On Fri, Apr 17, 2020 at 10:34 AM Tim Daneliuk <[email protected]> wrote:

> On 4/17/20 7:26 AM, Bob Harold wrote:
> >
> > On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <[email protected]> wrote:
> >
> >     We have split horizon setup and enable our internal and trusted hosts
> >     to do things as follows:
> >
> >     allow-recursion { trustedhosts; };
> >     allow-transfer { trustedhosts; };
> >
> >     'trustedhosts' includes a number of public facing IPs as well as the
> >     192.168.0/24 CIDR block. It also includes the IPs of the Master and
> >     Slave bind servers.
> >
> >     So here's the part that has me wondering. If I do a reverse lookup of
> >     an IP, it works as expected _except_ if I do it on either the Master
> >     or Slave machines. They not only won't look up reverses on our
> >     own IPs, they won't do it for ANY IP, and return the warning:
> >
> >     WARNING: recursion requested but not available
> >
> >     This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> >     running on FreeBSD 11.3-STABLE. Master is on a cloud server, Slave is
> >     on a physical machine. Neither instance is jailed.
> >
> >     Ideas?
> >
> >     --
> >     ----------------------------------------------------------------------------
> >     Tim Daneliuk [email protected]
> >     PGP Key: http://www.tundraware.com/PGP/
> >
> >
> > Is 127.0.0.1 in the 'trustedhosts' list?
>
> Yes
>
> > Are you telling 'dig' what server to use - dig @127.0.0.1
>
> No. But when I do, it works properly. Doesn't dig default to localhost
> (in this case the host running bind)?
>
> > What servers are listed in /etc/resolv.conf? Do they resolve the
> > reverse zones?
>
> There is no resolv.conf on these machines. They are the ones running the
> nameservers.
>
> > Are local queries hitting the right 'view' (if you have multiple views)?
>
> Yes, IF I explicitly point dig to the right nameserver.
>
>
> So ... what's going on is that dig appears to not be using localhost first
> to resolve reverses.

Agree, that's odd, and not what the man page says. Any chance that there is
some other DNS helper running, like resolved, nscd, dnsmasq, etc? 'dig'
should tell you what address it used, at the bottom of the output - what
does it say?

-- 
Bob Harold

> > --
> > Bob Harold
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk [email protected]
> PGP Key: http://www.tundraware.com/PGP/
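Bob's suggestion is to read the ";; SERVER:" footer that dig prints and compare that address with what allow-recursion actually permits. The following POSIX shell snippet is an added example, not something posted in this thread or shipped with BIND: it pulls the server address and the recursion warning out of dig output and checks the address against a list of ACL entries. The two dig transcripts and the 'trustedhosts' list are constructed for the example; in particular the ACL below deliberately lists 127.0.0.1 but not ::1, which is a hypothetical omission chosen to show the check firing, not a fact established by the thread.

```shell
#!/bin/sh
# Added example: diagnose "recursion requested but not available" by
# extracting the address dig actually talked to and testing it against
# the allow-recursion ACL entries.  All inputs below are constructed.

# Constructed dig output: a reverse query that reached a server which
# refused to recurse for the source address it saw.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4521
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.      IN      PTR

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Apr 17 10:34:00 CDT 2020
;; MSG SIZE  rcvd: 54'

# Constructed dig output: the same query sent explicitly with @127.0.0.1.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 3600  IN      PTR     host1.example.internal.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 17 10:35:00 CDT 2020
;; MSG SIZE  rcvd: 88'

# Hypothetical 'trustedhosts' ACL, one entry per line.  It lists the IPv4
# loopback and the poster's /24 but omits ::1 on purpose for the example.
TRUSTEDHOSTS='127.0.0.1
192.168.0.0/24
203.0.113.10
203.0.113.11'

# Print the address from the ";; SERVER: addr#port(addr)" footer line.
dig_server_addr() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Succeed (exit 0) if dig reported that the server refused recursion.
dig_recursion_refused() {
  printf '%s\n' "$1" | grep -q '^;; WARNING: recursion requested but not available'
}

# Succeed if the address is an exact ACL literal or lies inside an IPv4 /24
# entry.  This is enough for the ACL above; it is not a general CIDR matcher.
acl_allows() {
  addr=$1
  found=1
  for entry in $2; do
    case $entry in
      "$addr") found=0 ;;
      */24) net=${entry%.*/24}
            case $addr in "$net".*) found=0 ;; esac ;;
    esac
  done
  return $found
}

# Turn one dig transcript plus the ACL into a one-line verdict.
diagnose() {
  out=$1
  acl=$2
  srv=$(dig_server_addr "$out")
  if dig_recursion_refused "$out"; then
    if acl_allows "$srv" "$acl"; then
      printf 'refused by %s although it is in the ACL: check which view the query hit\n' "$srv"
    else
      printf 'refused: dig used %s, which is not in allow-recursion\n' "$srv"
    fi
  else
    printf 'ok: answered by %s\n' "$srv"
  fi
}

# Stand-alone run: the first transcript trips the ACL check, the second does not.
diagnose "$SAMPLE_REFUSED" "$TRUSTEDHOSTS"
diagnose "$SAMPLE_OK" "$TRUSTEDHOSTS"
```

On a live host the transcript would come from something like `dig -x 192.168.0.1` run without an @server, so that the SERVER line shows whichever loopback address dig picked on its own. If that address turns out to be one the ACL does not list, BIND's built-in `localhost` ACL (which matches every address configured on the server's own interfaces, IPv4 and IPv6) is a cleaner way to cover the local machine than enumerating loopback literals in 'trustedhosts'.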
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

