Re: forward option in dns server
yes this helped me. thanks Il giorno 28 giu 2024, alle ore 13:10, Greg Choules ha scritto:Does that help?Cheers, GregOn Fri, 28 Jun 2024 at 11:58, Renzo Marengowrote:Hi Greg again! :)> 1) This should help you understand the difference between recursive and non-recursive queries. I read about recursive and iterative query but I think A.B.C.D server should be as recursive server for domain controllers, I ask myself the same question to root servers? Or Bind9 server should have to make iterative queries to root servers ? > I hope this server is behind a good firewall?Yes>Do you only have one BIND server? >I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason.Yes only one server>> Your "allow-..." statements should look like this, with IP addresses, not domain names.Oh yes, this one was to explain you what servers I inserted into this list. I have another doubt, /etc/resolv.conf in bind server is used only from client services ? E.g. ping toolI think bind9 dns service doesn't contact any /etc/resolv.conf, right? Il giorno ven 28 giu 2024 alle ore 08:46 Greg Choules ha scritto:Hi Renzo.You're welcome.1) Correct. You don't need forwarding for a simple resolver. Take a look at the meaning of the RD flag in the BIND protocol header. This should help you understand the difference between recursive and non-recursive queries.2) No. See 1)3) Yes. For a standard resolver facing the Internet you do not need a hint zone.Some more thoughts occurred to me:- I hope this server is behind a good firewall?- Do you only have one BIND server? I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason.- Your "allow-..." statements should look like this, with IP addresses, not domain names. allow-... {127.0.0.1; ; ; ;}; You do not need to include this server in the list.Any changes you make should be done on a test server first, so you can be comfortable understanding what effect those changes have and only move them to production when you are certain.Cheers, GregOn Fri, 28 Jun 2024 at 07:14, Renzo Marengo wrote:Hi greg,I thank you again for your suggestions.>A.B.C.D is the address of this server? yes, It's the Bind serverI read several documents about DNS architectureMy questions is about this configuration of bind:1- according to your opinion my bind makes queries ro root server if is set no 'forwarders' option? I'll verify It by tcpdump as you suggested2- Do you suggest to set some "forwarders" ?3-- This bind version has root server built-in? If I removed 'named.ca' reference, Bind would use root server built-in?thanksIl giorno ven 28 giu 2024 alle ore 07:51 Greg Choules ha scritto:Hi Renzo.Thank you for that. The hints look OK. A bit old, but they will work. The first thing I would advise you to do as a matter of priority is to upgrade BIND.9.11 has been end-of-life for a few years and there have been many security fixes since then. 9.18.27 is the current version.You could install that directly, or upgrade RHEL and obtain a more recent packaged version.You can check what BIND is doing by using "tcpdump". For example:sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.DI am making some assumptions:A.B.C.D is the address of this server? is the name of the interface the server will use for outbound queries, according to its routeing table. I am guessing this is the interface with address A.B.C.D?-c stops the capture after 1000 packets. This is just a safety precaution.port 53 and host A.B.C.D limits the capture to only packets with port 53 (DNS) AND with the address of this interface, so you don't capture any SSH or HTTPS etc.A fresh (recently restarted) DNS resolver - any one, not just BIND - will make queries to the root to start with. It does this to learn where to go next. It stores the results of those queries in its cache so that it doesn't have to make them again for some time.There are many good books and articles available online to explain the basics of DNS. The BIND ARM (distributed with BIND and also available online) is the reference manual for BIND itself.I hope that helps.GregOn Fri, 28 Jun 2024 at 05:57, Renzo Marengo wrote:Hi Greg,he info you required:1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_642) named.ca if file which contains root serversnamed.ca. 518400 IN NS a.root-servers.net.. 518400 IN NS b.root-servers.net.. 518400 IN NS c.root-servers.net.. 518400 IN NS d.root-servers.net.. 518400 IN NS e.root-servers.net.. 518400 IN NS f.root-servers.net..
Re: forward option in dns server
I have a similar setup, and I do it the way that Greg Choules suggests. I could probably dig up the exact way I have BIND configured, but the function is like this: Clients query the non-AD BIND servers, for *all* queries. For the AD zone, we use something like this; Our first level domain, lets assume is example.com. All domain resources are in ad.example.com. So we configure the non AD BIND servers to send queries for *.ad.example.com to the AD servers. So, in this way, the non-AD BIND servers handle all queries, but they forward queries for ad.example,com to the AD name servers and return the results. I can't tell from the OP if they are using Samba or something else - but we're using Samba in the example above. Samba has a couple of options for their name server, an "internal" name server and a BIND version. Both can be configured to forward any queries they aren't authoritative for to another server. However, IIRC, at least the internal one can't handle large loads. And while we'd probably be fine using it as our "primary" name server, it seems needlessly risky. I'd much rather have a well understood and mainstream BIND server as the "front-line" server and then only forward queries for the AD zones to the AD servers. (If you have some odd issue with a query outside the AD server you can have a much larger support base, here, to help understand and fix the issue.) YMMV, but this was the way we decided to handle it after quite a bit of consideration. I hope that's helpful, though perhaps straying slightly off-topic for the list. On Thu, Jun 27, 2024 at 1:16 PM Greg Choules via bind-users < bind-users@lists.isc.org> wrote: > Hi Renzo. > Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the > Internet on behalf of its clients, so it forwards to BIND. > > In that case, two questions: > 1) What version of BIND are you running? You can get this with "named -V" > 2) What is in the file "named.ca"? > For a long time (which is why I need to know the version) BIND has had the > Internet root hints built in, so you don't need a hint zone anymore. Unless > you are defining different roots for some reason. Hence why I need to know > the contents of that file. > > Thanks, Greg > > > > On Thu, 27 Jun 2024 at 18:06, Renzo Marengo > wrote: > >> >> Hi Greg, >> >> thank you very much for your explanation. >> >> Let’s supposte AD domain was ‘my domain.it’ and I have 6000 computers >> of government institute. >> >> Here my bind configuration: >> >> >> named.conf >> >> ——— >> >> include “…. named.conf.options" ; >> >> zone "." IN { >> >> type hint; >> >> file "named.ca"; >> >> }; >> >> include “…. named.rfc1912.zones"; >> >> include “…. named.root.key"; >> >> ——— >> >> >> >> named.conf.options >> >> ——— >> >> logging { >> >> channel named_debug { >> >> syslog local6; >> >> severity debug 1; >> >> print-category yes; >> >> print-severity yes; >> >> print-time yes; >> >> }; >> >> category default { named_debug; }; >> >> }; >> >> >> options { >> >> auth-nxdomain no;# conform to RFC1035 >> >> allow-recursion {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; >> ….. } ; >> >> allow-query {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; >> ….. } ; >> >> recursive-clients 3000; >> >> allow-query-cache {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; >> ….. } ; ; >> >> >> listen-on port 53 { 127.0.0.1; A.B.C.D; }; >> >> directory “….. named"; >> >> dump-file “….. cache_dump.db"; >> >> statistics-file “….. named_stats.txt"; >> >> memstatistics-file “…. named_mem_stats.txt"; >> >> recursing-file “… named.recursing"; >> >> secroots-file “… named.secroots"; >> >> recursion yes; >> >> dnssec-enable no; >> >> dnssec-validation no; >> >> >> bindkeys-file "….. named.iscdlv.key"; >> >> managed-keys-directory "….. dynamic"; >> >> pid-file "….. named.pid"; >> >> session-keyfile "….. session.key"; >> >> ——— >> >> >> >> >Thirdly, I would not forward to AD DNS, unless the AD servers also >> recurse and can provide >resolution for delegated names below the AD domain >> >> >that are not hosted on the AD servers themselves. >> >> >> There is no forward option to AD DNS. Forward is enable from AD DNS to >> A.B.C.D. bind9 server. >> >> >> >> >> All clients are using AD DNS infact every query, about name of ‘ >> mydomain.it,’ is resolved from AD DNS. >> >> When client asks an external domain, e.g. www.google.it, AD server >> forward query to A.B.C.D. server. (Forward option is set on every domain >> controller) >> >> Only AD DNS make queries to A.B.C.D server and it’s necessary only to >> solve external domains. >> >> A.B.C.D. server never makes queries to AD server. A.B.C.D. is next dns >> server which partecipates when it’s necessary to resolve an external domain >> >> >> I hope to have explained right. >> >> I thought A.B.C.D server made query to root s
Re: forward option in dns server
Although I see listen-on in your named.conf snippet, I don't see query-source. You can listen on a different interface / address than the one you issue queries from. If you need to issue queries selectively on different interfaces, see the server stanza and put query-source in there. -- Fred Morris -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forward option in dns server
Correct. On Fri, 28 Jun 2024, 12:54 Renzo Marengo, wrote: > Ok very veri interesting,and about this doubt? > > etc/resolv.conf in bind server is used only from client services ? E.g. > ping tool > I think bind9 dns service doesn't contact any /etc/resolv.conf, right? > > Thanks again > > Il giorno ven 28 giu 2024 alle ore 13:10 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scritto: > >> Hi again Renzo. >> >> In general, BIND (and other resolvers) make non-recursives (aka >> iterative) queries to authoritative servers, such as the roots and others. >> >> - Clients (laptops etc.) make recursive queries to the DCs. If the DCs >> know the answer they respond immediately; no forwarding needed. >> - If the DCs don't (currently) know the answer, they make recursive >> queries to BIND because that's what you have told them to do, using either >> global or conditional forwarding. If BIND knows the answer it responds >> immediately; no need to make queries into the Internet. >> - If BIND doesn't (currently) know the answer it makes non-recursive >> queries to anywhere it needs, to gather information to construct a response. >> It is important to note that each of these is a separate DNS conversation. >> >> Does that help? >> >> Please get another server (and a test server) and upgrade them all to >> current software. >> >> Cheers, Greg >> >> On Fri, 28 Jun 2024 at 11:58, Renzo Marengo >> wrote: >> >>> Hi Greg again! :) >>> >>> > 1) This should help you understand the difference between recursive >>> and non-recursive queries. >>> I read about recursive and iterative query but I think A.B.C.D server >>> should be as recursive server for domain controllers, I ask myself the same >>> question to root servers? Or Bind9 server should have to make iterative >>> queries to root servers ? >>> >>> > I hope this server is behind a good firewall? >>> Yes >>> >>> >Do you only have one BIND server? >>> >I would recommend two at least, in case you need to take one down for >>> maintenance or it fails for some reason. >>> Yes only one server >>> >>> >> Your "allow-..." statements should look like this, with IP addresses, >>> not domain names. >>> Oh yes, this one was to explain you what servers I inserted into this >>> list. >>> >>> >>> I have another doubt, /etc/resolv.conf in bind server is used only from >>> client services ? E.g. ping tool >>> I think bind9 dns service doesn't contact any /etc/resolv.conf, right? >>> >>> >>> >>> >>> >>> Il giorno ven 28 giu 2024 alle ore 08:46 Greg Choules < >>> gregchoules+bindus...@googlemail.com> ha scritto: >>> Hi Renzo. You're welcome. 1) Correct. You don't need forwarding for a simple resolver. Take a look at the meaning of the RD flag in the BIND protocol header. This should help you understand the difference between recursive and non-recursive queries. 2) No. See 1) 3) Yes. For a standard resolver facing the Internet you do not need a hint zone. Some more thoughts occurred to me: - I hope this server is behind a good firewall? - Do you only have one BIND server? I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason. - Your "allow-..." statements should look like this, with IP addresses, not domain names. allow-... {127.0.0.1; ; ; ;}; You do not need to include this server in the list. Any changes you make should be done on a test server first, so you can be comfortable understanding what effect those changes have and only move them to production when you are certain. Cheers, Greg On Fri, 28 Jun 2024 at 07:14, Renzo Marengo wrote: > Hi greg, > I thank you again for your suggestions. > > >A.B.C.D is the address of this server? > yes, It's the Bind server > > I read several documents about DNS architecture > My questions is about this configuration of bind: > > 1- according to your opinion my bind makes queries ro root server if > is set no 'forwarders' option? I'll verify It by tcpdump as you suggested > 2- Do you suggest to set some "forwarders" ? > 3-- This bind version has root server built-in? If I removed 'named.ca' > reference, Bind would use root server built-in? > > thanks > > Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scritto: > >> Hi Renzo. >> >> Thank you for that. The hints look OK. A bit old, but they will work. >> >> The first thing I would advise you to do as a matter of priority is >> to upgrade BIND. >> 9.11 has been end-of-life for a few years and there have been many >> security fixes since then. 9.18.27 is the current version. >> You could install that directly, or upgrade RHEL and obtain a more >> recent packaged version. >> >> >> You can check what BIND is doing by
