Different handling of referrals by dig and nslookup

Mark Andrews marka at isc.org
Sun Feb 21 21:10:43 UTC 2010


In message <a5a893391002200851u131155c4h6fca226d27939d87 at mail.gmail.com>,
kalpesh varyani writes:
> Hi Doug,
> 
> Please find my response inline.
> 
> 
> On Sun, Feb 14, 2010 at 8:53 AM, Doug Barton <dougb at dougbarton.us> wrote:
> 
> > On 02/13/10 18:42, kalpesh varyani wrote:
> >
> >> Hi Rick,
> >>
> >> I am aware that it is somewhat odd (but not incorrect, am I right?)
> >> to put a non-recursive name server in the resolv.conf
> >>
> >
> > There are certain very specific circumstances where you might want to do
> > this, but in general I can't see any reason to do this, and would not
> > recommend it.
> 
> 
> 
>  but I am not able
> >> to understand the behavioral difference of ping/dig and nslookup.
> >>
> >
> > What is it that you want to understand? You seem quite focused on figuring
> > out why they are behaving differently, is there some reason why you need to
> > put a non-resolving name server in resolv.conf?
> >
> >
> 
> I guess, I am in one of those specific circumstances.
> The reason I prefer to have non-resolving name server in resolv.conf is as
> follows:
> 
> Name server A (the first name server with "recursion no;") was not present
> earlier, and has been newly configured as a name server. Name server B,
> which was previously handling all the name resolution part has "recursion
> yes;"
> 
> Also, I would like my 3rd linux system (from where I try resolving names) to
> send queries to its root servers, only in case my first name server fails to
> resolve the name and sends back a referral. This would ensure that my 3rd
> linux system does not send queries to its name server, which could have been
> handled by the name server B (that was specified in resolv.conf). This would
> ensure that the root name server's network won't have unnecessary DNS
> traffic.
> 
> 
> 
> >  But logically shouldn't it be moving to the next name server when the
> >> first one fails even in the case of ping and dig. This is what, I think,
> >> one would expect from a resolver.
> >>
> >
> > dig is a DNS diagnostic tool. You asked for an answer, you got an answer.
> > The fact that it didn't move on is not a mystery. nslookup is designed to
> > get its answers from the system resolver, so the real question is, why did
> > ping and nslookup behave differently? But that's really a question for your
> > linux distro.
> >
> 
> My basic concern is that, if my 3rd linux system can resolve a name using
> any of the name servers specified in the resolv.conf, then it effectively
> means that the remote system (for which name resolution was done) is
> reachable from my linux system. And if that is the case, then a ping to
> that system should not fail in the name resolution part.
> 
> 
> 
> Regards,
> Kalpesh

ALL the nameservers listed in resolv.conf need to be able to answer ALL of
the questions put to them.  Multiple nameservers in resolv.conf are for
redundancy.  In practice, to achieve this, the servers listed in resolv.conf
need to be recursive.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
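
An added example, not part of the original message or of BIND: a Python check that lists the nameservers in a resolv.conf and classifies a reply header as a referral or an answer, reporting the RA (recursion available) flag that distinguishes server A from server B in this thread. The addresses, the sample resolv.conf, the two reply headers and all function names are constructed for illustration.

```python
import socket
import struct

# Constructed resolv.conf; addresses are from the documentation range.
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.1   # server A: "recursion no;"
nameserver 192.0.2.2   # server B: "recursion yes;"
options timeout:2
"""
# Constructed 12-byte reply headers: id, flags, QD, AN, NS, AR counts.
REFERRAL_FROM_A = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0)  # RA=0
ANSWER_FROM_B = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # RA=1

def nameservers(resolv_conf_text):
    """Return nameserver addresses in the order the stub resolver tries them."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def build_query(name, qid=0x1234, qtype=1):
    """Build an A query with RD=1, which is what a stub resolver sends."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify(response):
    """Classify a DNS reply from its header: referral, answer or other."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    if rcode == 0 and an == 0 and ns > 0 and not aa:
        kind = "referral"   # NOERROR, no answer, delegation in authority section
    elif rcode == 0 and an > 0:
        kind = "answer"
    else:
        kind = "other"
    return {"kind": kind, "recursion_available": bool(flags & 0x0080)}

def probe(server, name, timeout=2.0):
    """Send one UDP query to a server (needs network access) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(4096)[0])
```

Running probe() against each address returned by nameservers() shows which entries reply with recursion_available set to False; a stub resolver treats such a referral as a completed reply and does not try the next server.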



More information about the bind-users mailing list