Hi David.

I find your configuration a bit bizarre because you say you don't want
recursion, yet you have both "recursion yes;" and "forward first;" (which
is the default anyway, so this statement is redundant).

"recursion yes;" says to attempt recursion unless something else (like
forwarding) says not to. So try setting that to "no".

"forward first;" says to recurse if forwarding fails, which sounds like
exactly what you don't want to happen.

I am not sure what the behaviour is if you define zone "." and then
(presumably) give it a null list of hints. It may be that this is ignored
and built-in root hints used instead. A pcap should show this.

With so many forwarders (quite a lot!), why should it be that forwarding
ever fails completely? The usual point of forwarding is to offload queries
to somewhere reliable, not deliberately unreliable or likely to fail.

Hope that helps.
Cheers, Greg

On Fri, 5 Sept 2025 at 19:30, Reynolds, David <dreyno...@epiqglobal.com>
wrote:

> Greetings all,
>
> I stumbled across an oddity in BIND that may be due to my ignorance or
> some other environmental factor.
>
> We have a pair of caching resolvers in a datacenter that ended up with the
> following in the configuration:
>
>         forwarders {
>                 // Cloudflare
>                 1.1.1.1;
>                 1.0.0.1;
>                 // Quad9
>                 9.9.9.9;
>                 149.112.112.112;
>                 // Cisco OpenDNS
>                 208.67.222.222;
>                 208.67.220.220;
>                 };
>         forward first;
>         dnssec-enable no;
>         dnssec-validation no;
>         empty-zones-enable no;
> };
>
> zone "." IN {
>         type hint;
>         file "/dev/null";
> };
>
> In this configuration, the forward always fails.  Not only does it fail,
> we see no traffic leaving the server (tcpdump port 53)!
>
> And since we don’t want these following the full recursion out to the
> internet, root hints are intentionally disabled (we’re hoping for at least
> some data hygiene by using these specific forwarders).
>
> Setting it to ‘forward only’ resolved the issue.
>
> Do I have something misconfigured?
>
> More detail of named.conf (removed logging and internal zones):
>
> options {
>         listen-on port 53 {
>                 any;
>                 };
>         directory       "/var/named";
>         dump-file       "/opt/named/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         recursing-file  "/var/named/data/named.recursing";
>         secroots-file   "/var/named/data/named.secroots";
>         allow-query     { any; };
>         querylog yes;
>         recursion yes;
>         recursive-clients 50000;
>         tcp-clients 50000;
>         edns-udp-size 4096;
>         max-udp-size 4096;
>
>         bindkeys-file "/etc/named.root.key";
>         managed-keys-directory "/var/named/dynamic";
>
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>
>         forwarders {
>                 1.1.1.1;
>                 1.0.0.1;
>                 9.9.9.9;
>                 149.112.112.112;
>                 208.67.222.222;
>                 208.67.220.220;
>                 };
>         forward first;
>         dnssec-enable no;
>         dnssec-validation no;
>         empty-zones-enable no;
> };
>
> zone "." IN {
>         type hint;
>         file "/dev/null";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> OS details:
> # cat /etc/*release
> NAME="Red Hat Enterprise Linux"
> VERSION="8.10 (Ootpa)"
> ID="rhel"
> ID_LIKE="fedora"
> VERSION_ID="8.10"
> PLATFORM_ID="platform:el8"
> PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
> HOME_URL=https://www.redhat.com/
> DOCUMENTATION_URL=https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8
> BUG_REPORT_URL=https://issues.redhat.com/
>
> REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
> REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
> REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
> REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
> Red Hat Enterprise Linux release 8.10 (Ootpa)
> Red Hat Enterprise Linux release 8.10 (Ootpa)
>
> BIND details:
>
> BIND 9.11.36-RedHat-9.11.36-16.el8_10.4 (Extended Support Version)
> <id:68dbd5b>
> running on Linux x86_64 4.18.0-553.56.1.el8_10.x86_64 #1 SMP Mon Jun 2
> 12:33:13 EDT 2025
> built by make with '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--with-python=/usr/libexec/platform-python' '--with-libtool'
> '--localstatedir=/var' '--enable-threads' '--enable-ipv6'
> '--enable-filter-aaaa' '--with-pic' '--disable-static'
> '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2'
> '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11'
> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
> '--disable-isc-spnego' '--with-lmdb=no' '--with-libjson' '--enable-dnstap'
> '--with-cmocka' '--enable-fixed-rrset'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
> 'LDFLAGS=-Wl,-z,relro -Wl,-z,now
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE'
> 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-23)
> compiled with OpenSSL version: OpenSSL 1.1.1k  FIPS 25 Mar 2021
> linked to OpenSSL version: OpenSSL 1.1.1k  FIPS 25 Mar 2021
> compiled with libxml2 version: 2.9.7
> linked to libxml2 version: 20907
> compiled with libjson-c version: 0.13.1
> linked to libjson-c version: 0.13.1
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> linked to maxminddb version: 1.2.0
> compiled with protobuf-c version: 1.3.0
> linked to protobuf-c version: 1.3.0
> threads support is enabled
>
> default paths:
>   named configuration:  /etc/named.conf
>   rndc configuration:   /etc/rndc.conf
>   DNSSEC root key:      /etc/bind.keys
>   nsupdate session key: /var/run/named/session.key
>   named PID file:       /var/run/named/named.pid
>   named lock file:      /var/run/named/named.lock
>   geoip-directory:      /usr/share/GeoIP
>
> *David Reynolds*
> Epiq | Linux Support
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list.
>
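Added example, not part of Greg's or David's mail: a small Python lint that parses a named.conf fragment and flags the combination this thread is about, `forward first;` next to a `zone "."` hint zone whose file is /dev/null, which leaves the fallback recursion Greg describes with no root servers to start from, and, where real hints are present, notes that `forward first` still permits direct recursion to the internet when the forwarders fail. The sample configs are constructed from the posted options block; the `summarize`/`lint` helper names and the finding codes are my own, and the `yes`/`first` values assumed for an absent `recursion`/`forward` statement are BIND's defaults (Greg notes `forward first` is the default).

```python
"""Lint a named.conf fragment for the forward first / empty root hints mismatch.

Added example for the bind-users thread above; not code from the thread or from BIND.
"""
import re

# Tokens: quoted strings, the three structural characters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments, all of which named.conf allows."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def parse_block(tokens, pos=0):
    """Recursive-descent parse of named.conf statements.

    Returns (statements, next_pos). Each statement is (words, children):
    words are the tokens before any '{' (quotes removed), children is the
    parsed inner block, or None for a simple 'key value;' statement."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return stmts, pos + 1
        if tok == "{":
            children, pos = parse_block(tokens, pos + 1)
            stmts.append((words, children))
            words = []
            if pos < len(tokens) and tokens[pos] == ";":  # the '};' terminator
                pos += 1
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
            pos += 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return stmts, pos


def summarize(conf_text: str) -> dict:
    """Extract the settings that decide where a forwarding resolver sends queries."""
    stmts, _ = parse_block(TOKEN_RE.findall(strip_comments(conf_text)))
    # 'yes' and 'first' are BIND's defaults when the statement is absent (assumption noted above).
    info = {"recursion": "yes", "forward": "first", "forwarders": [], "root_hint_file": None}
    for words, children in stmts:
        if not words:
            continue
        if words[0] == "options" and children is not None:
            for w, c in children:
                if w and w[0] == "forwarders" and c is not None:
                    info["forwarders"] = [x[0] for x, _ in c if x]
                elif len(w) >= 2 and w[0] in ("recursion", "forward"):
                    info[w[0]] = w[1]
        elif words[0] == "zone" and len(words) >= 2 and words[1] == "." and children is not None:
            kv = {w[0]: w[1] for w, _ in children if len(w) >= 2}
            if kv.get("type") == "hint":
                info["root_hint_file"] = kv.get("file")
    return info


def lint(conf_text: str) -> list:
    """Return (code, message) findings about forward/recursion/root-hint consistency."""
    info = summarize(conf_text)
    findings = []
    if info["forwarders"] and info["forward"] == "first":
        if info["root_hint_file"] == "/dev/null":
            findings.append(("FORWARD_FIRST_NO_ROOT_HINTS",
                "forward first falls back to iterative recursion when forwarding fails, "
                "but zone '.' hints are read from /dev/null, so the fallback has no root "
                "servers to start from; use 'forward only;' if the forwarders are the only "
                "intended path out."))
        elif info["recursion"] == "yes":
            findings.append(("FORWARD_FIRST_FALLBACK_RECURSION",
                "forward first with recursion yes lets named recurse directly to the "
                "internet whenever the forwarders fail; 'forward only;' prevents that."))
    return findings


# Constructed sample reproducing the relevant statements of the posted named.conf.
AS_POSTED = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        forwarders {
                // Cloudflare
                1.1.1.1; 1.0.0.1;
                // Quad9
                9.9.9.9; 149.112.112.112;
                // Cisco OpenDNS
                208.67.222.222; 208.67.220.220;
        };
        forward first;
        dnssec-validation no;
};
zone "." IN {
        type hint;
        file "/dev/null";
};
"""
# The one-line change David reported as resolving the problem.
FORWARD_ONLY = AS_POSTED.replace("forward first;", "forward only;")

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("forward only", FORWARD_ONLY)):
        print(f"{name}: {summarize(conf)}")
        for code, msg in lint(conf):
            print(f"  [{code}] {msg}")
```

Running it prints one finding for the configuration as posted and none once `forward only;` is in place; dropping the `zone "."` block entirely (so BIND's built-in hints apply) changes the finding to the fallback-recursion note, which is the behaviour David said he was trying to avoid.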