Re: forward option in dns server
Ok very veri interesting,and about this doubt? etc/resolv.conf in bind server is used only from client services ? E.g. ping tool I think bind9 dns service doesn't contact any /etc/resolv.conf, right? Thanks again Il giorno ven 28 giu 2024 alle ore 13:10 Greg Choules < gregchoules+bindus...@googlemail.com> ha scritto: > Hi again Renzo. > > In general, BIND (and other resolvers) make non-recursives (aka iterative) > queries to authoritative servers, such as the roots and others. > > - Clients (laptops etc.) make recursive queries to the DCs. If the DCs > know the answer they respond immediately; no forwarding needed. > - If the DCs don't (currently) know the answer, they make recursive > queries to BIND because that's what you have told them to do, using either > global or conditional forwarding. If BIND knows the answer it responds > immediately; no need to make queries into the Internet. > - If BIND doesn't (currently) know the answer it makes non-recursive > queries to anywhere it needs, to gather information to construct a response. > It is important to note that each of these is a separate DNS conversation. > > Does that help? > > Please get another server (and a test server) and upgrade them all to > current software. > > Cheers, Greg > > On Fri, 28 Jun 2024 at 11:58, Renzo Marengo > wrote: > >> Hi Greg again! :) >> >> > 1) This should help you understand the difference between recursive and >> non-recursive queries. >> I read about recursive and iterative query but I think A.B.C.D server >> should be as recursive server for domain controllers, I ask myself the same >> question to root servers? Or Bind9 server should have to make iterative >> queries to root servers ? >> >> > I hope this server is behind a good firewall? >> Yes >> >> >Do you only have one BIND server? >> >I would recommend two at least, in case you need to take one down for >> maintenance or it fails for some reason. >> Yes only one server >> >> >> Your "allow-..." statements should look like this, with IP addresses, >> not domain names. >> Oh yes, this one was to explain you what servers I inserted into this >> list. >> >> >> I have another doubt, /etc/resolv.conf in bind server is used only from >> client services ? E.g. ping tool >> I think bind9 dns service doesn't contact any /etc/resolv.conf, right? >> >> >> >> >> >> Il giorno ven 28 giu 2024 alle ore 08:46 Greg Choules < >> gregchoules+bindus...@googlemail.com> ha scritto: >> >>> Hi Renzo. >>> You're welcome. >>> 1) Correct. You don't need forwarding for a simple resolver. Take a look >>> at the meaning of the RD flag in the BIND protocol header. This should help >>> you understand the difference between recursive and non-recursive queries. >>> 2) No. See 1) >>> 3) Yes. For a standard resolver facing the Internet you do not need a >>> hint zone. >>> >>> Some more thoughts occurred to me: >>> - I hope this server is behind a good firewall? >>> - Do you only have one BIND server? I would recommend two at least, in >>> case you need to take one down for maintenance or it fails for some reason. >>> - Your "allow-..." statements should look like this, with IP addresses, >>> not domain names. >>>allow-... {127.0.0.1; ; >>> ; ;}; You do >>> not need to include this server in the list. >>> >>> Any changes you make should be done on a test server first, so you can >>> be comfortable understanding what effect those changes have and only move >>> them to production when you are certain. >>> >>> Cheers, Greg >>> >>> On Fri, 28 Jun 2024 at 07:14, Renzo Marengo >>> wrote: >>> Hi greg, I thank you again for your suggestions. >A.B.C.D is the address of this server? yes, It's the Bind server I read several documents about DNS architecture My questions is about this configuration of bind: 1- according to your opinion my bind makes queries ro root server if is set no 'forwarders' option? I'll verify It by tcpdump as you suggested 2- Do you suggest to set some "forwarders" ? 3-- This bind version has root server built-in? If I removed 'named.ca' reference, Bind would use root server built-in? thanks Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < gregchoules+bindus...@googlemail.com> ha scritto: > Hi Renzo. > > Thank you for that. The hints look OK. A bit old, but they will work. > > The first thing I would advise you to do as a matter of priority is to > upgrade BIND. > 9.11 has been end-of-life for a few years and there have been many > security fixes since then. 9.18.27 is the current version. > You could install that directly, or upgrade RHEL and obtain a more > recent packaged version. > > > You can check what BIND is doing by using "tcpdump". For example: > sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.D > > I am making some assumptions: > A.B.C.D is the address of this server? > is the name of the i
Re: forward option in dns server
Hi again Renzo. In general, BIND (and other resolvers) make non-recursives (aka iterative) queries to authoritative servers, such as the roots and others. - Clients (laptops etc.) make recursive queries to the DCs. If the DCs know the answer they respond immediately; no forwarding needed. - If the DCs don't (currently) know the answer, they make recursive queries to BIND because that's what you have told them to do, using either global or conditional forwarding. If BIND knows the answer it responds immediately; no need to make queries into the Internet. - If BIND doesn't (currently) know the answer it makes non-recursive queries to anywhere it needs, to gather information to construct a response. It is important to note that each of these is a separate DNS conversation. Does that help? Please get another server (and a test server) and upgrade them all to current software. Cheers, Greg On Fri, 28 Jun 2024 at 11:58, Renzo Marengo wrote: > Hi Greg again! :) > > > 1) This should help you understand the difference between recursive and > non-recursive queries. > I read about recursive and iterative query but I think A.B.C.D server > should be as recursive server for domain controllers, I ask myself the same > question to root servers? Or Bind9 server should have to make iterative > queries to root servers ? > > > I hope this server is behind a good firewall? > Yes > > >Do you only have one BIND server? > >I would recommend two at least, in case you need to take one down for > maintenance or it fails for some reason. > Yes only one server > > >> Your "allow-..." statements should look like this, with IP addresses, > not domain names. > Oh yes, this one was to explain you what servers I inserted into this > list. > > > I have another doubt, /etc/resolv.conf in bind