Hi Greg,

the info you required:

1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64

2) named.ca is the file which contains the root servers:

named.ca
----
.                       518400  IN  NS    a.root-servers.net.
.                       518400  IN  NS    b.root-servers.net.
.                       518400  IN  NS    c.root-servers.net.
.                       518400  IN  NS    d.root-servers.net.
.                       518400  IN  NS    e.root-servers.net.
.                       518400  IN  NS    f.root-servers.net.
.                       518400  IN  NS    g.root-servers.net.
.                       518400  IN  NS    h.root-servers.net.
.                       518400  IN  NS    i.root-servers.net.
.                       518400  IN  NS    j.root-servers.net.
.                       518400  IN  NS    k.root-servers.net.
.                       518400  IN  NS    l.root-servers.net.
.                       518400  IN  NS    m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN  A     198.41.0.4
b.root-servers.net.     518400  IN  A     199.9.14.201
c.root-servers.net.     518400  IN  A     192.33.4.12
d.root-servers.net.     518400  IN  A     199.7.91.13
e.root-servers.net.     518400  IN  A     192.203.230.10
f.root-servers.net.     518400  IN  A     192.5.5.241
g.root-servers.net.     518400  IN  A     192.112.36.4
h.root-servers.net.     518400  IN  A     198.97.190.53
i.root-servers.net.     518400  IN  A     192.36.148.17
j.root-servers.net.     518400  IN  A     192.58.128.30
k.root-servers.net.     518400  IN  A     193.0.14.129
l.root-servers.net.     518400  IN  A     199.7.83.42
m.root-servers.net.     518400  IN  A     202.12.27.33
a.root-servers.net.     518400  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.     518400  IN  AAAA  2001:500:200::b
c.root-servers.net.     518400  IN  AAAA  2001:500:2::c
d.root-servers.net.     518400  IN  AAAA  2001:500:2d::d
e.root-servers.net.     518400  IN  AAAA  2001:500:a8::e
f.root-servers.net.     518400  IN  AAAA  2001:500:2f::f
g.root-servers.net.     518400  IN  AAAA  2001:500:12::d0d
h.root-servers.net.     518400  IN  AAAA  2001:500:1::53
i.root-servers.net.     518400  IN  AAAA  2001:7fe::53
j.root-servers.net.     518400  IN  AAAA  2001:503:c27::2:30
k.root-servers.net.     518400  IN  AAAA  2001:7fd::1
l.root-servers.net.     518400  IN  AAAA  2001:500:9f::42
m.root-servers.net.     518400  IN  AAAA  2001:dc3::35
----

I didn't know some BIND versions had the Internet root hints built in.

About my configuration, I understand that BIND always makes queries to root servers? Right?

I'd like to re-check the configuration of BIND.

On Thu 27 Jun 2024 at 22:15, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:

> Hi Renzo.
> Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the Internet on behalf of its clients, so it forwards to BIND.
>
> In that case, two questions:
> 1) What version of BIND are you running? You can get this with "named -V"
> 2) What is in the file "named.ca"?
> For a long time (which is why I need to know the version) BIND has had the Internet root hints built in, so you don't need a hint zone anymore. Unless you are defining different roots for some reason. Hence why I need to know the contents of that file.
>
> Thanks, Greg
>
> On Thu, 27 Jun 2024 at 18:06, Renzo Marengo <buckroger2...@gmail.com> wrote:
>
>> Hi Greg,
>>
>> thank you very much for your explanation.
>>
>> Let's suppose the AD domain was 'mydomain.it' and I have 6000 computers of a government institute.
>>
>> Here is my BIND configuration:
>>
>> named.conf
>> ---
>> include "…. named.conf.options";
>>
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>>
>> include "…. named.rfc1912.zones";
>> include "…. named.root.key";
>> ---
>>
>> named.conf.options
>> ---
>> logging {
>>     channel named_debug {
>>         syslog local6;
>>         severity debug 1;
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>     category default { named_debug; };
>> };
>>
>> options {
>>     auth-nxdomain no; # conform to RFC1035
>>     allow-recursion   { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>>     allow-query       { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>>     recursive-clients 3000;
>>     allow-query-cache { 127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. };
>>
>>     listen-on port 53 { 127.0.0.1; A.B.C.D; };
>>     directory "….. named";
>>     dump-file "….. cache_dump.db";
>>     statistics-file "….. named_stats.txt";
>>     memstatistics-file "…. named_mem_stats.txt";
>>     recursing-file "… named.recursing";
>>     secroots-file "… named.secroots";
>>     recursion yes;
>>     dnssec-enable no;
>>     dnssec-validation no;
>>
>>     bindkeys-file "….. named.iscdlv.key";
>>     managed-keys-directory "….. dynamic";
>>     pid-file "….. named.pid";
>>     session-keyfile "….. session.key";
>> };
>> ---
>>
>> > Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide resolution for delegated names below the AD domain
>> > that are not hosted on the AD servers themselves.
>>
>> There is no forward option to AD DNS. Forward is enabled from AD DNS to the A.B.C.D. bind9 server.
>>
>> All clients are using AD DNS; in fact every query about a name of 'mydomain.it' is resolved from AD DNS.
>> When a client asks for an external domain, e.g. www.google.it, the AD server forwards the query to the A.B.C.D. server. (The forward option is set on every domain controller.)
>> Only AD DNS makes queries to the A.B.C.D server, and it's necessary only to resolve external domains.
>> The A.B.C.D. server never makes queries to the AD server. A.B.C.D. is the next DNS server, which participates when it's necessary to resolve an external domain.
>>
>> I hope to have explained it right.
>> I thought the A.B.C.D server made queries to root servers because in the configuration there is no reference to the forward option, because I thought to set as DNS forward a government DNS of my country. What do you think?
>> I have doubts about the recursive and iterative query options too.
>>
>> Thanks
>>
>> On Thu 27 Jun 2024 at 13:24, Greg Choules <gregchoules+bindus...@googlemail.com> wrote:
>>
>>> Hi Renzo.
>>> Firstly, please can we see your BIND configuration and have the actual AD domain name.
>>>
>>> Secondly, BIND, or any other recursive DNS server, does not 'forward' to the root servers, unless you have configured it explicitly to do so, which would be a bad idea and not work anyway. It will recurse (paradoxically, perform non-recursive aka iterative queries) to the roots and other authoritative servers. It is an important distinction to be aware of.
>>>
>>> Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide resolution for delegated names below the AD domain that are not hosted on the AD servers themselves. Personally I would use a stub or static-stub zone in BIND to refer to the AD domain.
>>>
>>> In general, decide which DNS is going to do the resolving and make that the control point, fetching data from wherever it needs to (e.g. AD DNS) - using non-recursive queries - and using that data to construct answers for its clients.
>>>
>>> I hope that helps.
>>> Cheers, Greg
>>>
>>> On Thu, 27 Jun 2024 at 12:02, Renzo Marengo <buckroger2...@gmail.com> wrote:
>>>
>>>> I have an Active Directory domain ('mydomain.it') with 8 domain controllers to manage 8000 computers. Every domain controller acts as a DNS service and resolves internal domain names while forwarding queries about external domains to another server, which is a Bind9 DNS server (it's inside my company).
>>>> I'm checking this Bind9 configuration (CentOS server) and I see no forward servers, so I think it makes bind9 forward queries directly to root servers. What do you think?
>>>> In your opinion, should this Bind9 server have to forward requests to one or more DNS servers by the forward option?
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
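The layout Greg describes, as an added example that is not part of the thread and not any participant's configuration: a BIND 9.11 named.conf that recurses from the root hints compiled into BIND (so no zone "." hint stanza), restricts recursion to the AD DNS servers and localhost, and uses a static-stub zone to fetch the AD domain's data from the domain controllers with non-recursive queries. All addresses (10.0.0.1, 10.0.0.2, 10.0.0.53, 192.0.2.x) are constructed placeholders, not values from the thread.

```conf
// Added example, not from the thread. Placeholder addresses throughout.

acl "ad-dns"  { 10.0.0.1; 10.0.0.2; };        // the domain controllers
acl "trusted" { 127.0.0.1; ::1; "ad-dns"; };  // the only clients allowed to recurse

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 10.0.0.53; };

    allow-query       { "trusted"; };
    allow-recursion   { "trusted"; };
    allow-query-cache { "trusted"; };
    recursive-clients 3000;

    recursion yes;
    // No "forwarders" statement: named resolves iteratively, starting from the
    // root hints built into BIND, so no zone "." { type hint; } is required.

    dnssec-validation auto;   // validate answers using the built-in root trust anchor
};

// Internal names: fetch NS/glue for the AD domain from the DCs with
// non-recursive queries and use that data to answer clients, instead of
// forwarding whole queries to AD DNS.
zone "mydomain.it" {
    type static-stub;
    server-addresses { 10.0.0.1; 10.0.0.2; };
};

// For contrast only (kept commented out): a forward-only resolver sends
// recursive queries (RD=1) to the listed servers and never contacts the
// roots itself.  That is forwarding; what the block above does is recursion.
// options { recursion yes; forward only; forwarders { 192.0.2.1; 192.0.2.2; }; };
```

Check the file with `named-checkconf` before loading it. Note that BIND address match lists (allow-query, allow-recursion, listen-on, acl bodies) accept IP addresses, prefixes, ACL names and TSIG key names, but not hostnames, so the domain controllers must be listed by address as above.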