Just out of curiosity, is there any specific reason why you use
dnssec-enable no; in this configuration? It prevents DNSSEC validation
by any client of this machine. I suggest changing it to yes. Disabling
validation is enough.
I have seen empty /dev/null hints used by my tester. It should mean it
will do forward only anyway, because it does not use built-in or
explicitly provided root hints. Maybe with extra logged errors in
addition. Choose what you want. If you delete the hints definition, the
built-in ones would be used. But an empty hints file means no root servers.
That does not make sense with forward first;
edns-udp-size 4096 is not recommended, unless you know very well why you
have it there.
On 05/09/2025 20:30, Reynolds, David wrote:
Greetings all,
I stumbled across an oddity in BIND that may be due to my ignorance or
some other environmental factor.
We have a pair of caching resolvers in a datacenter that ended up with
the following in the configuration:
    forwarders {
        // Cloudflare
        1.1.1.1;
        1.0.0.1;
        // Quad9
        9.9.9.9;
        149.112.112.112;
        // Cisco OpenDNS
        208.67.222.222;
        208.67.220.220;
    };
    forward first;
    dnssec-enable no;
    dnssec-validation no;
    empty-zones-enable no;
};
zone "." IN {
    type hint;
    file "/dev/null";
};
In this configuration, the forward always fails. Not only does it
fail, we see no traffic leaving the server (tcpdump port 53)!
And since we don’t want these following the full recursion out to the
internet, root hints are intentionally disabled (we’re hoping for at
least some data hygiene by using these specific forwarders).
Setting it to ‘forward only’ resolved the issue.
Do I have something misconfigured?
More detail of named.conf (removed logging and internal zones):
options {
    listen-on port 53 {
        any;
    };
    directory "/var/named";
    dump-file "/opt/named/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    querylog yes;
    recursion yes;
    recursive-clients 50000;
    tcp-clients 50000;
    edns-udp-size 4096;
    max-udp-size 4096;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    forwarders {
        1.1.1.1;
        1.0.0.1;
        9.9.9.9;
        149.112.112.112;
        208.67.222.222;
        208.67.220.220;
    };
    forward first;
    dnssec-enable no;
    dnssec-validation no;
    empty-zones-enable no;
};
zone "." IN {
    type hint;
    file "/dev/null";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
OS details:
# cat /etc/*release
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL=https://www.redhat.com/
DOCUMENTATION_URL=https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8
BUG_REPORT_URL=https://issues.redhat.com/
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
Red Hat Enterprise Linux release 8.10 (Ootpa)
Red Hat Enterprise Linux release 8.10 (Ootpa)
BIND details:
BIND 9.11.36-RedHat-9.11.36-16.el8_10.4 (Extended Support Version)
<id:68dbd5b>
running on Linux x86_64 4.18.0-553.56.1.el8_10.x86_64 #1 SMP Mon Jun 2 12:33:13 EDT 2025
built by make with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info'
'--with-python=/usr/libexec/platform-python' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6'
'--enable-filter-aaaa' '--with-pic' '--disable-static'
'--includedir=/usr/include/bind9' '--with-tuning=large'
'--with-libidn2' '--enable-openssl-hash' '--with-geoip2'
'--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
'--disable-isc-spnego' '--with-lmdb=no' '--with-libjson'
'--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS=
-DDIG_SIGCHASE'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-23)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.2.0
compiled with protobuf-c version: 1.3.0
linked to protobuf-c version: 1.3.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
*David Reynolds*
Epiq | Linux Support
Portland, OR 97227
Mobile: 503 457-2262
Email: [email protected]
*People. Partnership. Performance.*
www.epiqglobal.com
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
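The three points raised in the reply (forward first combined with an empty root hints file, dnssec-enable no, and an explicit edns-udp-size 4096) are easy to miss in a long named.conf. The following is an added example, not code from either poster or from ISC: a small, hypothetical lint script that parses a named.conf fragment, reports those combinations, and prints a corrected copy using the poster's own working change (forward only). The sample configuration is constructed from the statements quoted above; the parser only understands the statement/brace/semicolon subset shown and is not a full named.conf grammar.

```python
"""Hypothetical named.conf lint for the three points raised in the thread (added example)."""
import re

# Constructed sample: the statements from the original post that the reply comments on.
SAMPLE_NAMED_CONF = """\
options {
    recursion yes;
    edns-udp-size 4096;
    forwarders {
        // Cloudflare
        1.1.1.1;
        1.0.0.1;
        // Quad9
        9.9.9.9;
        149.112.112.112;
    };
    forward first;
    dnssec-enable no;
    dnssec-validation no;
};
zone "." IN {
    type hint;
    file "/dev/null";
};
"""

_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Drop //, # and /* */ comments, then split into words, quoted strings, braces and ';'.
    The '#' rule is line based and would also eat a '#' inside a quoted string (fine here)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return _TOKEN_RE.findall(text)


def parse(tokens, i=0):
    """Return (statements, next_index); a statement is (words, children) where
    children is None for 'name value;' and a nested list for 'name { ... };'."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return stmts, i + 1
        if tok == ";":
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        elif tok == "{":
            children, i = parse(tokens, i + 1)
            stmts.append((words, children))
            words = []
        else:
            words.append(tok.strip('"'))
            i += 1
    return stmts, i


def _first(stmts, name):
    """(words, children) of the first statement whose keyword is name, else (None, None)."""
    for words, children in stmts:
        if words and words[0] == name:
            return words, children
    return None, None


def root_hint_file(stmts):
    """File of the 'zone "."' hint zone, or None when named would use its compiled-in hints."""
    for words, children in stmts:
        if words[:2] == ["zone", "."] and children is not None:
            type_words, _ = _first(children, "type")
            file_words, _ = _first(children, "file")
            if type_words and type_words[1:] == ["hint"] and file_words:
                return file_words[1]
    return None


def lint(conf_text):
    """Return [(code, message)] findings for the three configuration points in the reply."""
    stmts, _ = parse(tokenize(conf_text))
    _, options = _first(stmts, "options")
    options = options or []
    findings = []
    fwd, _ = _first(options, "forward")
    _, forwarders = _first(options, "forwarders")
    mode = fwd[1] if fwd and len(fwd) > 1 else "first"  # BIND default when forwarders are set
    if forwarders and mode == "first" and root_hint_file(stmts) == "/dev/null":
        findings.append(("FORWARD_FIRST_EMPTY_HINTS",
                         "forward first falls back to recursion, but hints are /dev/null"))
    enable, _ = _first(options, "dnssec-enable")
    if enable and enable[1:] == ["no"]:
        findings.append(("DNSSEC_ENABLE_NO",
                         "dnssec-enable no blocks client validation; set yes, keep validation off"))
    udp, _ = _first(options, "edns-udp-size")
    if udp and udp[1:] == ["4096"]:
        findings.append(("EDNS_UDP_SIZE_4096",
                         "explicit edns-udp-size 4096; drop it (DNS flag day 2020 suggests 1232)"))
    return findings


def suggest_fix(conf_text):
    """Apply the three changes textually: forward only, dnssec-enable yes, no edns-udp-size."""
    fixed = re.sub(r"\bforward\s+first\s*;", "forward only;", conf_text)
    fixed = re.sub(r"\bdnssec-enable\s+no\s*;", "dnssec-enable yes;", fixed)
    return re.sub(r"^[ \t]*edns-udp-size\s+\d+\s*;[ \t]*\n", "", fixed, flags=re.M)


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_NAMED_CONF):
        print(f"{code}: {msg}")
    print(suggest_fix(SAMPLE_NAMED_CONF))
```

Run it against the real file with `python3 lint.py < /etc/named.conf` style plumbing of your choice, then confirm the rewritten configuration with `named-checkconf` before reloading; the script leaves the /dev/null hint zone in place because with forward only the root servers are never contacted, which matches the reply's point that deleting the hint zone would instead re-enable the built-in hints.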
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.