On 06.05.22 at 08:19, Bjørn Mork wrote:
Mark Andrews <ma...@isc.org> writes:
It’s a long-known issue with so-called “Transparent” DNS
proxies/accelerators/firewalls. Iterative resolvers expect to talk to
authoritative servers. They ask questions differently to the way they
do when they talk to a recursive server. Answers from different
levels of the DNS hierarchy for the same question are different. If
you just cache and return the previous answer you break iterative
lookups. The answers from recursive servers are different to those
from authoritative servers.
You get the same sort of problem in many hotels if you have an
iterative resolver on your portable devices. Switching named to use a
public recursive server that supports DNSSEC in forward only mode
helps sometimes. It really depends on what the middleware is doing.
How about configuring forwarder(s) if you have to operate a resolver in
such an environment? Hoping that the answer from the intercepting
server isn't too different from what you'd expect from a forwarder
The problem is that this middleware crap operates on the protocol level.
In the past our Cisco ISP router with "DNS ALG" even rewrote zone
transfers and invented a zero TTL for each and every CNAME it saw,
meaning our secondary nameserver had completely different zone files than
the master.
You don't expect that; watching a zone transfer on both ends with
Wireshark solved that riddle.
So from the moment some device thinks it's smart about DNS, you are lost.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
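The check the thread keeps coming back to, written out as an added example (not code from the original posts, from BIND or from ISC): send an RD=0 query straight at an authoritative server, the way an iterative resolver does, and look at what comes back. An authoritative server answers AA=1 and RA=0; a recursive cache or an intercepting "transparent" proxy typically answers AA=0 and RA=1, and a TTL-rewriting "DNS ALG" of the kind described above shows up as zero-TTL CNAMEs in the answer section. The sample responses, the `example.net` names, the 192.0.2.10 address and the function names (`probe`, `middlebox_signals`, `make_response`) are constructed for this illustration; `probe()` is the only part that touches the network.

```python
"""Spot a transparent DNS proxy / "DNS ALG" from the resolver side (illustrative
code added for this thread, not BIND/ISC code).  An iterative resolver sends RD=0
straight to an authoritative server and expects AA=1, RA=0 back; a cache or
middlebox answering instead usually returns AA=0, RA=1 and may rewrite TTLs."""
import os
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, rd: bool, qtype: int = TYPE_A) -> bytes:
    """RFC 1035 query; rd=False is what an iterative resolver sends to an auth server."""
    header = os.urandom(2) + struct.pack(">HHHHH", RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where we were, follow it
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg: bytes) -> dict:
    """Header flags plus the answer section (A and CNAME rdata decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_CNAME:
            rdata, _ = _read_name(msg, off)
        elif rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        off += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "aa": bool(flags & AA), "ra": bool(flags & RA), "answers": answers}

def middlebox_signals(resp: dict) -> list:
    """Signs that an RD=0 query sent straight to an authoritative server was
    answered by something else; an empty list means the answer looks clean."""
    signals = []
    if not resp["aa"]:
        signals.append("AA not set: answer is not from an authoritative server")
    if resp["ra"]:
        signals.append("RA set: responder offers recursion (cache/forwarder/middlebox)")
    for rr in resp["answers"]:
        if rr["type"] == TYPE_CNAME and rr["ttl"] == 0:
            signals.append(f"zero TTL on CNAME {rr['name']}: TTL rewritten")
    return signals

def probe(server_ip: str, qname: str, timeout: float = 2.0) -> list:
    """Live check (needs network): RD=0 query straight to server_ip:53."""
    q = build_query(qname, rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack(">H", q[:2])[0]:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    return middlebox_signals(resp)

def make_response(flags: int, qname: str, rrs) -> bytes:
    """Constructed wire-format response for the offline samples below."""
    body = b"".join(encode_name(n) + struct.pack(">HHIH", t, 1, ttl, len(data)) + data
                    for n, t, ttl, data in rrs)
    header = struct.pack(">HHHHHH", 0x1234, QR | flags, 1, len(rrs), 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", TYPE_A, 1) + body

# Constructed samples, not captures; the example.net names are placeholders.
CLEAN_RESPONSE = make_response(AA, "www.example.net.", [
    ("www.example.net.", TYPE_CNAME, 3600, encode_name("host.example.net.")),
    ("host.example.net.", TYPE_A, 3600, socket.inet_aton("192.0.2.10")),
])
# What a "DNS ALG" like the one in the thread would hand back: no AA, RA on,
# and the CNAME TTL forced to zero.
INTERCEPTED_RESPONSE = make_response(RA, "www.example.net.", [
    ("www.example.net.", TYPE_CNAME, 0, encode_name("host.example.net.")),
    ("host.example.net.", TYPE_A, 3600, socket.inet_aton("192.0.2.10")),
])
```

`middlebox_signals(parse_response(CLEAN_RESPONSE))` returns an empty list, while the intercepted sample yields three findings (missing AA, RA set, zero-TTL CNAME). To test a real path, call `probe("<IP of one of the zone's NS>", "www.yourzone.example")` from the network you suspect: the IP must be the authoritative server itself, not a recursive resolver, otherwise AA=0/RA=1 is the expected answer and tells you nothing. This only catches middleboxes that alter flags or TTLs; one that forwards the authoritative answer byte-for-byte but caches it for later iterative queries, as Mark describes, still needs a packet capture on both ends to see.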