Hell breaks loose in the afternoon with format error from X.X.X.X#53 resolving ./NS: non-improving referral
Reindl Harald
h.reindl at thelounge.net
Fri May 6 07:45:03 UTC 2022
On 06.05.22 at 08:19, Bjørn Mork wrote:
> Mark Andrews <marka at isc.org> writes:
>
>> It’s a long known issue with so called “Transparent” DNS
>> proxies/accelerators/firewalls. Iterative resolvers expect to talk to
>> authoritative servers. They ask questions differently to the way they
>> do when they talk to a recursive server. Answers from different
>> levels of the DNS hierarchy for the same question are different. If
>> you just cache and return the previous answer you break iterative
>> lookups. The answers from recursive servers are different to those
>> from authoritative servers.
>>
>> You get the same sort of problem in many hotels if you have an
>> iterative resolver on your portable devices. Switching named to use a
>> public recursive server that supports DNSSEC in forward only mode
>> helps sometimes. It really depends on what the middleware is doing.
>
> How about configuring forwarder(s) if you have to operate a resolver in
> such an environment? Hoping that the answer from the intercepting
> server isn't too different from what you'd expect from a forwarder.
The problem is that this middleware crap operates on the protocol level.

In the past our CISCO ISP router with "DNS ALG" even rewrote zone
transfers and invented a zero TTL for each and every CNAME it saw,
which means our secondary nameserver had completely different zone files
than the master.

You don't expect that, and watching a zone transfer on both ends with
Wireshark solved that riddle.

So from the moment some device thinks it's smart about DNS, you are lost.
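The distinction Mark draws above (an iterative resolver querying with RD=0 expects a referral from an authoritative server, and a cached recursive-style answer or a referral that does not get closer to the name breaks the lookup, which is exactly the "non-improving referral" in the subject line) as an added example that is not part of the thread: a minimal DNS wire-format encoder/decoder that classifies constructed responses the way a resolver has to. All messages are constructed inline; nothing is sent to a real server.

```python
import struct
# Constructed helpers: a minimal DNS wire-format encoder/decoder, no external libraries.
def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(flags, qname, answer=(), authority=()):
    """Constructed response: header, one NS question, then (owner, type, rdata) records."""
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack(">HH", 2, 1)           # QTYPE=NS, QCLASS=IN
    for owner, rtype, rdata in list(answer) + list(authority):
        msg += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a (possibly compressed) name; returns (dotted name ending in '.', next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                       # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail = read_name(msg, ptr)[0]
            return "".join(l + "." for l in labels) + (tail if tail != "." else ""), off + 2
        off += 1
        if n == 0:
            return "".join(l + "." for l in labels) or ".", off
        labels.append(msg[off:off + n].decode()); off += n

QR, AA, RA, NS, A = 0x8000, 0x0400, 0x0080, 2, 1

def classify_response(msg, current_zone):
    """Judge a response to an RD=0 query the way an iterative resolver has to."""
    _, flags, _, an, ns, _ = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12); off += 4                     # skip QTYPE/QCLASS
    records = []
    for _ in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10 + rdlen
        records.append((owner, rtype))
    answer, authority = records[:an], records[an:]
    if answer:
        # Authoritative: AA set, RA clear. A middlebox's cached recursive answer carries RA instead.
        return "authoritative answer" if flags & AA and not flags & RA else "recursive-style answer"
    depth = lambda z: 0 if z == "." else z.count(".")
    zones = {owner for owner, rtype in authority if rtype == NS}
    if not zones:
        return "empty answer"
    # A referral only helps if every delegated zone is a suffix of QNAME and deeper than where we are.
    if all((qname == z or qname.endswith("." + z)) and depth(z) > depth(current_zone) for z in zones):
        return "referral"
    return "non-improving referral"
```

Asking the root for ./NS and getting back NS records for "." in the AUTHORITY section instead of an authoritative answer is classified as "non-improving referral", the condition named logs in the subject line.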