Greg,

Yes, I do have that but it looks like this

(/etc/dns-root is a link to /etc/bind/zones, a carry-over from an older platform)

These are the servers I want to use as the forwards for all queries that aren't 
either local zones or more specific zones in the internal corp network.

brian@cedar:/etc/dns-root$ more db.cache

@ IN A 10.108.43.7
@ IN A 10.108.43.8

@ IN NS @

From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Tuesday, December 10, 2024 9:38 AM
To: Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: forwarding non-domain queries


ATTENTION: This email came from an external source. Do not open attachments or 
click on links from unknown senders or unexpected emails.

Hi Brian.
So in your config you still have a section like this?

zone "." {
   type hint;
   file <whatever>;
};

You don't need it a) at all anyway, for the reason I gave and b) because you 
are forwarding everything non-local and if you specify "forward only;" for both 
global forwarding (last resort, similar to default route) *and* all your 
forward zones - which I recommend you do - then the box will never recurse, so 
hints become moot.

I don't know anything about your network topology, addressing or routeing, so I 
can't guess why traffic (outbound queries from this server?) might be going to 
either a local router or a firewall.

As an aside, I would try to keep the forwarding to a minimum; if several things 
forward to the same place(s), try to aggregate them. Also, if the servers you 
are forwarding to are authoritative, I would use one of 
stub/static-stub/secondary zones instead.

Cheers, Greg
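To make the recommendation above concrete, here is an added example named.conf fragment (not from the thread, and not Brian's real configuration) that does what Greg describes: it answers for local zones, forwards everything else with "forward only" both globally and in every forward zone, aggregates forward zones that would otherwise point at the same servers, uses a static-stub zone where the target servers are authoritative, and has no hint zone at all. All addresses, zone names and file paths are placeholders.

```conf
// Added example, not the poster's config. 192.0.2.x and the zone names are placeholders.

options {
    directory "/var/cache/bind";

    // Forwarding goes through the recursive code path, so recursion must stay
    // enabled; "forward only" below is what stops named from ever iterating
    // from the root (which is why no hint zone is needed).
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; 10.0.0.0/8; };   // internal clients only

    // "Forwarder of last resort": every query that is not for a local zone
    // and not covered by a more specific zone below goes here.
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;     // if the forwarders fail, the query fails; never fall back to roots
};

// Zones this server owns: answered authoritatively, never forwarded.
zone "example.internal" {
    type primary;
    file "/etc/bind/zones/db.example.internal";
};

zone "0.0.10.in-addr.arpa" {
    type primary;
    file "/etc/bind/zones/db.10.0.0";
};

// A corporate zone that must go to *different* resolvers than the global
// forwarders. A forward zone whose forwarders are identical to the global
// ones is redundant and should simply be removed (aggregation).
zone "corp.example" {
    type forward;
    forward only;     // set it here too; a forward zone does not inherit "forward only"
    forwarders { 192.0.2.20; 192.0.2.21; };
};

// If the target servers are *authoritative* for the zone rather than resolvers,
// a static-stub zone lets named query them directly as that zone's nameservers
// instead of asking them to resolve on your behalf.
zone "10.in-addr.arpa" {
    type static-stub;
    server-addresses { 192.0.2.30; 192.0.2.31; };
};

// Deliberately absent:
//   zone "." { type hint; file "..."; };
// BIND ships built-in root hints, and with "forward only" they are never used.
```

Before reloading, run named-checkconf against the file; after reloading, a query for a name outside the local and forward zones should produce outbound port-53 traffic only to the options-level forwarders, which is easy to confirm with tcpdump on the server's uplink.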

On Tue, 10 Dec 2024 at 14:22, Cuttler, Brian R (HEALTH) 
<brian.cutt...@health.ny.gov> wrote:
Greg,

Thank you.

Replacing the db.cache file seems to work for replacing the root servers; I saw 
traffic shift to an internal router where I had expected/previously seen traffic 
through the FW.
Manager noticed that secondary queries to domain servers were still going 
through the FW.

The forwarder zones I have in place now will continue to function since they 
are more specific than the new forwarders setting, which serves as a forwarder of 
last resort (for lack of a better term, borrowing from words I use for 
network routing).

Example.
Let's say I have forwarder zones for health.ny.gov, ny.gov and its.ny.gov; those 
will continue to work when I add a forwarders statement for the ny.gov servers 
for all more generic queries.

Many thanks,
Brian

From: Greg Choules 
<gregchoules+bindus...@googlemail.com>
Sent: Monday, December 9, 2024 6:26 PM
To: Cuttler, Brian R (HEALTH) 
<brian.cutt...@health.ny.gov>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: forwarding non-domain queries



Hi Brian.
If that's what you want to do; answer authoritatively from local zones you own 
and forward everything else to Corporate, then you have it correct. "forwarders 
{...etc" and "forward only;" go in the "options" block.

Since you are forwarding everything that's not local *and* disabling recursion 
if forwarding fails, you don't need the hint zone at all; please delete it.

Actually you don't need it anyway, even if you are doing recursion, as Internet 
root hints have been built into BIND for many years. The only reason you would 
need a hint zone is to define custom roots for a private network that is 
*completely* isolated from the Internet. Your corporate network does not meet 
that criterion because your corporate DNS servers will be answering names from 
the Internet. Therefore, lose the hint zone.

I hope that helps.
Greg

On Mon, 9 Dec 2024 at 21:34, Cuttler, Brian R (HEALTH) via bind-users 
<bind-users@lists.isc.org> wrote:
Hello, looking for a sanity check.

Inside our network we are running BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu on 
Ubuntu 22.04.5 LTS.

Currently our server serves our own zones files - A/CNAME/PTR/TXT/etc records 
for our domain.
We have already modified the db.cache file to reference two servers provided by 
our corporate IT rather than using the internet root servers.
We have numerous forwarder zones for corporate zones, both forward and reverse 
zones.

We are looking to no longer use recursion but rely entirely on the corporate 
servers for anything we would normally resolve from external servers.


I think all we need to do is create a forwarders stanza and set "forward only", 
similar to (but with the correct IPs)

        forwarders {
            1.2.3.4;             # External DNS
            1.2.3.5;             # External DNS
        };
        forward only;

The desire is to continue to use our own zone files, and to continue to use the 
already established forwarder zones, but to replace recursion managed by our own 
internal servers with queries to ONLY the 2 servers we are already using as 
replacement root servers.

Seems so simple that I have to believe I've missed something.

Thanks in advance,
Brian



Brian Cuttler, System and Network Administration
Wadsworth Center, NYS Department of Health
Albany, NY 12201 POB 509
brian.cutt...@health.ny.gov
518 486-1697

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users