BIND 9 and BIND 8 issue

2009-03-03 Thread bradonkuo
Dear all bind users,

I am new to managing 3 BIND 9 servers. Lately I have received some complaints
that users cannot connect to some websites while they use our BIND 9 servers;
the issue is solved if they use another ISP's BIND 8 servers. One example is
below. Can we modify any configuration of the BIND 9 servers to solve this
issue so that users don't need to change anything?

Sincerely,

Bradon Kuo from Taiwan, Taipei,

> lserver 168.95.1.1
Default Server:  dns.hinet.net
Address:  168.95.1.1

> www.hangan.org.tw
Server:  dns.hinet.net
Address:  168.95.1.1

Non-authoritative answer:
Name:    www.hangan.org.tw
Address:  211.21.92.25

> lserver 163.21.249.166
Default Server:  dns.tp.edu.tw
Address:  163.21.249.166

> www.hangan.org.tw
Server:  dns.tp.edu.tw
Address:  163.21.249.166

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dns.tp.edu.tw timed-out


Taipei City Education Network Center (台北市教育網路中心), 郭春吉
Tel: 2722-3004  Fax: 2722-3574
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Stefan Schmidt
On Fri, Feb 27, 2009 at 11:39:40AM +0800, bradonkuo wrote:
> Dear all bind users,

Hi Bradon,

> I am new to managing 3 BIND 9 servers. Lately I have received some
> complaints that users cannot connect to some websites while they use
> our BIND 9 servers; the issue is solved if they use another ISP's
> BIND 8 servers. One example is below. Can we modify any configuration
> of the BIND 9 servers to solve this issue so that users don't need to
> change anything?

I can only take wild guesses here, as I don't know the configuration of
your BIND 9 servers, but let me assure you that you won't need to
downgrade to BIND 8 in order to provide recursive DNS to your users.
BIND 9 is totally capable of that, but there has been a change in the
default configuration, meaning that it no longer allows recursive
queries by default. You would have to enable that in your configuration
via the following statements:

options {
        recursion yes;
        allow-query {
                0.0.0.0/0;
                # is most likely what you want here:
                # as per its name, your server
                # looks very much like it is also an authoritative
                # nameserver.
        };
        allow-recursion {
                192.168.0.0/16;
                # or substitute/add the network ranges your
                # institution uses for its clients
        };
};

Please let me stress some things:
- It is best current practice to separate your recursive nameservice
  from your authoritative nameservice; it's just tidier and saner. [1]
  So what you really _should_ do is urge your users to use a separate
  recursive [3] DNS server you provide them with, instead of your
  authoritative one. [4]
- BIND 8 is deprecated and _should_ be rolled out of production wherever
  possible. [2]

[1] http://cr.yp.to/djbdns/separation.html
[2] https://www.isc.org/software/bind/security
[3] http://en.wikipedia.org/wiki/Domain_name_system#DNS_resolvers
[4] http://en.wikipedia.org/wiki/Name_server#Authoritative_name_server

Stefan
-- 
printk(CARDNAME": Bad Craziness - sent packet while busy.\n" );
linux-2.6.6/drivers/net/smc9194.c


Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Mark Andrews

In message 397019c15b5a45899bb02b1b212e1...@bradon, bradonkuo writes:
> Dear all bind users,
> 
> I am new to managing 3 BIND 9 servers. Lately I have received some
> complaints that users cannot connect to some websites while they use
> our BIND 9 servers; the issue is solved if they use another ISP's
> BIND 8 servers. One example is below. Can we modify any configuration
> of the BIND 9 servers to solve this issue so that users don't need to
> change anything?
> 
> Sincerely,
> 
> Bradon Kuo from Taiwan, Taipei,
> 
> > lserver 168.95.1.1
> Default Server:  dns.hinet.net
> Address:  168.95.1.1
> 
> > www.hangan.org.tw
> Server:  dns.hinet.net
> Address:  168.95.1.1
> 
> Non-authoritative answer:
> Name:    www.hangan.org.tw
> Address:  211.21.92.25
> 
> > lserver 163.21.249.166
> Default Server:  dns.tp.edu.tw
> Address:  163.21.249.166
> 
> > www.hangan.org.tw
> Server:  dns.tp.edu.tw
> Address:  163.21.249.166
> 
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to dns.tp.edu.tw timed-out
> 

Depending upon how old the BIND 8 server is, it may be
promoting the glue below to an answer.  I can't get any response
out of the nameserver itself.  tcpdump shows queries going
out and no responses coming back.  Either the nameserver
is dead or it is firewalled off.

Try asking for the mx record at both servers and see if you
get a response.  This requires the other ISP to query the
nameserver rather than rely on glue.

Mark

; <<>> DiG 9.7.0pre-alpha <<>> www.hangan.org.tw @c.twnic.net.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34204
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.hangan.org.tw. IN  A

;; AUTHORITY SECTION:
hangan.org.tw.  86400   IN  NS  www.hangan.org.tw.
hangan.org.tw.  86400   IN  NS  mail.hangan.org.tw.

;; ADDITIONAL SECTION:
www.hangan.org.tw.  86400   IN  A   211.21.92.25
mail.hangan.org.tw. 86400   IN  A   211.21.92.25

;; Query time: 359 msec
;; SERVER: 168.95.192.10#53(168.95.192.10)
;; WHEN: Wed Mar  4 07:36:47 2009
;; MSG SIZE  rcvd: 100



; <<>> DiG 9.3.6-P1 <<>> www.hangan.org.tw @211.21.92.25
;; global options:  printcmd
;; connection timed out; no servers could be reached


07:38:43.523517 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)
07:38:48.543936 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)
07:38:53.566828 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Kevin Darcy
hangan.org.tw is delegated to www.hangan.org.tw and mail.hangan.org.tw, 
the glue records that are provided resolve both of those names to the 
address 211.21.92.25. I believe BIND 8 considers a glue record to be 
good enough to serve as an answer, so it returns the glue record. BIND 
9, however, is more diligent about trying to get a *better* answer 
directly from the authoritative servers.


I can't get any kind of response from the nameserver at 211.21.92.25, 
can anyone else (tried with both EDNS0 on and off)?


Having both delegated nameservers resolve to the same address is, of 
course, very bad architecture; it means you have a single point of 
failure for your entire domain. I'm somewhat surprised that the .tw 
registry even allows this.


- Kevin


bradonkuo wrote:

> Dear all bind users,
> I am new to managing 3 BIND 9 servers. Lately I have received some
> complaints that users cannot connect to some websites while they use
> our BIND 9 servers; the issue is solved if they use another ISP's
> BIND 8 servers. One example is below. Can we modify any configuration
> of the BIND 9 servers to solve this issue so that users don't need to
> change anything?
> Sincerely,
> Bradon Kuo from Taiwan, Taipei,
> > lserver 168.95.1.1
> Default Server: dns.hinet.net
> Address: 168.95.1.1
> > www.hangan.org.tw
> Server: dns.hinet.net
> Address: 168.95.1.1
> Non-authoritative answer:
> Name: www.hangan.org.tw
> Address: 211.21.92.25
> > lserver 163.21.249.166
> Default Server: dns.tp.edu.tw
> Address: 163.21.249.166
> > www.hangan.org.tw
> Server: dns.tp.edu.tw
> Address: 163.21.249.166
> DNS request timed out.
>     timeout was 2 seconds.
> DNS request timed out.
>     timeout was 2 seconds.
> *** Request to dns.tp.edu.tw timed-out
>
> Taipei City Education Network Center (台北市教育網路中心), 郭春吉
> Tel: 2722-3004  Fax: 2722-3574

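Mark's and Kevin's replies above turn on one distinction: the referral that c.twnic.net.tw returned carries the A record of www.hangan.org.tw only as glue in the additional section, and a resolver either promotes that glue to an answer (the BIND 8 behaviour they describe) or treats the message as a referral and goes on to query 211.21.92.25, which was not responding. The following Python is an added example, not code from the thread or from BIND. It rebuilds that referral in wire format (the message bytes are constructed here; the names, TTLs, query id and address are taken from the dig output in Mark's reply), parses it with a small RFC 1035 parser, reports why dig printed "recursion requested but not available" (the server echoed RD but did not set RA, which is also the symptom of the recursion default Stefan mentions), and applies both resolver policies to the parsed message.

```python
"""Parse a DNS referral and apply the two resolver policies from the thread.
Added example, not BIND code: the referral for www.hangan.org.tw is rebuilt
in wire format from the dig output above (NOERROR, ANSWER 0, AUTHORITY 2,
ADDITIONAL 2, flags "qr rd"); the message bytes themselves are constructed."""
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(qid, flags, question, answer=(), authority=(), additional=()):
    """Serialize one message; each RR is (owner, type, ttl, rdata-bytes)."""
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(question[0]) + struct.pack("!HH", question[1], CLASS_IN)
    for owner, rtype, ttl, rdata in (*answer, *authority, *additional):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg

def decode_name(msg, off):
    """Read a name, following RFC 1035 4.1.4 compression pointers; return (name, next offset)."""
    labels, end = [], None
    for _ in range(64):  # bounded: a pointer loop would otherwise spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: jump, but remember where this field ended
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("too many labels or a compression-pointer loop")

def parse_message(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    parsed = {"id": qid, "flags": flags, "question": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            raw, off = msg[off:off + rdlen], off + rdlen
            if rtype == TYPE_A:
                rdata = ".".join(str(b) for b in raw)
            elif rtype == TYPE_NS:
                rdata = decode_name(msg, off - rdlen)[0]
            else:
                rdata = raw
            rrs.append((owner, rtype, ttl, rdata))
        parsed[key] = rrs
    return parsed

def recursion_available(parsed):
    """False when RD was sent but RA is clear: dig's 'recursion requested but not available'."""
    return bool(parsed["flags"] & FLAG_RA)

def is_referral(parsed):
    return not parsed["answer"] and any(r[1] == TYPE_NS for r in parsed["authority"])

def resolve_promoting_glue(parsed):
    """The BIND 8 behaviour the thread describes: hand back an additional-section RR
    that matches the question as if it were the answer. RFC 2181 5.4.1 ranks such
    data lowest, because the sender is not authoritative for that owner name."""
    qname, qtype = parsed["question"][0]
    for owner, rtype, _, rdata in parsed["additional"]:
        if owner == qname and rtype == qtype:
            return rdata
    return None

def resolve_strict(parsed):
    """The BIND 9 behaviour: a referral yields next hops, never an answer.
    Returns [(nsname, glue address or None), ...]; one of them must be queried."""
    if not is_referral(parsed):
        return None
    glue = {o: rd for o, t, _, rd in parsed["additional"] if t == TYPE_A}
    return [(rd, glue.get(rd)) for _, t, _, rd in parsed["authority"] if t == TYPE_NS]

# Constructed: the referral c.twnic.net.tw returned in the thread (id 34204, no RA).
GLUE = bytes([211, 21, 92, 25])
REFERRAL = build_message(
    34204, FLAG_QR | FLAG_RD, ("www.hangan.org.tw.", TYPE_A),
    authority=[("hangan.org.tw.", TYPE_NS, 86400, encode_name("www.hangan.org.tw.")),
               ("hangan.org.tw.", TYPE_NS, 86400, encode_name("mail.hangan.org.tw."))],
    additional=[("www.hangan.org.tw.", TYPE_A, 86400, GLUE),
                ("mail.hangan.org.tw.", TYPE_A, 86400, GLUE)])

if __name__ == "__main__":
    p = parse_message(REFERRAL)
    print(recursion_available(p), resolve_promoting_glue(p), resolve_strict(p))
```

Run stand-alone it reports no recursion available, 211.21.92.25 from the glue-promoting policy, and two next hops that both point at 211.21.92.25 from the strict policy: exactly why the BIND 9 resolver times out when that one host is unreachable while the BIND 8 resolver appears to work. The strict policy is also the safer one: the glue here is additional-section data from a server that is not authoritative for hangan.org.tw, the least trustworthy class in RFC 2181 section 5.4.1, so a resolver that returns it as a final answer is trusting the delegating server for data that belongs to the child zone. The parser bounds its label loop so a crafted compression-pointer cycle raises instead of hanging the process.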