Operating System - HP-UX

How to make DNS check another server if the first server cannot resolve the IP address

Gary Cooper_1
Esteemed Contributor

I've got a single subnet that is not connected to the outside world. DNS is provided by HP-UX for aaa.com (e.g.). I've now put a Windows 2003 SBS machine on the network, which is serving several PCs. Because SBS2003 is really keen on doing its own DNS (Active Directory and all that), I've created a subdomain called windows.aaa.com which my SBS server handles the DNS for.

As it is, if I do a forward lookup of a PC on my unix machines, they return the correct IP address (Non-authoritative answer). However, they are unable to do a reverse lookup of the PCs (No hostname information is available for aaa.bbb.ccc.ddd).

On my unix machines, if I do:

# nslookup aaa.bbb.ccc.ddd

it works OK.

Is there any way I can configure my unix DNS server to try another server (my sbsserver) if it can't resolve the IP address itself?

I don't want to redesign my DNS scheme, so if there's no simple answer, I can work around this, but my workaround is pretty inelegant.

Thanks,

Gary
4 REPLIES
Geoff Wild
Honored Contributor

Re: How to make DNS check another server if the first server cannot resolve the IP address

Add the sbsserver as second ip in /etc/resolv.conf

Though - I'm not positive that it will work...

Best is to integrate Windows with your DNS...

2 choices - make Windows primary for all your domains (yuck) and Unix secondary - or make Unix primary and Windows secondary.

If the latter - turn on dynamic updates in Bind...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
rick jones
Honored Contributor

Re: How to make DNS check another server if the first server cannot resolve the IP address

Indeed, just adding the line to resolv.conf will not cause it to check another server if the first query returns not found. It will only go to the second (or third, and really there _should_ be two servers configured...) if there is no response (IIRC).

So, making one secondary to the other is probably the only way to go, or find some way to convince the windows box it really should defer.
there is no rest for the wicked yet the virtuous have no pillows
Bill Hassell
Honored Contributor

Re: How to make DNS check another server if the first server cannot resolve the IP address

Your Windows server is simply misconfigured. Reverse DNS is a very common way to improve security. But if your DNS admins can't be persuaded to add the appropriate records, then you can bypass the server completely for selected addresses. You do this by putting the required hostname/IP lines in /etc/hosts, then change the default /etc/nsswitch.conf hosts line to resolve through files first (/etc/hosts) then consult the DNS servers. The line would look like this:

hosts: files [NOTFOUND=continue TRYAGAIN=continue] dns [NOTFOUND=continue]

This is actually the most desirable configuration for a production machine. When a DNS server has problems, it wreaks havoc on the machines that depend on the server. For HP-UX, each dead (non-responding) DNS server requires about 20 seconds to determine that the server is not working. Then the next server is tried, and so on up to 3 DNS server attempts. This is for *EVERY* network activity, from login to ftp to any gethostbyname() (and similar) library call. A server can be almost disabled with a loss of the primary DNS server.

Now contrary to common belief, the 2nd and 3rd DNS servers are not consulted unless the nsswitch.conf file specifies [NOTFOUND=continue]. This means that if the first server is working and says "no such entry", that is the final answer. By specifying [NOTFOUND=continue], the next item in the list will be consulted. Check out the man page for nsswitch.conf.


Bill Hassell, sysadmin
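The two replies above describe two different fall-through mechanisms: the nameserver list in /etc/resolv.conf, where the next server is tried only when the current one does not answer, and the source list in /etc/nsswitch.conf, where the next source is tried according to the [STATUS=action] rules. The following simulator, an added example and not HP-UX code or anything posted in this thread, encodes both behaviours as the replies describe them so the difference can be stepped through. The /etc/hosts contents, the DNS record sets and the IP addresses are constructed sample data, and the default actions (a negative answer ends the lookup unless [NOTFOUND=continue] is given) are an assumption taken from the post above; confirm them against nsswitch.conf(4) on your release.

```python
"""Model of reverse-lookup source selection: nsswitch.conf sources with
[STATUS=action] rules, and a resolv.conf nameserver list inside the dns
source. Added illustration only; it is not HP-UX resolver code."""
import re

SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN"

# Assumed default actions (check nsswitch.conf(4)): a definite "no such name"
# ends the lookup unless the line says [NOTFOUND=continue]; a source that
# cannot answer at all falls through to the next source.
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "return",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}

# Constructed sample data: a unix server authoritative for aaa.com and an SBS
# server authoritative for windows.aaa.com, each knowing only its own PTRs.
HOSTS_FILE = {"10.1.2.50": "pc1.windows.aaa.com"}   # /etc/hosts on the client
UNIX_DNS = {"10.1.2.10": "hpux1.aaa.com"}           # reverse records it holds
SBS_DNS = {"10.1.2.50": "pc1.windows.aaa.com"}      # reverse records it holds


def parse_hosts_line(line):
    """Parse 'hosts: files [NOTFOUND=continue] dns' into
    [('files', {'NOTFOUND': 'continue'}), ('dns', {})]."""
    _, _, spec = line.partition(":")
    entries = []
    for m in re.finditer(r"(\w+)\s*(?:\[([^\]]*)\])?", spec):
        actions = {}
        for pair in (m.group(2) or "").split():
            status, _, action = pair.partition("=")
            actions[status.upper()] = action.lower()
        entries.append((m.group(1), actions))
    return entries


def lookup_files(ip, hosts_file, _servers):
    """/etc/hosts: either the address is listed or it is not."""
    return (SUCCESS, hosts_file[ip]) if ip in hosts_file else (NOTFOUND, None)


def lookup_dns(ip, _hosts_file, servers):
    """resolv.conf semantics as described in the thread: the next nameserver
    (list order) is consulted only when the current one gives no response,
    modelled here as None; a negative answer is final even if a later server
    in the list would have known the name."""
    for server in servers:
        if server is None:            # dead server: time out, try the next one
            continue
        if ip in server:
            return SUCCESS, server[ip]
        return NOTFOUND, None         # "no such name" ends the query
    return TRYAGAIN, None             # every configured server timed out


SOURCES = {"files": lookup_files, "dns": lookup_dns}


def resolve_reverse(ip, nsswitch_line, hosts_file, servers, defaults=DEFAULT_ACTIONS):
    """Walk the nsswitch.conf sources in order, applying each source's
    [STATUS=action] rules. Returns (hostname or None, [(source, status), ...])
    so the path taken through the configuration is visible."""
    trace = []
    for source, actions in parse_hosts_line(nsswitch_line):
        status, answer = SOURCES[source](ip, hosts_file, servers)
        trace.append((source, status))
        if status == SUCCESS:
            return answer, trace
        if actions.get(status, defaults[status]) == "return":
            return None, trace
    return None, trace


if __name__ == "__main__":
    # Second nameserver is never asked once the first says "no such name".
    print(resolve_reverse("10.1.2.50", "hosts: dns files", HOSTS_FILE, [UNIX_DNS, SBS_DNS]))
    # The line from the post above: /etc/hosts first, then DNS on NOTFOUND.
    line = "hosts: files [NOTFOUND=continue TRYAGAIN=continue] dns [NOTFOUND=continue]"
    print(resolve_reverse("10.1.2.50", line, HOSTS_FILE, [UNIX_DNS]))
    print(resolve_reverse("10.1.2.10", line, HOSTS_FILE, [UNIX_DNS]))
    # A dead primary does fall through to the secondary within the dns source.
    print(resolve_reverse("10.1.2.10", "hosts: dns", HOSTS_FILE, [None, UNIX_DNS]))
```

Running the script shows the contrast directly: with `hosts: dns files` and both servers listed in resolv.conf order, the PC's address comes back empty because the unix server's negative answer is final, whereas with the `files [NOTFOUND=continue ...] dns [...]` line the /etc/hosts entry answers first and addresses absent from the file still reach DNS. The dead-server scenario is the only one in which the second nameserver in the list is consulted.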
Gary Cooper_1
Esteemed Contributor

Re: How to make DNS check another server if the first server cannot resolve the IP address

Thanks for the postings guys. For a minute there I got quite excited. I don't really want to make any major changes to my DNS at the moment and as I've got around a dozen HP-UX boxes, the hosts file approach has too much overhead (I used to use hosts files several years ago, but switched to DNS to reduce the amount of admin required).

I think I'll go with my inelegant solution.

Once again, thanks for your help.

Gary