Public DNS - recursion no - Access to the Internet
Pascal Hambourg
pascal.mail at plouf.fr.eu.org
Mon Feb 19 16:10:45 UTC 2007
Barry Margolin wrote:
>
>>>The reason it didn't work for him was that he only put 127.0.0.1 in his
>>>allow-recursion ACL.
>>
>>No, the reason was that "allow-recursion" was kept to "no".
I meant "recursion" instead of "allow-recursion".
>>>But when you use 0.0.0.0 in your resolv.conf [corrected quote], it
>>>doesn't send from/to 127.0.0.1, it sends to one of the machine's real
>>>NIC addresses,
This is not what I observed on a Debian GNU/Linux system. When
resolv.conf contains "nameserver 0.0.0.0" or no nameserver entry or does
not exist, DNS queries are sent to 127.0.0.1, with source address
127.0.0.1. So it does not seem that the resolver seeks any local
addresses on "real" network interfaces. My understanding is that
"nameserver 0.0.0.0" is invalid and ignored. In this case, 127.0.0.1 is
used as the default nameserver, as stated by the resolv.conf manpage:
"If no nameserver entries are present, the default is to use the name
server on the local machine". Other OSes may behave differently.
>>Do you mean that 0.0.0.0 as a nameserver address in resolv.conf is legal
>>and means "any local address"?
>
> Yes. Read the above quote from "DNS & BIND".
I did, and reacted because I do not agree with it. To me 0.0.0.0 can be
used as "this host" in a source address in special cases (e.g. DHCP
queries) or as an "any local address" wildcard when creating a socket
(e.g. "Listen 0.0.0.0" in Apache setup). But I have never seen that it
may be considered as a wildcard remote destination address by any IP
implementation.
> I believe RFC 1122 says that the default source address should be the
> outgoing interface. When sending to your own address, the outgoing
> interface is the one whose address you're sending to, so the source and
> destination addresses will be the same.
In common OSes, when sending to any of your own addresses the outgoing
interface is the loopback interface. So, according to what you wrote,
the default source address should be the loopback address, 127.0.0.1.
But this is not what is commonly observed. The Linux 2.4 kernel uses ::1
as the default IPv6 source address when sending to a local address. But
this was changed at least in recent 2.6 kernels which use the same
address as the destination, just like in IPv4.
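The source-address question argued in the last part of the message (does the kernel pick the loopback address or the destination's own address when a host sends to one of its own addresses?) can be checked directly rather than debated. The following is an added example, not code from the thread or from BIND: it uses the fact that connect() on a UDP socket transmits nothing but does make the kernel choose a route and a local address, which getsockname() then reveals. The script is assumed to run on a Linux or BSD-style stack; the port number 53 is only there to mimic a DNS query and no datagram is actually sent.

```python
import socket


def default_source_for(dest: str, port: int = 53) -> str:
    """Return the source address the kernel would put on a UDP datagram to dest.

    connect() on a UDP socket sends no packet; it only fixes the local
    endpoint, so getsockname() shows the address route selection picked.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((dest, port))
        return sock.getsockname()[0]
    finally:
        sock.close()


def source_matches_destination(dest: str) -> bool:
    """True when sending to dest would use dest itself as the source address."""
    return default_source_for(dest) == dest


def local_ipv4_addresses() -> list[str]:
    """Best-effort list of this host's own IPv4 addresses (loopback first).

    Hostname resolution may be unavailable on an isolated machine, so any
    failure simply leaves only 127.0.0.1 in the list.
    """
    addrs = ["127.0.0.1"]
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addr = info[4][0]
            if addr not in addrs:
                addrs.append(addr)
    except socket.gaierror:
        pass
    return addrs


def report() -> dict[str, str]:
    """Map each of the host's own addresses to the source the kernel selects."""
    return {dest: default_source_for(dest) for dest in local_ipv4_addresses()}


if __name__ == "__main__":
    for dest, src in report().items():
        verdict = "same" if dest == src else "differs"
        print(f"to {dest:<15} source {src:<15} ({verdict})")
```

On a current Linux or BSD system the loopback row always reads "same"; whether the rows for the machine's real NIC addresses also read "same" (as the message reports for recent 2.6 kernels) or fall back to 127.0.0.1 is exactly what this script lets you observe on the host in question, which matters when a name server's allow-recursion or allow-query ACL is written in terms of the expected source address.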