Caching name server setup problems

Michael Varre mike at jirc.com
Tue Jul 15 20:22:11 UTC 2008
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Kevin Darcy
> Sent: Tuesday, July 15, 2008 3:44 PM
> To: bind-users at isc.org
> Subject: Re: Caching name server setup problems
> 
> [snipped]
> >
> > [Michael P. Varre]
> >
> > Thanks Chris, that all makes perfect sense, and I would agree that I might
> > as well keep my upstream ISP servers out of the loop.  It would just add an
> > extra place for something to fail.
> >
> > I do have some issues with this working in practice, however.  I stress
> > that there is no firewall in between these, just a wide open point to
> > point VPN tunnel.  Port 53 is wide open and talking correctly and there are
> > no views created except for the default "single view".
> >
> > I have recursion turned on, NO views (just the default of course).  I
> > don't have any forwarders listed at all.  And I have several local test
> > zones added for this server to be authoritative for.
> >
> > ****When I dig @localhost.com publicdomain.com from the mynsserver, I get
> > the proper answer and it is cached.
> >
> > ****When I dig @mynsserver publicdomain.com from a server on the same 172
> > subnet as mynsserver, I get the right answer and it gets cached.
> >
> > ****When I dig @mynsserver publicdomain.com from a machine on a different
> > subnet, yet still internal, and no firewall in between, I get:
> >
> > ; <<>> DiG 9.3.2 <<>> @172.16.0.60 dumb.com a
> > ; (1 server found)
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2022
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;dumb.com.                      IN      A
> >
> > ;; Query time: 17 msec
> > ;; SERVER: 172.16.0.60#53(172.16.0.60)
> > ;; WHEN: Tue Jul 15 14:30:42 2008
> > ;; MSG SIZE  rcvd: 26
> >
> >
> > ****But when I dig @mynsserver localzone-on-mynsserver, I get the correct
> > address.
> >
> What version of BIND? They recently (9.4) changed the default for
> answering queries from cache. See "allow-query-cache" in the ARM.
> 
> If you're running something older than 9.4, do you have any
> "allow-query"s in effect?
> 
> - Kevin
> 
> 
[Michael P. Varre] 


I'm currently running BIND 9.4.2-P1.  I'm not familiar with
allow-query-cache.  I don't have this directive applied in my config. By
default now with my version am I required to explicitly allow "any" hosts
lookups to be added to the cache?  If this were the case, I would imagine
that even with this directive not set, recursion=on should at least give me
an answer to publicdomain.com lookup.
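The access-control behaviour Kevin refers to, written out as an added named.conf example; it is not from this thread and not ISC's own documentation. It assumes a hypothetical internal range of 172.16.0.0/16 and a placeholder working directory of /var/named; the thread only shows the server address 172.16.0.60 and does not state the client subnets, so the ACL members are assumptions.

```conf
// Added example (not from the thread): "options" for a BIND 9.4 server that
// is a caching resolver for internal clients and also authoritative for a
// few local zones.
//
// Assumption: internal clients sit in 172.16.0.0/16 (placeholder range).
acl "internal" {
    127.0.0.1;
    172.16.0.0/16;
};

options {
    directory "/var/named";    // placeholder path

    // Weak configuration, as described in the thread: recursion is on but
    // neither allow-recursion nor allow-query-cache is set.  In BIND 9.4
    // allow-query-cache then falls back to allow-recursion, then to
    // allow-query, and finally to the built-in { localnets; localhost; }.
    // "localnets" is only the networks on the server's own interfaces, so a
    // client on the server's subnet gets cached/recursive answers while a
    // client on any other internal subnet gets REFUSED for names the server
    // is not authoritative for.  Authoritative zones still answer because
    // allow-query defaults to any.
    //
    //     recursion yes;
    //
    // Corrected configuration: name the permitted clients explicitly for
    // both recursion and cache access, rather than relying on the defaults.
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Authoritative data may be served more widely; tighten this to
    // { internal; } if the server is never meant to be queried from outside.
    allow-query { any; };
};
```

After `named-checkconf` and `rndc reload`, the same `dig @172.16.0.60 dumb.com a` from the other internal subnet should return NOERROR instead of REFUSED. The tempting fix of `allow-query-cache { any; };` (or `allow-recursion { any; };`) should be avoided on any server reachable from the Internet: it turns the box into an open resolver that can be used for reflection/amplification attacks and cache poisoning attempts against arbitrary names.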