Mark Andrews <ma...@isc.org> writes:

> It’s a long known issue with so called “Transparent” DNS
> proxies/accelerators/firewalls. Iterative resolvers expect to talk to
> authoritative servers. They ask questions differently to the way they
> do when they talk to a recursive server. Answers from different
> levels of the DNS hierarchy for the same question are different. If
> you just cache and return the previous answer you break iterative
> lookups. The answers from recursive servers are different to those
> from authoritative servers.
>
> You get the same sort of problem in many hotels if you have an
> iterative resolver on your portable devices. Switching named to use a
> public recursive server that supports DNSSEC in forward only mode
> helps sometimes. It really depends on what the middleware is doing.

How about configuring forwarder(s) if you have to operate a resolver in such an environment? Hoping that the answer from the intercepting server isn't too different from what you'd expect from a forwarder.

Bjørn
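
The difference between authoritative and recursive answers discussed in this thread shows up in the DNS header flags. The following is an added example, not code from the thread or from BIND: a heuristic that labels the reply an iterative resolver gets to a non-recursive (RD=0) query it believes it sent to a root server. The function names, the header-only sample messages and the rule itself are assumptions made for illustration.

```python
import struct

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def classify(msg: bytes) -> str:
    """Label a reply by the kind of server its header flags suggest."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"]:
        return "recursive-like"            # responder offers recursion
    if h["aa"]:
        return "authoritative"             # answer from the zone's own server
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"                  # delegation to a lower level
    if h["ancount"] > 0:
        return "non-authoritative-answer"  # replayed or cached data
    return "other"

def looks_intercepted(msg: bytes) -> bool:
    """Heuristic (assumption): a root server answering a query for a name
    under a delegated TLD returns a referral with RA clear, so a recursive
    style or cached answer points at a proxy in the path."""
    return classify(msg) in ("recursive-like", "non-authoritative-answer")

def make_header(flags: int, ancount: int, nscount: int, ident: int = 0x1234) -> bytes:
    """Build a header-only sample message (constructed test data)."""
    return struct.pack("!6H", ident, flags, 1, ancount, nscount, 0)

# Constructed samples: what the resolver might receive for the same query.
SAMPLES = {
    "root referral": make_header(0x8000, 0, 13),  # QR only, 13 NS records
    "proxied reply": make_header(0x8080, 1, 0),   # QR+RA, full answer
    "cached replay": make_header(0x8000, 1, 0),   # QR only, answer, no AA
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:14} {classify(msg):26} intercepted={looks_intercepted(msg)}")
```
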