server is used only from > client services ? E.g. ping tool > I think bind9 dns service doesn't contact any /etc/resolv.conf, right? > > > > > > Il giorno ven 28 giu 2024 alle ore 08:46 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scritto: > >> Hi Renzo. >> You're welcome. >> 1) Correct. You don't need forwarding for a simple resolver. Take a look >> at the meaning of the RD flag in the BIND protocol header. This should help >> you understand the difference between recursive and non-recursive queries. >> 2) No. See 1) >> 3) Yes. For a standard resolver facing the Internet you do not need a >> hint zone. >> >> Some more thoughts occurred to me: >> - I hope this server is behind a good firewall? >> - Do you only have one BIND server? I would recommend two at least, in >> case you need to take one down for maintenance or it fails for some reason. >> - Your "allow-..." statements should look like this, with IP addresses, >> not domain names. >>allow-... {127.0.0.1; ; >> ; ;}; You do >> not need to include this server in the list. >> >> Any changes you make should be done on a test server first, so you can be >> comfortable understanding what effect those changes have and only move them >> to production when you are certain. >> >> Cheers, Greg >> >> On Fri, 28 Jun 2024 at 07:14, Renzo Marengo >> wrote: >> >>> Hi greg, >>> I thank you again for your suggestions. >>> >>> >A.B.C.D is the address of this server? >>> yes, It's the Bind server >>> >>> I read several documents about DNS architecture >>> My questions is about this configuration of bind: >>> >>> 1- according to your opinion my bind makes queries ro root server if is >>> set no 'forwarders' option? I'll verify It by tcpdump as you suggested >>> 2- Do you suggest to set some "forwarders" ? >>> 3-- This bind version has root server built-in? If I removed 'named.ca' >>> reference, Bind would use root server built-in? >>> >>> thanks >>> >>> Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < >>> gregchoules+bindus...@googlemail.com> ha scritto: >>> Hi Renzo. Thank you for that. The hints look OK. A bit old, but they will work. The first thing I would advise you to do as a matter of priority is to upgrade BIND. 9.11 has been end-of-life for a few years and there have been many security fixes since then. 9.18.27 is the current version. You could install that directly, or upgrade RHEL and obtain a more recent packaged version. You can check what BIND is doing by using "tcpdump". For example: sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.D I am making some assumptions: A.B.C.D is the address of this server? is the name of the interface the server will use for outbound queries, according to its routeing table. I am guessing this is the interface with address A.B.C.D? -c stops the capture after 1000 packets. This is just a safety precaution. port 53 and host A.B.C.D limits the capture to only packets with port 53 (DNS) AND with the address of this interface, so you don't capture any SSH or HTTPS etc. A fresh (recently restarted) DNS resolver
Re: forward option in dns server
Hi Greg again! :) > 1) This should help you understand the difference between recursive and non-recursive queries. I read about recursive and iterative query but I think A.B.C.D server should be as recursive server for domain controllers, I ask myself the same question to root servers? Or Bind9 server should have to make iterative queries to root servers ? > I hope this server is behind a good firewall? Yes >Do you only have one BIND server? >I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason. Yes only one server >> Your "allow-..." statements should look like this, with IP addresses, not domain names. Oh yes, this one was to explain you what servers I inserted into this list. I have another doubt, /etc/resolv.conf in bind server is used only from client services ? E.g. ping tool I think bind9 dns service doesn't contact any /etc/resolv.conf, right? Il giorno ven 28 giu 2024 alle ore 08:46 Greg Choules < gregchoules+bindus...@googlemail.com> ha scritto: > Hi Renzo. > You're welcome. > 1) Correct. You don't need forwarding for a simple resolver. Take a look > at the meaning of the RD flag in the BIND protocol header. This should help > you understand the difference between recursive and non-recursive queries. > 2) No. See 1) > 3) Yes. For a standard resolver facing the Internet you do not need a hint > zone. > > Some more thoughts occurred to me: > - I hope this server is behind a good firewall? > - Do you only have one BIND server? I would recommend two at least, in > case you need to take one down for maintenance or it fails for some reason. > - Your "allow-..." statements should look like this, with IP addresses, > not domain names. >allow-... {127.0.0.1; ; > ; ;}; You do > not need to include this server in the list. > > Any changes you make should be done on a test server first, so you can be > comfortable understanding what effect those changes have and only move them > to production when you are certain. > > Cheers, Greg > > On Fri, 28 Jun 2024 at 07:14, Renzo Marengo > wrote: > >> Hi greg, >> I thank you again for your suggestions. >> >> >A.B.C.D is the address of this server? >> yes, It's the Bind server >> >> I read several documents about DNS architecture >> My questions is about this configuration of bind: >> >> 1- according to your opinion my bind makes queries ro root server if is >> set no 'forwarders' option? I'll verify It by tcpdump as you suggested >> 2- Do you suggest to set some "forwarders" ? >> 3-- This bind version has root server built-in? If I removed 'named.ca' >> reference, Bind would use root server built-in? >> >> thanks >> >> Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < >> gregchoules+bindus...@googlemail.com> ha scritto: >> >>> Hi Renzo. >>> >>> Thank you for that. The hints look OK. A bit old, but they will work. >>> >>> The first thing I would advise you to do as a matter of priority is to >>> upgrade BIND. >>> 9.11 has been end-of-life for a few years and there have been many >>> security fixes since then. 9.18.27 is the current version. >>> You could install that directly, or upgrade RHEL and obtain a more >>> recent packaged version. >>> >>> >>> You can check what BIND is doing by using "tcpdump". For example: >>> sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.D >>> >>> I am making some assumptions: >>> A.B.C.D is the address of this server? >>> is the name of the interface the server will use for >>> outbound queries, according to its routeing table. I am guessing this is >>> the interface with address A.B.C.D? >>> -c stops the capture after 1000 packets. This is just a safety >>> precaution. >>> port 53 and host A.B.C.D limits the capture to only packets with port 53 >>> (DNS) AND with the address of this interface, so you don't capture any SSH >>> or HTTPS etc. >>> >>> A fresh (recently restarted) DNS resolver - any one, not just BIND - >>> will make queries to the root to start with. It does this to learn where to >>> go next. It stores the results of those queries in its cache so that it >>> doesn't have to make them again for some time. >>> >>> There are many good books and articles available online to explain the >>> basics of DNS. The BIND ARM (distributed with BIND and also available >>> online) is the reference manual for BIND itself. >>> >>> I hope that helps. >>> Greg >>> >>> On Fri, 28 Jun 2024 at 05:57, Renzo Marengo >>> wrote: >>> Hi Greg, he info you required: 1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64 2) named.ca if file which contains root servers named.ca . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS d.root-serve
