Good idea, Brian. People should test more. Hope it goes well. Packet captures and Wireshark are your friends.
Cheers, Greg

On Tue, 10 Dec 2024 at 15:25, Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov> wrote:

> Greg,
>
> I have a test server I will enable the changes on before I roll them out
> to my primary and secondary servers.
> The test server is where we make all tests and updates to zone files.
>
> As I configure the forwarders stanza, I will remove the zone for db.cache
> and test it out.
>
> Thanks,
> Brian
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
> *Sent:* Tuesday, December 10, 2024 9:54 AM
> *To:* Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
> *Cc:* bind-users <bind-users@lists.isc.org>
> *Subject:* Re: forwarding non-domain queries
>
> *ATTENTION: This email came from an external source. Do not open
> attachments or click on links from unknown senders or unexpected emails.*
>
> And my point is that you just don't need that hint zone definition at
> all, especially using custom NS in an environment such as this. Maybe try
> commenting it out and see if it makes any difference.
>
> Greg
>
> On Tue, 10 Dec 2024 at 14:48, Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov> wrote:
>
> Greg,
>
> Yes, I do have that but it looks like this
> (/etc/dns-root is a link to /etc/bind/zones, a carry-over from an older
> platform)
>
> These are the servers I want to use as the forwards for all queries that
> aren't either local zones or more specific zones in the internal corp
> network.
>
> brian@cedar:/etc/dns-root$ more db.cache
>
> @ IN A 10.108.43.7
> @ IN A 10.108.43.8
>
> @ IN NS @
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
> *Sent:* Tuesday, December 10, 2024 9:38 AM
> *To:* Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
> *Cc:* bind-users <bind-users@lists.isc.org>
> *Subject:* Re: forwarding non-domain queries
>
> Hi Brian.
>
> So in your config you still have a section like this?
>
> zone "." {
>     type hint;
>     file <whatever>;
> };
>
> You don't need it a) at all anyway, for the reason I gave and b) because
> you are forwarding everything non-local and if you specify "forward only;"
> for both global forwarding (last resort, similar to default route) *and*
> all your forward zones - which I recommend you do - then the box will never
> recurse, so hints become moot.
>
> I don't know anything about your network topology, addressing or routeing,
> so I can't guess why traffic (outbound queries from this server?) might be
> going to either a local router or a firewall.
>
> As an aside, I would try to keep the forwarding to a minimum; if several
> things forward to the same place(s), try to aggregate them. Also, if the
> servers you are forwarding to are authoritative, I would use one of
> stub/static-stub/secondary zones instead.
>
> Cheers, Greg
>
> On Tue, 10 Dec 2024 at 14:22, Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov> wrote:
>
> Greg,
>
> Thank you.
>
> Replacing the db.cache file seems to work for replacing the root servers,
> I saw traffic shift to an internal router where I had expected/previously
> seen traffic through the FW.
> Manager noticed that secondary queries to domain servers were still going
> through the FW.
>
> The forwarder zones I have in place now will continue to function since
> they are more specific than the new forwarders setting, that serves as a
> forwarder of last resort (for lack of a better term and borrowing from
> words I use for network routing).
>
> Example.
> Let's say I have forwarder zones for health.ny.gov and ny.gov and its.ny.gov,
> those will continue to work when I add a forwarders statement for the
> servers that ny.gov servers for all more generic queries.
>
> Many thanks,
> Brian
>
> *From:* Greg Choules <gregchoules+bindus...@googlemail.com>
> *Sent:* Monday, December 9, 2024 6:26 PM
> *To:* Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
> *Cc:* bind-users <bind-users@lists.isc.org>
> *Subject:* Re: forwarding non-domain queries
>
> Hi Brian.
>
> If that's what you want to do; answer authoritatively from local zones you
> own and forward everything else to Corporate, then you have it correct.
> "forwarders {...etc" and "forward only;" go in the "options" block.
>
> Since you are forwarding everything that's not local *and* disabling
> recursion if forwarding fails, you don't need the hint zone at all; please
> delete it.
>
> Actually you don't need it anyway, even if you are doing recursion, as
> Internet root hints have been built into BIND for many years. The only
> reason you would need a hint zone is to define custom roots for a private
> network that is *completely* isolated from the Internet. Your corporate
> network does not meet that criterion because your corporate DNS servers
> will be answering names from the Internet. Therefore, lose the hint zone.
>
> I hope that helps.
> Greg
>
> On Mon, 9 Dec 2024 at 21:34, Cuttler, Brian R (HEALTH) via bind-users <bind-users@lists.isc.org> wrote:
>
> Hello, looking for a sanity check.
>
> Inside our network we are running BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu on
> Ubuntu 22.04.5 LTS
>
> Currently our server serves our own zone files - A/CNAME/PTR/TXT/etc
> records for our domain.
> We have already modified the db.cache file to reference two servers
> provided by our corporate IT rather than using the internet root servers.
> We have numerous forwarder zones for corporate zones, both forward and
> reverse zones.
>
> We are looking to no longer use recursion but rely entirely on the
> corporate servers for anything we would normally resolve from external
> servers.
>
> I think all we need to do is create a forwarders stanza set "forwarder only",
> similar to (but with the correct IPs)
>
> forwarders {
>     1.2.3.4; # External DNS
>     1.2.3.5; # External DNS
> };
> forward only;
>
> The desire is to continue to use our own zone files, and to continue to
> use the already established forwarder zones, but to replace recursion
> managed by our own internal servers with queries to ONLY the 2 servers we
> are already using as replacement root servers.
>
> Seems so simple that I have to believe I've missed something.
>
> Thanks in advance,
> Brian
>
> Brian Cuttler, System and Network Administration
> Wadsworth Center, NYS Department of Health
> Albany, NY 12201 POB 509
> brian.cutt...@health.ny.gov
> 518 486-1697
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
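For Brian's scenario, the named.conf layout Greg describes, written out as an added example (not from the thread, not ISC's own sample config): local zones answered authoritatively, a global forwarders/forward only in options, forward only on every forward zone, and no hint zone. The corporate addresses 10.108.43.7/.8 come from Brian's db.cache; the local zone name, file paths, client prefix and the its.ny.gov forwarder address are placeholders.

```conf
// Added example, not from the thread: the layout Greg describes for a
// server that answers its own zones and forwards everything else.
// 10.108.43.7/.8 are the corporate servers from Brian's db.cache;
// items marked PLACEHOLDER and the file paths are made up.

options {
    directory "/var/cache/bind";

    // BIND forwards only on behalf of recursive clients, so recursion
    // stays on; "forward only" below is what keeps it off the roots.
    recursion yes;
    allow-recursion { 10.0.0.0/8; localhost; };   // PLACEHOLDER prefix

    // Forwarder of last resort: used for any name no zone below matches.
    forwarders {
        10.108.43.7;
        10.108.43.8;
    };
    // Never fall back to iterative resolution if the forwarders fail.
    // With this set, a hint zone would never be consulted anyway.
    forward only;
};

// Deliberately absent: zone "." { type hint; file "db.cache"; };
// BIND carries built-in root hints, and custom roots are only needed on a
// network completely isolated from the Internet.

// Zones this server owns are answered authoritatively, never forwarded.
zone "lab.example" {                           // PLACEHOLDER local zone
    type primary;
    file "/etc/bind/zones/db.lab.example";
};

// A more specific forward zone still wins over the global forwarders.
// It also gets "forward only" so it cannot recurse if its targets fail.
// Keep such zones only when they point somewhere other than the global
// forwarders; otherwise fold them into options, as Greg suggests.
zone "its.ny.gov" {
    type forward;
    forward only;
    forwarders { 10.200.0.53; };               // PLACEHOLDER address
};
```

Run named-checkconf on the file before reloading, then confirm with a packet capture on the test server that outbound queries go only to the listed forwarders and none to the root servers.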