Hi Renzo. Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the Internet on behalf of its clients, so it forwards to BIND.

In that case, two questions:

1) What version of BIND are you running? You can get this with "named -V".

2) What is in the file "named.ca"? For a long time (which is why I need to know the version) BIND has had the Internet root hints built in, so you don't need a hint zone anymore. Unless you are defining different roots for some reason. Hence why I need to know the contents of that file.

Thanks, Greg

On Thu, 27 Jun 2024 at 18:06, Renzo Marengo <buckroger2...@gmail.com> wrote:
>
> Hi Greg,
>
> thank you very much for your explanation.
>
> Let's suppose the AD domain is 'mydomain.it' and I have 6000 computers of a government institute.
>
> Here is my bind configuration:
>
> named.conf
> ———
> include "…. named.conf.options";
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "…. named.rfc1912.zones";
> include "…. named.root.key";
> ———
>
> named.conf.options
> ———
> logging {
>     channel named_debug {
>         syslog local6;
>         severity debug 1;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>     category default { named_debug; };
> };
>
> options {
>     auth-nxdomain no; # conform to RFC1035
>     allow-recursion { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>     allow-query { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>     recursive-clients 3000;
>     allow-query-cache { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>
>     listen-on port 53 { 127.0.0.1; A.B.C.D; };
>     directory "….. named";
>     dump-file "….. cache_dump.db";
>     statistics-file "….. named_stats.txt";
>     memstatistics-file "…. named_mem_stats.txt";
>     recursing-file "… named.recursing";
>     secroots-file "… named.secroots";
>     recursion yes;
>     dnssec-enable no;
>     dnssec-validation no;
>
>     bindkeys-file "….. named.iscdlv.key";
>     managed-keys-directory "….. dynamic";
>     pid-file "….. named.pid";
>     session-keyfile "….. session.key";
> };
> ———
>
> > Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide resolution for delegated names below the AD domain that are not hosted on the AD servers themselves.
>
> There is no forward option to AD DNS. Forwarding is enabled from AD DNS to the A.B.C.D. bind9 server.
>
> All clients are using AD DNS; in fact every query about a name in 'mydomain.it' is resolved by AD DNS.
> When a client asks for an external domain, e.g. www.google.it, the AD server forwards the query to the A.B.C.D. server. (The forward option is set on every domain controller.)
> Only AD DNS makes queries to the A.B.C.D server, and it's necessary only to resolve external domains.
> The A.B.C.D. server never makes queries to the AD server. A.B.C.D. is the next DNS server, which participates when it's necessary to resolve an external domain.
>
> I hope to have explained it right.
>
> I thought the A.B.C.D server made queries to the root servers because in the configuration there is no reference to the forward option, because I thought to set a government DNS of my country as the DNS forwarder. What do you think?
>
> I have doubts about the recursive and iterative query options too.
>
> Thanks
>
> On Thu, 27 Jun 2024 at 13:24, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:
>> Hi Renzo.
>> Firstly, please can we see your BIND configuration and have the actual AD domain name.
>>
>> Secondly, BIND, or any other recursive DNS server, does not 'forward' to the root servers, unless you have configured it explicitly to do so, which would be a bad idea and not work anyway. It will recurse (paradoxically, perform non-recursive aka iterative queries) to the roots and other authoritative servers. It is an important distinction to be aware of.
>>
>> Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide resolution for delegated names below the AD domain that are not hosted on the AD servers themselves. Personally I would use a stub or static-stub zone in BIND to refer to the AD domain.
>>
>> In general, decide which DNS is going to do the resolving and make that the control point, fetching data from wherever it needs to (e.g. AD DNS) - using non-recursive queries - and using that data to construct answers for its clients.
>>
>> I hope that helps.
>> Cheers, Greg
>>
>> On Thu, 27 Jun 2024 at 12:02, Renzo Marengo <buckroger2...@gmail.com> wrote:
>>> I have an Active Directory domain ('mydomain.it') with 8 domain controllers to manage 8000 computers. Every domain controller acts as a DNS service and resolves internal domain names, while forwarding queries about external domains to another server, which is a Bind9 DNS server (it's inside my company).
>>> I'm checking this Bind9 configuration (CentOS server) and I see no forward servers, so I think it makes bind9 forward queries directly to the root servers. What do you think?
>>> In your opinion, should this Bind9 server forward requests to one or more DNS servers via the forward option?

-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
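Editor's added example (not from the thread, not from ISC's documentation): a named.conf that puts into practice the two points Greg raises above, namely that current BIND 9 carries the root hints internally so the "." hint zone and named.ca can go, and that the AD domain is better referred to with a static-stub zone than by forwarding. All addresses are placeholders from the RFC 5737 documentation ranges standing in for A.B.C.D and the domain controllers; the directory path is likewise invented, since the thread elides the real one. BIND address match lists accept addresses, prefixes, key names and acl names, not hostnames, so the ACL below uses the DC addresses rather than dc1.mydomain.it.

```conf
// Added illustration for this thread, not the poster's configuration.
// Assumptions: BIND 9 with built-in root hints; AD domain mydomain.it;
// 192.0.2.53 = this BIND server (A.B.C.D), 192.0.2.11/12 = the AD DCs.

acl "ad-dcs" { 192.0.2.11; 192.0.2.12; };

options {
    directory "/var/named";                 // placeholder path
    listen-on port 53 { 127.0.0.1; 192.0.2.53; };
    recursion yes;
    recursive-clients 3000;

    // Only this host and the domain controllers may use the resolver.
    allow-query       { 127.0.0.1; 192.0.2.53; ad-dcs; };
    allow-recursion   { 127.0.0.1; 192.0.2.53; ad-dcs; };
    allow-query-cache { 127.0.0.1; 192.0.2.53; ad-dcs; };

    // No forwarders: named resolves external names itself, starting from the
    // built-in root hints and sending non-recursive (RD=0) queries to the
    // root and the authoritative servers it is referred to. If you decide to
    // hand external resolution to an upstream resolver instead, this is the
    // option the thread is asking about (address is a placeholder):
    //   forwarders { 198.51.100.1; };
    //   forward only;
};

// No  zone "." { type hint; file "named.ca"; }  here: the root hints are
// compiled into BIND 9, so named.ca is only needed for non-standard roots.

// Static-stub zone for the AD domain: named treats the listed addresses as the
// authoritative servers for mydomain.it and asks them with non-recursive
// queries, caching what it gets and answering its own clients from that.
zone "mydomain.it" {
    type static-stub;
    server-addresses { 192.0.2.11; 192.0.2.12; };
};
```

Check the file with named-checkconf before loading it. The recursive/iterative distinction Greg describes is visible on the wire as the RD (recursion desired) bit: the domain controllers send queries with RD=1 to 192.0.2.53, while named sends RD=0 queries to the roots, to the servers they refer it to, and to the static-stub addresses; "dig +norecurse @server name" sends that same RD=0 query by hand, which is a quick way to confirm what an authoritative or static-stub target will answer without recursing on your behalf.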