Re: forward option in dns server
Hi Renzo. You're welcome. 1) Correct. You don't need forwarding for a simple resolver. Take a look at the meaning of the RD flag in the BIND protocol header. This should help you understand the difference between recursive and non-recursive queries. 2) No. See 1) 3) Yes. For a standard resolver facing the Internet you do not need a hint zone. Some more thoughts occurred to me: - I hope this server is behind a good firewall? - Do you only have one BIND server? I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason. - Your "allow-..." statements should look like this, with IP addresses, not domain names. allow-... {127.0.0.1; ; ; ;}; You do not need to include this server in the list. Any changes you make should be done on a test server first, so you can be comfortable understanding what effect those changes have and only move them to production when you are certain. Cheers, Greg On Fri, 28 Jun 2024 at 07:14, Renzo Marengo wrote: > Hi greg, > I thank you again for your suggestions. > > >A.B.C.D is the address of this server? > yes, It's the Bind server > > I read several documents about DNS architecture > My questions is about this configuration of bind: > > 1- according to your opinion my bind makes queries ro root server if is > set no 'forwarders' option? I'll verify It by tcpdump as you suggested > 2- Do you suggest to set some "forwarders" ? > 3-- This bind version has root server built-in? If I removed 'named.ca' > reference, Bind would use root server built-in? > > thanks > > Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scritto: > >> Hi Renzo. >> >> Thank you for that. The hints look OK. A bit old, but they will work. >> >> The first thing I would advise you to do as a matter of priority is to >> upgrade BIND. >> 9.11 has been end-of-life for a few years and there have been many >> security fixes since then. 9.18.27 is the current version. >> You could install that directly, or upgrade RHEL and obtain a more recent >> packaged version. >> >> >> You can check what BIND is doing by using "tcpdump". For example: >> sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.D >> >> I am making some assumptions: >> A.B.C.D is the address of this server? >> is the name of the interface the server will use for outbound >> queries, according to its routeing table. I am guessing this is the >> interface with address A.B.C.D? >> -c stops the capture after 1000 packets. This is just a safety precaution. >> port 53 and host A.B.C.D limits the capture to only packets with port 53 >> (DNS) AND with the address of this interface, so you don't capture any SSH >> or HTTPS etc. >> >> A fresh (recently restarted) DNS resolver - any one, not just BIND - will >> make queries to the root to start with. It does this to learn where to go >> next. It stores the results of those queries in its cache so that it >> doesn't have to make them again for some time. >> >> There are many good books and articles available online to explain the >> basics of DNS. The BIND ARM (distributed with BIND and also available >> online) is the reference manual for BIND itself. >> >> I hope that helps. >> Greg >> >> On Fri, 28 Jun 2024 at 05:57, Renzo Marengo >> wrote: >> >>> Hi Greg, >>> he info you required: >>> >>> 1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) >>> on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64 >>> 2) named.ca if file which contains root servers >>> named.ca >>> >>> . 518400 IN NS a.root-servers.net. >>> . 518400 IN NS b.root-servers.net. >>> . 518400 IN NS c.root-servers.net. >>> . 518400 IN NS d.root-servers.net. >>> . 518400 IN NS e.root-servers.net. >>> . 518400 IN NS f.root-servers.net. >>> . 518400 IN NS g.root-servers.net. >>> . 518400 IN NS h.root-servers.net. >>> . 518400 IN NS i.root-servers.net. >>> . 518400 IN NS j.root-servers.net. >>> . 518400 IN NS k.root-servers.net. >>> . 518400 IN NS l.root-servers.net. >>> . 518400 IN NS m.root-servers.net. >>> >>> ;; ADDITIONAL SECTION: >>> a.root-servers.net. 518400 IN A 198.41.0.4 >>> b.root-servers.net. 518400 IN A 199.9.14.201 >>> c.root-servers.net. 518400 IN A 192.33.4.12 >>> d.root-servers.net. 518400 IN A 199.7.91.13 >>> e.root-servers.net. 518400 IN A 192.203.230.10 >>> f.root-servers.net. 518400 IN A 192.5.5.241 >>> g.root-servers.net. 518400 IN A 192.112.36.4 >>> h.root-servers.net.
Re: forward option in dns server
Hi greg, I thank you again for your suggestions. >A.B.C.D is the address of this server? yes, It's the Bind server I read several documents about DNS architecture My questions is about this configuration of bind: 1- according to your opinion my bind makes queries ro root server if is set no 'forwarders' option? I'll verify It by tcpdump as you suggested 2- Do you suggest to set some "forwarders" ? 3-- This bind version has root server built-in? If I removed 'named.ca' reference, Bind would use root server built-in? thanks Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules < gregchoules+bindus...@googlemail.com> ha scritto: > Hi Renzo. > > Thank you for that. The hints look OK. A bit old, but they will work. > > The first thing I would advise you to do as a matter of priority is to > upgrade BIND. > 9.11 has been end-of-life for a few years and there have been many > security fixes since then. 9.18.27 is the current version. > You could install that directly, or upgrade RHEL and obtain a more recent > packaged version. > > > You can check what BIND is doing by using "tcpdump". For example: > sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.D > > I am making some assumptions: > A.B.C.D is the address of this server? > is the name of the interface the server will use for outbound > queries, according to its routeing table. I am guessing this is the > interface with address A.B.C.D? > -c stops the capture after 1000 packets. This is just a safety precaution. > port 53 and host A.B.C.D limits the capture to only packets with port 53 > (DNS) AND with the address of this interface, so you don't capture any SSH > or HTTPS etc. > > A fresh (recently restarted) DNS resolver - any one, not just BIND - will > make queries to the root to start with. It does this to learn where to go > next. It stores the results of those queries in its cache so that it > doesn't have to make them again for some time. > > There are many good books and articles available online to explain the > basics of DNS. The BIND ARM (distributed with BIND and also available > online) is the reference manual for BIND itself. > > I hope that helps. > Greg > > On Fri, 28 Jun 2024 at 05:57, Renzo Marengo > wrote: > >> Hi Greg, >> he info you required: >> >> 1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) >> on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64 >> 2) named.ca if file which contains root servers >> named.ca >> >> . 