. If I go on to ns1 and run the lookup and then go to client1 and run the same lookup it then succeeds on client1. The lookup from client1 will work for a few minutes and eventually fail. I'm assuming the record is temporarily stored in cache on ns1.

I've used nslookup, dig, and host for these lookups all with the same result. I can see the query attempts being logged on ns1 whether the query succeeds or fails.

Any ideas?

Thanks in advance.

Kevin

Re: DNS forward and lookup problem

Patrick Wallek — Tue, 01 Dec 2009 22:05:12 GMT

Do you have 'recursion no' in your /etc/named.conf file? If so, that could be part of the problem.

With recursion set to no, lookups for domains the server is not authoritative for will fail.

http://www.netadmintools.com/art234.html

Re: DNS forward and lookup problem

Matti_Kurkela — Wed, 02 Dec 2009 09:54:52 GMT

Your work-around may be similar to a DNS cache pollution attack.

If you have a zone of type "master" on ns1, then ns1 is defined as an authoritative server for that zone: it *by definition* knows everything there is to know about that zone and does not need to ask any other nameserver anything about that zone.

When an DNS server that is authoritative for a particular zone responds with "the data you're looking for does not exist", it is not simply an error message. It is more like "I am positive that it does not exist. If someone tries to tell you otherwise, that someone is a fake."

If you have some DNS data that must be maintained on ns1 and other data that must be maintained on ns2, trying to put them into the same domain is most likely a design error: you should make them either two different domains, or make one a sub-domain of the other.

MK

Re: DNS forward and lookup problem

Kevin Liquori_1 — Wed, 02 Dec 2009 13:34:27 GMT

Patrick,
That was it! I had recursion set to: "localnets; localhost;". I switched it to "any" and it is now working as I had hoped.

MK,
Thanks for the info. I do have a few instances of mixed records between the two DNS servers and I need to reconsider parts of the design.

Thanks,
Kevin

Re: DNS forward and lookup problem

Kevin Liquori_1 — Wed, 02 Dec 2009 16:08:42 GMT

Closing thread. Problem solved.