BIND | Cname chain resolution using forward ( CNAME&A returned but no use A) (#3995)

Petr Menšík pemensik at redhat.com
Tue Apr 4 10:05:04 UTC 2023


That is because the forwarder is supposed to handle only the zone 
"bd.baidubce.com.", but the address response is from the bd.bcebos.com zone. 
Therefore it queries the contents of that according to global forwarders or 
iteratively. BIND9 attempts to deliver the most authoritative answer it 
can, so it ignores hints from a server not authoritative for it. I do not 
know a way to disable such behavior. DNS caches such as dnsmasq would 
forward the reply as it is, but BIND uses zones with authoritative 
servers preferred. It does so to prevent unrelated servers pushing 
invalid answers into your cache.

A workaround might be to also forward the bd.bcebos.com. zone to the same 
server. Can you share why it should return different addresses than the 
authoritative servers offer?

I think if you need to override some addresses, RPZ might help you. At 
least you would have a list of rules where the answer is modified. I 
think most proper servers do it this way without the ability to change the 
behavior.

Just my 2 cents.

Regards,
Petr

On 04. 04. 23 8:08, Yang via bind-users wrote:
>
> Hi BIND admin,
>
>  When I use bind-9.11 for my interdns, the device IP is 10.1.1.1,
>
> I configure
>
> zone "bd.baidubce.com."
>
>  in { type forward ; forward only; forwarders { 10.10.10.10; }; };
>
>
> 1. When I dig @10.1.1.1 x.bd.bcebos.com.
>
> 2. 10.10.10.10 returns the records "CNAME bd.bcebos.com., A 100.67.96.26, A 
> 100.67.96.27" to device 10.1.1.1
>
> 3. But device 10.1.1.1 does not return A 100.67.96.26, A 100.67.96.27 to me
>
> 4. Device 10.1.1.1 goes on to query bd.bcebos.com. recursively itself, and gets 
> another record, 110.242.70.8
>
> I have a question:
>
> 1. Why, when the config is forward only and BIND gets the CNAME & A, does BIND 
> not return the A to me, and query the CNAME again itself?
>
>  thanks
>
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
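
A simplified model of the behaviour described in the reply above, added here as an example; it is not part of the original message and not BIND's code. It shows which records of the forwarder's reply fall inside the forwarded zones and which CNAME target is left to be resolved separately, with and without the suggested workaround. The query name x.bd.baidubce.com. and the function names are assumptions.

```python
# Simplified model (assumption, not BIND's code) of trusting a forwarder's
# reply only for names inside the zones that are forwarded to it.

def labels(name):
    """Lower-cased DNS labels of a name; the root "." gives []."""
    return [l for l in name.lower().split(".") if l]

def in_zone(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return n[len(n) - len(z):] == z if len(n) >= len(z) else False

def split_reply(qname, answers, forward_zones):
    """Walk the CNAME chain in `answers` starting at qname.

    Returns (accepted, requery): the records taken from the forwarder, and
    the first chain name outside every forward zone (None if there is none).
    """
    accepted, seen, name = [], set(), qname.lower()
    while name not in seen:          # stop on CNAME loops
        seen.add(name)
        if not any(in_zone(name, z) for z in forward_zones):
            return accepted, name    # resolve this name some other way
        rrs = [r for r in answers if r[0].lower() == name]
        accepted += rrs
        target = next((r[2] for r in rrs if r[1] == "CNAME"), None)
        if target is None:
            return accepted, None
        name = target.lower()
    return accepted, None

# Constructed reply, using the records quoted in the post.
REPLY = [
    ("x.bd.baidubce.com.", "CNAME", "bd.bcebos.com."),
    ("bd.bcebos.com.", "A", "100.67.96.26"),
    ("bd.bcebos.com.", "A", "100.67.96.27"),
]

if __name__ == "__main__":
    for zones in (["bd.baidubce.com."], ["bd.baidubce.com.", "bd.bcebos.com."]):
        print(zones, split_reply("x.bd.baidubce.com.", REPLY, zones))
```

With only the original forward zone the A records are dropped and bd.bcebos.com. is left to be resolved another way; with both zones forwarded, the whole chain is accepted from the forwarder.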