518400 IN NS a.root-servers.net. >> . 518400 IN NS b.root-servers.net. >> . 518400 IN NS c.root-servers.net. >> . 518400 IN NS d.root-servers.net. >> . 518400 IN NS e.root-servers.net. >> . 518400 IN NS f.root-servers.net. >> . 518400 IN NS g.root-servers.net. >> . 518400 IN NS h.root-servers.net. >> . 518400 IN NS i.root-servers.net. >> . 518400 IN NS j.root-servers.net. >> . 518400 IN NS k.root-servers.net. >> . 518400 IN NS l.root-servers.net. >> . 518400 IN NS m.root-servers.net. >> >> ;; ADDITIONAL SECTION: >> a.root-servers.net. 518400 IN A 198.41.0.4 >> b.root-servers.net. 518400 IN A 199.9.14.201 >> c.root-servers.net. 518400 IN A 192.33.4.12 >> d.root-servers.net. 518400 IN A 199.7.91.13 >> e.root-servers.net. 518400 IN A 192.203.230.10 >> f.root-servers.net. 518400 IN A 192.5.5.241 >> g.root-servers.net. 518400 IN A 192.112.36.4 >> h.root-servers.net. 518400 IN A 198.97.190.53 >> i.root-servers.net. 518400 IN A 192.36.148.17 >> j.root-servers.net. 518400 IN A 192.58.128.30 >> k.root-servers.net. 518400 IN A 193.0.14.129 >> l.root-servers.net. 518400 IN A 199.7.83.42 >> m.root-servers.net. 518400 IN A 202.12.27.33 >> a.root-servers.net. 518400 IN 2001:503:ba3e::2:30 >> b.root-servers.net. 518400 IN 2001:500:200::b >> c.root-servers.net. 518400 IN 2001:500:2::c >> d.root-servers.net. 518400 IN 2001:500:2d::d >> e.root-servers.net. 518400 IN 2001:500:a8::e >> f.root-servers.net. 518400 IN 2001:500:2f::f >> g.root-servers.net. 518400 IN 2001:500:12::d0d >> h.root-servers.net. 518400 IN 2001:500:1::53 >> i.root-servers.net. 518400 IN 2001:7fe::53 >> j.root-servers.net. 518400 IN 2001:503:c27::2:30 >> k.root-servers.net. 518400 IN 2001:7fd::1 >> l.root-servers.n
Re: forward option in dns server
Hi Renzo. Thank you for that. The hints look OK. A bit old, but they will work. The first thing I would advise you to do as a matter of priority is to upgrade BIND. 9.11 has been end-of-life for a few years and there have been many security fixes since then. 9.18.27 is the current version. You could install that directly, or upgrade RHEL and obtain a more recent packaged version. You can check what BIND is doing by using "tcpdump". For example: sudo tcpdump -n -i -c 1000 port 53 and host A.B.C.D I am making some assumptions: A.B.C.D is the address of this server? is the name of the interface the server will use for outbound queries, according to its routeing table. I am guessing this is the interface with address A.B.C.D? -c stops the capture after 1000 packets. This is just a safety precaution. port 53 and host A.B.C.D limits the capture to only packets with port 53 (DNS) AND with the address of this interface, so you don't capture any SSH or HTTPS etc. A fresh (recently restarted) DNS resolver - any one, not just BIND - will make queries to the root to start with. It does this to learn where to go next. It stores the results of those queries in its cache so that it doesn't have to make them again for some time. There are many good books and articles available online to explain the basics of DNS. The BIND ARM (distributed with BIND and also available online) is the reference manual for BIND itself. I hope that helps. Greg On Fri, 28 Jun 2024 at 05:57, Renzo Marengo wrote: > Hi Greg, > he info you required: > > 1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) > on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64 > 2) named.ca if file which contains root servers > named.ca > > . 518400 IN NS a.root-servers.net. > . 518400 IN NS b.root-servers.net. > . 518400 IN NS c.root-servers.net. > . 518400 IN NS d.root-servers.net. > . 518400 IN NS e.root-servers.net. > . 518400 IN NS f.root-servers.net. > . 518400 IN NS g.root-servers.net. > . 518400 IN NS h.root-servers.net. > . 518400 IN NS i.root-servers.net. > . 518400 IN NS j.root-servers.net. > . 518400 IN NS k.root-servers.net. > . 518400 IN NS l.root-servers.net. > . 518400 IN NS m.root-servers.net. > > ;; ADDITIONAL SECTION: > a.root-servers.net. 518400 IN A 198.41.0.4 > b.root-servers.net. 518400 IN A 199.9.14.201 > c.root-servers.net. 518400 IN A 192.33.4.12 > d.root-servers.net. 518400 IN A 199.7.91.13 > e.root-servers.net. 518400 IN A 192.203.230.10 > f.root-servers.net. 518400 IN A 192.5.5.241 > g.root-servers.net. 518400 IN A 192.112.36.4 > h.root-servers.net. 518400 IN A 198.97.190.53 > i.root-servers.net. 518400 IN A 192.36.148.17 > j.root-servers.net. 518400 IN A 192.58.128.30 > k.root-servers.net. 518400 IN A 193.0.14.129 > l.root-servers.net. 518400 IN A 199.7.83.42 > m.root-servers.net. 518400 IN A 202.12.27.33 > a.root-servers.net. 518400 IN 2001:503:ba3e::2:30 > b.root-servers.net. 518400 IN 2001:500:200::b > c.root-servers.net. 518400 IN 2001:500:2::c > d.root-servers.net. 518400 IN 2001:500:2d::d > e.root-servers.net. 518400 IN 2001:500:a8::e > f.root-servers.net. 518400 IN 2001:500:2f::f > g.root-servers.net. 518400 IN 2001:500:12::d0d > h.root-servers.net. 518400 IN 2001:500:1::53 > i.root-servers.net. 518400 IN 2001:7fe::53 > j.root-servers.net. 518400 IN 2001:503:c27::2:30 > k.root-servers.net. 518400 IN 2001:7fd::1 > l.root-servers.net. 518400 IN 2001:500:9f::42 > m.root-servers.net. 518400 IN 2001:dc3::35 > > > I didn't know some Bind versions had the Internet root hints built-in. > About my configuration I understand that bind makes always queries to root > servers ? Right? > I'd like to re-check configuration of bind > > > Il giorno gio 27 giu 2024 alle ore 22:15 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scritto: > >> Hi Renzo. >> Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the >> Internet on behalf of its clients, so it forwards to BIND. >> >> In that case, two questions: >> 1) What version of BIND are you running? You can get this with "named -V" >> 2) What is in the file "named.ca"? >> For
Re: forward option in dns server
