Re: forward option in dns server

Sat, 06 Jul 2024 04:26:22 -0700

yes this helped me. 
thanks 

Il giorno 28 giu 2024, alle ore 13:10, Greg Choules <gregchoules+bindus...@googlemail.com> ha scritto:



Does that help?


Cheers, Greg

On Fri, 28 Jun 2024 at 11:58, Renzo Marengo <buckroger2...@gmail.com> wrote:
Hi Greg again! :)

> 1) This should help you understand the difference between recursive and non-recursive queries.
I read about recursive and iterative query but I think A.B.C.D server should be as recursive server for domain controllers, I ask myself the same question to root servers? Or Bind9 server should have to make iterative queries to root servers ?

> I hope this server is behind a good firewall?
Yes

>Do you only have one BIND server? 
>I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason.
Yes only one server

>> Your "allow-..." statements should look like this, with IP addresses, not domain names.
Oh yes, this one was to explain you what servers I inserted into this list.


I have another doubt, /etc/resolv.conf in bind server is used only from client services ? E.g. ping tool
I think bind9 dns service doesn't contact any /etc/resolv.conf, right?





Il giorno ven 28 giu 2024 alle ore 08:46 Greg Choules <gregchoules+bindus...@googlemail.com> ha scritto:
Hi Renzo.
You're welcome.
1) Correct. You don't need forwarding for a simple resolver. Take a look at the meaning of the RD flag in the BIND protocol header. This should help you understand the difference between recursive and non-recursive queries.
2) No. See 1)
3) Yes. For a standard resolver facing the Internet you do not need a hint zone.

Some more thoughts occurred to me:
- I hope this server is behind a good firewall?
- Do you only have one BIND server? I would recommend two at least, in case you need to take one down for maintenance or it fails for some reason.
- Your "allow-..." statements should look like this, with IP addresses, not domain names.
   allow-... {127.0.0.1; <query_source_IP_address_of_DC1>; <query_source_IP_address_of_DC2>; <any_other_source_addresses...>;}; You do not need to include this server in the list.

Any changes you make should be done on a test server first, so you can be comfortable understanding what effect those changes have and only move them to production when you are certain.

Cheers, Greg

On Fri, 28 Jun 2024 at 07:14, Renzo Marengo <buckroger2...@gmail.com> wrote:
Hi greg,
I thank you again for your suggestions.

>A.B.C.D is the address of this server?
yes, It's the Bind server

I read several documents about DNS architecture
My questions is about this configuration of bind:

1- according to your opinion my bind makes queries ro root server if is set no 'forwarders' option? I'll verify It by tcpdump as you suggested
2- Do you suggest to set some "forwarders" ?
3-- This bind version has root server built-in? If I removed 'named.ca' reference, Bind would use root server built-in?

thanks

Il giorno ven 28 giu 2024 alle ore 07:51 Greg Choules <gregchoules+bindus...@googlemail.com> ha scritto:
Hi Renzo.

Thank you for that. The hints look OK. A bit old, but they will work. 

The first thing I would advise you to do as a matter of priority is to upgrade BIND.
9.11 has been end-of-life for a few years and there have been many security fixes since then. 9.18.27 is the current version.
You could install that directly, or upgrade RHEL and obtain a more recent packaged version.


You can check what BIND is doing by using "tcpdump". For example:
sudo tcpdump -n -i <interface> -c 1000 port 53 and host A.B.C.D

I am making some assumptions:
A.B.C.D is the address of this server?
<interface> is the name of the interface the server will use for outbound queries, according to its routeing table. I am guessing this is the interface with address A.B.C.D?
-c stops the capture after 1000 packets. This is just a safety precaution.
port 53 and host A.B.C.D limits the capture to only packets with port 53 (DNS) AND with the address of this interface, so you don't capture any SSH or HTTPS etc.

A fresh (recently restarted) DNS resolver - any one, not just BIND - will make queries to the root to start with. It does this to learn where to go next. It stores the results of those queries in its cache so that it doesn't have to make them again for some time.

There are many good books and articles available online to explain the basics of DNS. The BIND ARM (distributed with BIND and also available online) is the reference manual for BIND itself.

I hope that helps.
Greg

On Fri, 28 Jun 2024 at 05:57, Renzo Marengo <buckroger2...@gmail.com> wrote:
Hi Greg,
he info you required:

1) BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.2 (Extended Support Version) on running on Linux x86_64 3.10.0-1160.2.2.el7.x86_64
2) named.ca if file which contains root servers
----
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
b.root-servers.net.     518400  IN      A       199.9.14.201
c.root-servers.net.     518400  IN      A       192.33.4.12
d.root-servers.net.     518400  IN      A       199.7.91.13
e.root-servers.net.     518400  IN      A       192.203.230.10
f.root-servers.net.     518400  IN      A       192.5.5.241
g.root-servers.net.     518400  IN      A       192.112.36.4
h.root-servers.net.     518400  IN      A       198.97.190.53
i.root-servers.net.     518400  IN      A       192.36.148.17
j.root-servers.net.     518400  IN      A       192.58.128.30
k.root-servers.net.     518400  IN      A       193.0.14.129
l.root-servers.net.     518400  IN      A       199.7.83.42
m.root-servers.net.     518400  IN      A       202.12.27.33
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35
----

I didn't know some Bind versions had the Internet root hints built-in.
About my configuration I understand that bind makes always queries to root servers ? Right?
I'd like to re-check configuration of bind


Il giorno gio 27 giu 2024 alle ore 22:15 Greg Choules <gregchoules+bindus...@googlemail.com> ha scritto:
Hi Renzo.
Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the Internet on behalf of its clients, so it forwards to BIND.

