Tech W. wrote:
--- On Fri, 4/12/09, Kevin Darcy <k...@chrysler.com> wrote:
From: Kevin Darcy <k...@chrysler.com>
Subject: Re: parent dns answers the ARR of child dns
To: bind-users@lists.isc.org
Received: Friday, 4 December, 2009, 1:56 AM
Not only that, but DNS.gduf.edu.cn is performing recursion, while not
setting RA in, and not copying RD into, the header of the response.
% dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
; <<>> DiG 9.3.0 <<>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.smartip.gduf.edu.cn. IN A
;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10
I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer
Device). Or a defective DNS proxy.
Thanks for your answers.
But DNS.gduf.edu.cn is a Windows DNS Server running on MS Advanced Server,
not a proxy or load-balancer.
While the cache is populated with these records, even *non-recursive*
queries will be given this answer directly, instead of a referral. Once
the records time out, referrals are given again.
Yes I am also confused by this behavior.
So do you have any suggestion how to resolve it?
I want any query to the subzone to be answered by the subzone's NS server, not
by the parent one.
This can't happen as long as the parent nameserver keeps on recursing
queries and then responding with cached answers to those
previously-recursed queries.
This isn't a Microsoft DNS mailing list, and I'm not that familiar with
Microsoft DNS, so about the only advice I can give you is look through
the config and see where to turn off recursion completely. If that's not
possible, because the server also needs to act as a resolver for some
set of clients, then I don't know how such requirements are met, if at
all, by Microsoft DNS. I don't think that product has a "view" feature,
for instance.
Even if Microsoft provides fine-grained control of who can recurse and
who can't, that alone still might not solve your problem, since you can
never control if and when one or more of its "authorized" clients may
look up www.smartip.gduf.edu.cn and then that answer will be cached for
some period of time. You'd also need, at a bare minimum, fine-grained
control over who can query the cache (e.g. something analogous to
allow-query-cache), in order to really pull that off.
- Kevin
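
The symptoms discussed in this thread can be checked mechanically from dig's header lines. The following is an added example, not code from the thread or from any poster: the function names `parse_dig_header` and `check_parent_response` are hypothetical, the referral sample is constructed, and the check assumes the queried name lies in a zone the parent has delegated.

```python
import re

# Header lines of the dig response quoted in the thread, unwrapped.
THREAD_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
"""

# Constructed sample: what a plain referral from the parent would look like.
REFERRAL_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""


def parse_dig_header(text):
    """Return (flags, section counts) from dig's header lines."""
    flags_match = re.search(r"^;; flags:([^;]*);", text, re.MULTILINE)
    if flags_match is None:
        raise ValueError("no ';; flags:' line found in dig output")
    flags = set(flags_match.group(1).split())
    counts = {name: int(n) for name, n in
              re.findall(r"\b(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", text)}
    return flags, counts


def check_parent_response(text, rd_sent=True):
    """List what is wrong with a parent server's reply for a child-zone name.

    rd_sent: whether the query had RD set (dig sets it unless +norecurse).
    """
    flags, counts = parse_dig_header(text)
    findings = []
    if rd_sent and "rd" not in flags:
        findings.append("RD from the query was not copied into the response")
    if counts.get("ANSWER", 0) > 0:
        findings.append("answer records returned where a referral was expected")
        if "ra" not in flags:
            findings.append("RA is clear although child-zone data was answered")
    return findings


if __name__ == "__main__":
    for label, sample in (("thread", THREAD_RESPONSE),
                          ("referral", REFERRAL_RESPONSE)):
        print(label, check_parent_response(sample) or "ok: referral only")
```

Running the same check against output captured with `dig +norecurse` (pass `rd_sent=False`) shows whether the parent still hands out cached answers to non-recursive queries.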