
DNS forward and lookup problem

 
Kevin Liquori_1
Regular Advisor

DNS forward and lookup problem

I'm having a problem with some DNS lookups that are forwarded. Here's my topology:

ns1 (linux server running a DNS server)
ns2 (Windows server running DNS)
client1 (HP-UX or linux client)

I have ns1 configured with a zone with a bunch of A and CNAME records. I also have ns1 forwarding to ns2 for queries that cannot be resolved directly on ns1. Any lookup on ns1, whether it is a locally stored record or a record on ns2, works fine. From client1 a lookup for a record stored on ns1 works fine. When I try a lookup on client1 for a record stored on ns2 it fails ... initially. If I go on to ns1 and run the lookup and then go to client1 and run the same lookup, it then succeeds on client1. The lookup from client1 will work for a few minutes and eventually fail. I'm assuming the record is temporarily stored in cache on ns1.

I've used nslookup, dig, and host for these lookups all with the same result. I can see the query attempts being logged on ns1 whether the query succeeds or fails.

Any ideas?

Thanks in advance.

Kevin
Patrick Wallek
Honored Contributor
Solution

Re: DNS forward and lookup problem

Do you have 'recursion no' in your /etc/named.conf file? If so, that could be part of the problem.

With recursion set to no, lookups for domains the server is not authoritative for will fail.

http://www.netadmintools.com/art234.html
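An added check, not part of Patrick's reply, for confirming whether ns1 is actually offering recursion to client1: dig prints a header with a status field and a flags field, and the two together distinguish "refused because recursion is not allowed for this client" from "answered with recursion available". The function below classifies that header; the two sample headers are constructed for offline use and are not output captured from the poster's servers.

```sh
#!/bin/sh
# Added diagnostic, not from the thread: classify the header of a dig
# response to tell "recursion refused" from "answered with recursion".
# Against a live server:  dig @ns1 host.example.com | classify_dig_output

# Constructed dig header fragments for offline use (not captured from the
# poster's ns1; ids and section counts are made up).
DIG_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12345
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# classify_dig_output reads dig output on stdin and prints one word:
#   recursion-refused  status REFUSED: the server rejected the query outright,
#                      the usual result when allow-recursion excludes the client
#   recursion-ok       the server answered and set "ra" (recursion available)
#   no-recursion       the server answered but did not offer recursion, so only
#                      its own zones and already-cached names will resolve
#   unknown            no dig header found in the input
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)

    if [ -z "$status" ]; then
        echo unknown
        return 1
    fi
    if [ "$status" = "REFUSED" ]; then
        echo recursion-refused
        return 0
    fi
    # Surround with spaces so "ra" is matched as a whole flag, not as part of another token
    case " $flags " in
        *" ra "*) echo recursion-ok ;;
        *)        echo no-recursion ;;
    esac
}

# Offline demonstration using the constructed samples above
demo() {
    printf 'refused sample  -> %s\n' "$(printf '%s\n' "$DIG_REFUSED" | classify_dig_output)"
    printf 'answered sample -> %s\n' "$(printf '%s\n' "$DIG_OK" | classify_dig_output)"
}
```

Running the real query from client1 and from ns1 itself and comparing the two classifications shows directly whether the difference is the client's source address, which is exactly what an `allow-recursion` list keyed on `localnets; localhost;` would produce.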
Matti_Kurkela
Honored Contributor

Re: DNS forward and lookup problem

Your work-around may be similar to a DNS cache pollution attack.

If you have a zone of type "master" on ns1, then ns1 is defined as an authoritative server for that zone: it *by definition* knows everything there is to know about that zone and does not need to ask any other nameserver anything about that zone.

When a DNS server that is authoritative for a particular zone responds with "the data you're looking for does not exist", it is not simply an error message. It is more like "I am positive that it does not exist. If someone tries to tell you otherwise, that someone is a fake."

If you have some DNS data that must be maintained on ns1 and other data that must be maintained on ns2, trying to put them into the same domain is most likely a design error: you should make them either two different domains, or make one a sub-domain of the other.

MK
Kevin Liquori_1
Regular Advisor

Re: DNS forward and lookup problem

Patrick,
That was it! I had recursion set to: "localnets; localhost;". I switched it to "any" and it is now working as I had hoped.

MK,
Thanks for the info. I do have a few instances of mixed records between the two DNS servers and I need to reconsider parts of the design.

Thanks,
Kevin
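An added illustration, not configuration taken from the poster's servers, of how the forwarding setup in this thread looks in a BIND named.conf: the `allow-recursion { any; }` that resolved the symptom is shown next to a version limited to the client networks, which keeps ns1 from becoming an open resolver (the cache-pollution exposure MK mentions). The ACL name, addresses, zone name and file path are placeholders.

```conf
// Added example named.conf fragment, not the poster's actual file.
// ACL name, addresses, zone name and file path are placeholders.

// The networks client1 lives on; anything outside this list is untrusted.
acl "internal-clients" {
    localhost;
    localnets;
    192.0.2.0/24;        // placeholder: client1's subnet
};

options {
    directory "/var/named";

    // Send everything ns1 cannot answer itself to ns2 (placeholder address).
    forwarders { 192.0.2.53; };
    forward only;

    recursion yes;

    // Weak: "any" makes ns1 recurse for, and cache answers for, every host
    // that can reach it, i.e. an open resolver.
    // allow-recursion { any; };

    // Corrected: recurse only for the client networks that need it.
    allow-recursion { "internal-clients"; };

    // Serve cached (non-authoritative) answers to the same set only (BIND 9.4 and later).
    allow-query-cache { "internal-clients"; };
};

// Zone ns1 is authoritative for: names under it are answered from this file
// and never forwarded to ns2, which is MK's point about mixed records.
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

The default `allow-recursion` of `localnets; localhost;` explains the original behaviour: client1 on another subnet was refused recursion, while a name ns1 had just resolved for itself was answered from cache until its TTL expired.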
Kevin Liquori_1
Regular Advisor

Re: DNS forward and lookup problem

Closing thread. Problem solved.