In that case, two questions:
1) What version of BIND are you running? You can get this with "named -V"
2) What is in the file "named.ca"?
For a long time (which is why I need to know the version) BIND has had the Internet root hints built in, so you don't need a hint zone anymore. Unless you are defining different roots for some reason. Hence why I need to know the contents of that file.

Thanks, Greg



On Thu, 27 Jun 2024 at 18:06, Renzo Marengo <buckroger2...@gmail.com> wrote:


Hi Greg,

thank you very much for your explanation.

Let’s supposte AD domain was ‘my domain.it  and I have 6000 computers of government institute. 

Here my bind configuration:


named.conf

———

include “…. named.conf.options" ;

zone "." IN {

type hint;

file "named.ca";

};

include “…. named.rfc1912.zones";

include “….  named.root.key";

———



named.conf.options

———

        logging {

                channel named_debug {

                syslog local6;

                severity debug 1;

                print-category yes;

                print-severity yes;

                print-time yes;

                };

        category default { named_debug; };

        };


options {

auth-nxdomain no;    # conform to RFC1035

allow-recursion {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. } ;

allow-query       {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. } ;

recursive-clients 3000;

allow-query-cache {127.0.0.1; A.B.C.D; dc1.mydomain.it; dc2.mydomain.it; ….. } ; ;


listen-on port 53 { 127.0.0.1; A.B.C.D; };

directory “….. named";

dump-file “….. cache_dump.db";

statistics-file “….. named_stats.txt";

memstatistics-file “…. named_mem_stats.txt";

recursing-file  “… named.recursing";

secroots-file   “… named.secroots";

recursion yes;

dnssec-enable no;

dnssec-validation no;


bindkeys-file "….. named.iscdlv.key";

managed-keys-directory "….. dynamic";

pid-file "….. named.pid";

session-keyfile "….. session.key";

———



>Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide >resolution for delegated names below the AD domain 

>that are not hosted on the AD servers themselves. 


There is no forward option to AD DNS. Forward is enable from AD DNS to A.B.C.D. bind9 server.




All clients are using AD DNS infact every query, about name of ‘mydomain.it,’ is resolved from AD DNS.

When client asks an external domain, e.g. www.google.it, AD server forward query to A.B.C.D. server. (Forward option is set on every domain controller)

Only AD DNS  make queries to A.B.C.D server and it’s necessary only to solve external domains.

A.B.C.D. server never makes queries to AD server. A.B.C.D. is next dns server which partecipates when it’s necessary to resolve an external domain


I hope to have explained right.

I thought A.B.C.D server made query to root server because into configuration there is no reference to forward option, because I thought to set as DNS forward a government dns of my country. What do you think?

I have doubts about recursive and iterative queries options too.

Thanks



Il giorno gio 27 giu 2024 alle ore 13:24 Greg Choules <gregchoules+bindus...@googlemail.com> ha scritto:
Hi Renzo.
Firstly, please can we see your BIND configuration and have the actual AD domain name.

Secondly, BIND, or any other recursive DNS server, does not 'forward' to the root servers, unless you have configured it explicitly to do so, which would be a bad idea and not work anyway. It will recurse (paradoxically, perform non-recursive aka iterative queries) to the roots and other authoritative servers. It is an important distinction to be aware of.

Thirdly, I would not forward to AD DNS, unless the AD servers also recurse and can provide resolution for delegated names below the AD domain that are not hosted on the AD servers themselves. Personally I would use a stub or static-stub zone in BIND to refer to the AD domain.

In general, decide which DNS is going to do the resolving and make that the control point, fetching data from wherever it needs to (e.g. AD DNS) - using non-recursive queries - and using that data to construct answers for its clients.

I hope that helps.
Cheers, Greg

On Thu, 27 Jun 2024 at 12:02, Renzo Marengo <buckroger2...@gmail.com> wrote:
I have Active Directory domain ( 'mydomain.it' ) with 8 domain controllers to manage 8000 computers. Every Domain controller acts as dns service and resolve internal domain names while forward queries about external domains to another server, which Bind9 dns server (It's inside my company)
I'm checking this Bind9 configuration (Centos server) and I see no forward servers so I think It makes bind9 forward queries directly to root servers. What do you think ?
According your opinion this Bind9 server should have to forward requests to one or more dns server by forward option?

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to