About query response on a view
Barry S. Finkel
bsfinkel at att.net
Wed Dec 9 16:03:54 UTC 2015
Okan Bostan <bostanok at itu.edu.tr> wrote:
> Hello List,
>
> We are planning to migrate to BIND DNS; I'm a bit of a newbie.
>
> In our design we have two views; int and ext.
> For the internal view, recursion is on and we have our internal zones & forwarders. I have no problem with the internal view.
>
> In the external view, recursion is no. It also has some zones. In testing the external view, I can query the records in the zones; that's not a problem either.
>
> But when I try to query, for example www.google.com<http://www.google.com>, it returns the root servers' records in dig.
>
> ;; QUESTION SECTION:
> ;ww. IN A
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS D.ROOT-SERVERS.NET.
> . 518400 IN NS M.ROOT-SERVERS.NET.
> . 518400 IN NS C.ROOT-SERVERS.NET.
> . 518400 IN NS J.ROOT-SERVERS.NET.
> . 518400 IN NS G.ROOT-SERVERS.NET.
> . 518400 IN NS H.ROOT-SERVERS.NET.
> . 518400 IN NS I.ROOT-SERVERS.NET.
> . 518400 IN NS L.ROOT-SERVERS.NET.
> . 518400 IN NS F.ROOT-SERVERS.NET.
> . 518400 IN NS K.ROOT-SERVERS.NET.
> . 518400 IN NS A.ROOT-SERVERS.NET.
> . 518400 IN NS B.ROOT-SERVERS.NET.
> . 518400 IN NS E.ROOT-SERVERS.NET.
>
> And status: NOERROR
>
> also in nslookup:
>
> Name:www.google.com
> Served by:
> - E.ROOT-SERVERS.NET
>
> - F.ROOT-SERVERS.NET
>
> - J.ROOT-SERVERS.NET
>
> - G.ROOT-SERVERS.NET
>
> - D.ROOT-SERVERS.NET
>
> - C.ROOT-SERVERS.NET
>
> - A.ROOT-SERVERS.NET
>
>
> But in our existing DNS environment, I get status: SERVFAIL for the same query.
>
> Is this normal behaviour? How can I disable this Authority section with root server NS records?
>
> My external view:
>
> view "EXTERNAL" {
>
> match-clients {"any";};
> allow-query-on {ext_ip; };
>
> recursion no;
> allow-recursion { none;};
>
>
> #Include SLAVE zones
> include "slave.zones";
>
> #Include REVERSE zones
> include "reverse.zones";
>
>
>
> };// view EXTERNAL
>
> Regards,
>
> Okan.

Something got lost in "translation".

> But when I try to query, for example
> www.google.com<http://www.google.com>

Did you really type "dig www.google.com"?

> ;; QUESTION SECTION:
> ;ww. IN A

According to dig, you queried "ww.".
And the output of dig is correct - there is no DNS entry
with that name, and the authority section contains the
root servers, as it is those servers which would have
contained the zone, had it existed.

You did not give us the unedited output of "dig".

--Barry Finkel
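
The two things the reply reads off the dig output (the name in the QUESTION section, and an authority section holding only root NS records) can be checked mechanically. This is an added example, not part of either poster's message; the function names and the sample header and flags lines are assumptions, and the sample text is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample modelled on the dig output quoted in the thread
# (the HEADER and flags lines are assumptions; the question and
# authority lines follow the post).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;ww.                            IN      A

;; AUTHORITY SECTION:
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
"""

def parse_dig(text):
    """Return status, question name and per-section records from dig output."""
    result = {"status": None, "question": None, "answer": [], "authority": []}
    section = None
    for line in text.splitlines():
        m = re.search(r"status: (\w+)", line)
        if m and line.startswith(";;"):
            result["status"] = m.group(1)
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1).lower()
        elif not line.strip():
            section = None                  # a blank line ends the section
        elif section == "question" and line.startswith(";"):
            result["question"] = line[1:].split()[0].lower()
        elif section in ("answer", "authority") and not line.startswith(";"):
            fields = line.split()           # owner ttl class type rdata
            if len(fields) >= 5:
                result[section].append((fields[0].lower(), fields[3], fields[4]))
    return result

def check_response(text, intended):
    """List findings: wrong question name, and referral to the root zone."""
    r = parse_dig(text)
    findings = []
    want = intended.lower().rstrip(".") + "."
    if r["question"] != want:
        findings.append(f"question mismatch: asked {r['question']}, intended {want}")
    if not r["answer"] and r["authority"] and all(
            owner == "." and rtype == "NS" for owner, rtype, _ in r["authority"]):
        findings.append("root referral: no answer, authority holds only root NS records")
    return findings
```

Calling `check_response(SAMPLE_DIG, "www.google.com")` reports both the question mismatch and the root referral for the constructed sample.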