Hi Greg, he info you required: 1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64 2) named.ca if file which contains root servers named.ca . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS m.root-servers.net. ;; ADDITIONAL SECTION: a.root-servers.net. 518400 IN A 198.41.0.4 b.root-servers.net. 518400 IN A 199.9.14.201 c.root-servers.net. 518400 IN A 192.33.4.12 d.root-servers.net. 518400 IN A 199.7.91.13 e.root-servers.net. 518400 IN A 192.203.230.10 f.root-servers.net. 518400 IN A 192.5.5.241 g.root-servers.net. 518400 IN A 192.112.36.4 h.root-servers.net. 518400 IN A 198.97.190.53 i.root-servers.net. 518400 IN A 192.36.148.17 j.root-servers.net. 518400 IN A 192.58.128.30 k.root-servers.net. 518400 IN A 193.0.14.129 l.root-servers.net. 518400 IN A 199.7.83.42 m.root-servers.net. 518400 IN A 202.12.27.33 a.root-servers.net. 518400 IN 2001:503:ba3e::2:30 b.root-servers.net. 518400 IN 2001:500:200::b c.root-servers.net. 518400 IN 2001:500:2::c d.root-servers.net. 518400 IN 2001:500:2d::d e.root-servers.net. 518400 IN 2001:500:a8::e f.root-servers.net. 518400 IN 2001:500:2f::f g.root-servers.net. 518400 IN 2001:500:12::d0d h.root-servers.net. 518400 IN 2001:500:1::53 i.root-servers.net. 518400 IN 2001:7fe::53 j.root-servers.net. 518400 IN 2001:503:c27::2:30 k.root-servers.net. 518400 IN 2001:7fd::1 l.root-servers.net. 518400 IN 2001:500:9f::42 m.root-servers.net. 518400 IN 2001:dc3::35 I didn't know some Bind versions had the Internet root hints built-in. About my configuration I understand that bind makes always queries to root servers ? Right? I'd like to re-check configuration of bind Il giorno gio 27 giu 2024 alle ore 22:15 Greg Choules < gregchoules+bindus...@googlemail.com> ha scritto: > Hi Renzo. > Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the > Internet on behalf of its clients, so it forwards to BIND. > > In that case, two questions: > 1) What version of BIND are you running? You can get this with "named -V" > 2) What is in the file "named.ca"? > For a long time (which is why I need to know the version) BIND has had the > Internet root hints built in, so you don't need a hint zone anymore. Unless > you are defining different roots for some reason. Hence why I need to know > the contents of that file. > > Thanks, Greg > > > > On Thu, 27 Jun 2024 at 18:06, Renzo Marengo > wrote: > >> >> Hi Greg, >> >> thank you very much for your explanation. >> >> Let’s supposte AD domain was ‘my domain.it’ and I have 6000 computers >> of government institute. >> >> Here my bind configuration: >> >> >> named.conf >> >> ——— >> >> include “…. named.conf.options" ; >> >> zone "." IN { >> >> type hint; >> >> file "named.ca"; >> >> }; >> >> include “…. named.rfc1912.zones"; >> >> include “…. named.root.key"; >> >> ——— >> >> >> >> named.conf.options >> >> ——— >> >> logging { >> >> channel named_debug { >> >> syslog local6; >> >> severity debug 1; >> >> print-category yes; >> >> print-severity yes; >> >> print-time yes; >> >> }; >> >> category default { named_debug; }; >> >> }; >> >> >> options { >> >> auth-nxdomain no;# conform to RFC1035 >> >> allow-recursion {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; >> ….. } ; >> >> allow-query {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; >> ….. } ; >> >> recursive-clients 3000; >> >> allow-query-cache {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; >> ….. } ; ; >> >> >> listen-on port 53 { 127.0.0.1; A.B.C.D; }; >> >> directory “….. named"; >> >> dump-file “….. c
Re: forward option in dns server
Hi Renzo. Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the Internet on behalf of its clients, so it forwards to BIND. In that case, two questions: 1) What version of BIND are you running? You can get this with "named -V" 2) What is in the file "named.ca"? For a long time (which is why I need to know the version) BIND has had the Internet root hints built in, so you don't need a hint zone anymore. Unless you are defining different roots for some reason. Hence why I need to know the contents of that file. Thanks, Greg On Thu, 27 Jun 2024 at 18:06, Renzo Marengo wrote: > > Hi Greg, > > thank you very much for your explanation. > > Let’s supposte AD domain was ‘my domain.it’ and I have 6000 computers of > government institute. > > Here my bind configuration: > > > named.conf > > ——— > > include “…. named.conf.options" ; > > zone "." IN { > > type hint; > > file "named.ca"; > > }; > > include “…. named.rfc1912.zones"; > > include “…. named.root.key"; > > ——— > > > > named.conf.options > > ——— > > logging { > > channel named_debug { > > syslog local6; > > severity debug 1; > > print-category yes; > > print-severity yes; > > print-time yes; > > }; > > category default { named_debug; }; > > }; > > > options { > > auth-nxdomain no;# conform to RFC1035 > > allow-recursion {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; > ….. } ; > > allow-query {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; > ….. } ; > > recursive-clients 3000; > > allow-query-cache {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; > ….. } ; ; > > > listen-on port 53 { 127.0.0.1; A.B.C.D; }; > > directory “….. named"; > > dump-file “….. cache_dump.db"; > > statistics-file “….. named_stats.txt"; > > memstatistics-file “…. named_mem_stats.txt"; > > recursing-file “… named.recursing"; > > secroots-file “… named.secroots"; > > recursion yes; > > dnssec-enable no; > > dnssec-validation no; > > > bindkeys-file "….. named.iscdlv.key"; > > managed-keys-directory "….. dynamic"; > > pid-file "….. named.pid"; > > session-keyfile "….. session.key"; > > ——— > > > > >Thirdly, I would not forward to AD DNS, unless the AD servers also > recurse and can provide >resolution for delegated names below the AD domain > > >that are not hosted on the AD servers themselves. > > > There is no forward option to AD DNS. Forward is enable from AD DNS to > A.B.C.D. bind9 server. > > > > > All clients are using AD DNS infact every query, about name of ‘ > mydomain.it,’ is resolved from AD DNS. > > When client asks an external domain, e.g. www.google.it, AD server > forward query to A.B.C.D. server. (Forward option is set on every domain > controller) > > Only AD DNS make queries to A.B.C.D server and it’s necessary only to > solve external domains. > > A.B.C.D. server never makes queries to AD server. A.B.C.D. is next dns > server which partecipates when it’s necessary to resolve an external domain > > > I hope to have explained right. > > I thought A.B.C.D server made query to root server because into > configuration there is no reference to forward option, because I thought to > set as DNS forward a government dns of my country. What do you think? > > I have doubts about recursive and iterative queries options too. > > Thanks > > > Il giorno gio 27 giu 2024 alle ore 13:24 Greg Choules < > gregchoules+bindus...@googlemail.com> ha scritto: > >> Hi Renzo. >> Firstly, please can we see your BIND configuration and have the actual AD >> domain name. >> >> Secondly, BIND, or any other recursive DNS server, does not 'forward' to >> the root servers, unless you have configured it explicitly to do so, which >> would be a bad idea and not work anyway. It will recurse (paradoxically, >> perform non-recursive aka iterative queries) to the roots and other >> authoritative servers. It is an important distinction to be aware of. >> >> Thirdly, I would not forward to AD DNS, unless the AD servers also >> recurse and can provide resolution for delegated names below the AD domain >> that are not hosted on the AD servers themselves. Personally I would use a >> stub or static-stub zone in BIND to refer to the AD domain. >> >> In general, decide which DNS is going to do the resolving and make that >> the control point, fetching data from wherever it needs to (e.g. AD DNS) - >> using non-recursive queries - and using that data to construct answers for >> its clients. >> >> I hope that helps. >> Cheers, Greg >> >> On Thu, 27 Jun 2024 at 12:02, Renzo Marengo >> wrote: >> >>> I have Active Directory domain ( 'mydomain.it' ) with 8 domain >>> controllers to manage 8000 computers. Every Domain controller acts as dns >>> service and resolve internal domain names while forward queries about >>> external domains to another server, which Bind9 dns server (It's inside my >>> company) >>> I'm checking this Bin
