Hi all,
We are running BIND on Linux servers, using release
bind-9.9.4-51.el7_4.1.x86_64.
We are not using BIND in a standard Internet environment. Instead, we are
using BIND in a mobile network environment, in which the DNS root service is
provided by service providers. Therefore, we are not using the built-in root
servers. So, we have customized the content of the db.root file to include the IP
addresses of the DNS servers belonging to our service provider. In our case we have
a configuration similar to the following (we have omitted real server names
and IP addresses):
. 3600000 IN NS SERVER1.grx.
SERVER1.grx. 3600000 IN A 10.10.10.1
. 3600000 IN NS SERVER2.grx.
SERVER2.grx. 3600000 IN A 10.10.20.1
. 3600000 IN NS SERVER3.grx.
SERVER3.grx. 3600000 IN A 10.10.30.1
. 3600000 IN NS SERVER4.grx.
SERVER4.grx. 3600000 IN A 10.10.40.1
. 3600000 IN NS SERVER5.grx.
SERVER5.grx. 3600000 IN A 10.10.50.1
. 3600000 IN NS SERVER6.grx.
SERVER6.grx. 3600000 IN A 10.10.60.1
We have noticed that each query forwarded towards the root servers creates an extra
NS ROOT query. We have been reading about "root priming", so we were expecting
this NS ROOT query upon server restart. However, we are seeing this kind of
query for each query that has to be resolved with the root servers' assistance. We
believed that "root priming" was supposed to happen once a day or upon the ROOT
SERVER TTL, which in our case is 3600, i.e., our root servers are replying with
TTL 3600 to NS ROOT queries.
In addition, we have also tested with DNSSEC disabled as follows:
dnssec-enable no;
dnssec-validation no;
Disabling DNSSEC has not made any difference.
How can we stop/limit these massive NS ROOT queries?
In addition, we are going to configure a second provider that has warned us that
they do not reply to NS ROOT queries. Could this pose a problem for our DNS
servers? Is it possible to instruct our DNS servers not to perform root priming?
Thanks for your help.
Kind regards,
Antonio.
P.S. Below you can find the structure of our named.conf file:
acl "ExternalACL" { any; };
acl "InternalACL" { 10.10.100.1/32; 10.10.200.1/32; };

options {
    allow-recursion { 10.10.100.1/32; 10.10.200.1/32; };
    directory "/var/named";
};

view "InternalView" IN {
    match-clients { InternalACL; };
    allow-recursion { 10.10.100.1/32; 10.10.200.1/32; };
    zone "." IN {
        type hint;
        file "db.root";
    };
    # Master Zone(s):
    MASTER ZONES
};

view "ExternalView" IN {
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
    match-clients { key gibraltar-externalview-smkey; !gibraltar-externalview-other-smkeys; ExternalACL; };
    zone "." IN {
        type hint;
        file "db.root";
    };
    # Master Zone(s):
    MASTER ZONES
};
Antonio Medina Ortega
Analyst
Broadband & Transport Networks
Gibtelecom
Mob: +350 58008261
Fax: +350 20071673
Email: [email protected]
Web: www.gibtele.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
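Two checks a resolver operator would want before tuning anything for the situation described in the post, written as an added example (not code from the original post, from ISC or from BIND): first, parse a db.root-style hints file and report any root NS name that has no A/AAAA glue, since a hint without glue is one reason a resolver has to go back and ask for root information; second, count outbound root NS queries ("priming" queries, qname "." with qtype NS) per root-server address in `tcpdump -n` DNS output, so the observed rate can be compared against the 3600 s NS TTL the post mentions. The hints text, the capture lines, the server names and all IP addresses below are constructed placeholders in the same shape as the post's examples.

```python
"""Hints-file glue check and priming-query counter (added example, not from the post or from BIND)."""
import re
from collections import Counter

# Constructed hints content in the shape of the post's db.root.
# SERVER3.grx. deliberately has no A record so that the glue check fires.
HINTS = """\
. 3600000 IN NS SERVER1.grx.
SERVER1.grx. 3600000 IN A 10.10.10.1
. 3600000 IN NS SERVER2.grx.
SERVER2.grx. 3600000 IN A 10.10.20.1
. 3600000 IN NS SERVER3.grx.
"""

# Constructed `tcpdump -n` output: the resolver 10.10.100.5 (placeholder) sending
# queries to the provider root servers listed in HINTS. "[1au]" is tcpdump's
# marker for one EDNS OPT record in the additional section.
CAPTURE = """\
10:00:00.000100 IP 10.10.100.5.51001 > 10.10.10.1.53: 40001 [1au] NS? . (28)
10:00:00.000250 IP 10.10.100.5.51002 > 10.10.10.1.53: 40002 [1au] A? www.example.net. (44)
10:00:01.100100 IP 10.10.100.5.51003 > 10.10.20.1.53: 40003 [1au] NS? . (28)
10:00:01.100250 IP 10.10.100.5.51004 > 10.10.20.1.53: 40004 [1au] MX? example.org. (40)
10:00:02.200100 IP 10.10.100.5.51005 > 10.10.10.1.53: 40005 [1au] NS? . (28)
10:00:02.200250 IP 10.10.100.5.51006 > 10.10.10.1.53: 40006 [1au] AAAA? mail.example.net. (45)
"""

# tcpdump DNS summary line: "<ts> IP <src>.<port> > <dst>.53: <id>[flags] [<n>au] <qtype>? <qname> (<len>)"
CAP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%$-]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_hints(text):
    """Return (set of root NS names, {owner: [addresses]}) from master-file lines.

    Accepts the usual 'owner [ttl] [class] type rdata' shape; comments after ';' are dropped.
    Names are lower-cased so NS targets and glue owners compare equal regardless of case.
    """
    ns_names, glue = set(), {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        # locate the record type; skip the owner field so an odd owner name is never taken as a type
        types = [i for i, f in enumerate(fields) if i > 0 and f.upper() in ("NS", "A", "AAAA")]
        if not types or types[0] + 1 >= len(fields):
            continue
        owner = fields[0].lower()
        rtype = fields[types[0]].upper()
        rdata = fields[types[0] + 1]
        if owner == "." and rtype == "NS":
            ns_names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return ns_names, glue


def missing_glue(text):
    """Root NS names in the hints file that have no A/AAAA record alongside them."""
    ns_names, glue = parse_hints(text)
    return sorted(name for name in ns_names if name not in glue)


def count_priming(capture, hints_text=HINTS):
    """Per root-server address, count priming queries (NS for '.') and all other queries.

    Only packets sent to an address that appears as glue in the hints file are counted,
    so traffic to other authoritative servers in the same capture does not skew the ratio.
    """
    _, glue = parse_hints(hints_text)
    root_addrs = {addr for addrs in glue.values() for addr in addrs}
    stats = {"priming": Counter(), "other": Counter()}
    for line in capture.splitlines():
        m = CAP_RE.match(line)
        if not m or m["dst"] not in root_addrs:
            continue
        bucket = "priming" if (m["qtype"], m["qname"]) == ("NS", ".") else "other"
        stats[bucket][m["dst"]] += 1
    return stats


def priming_ratio(stats):
    """Priming queries per non-priming query to the root servers; 0.0 if nothing else was sent."""
    other = sum(stats["other"].values())
    return sum(stats["priming"].values()) / other if other else 0.0


if __name__ == "__main__":
    print("root NS names without glue:", missing_glue(HINTS))
    s = count_priming(CAPTURE)
    for addr in sorted(set(s["priming"]) | set(s["other"])):
        print(f"{addr}: priming={s['priming'][addr]} other={s['other'][addr]}")
    print("priming queries per real query:", priming_ratio(s))
```

With a healthy cache the priming counter should show a handful of NS queries per root-server address per TTL interval, not one per resolved query; a ratio near 1.0 over a capture of a few minutes, as in the constructed sample, is the symptom the post describes. Run the capture side against real output with `tcpdump -n -i <iface> udp port 53 and dst net <root-server-prefix>` piped into the script in place of the constructed `CAPTURE` string.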