Hi Brian.
So in your config you still have a section like this?

zone "." {
   type hint;
   file <whatever>;
};

You don't need it a) at all anyway, for the reason I gave and b) because
you are forwarding everything non-local and if you specify "forward only;"
for both global forwarding (last resort, similar to default route) *and*
all your forward zones - which I recommend you do - then the box will never
recurse, so hints become moot.

I don't know anything about your network topology, addressing or routeing,
so I can't guess why traffic (outbound queries from this server?) might be
going to either a local router or a firewall.

As an aside, I would try to keep the forwarding to a minimum; if several
things forward to the same place(s), try to aggregate them. Also, if the
servers you are forwarding to are authoritative, I would use one of
stub/static-stub/secondary zones instead.

Cheers, Greg

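The layout Greg describes above (global forwarders plus "forward only;" in options, "forward only;" on every forward zone, and no hint zone) is easy to get slightly wrong by hand, so here is an added example that checks it mechanically. This is not code from the thread, from ISC or from BIND: it is a small Python lint over a simplified named.conf fragment. The two config texts and the 192.0.2.x forwarder addresses are constructed for the example (documentation placeholders, not real resolvers), and the parser handles plain statement/block syntax only; it does not descend into view blocks.

```python
"""Lint a named.conf fragment for the forwarding points made in the thread:
  1. a root hint zone (zone "." type hint) is unnecessary and should go,
  2. global forwarders in options need "forward only;" or named falls back
     to iterative recursion when the forwarders fail,
  3. every forward zone should also carry "forward only;".
Config texts and addresses below are constructed for this example."""
import re

# Constructed "before" config: leftover hint zone, one forward zone not "only".
BEFORE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;                           # stays yes: named only forwards recursive queries
    forwarders { 192.0.2.10; 192.0.2.11; };  # corporate resolvers (placeholder addresses)
    forward only;
};
zone "." { type hint; file "/etc/bind/db.cache"; };
zone "example.internal" { type primary; file "/etc/bind/db.example.internal"; };
zone "corp.example" { type forward; forwarders { 192.0.2.10; 192.0.2.11; }; forward only; };
zone "branch.corp.example" { type forward; forwarders { 192.0.2.10; }; };
"""

# Constructed "after" config: hint zone deleted, every forward zone "forward only".
AFTER_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;
};
zone "example.internal" { type primary; file "/etc/bind/db.example.internal"; };
zone "corp.example" { type forward; forwarders { 192.0.2.10; 192.0.2.11; }; forward only; };
zone "branch.corp.example" { type forward; forwarders { 192.0.2.10; }; forward only; };
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Drop /* */, // and # comments, then split into strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return TOKEN_RE.findall(text)


def parse_block(tokens, i=0):
    """Parse tokens[i:] up to the matching '}' into a list of statements.
    A statement is (words, children): children is the parsed body of a
    '{ ... }' block, or None for a simple 'word word;' statement."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            children, i = parse_block(tokens, i + 1)
            stmts.append((words, children))
            words = []
            if i < len(tokens) and tokens[i] == ";":  # terminator after a block
                i += 1
        elif tok == "}":
            return stmts, i + 1
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
            i += 1
        else:
            words.append(tok.strip('"'))
            i += 1
    return stmts, i


def find(stmts, *prefix):
    """Statements whose leading words equal prefix, e.g. find(top, 'zone')."""
    return [(w, c) for w, c in stmts if tuple(w[: len(prefix)]) == prefix]


def has_forward_only(body):
    return any(w == ["forward", "only"] for w, _ in (body or []))


def zone_type(body):
    types = find(body or [], "type")
    return types[0][0][1] if types and len(types[0][0]) > 1 else None


def lint(conf_text):
    """Return human-readable findings; an empty list means the config matches
    the 'forward only everywhere, no hint zone' layout."""
    top, _ = parse_block(tokenize(conf_text))
    findings = []
    for _, opts in find(top, "options"):
        if find(opts, "forwarders") and not has_forward_only(opts):
            findings.append('options: forwarders set without "forward only;" '
                            "(named will recurse if the forwarders fail)")
    for words, body in find(top, "zone"):
        name = words[1] if len(words) > 1 else "?"
        ztype = zone_type(body)
        if ztype == "hint":
            findings.append(f'zone "{name}": hint zone is unnecessary '
                            "(root hints are built into BIND); delete it")
        elif ztype == "forward" and not has_forward_only(body):
            findings.append(f'zone "{name}": forward zone without "forward only;"')
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_NAMED_CONF), ("after", AFTER_NAMED_CONF)):
        print(f"{label}: {lint(conf) or ['no findings']}")
```

Run against the "before" text it reports the hint zone and the one forward zone that lacks "forward only;"; the "after" text is clean. Note that `recursion yes;` is kept in both: named only forwards queries it would otherwise recurse for, so turning recursion off would stop forwarding rather than force it.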
On Tue, 10 Dec 2024 at 14:22, Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov> wrote:

> Greg,
>
> Thank you.
>
> Replacing the db.cache file seems to work for replacing the root servers,
> I saw traffic shift to an internal router where I had expected/previously
> seen traffic through the FW.
> Manager noticed that secondary queries to domain servers were still going
> through the FW.
>
> The forwarder zones I have in place now will continue to function since
> they are more specific than the new forwarders setting, that serves as a
> forwarder of last resort (for lack of a better term and borrowing from
> words I use for network routing).
>
> Example.
>
> Let's say I have forwarder zones for health.ny.gov and ny.gov and its.ny.gov,
> those will continue to work when I add a forwarders statement for the
> servers that ny.gov servers for all more generic queries.
>
> Many thanks,
>
> Brian
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
> *Sent:* Monday, December 9, 2024 6:26 PM
> *To:* Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
> *Cc:* bind-users <bind-users@lists.isc.org>
> *Subject:* Re: forwarding non-domain queries
>
> Hi Brian.
>
> If that's what you want to do; answer authoritatively from local zones you
> own and forward everything else to Corporate, then you have it correct.
> "forwarders {...etc" and "forward only;" go in the "options" block.
>
> Since you are forwarding everything that's not local *and* disabling
> recursion if forwarding fails, you don't need the hint zone at all; please
> delete it.
>
> Actually you don't need it anyway, even if you are doing recursion, as
> Internet root hints have been built into BIND for many years. The only
> reason you would need a hint zone is to define custom roots for a private
> network that is *completely* isolated from the Internet. Your corporate
> network does not meet that criterion because your corporate DNS servers
> will be answering names from the Internet. Therefore, lose the hint zone.
>
> I hope that helps.
>
> Greg
>
> On Mon, 9 Dec 2024 at 21:34, Cuttler, Brian R (HEALTH) via bind-users <
> bind-users@lists.isc.org> wrote:
>
> Hello, looking for a sanity check.
>
> Inside our network we are running BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu on
> Ubuntu 22.04.5 LTS
>
> Currently our server serves our own zone files - A/CNAME/PTR/TXT/etc
> records for our domain.
> We have already modified the db.cache file to reference two servers
> provided by our corporate IT rather than using the internet root servers.
>
> We have numerous forwarder zones for corporate zones, both forward and
> reverse zones.
>
> We are looking to no longer use recursion but rely entirely on the
> corporate servers for anything we would normally resolve from external
> servers.
>
> I think all we need to do is create a forwarders stanza and set “forwarder only”,
> similar to (but with the correct IPs)
>
>         forwarders {
>             1.2.3.4;             # External DNS
>             1.2.3.5;             # External DNS
>         };
>         forward only;
>
> The desire is to continue to use our own zone files, and to continue to
> use the already established forwarder zones, but to replace recursion
> managed by our own internal servers with queries to ONLY the 2 servers we
> are already using as replacement root servers.
>
> Seems so simple that I have to believe I’ve missed something.
>
> Thanks in advance,
>
> Brian
>
> Brian Cuttler, System and Network Administration
>
> Wadsworth Center, NYS Department of Health
>
> Albany, NY 12201 POB 509
>
> brian.cutt...@health.ny.gov
>
> 518 486-1697
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>