Re: forward option in dns server
Hi Greg, thank you very much for your explanation. Let’s supposte AD domain was ‘my domain.it’ and I have 6000 computers of government institute. Here my bind configuration: named.conf ——— include “…. named.conf.options" ; zone "." IN { type hint; file "named.ca"; }; include “…. named.rfc1912.zones"; include “…. named.root.key"; ——— named.conf.options ——— logging { channel named_debug { syslog local6; severity debug 1; print-category yes; print-severity yes; print-time yes; }; category default { named_debug; }; }; options { auth-nxdomain no;# conform to RFC1035 allow-recursion {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. } ; allow-query {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. } ; recursive-clients 3000; allow-query-cache {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. } ; ; listen-on port 53 { 127.0.0.1; A.B.C.D; }; directory “….. named"; dump-file “….. cache_dump.db"; statistics-file “….. named_stats.txt"; memstatistics-file “…. named_mem_stats.txt"; recursing-file “… named.recursing"; secroots-file “… named.secroots"; recursion yes; dnssec-enable no; dnssec-validation no; bindkeys-file "….. named.iscdlv.key"; managed-keys-directory "….. dynamic"; pid-file "….. named.pid"; session-keyfile "….. session.key"; ——— >Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide >resolution for delegated names below the AD domain >that are not hosted on the AD servers themselves. There is no forward option to AD DNS. Forward is enable from AD DNS to A.B.C.D. bind9 server. All clients are using AD DNS infact every query, about name of ‘mydomain.it,’ is resolved from AD DNS. When client asks an external domain, e.g. www.google.it, AD server forward query to A.B.C.D. server. (Forward option is set on every domain controller) Only AD DNS make queries to A.B.C.D server and it’s necessary only to solve external domains. A.B.C.D. server never makes queries to AD server. A.B.C.D. is next dns server which partecipates when it’s necessary to resolve an external domain I hope to have explained right. I thought A.B.C.D server made query to root server because into configuration there is no reference to forward option, because I thought to set as DNS forward a government dns of my country. What do you think? I have doubts about recursive and iterative queries options too. Thanks Il giorno gio 27 giu 2024 alle ore 13:24 Greg Choules < gregchoules+bindus...@googlemail.com> ha scritto: > Hi Renzo. > Firstly, please can we see your BIND configuration and have the actual AD > domain name. > > Secondly, BIND, or any other recursive DNS server, does not 'forward' to > the root servers, unless you have configured it explicitly to do so, which > would be a bad idea and not work anyway. It will recurse (paradoxically, > perform non-recursive aka iterative queries) to the roots and other > authoritative servers. It is an important distinction to be aware of. > > Thirdly, I would not forward to AD DNS, unless the AD servers also recurse > and can provide resolution for delegated names below the AD domain that are > not hosted on the AD servers themselves. Personally I would use a stub or > static-stub zone in BIND to refer to the AD domain. > > In general, decide which DNS is going to do the resolving and make that > the control point, fetching data from wherever it needs to (e.g. AD DNS) - > using non-recursive queries - and using that data to construct answers for > its clients. > > I hope that helps. > Cheers, Greg > > On Thu, 27 Jun 2024 at 12:02, Renzo Marengo > wrote: > >> I have Active Directory domain ( 'mydomain.it' ) with 8 domain >> controllers to manage 8000 computers. Every Domain controller acts as dns >> service and resolve internal domain names while forward queries about >> external domains to another server, which Bind9 dns server (It's inside my >> company) >> I'm checking this Bind9 configuration (Centos server) and I see no >> forward servers so I think It makes bind9 forward queries directly to root >> servers. What do you think ? >> According your opinion this Bind9 server should have to forward requests >> to one or more dns server by forward option? >> >> -- >> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe >> from this list >> >> ISC funds the development of this software with paid support >> subscriptions. Contact us at https://www.isc.org/contact/ for more >> information. >> >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/con
Re: forward option in dns server
Hi Renzo. Firstly, please can we see your BIND configuration and have the actual AD domain name. Secondly, BIND, or any other recursive DNS server, does not 'forward' to the root servers, unless you have configured it explicitly to do so, which would be a bad idea and not work anyway. It will recurse (paradoxically, perform non-recursive aka iterative queries) to the roots and other authoritative servers. It is an important distinction to be aware of. Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide resolution for delegated names below the AD domain that are not hosted on the AD servers themselves. Personally I would use a stub or static-stub zone in BIND to refer to the AD domain. In general, decide which DNS is going to do the resolving and make that the control point, fetching data from wherever it needs to (e.g. AD DNS) - using non-recursive queries - and using that data to construct answers for its clients. I hope that helps. Cheers, Greg On Thu, 27 Jun 2024 at 12:02, Renzo Marengo wrote: > I have Active Directory domain ( 'mydomain.it' ) with 8 domain > controllers to manage 8000 computers. Every Domain controller acts as dns > service and resolve internal domain names while forward queries about > external domains to another server, which Bind9 dns server (It's inside my > company) > I'm checking this Bind9 configuration (Centos server) and I see no forward > servers so I think It makes bind9 forward queries directly to root servers. > What do you think ? > According your opinion this Bind9 server should have to forward requests > to one or more dns server by forward option? > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support > subscriptions. Contact us at https://www.isc.org/contact/ for more > information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users