BIND caching nameserver - how to discard recieved ADDITONAL SECTION fr 1

[bmihevc]

Hi all,

On internal caching nameserver I have forward zones for internal domains, type forward, forward only.
In case when DNS query is not having particular record in forward list it goes on the internet and get some answers from there. The problem is that same domains are internal and external and can happen that external IP addresses will be in cache of caching nameserver and that is not ok. Tests proved that this is happening because some other nameservers when give us an answer also deliver public IP which is in additional section, and caching server goes to this IP addresses, and not to internal ones that it has in forward list.

Is there any bind option or way of implementation to discard any receieved additional of given answer from outside?

Best regards.
G.

 

[Noway2]

The problem is that same domains are internal and external

Exactly. This is a problem. Don't use the same fully qualified domain name for two distinct domains. One possible exception is a multi homed router that is resolvable on multiple domains.

 

[bmihevc]

Yes, but I have no influence on that setup, just on caching server....don't ask.

Any feature on Linux/BIND configuration to "hardcode" IP addresses and names of just a few servers (i know that hosts file wont't work) except creating zones on caching server which I want to avoid?

 

[Noway2]

The only two methods that I know of to hard code an address are the hosts file and the zone. With respect to your earlier question of can you clear the cached information, restarting Bind will do that. Perhaps you could set up a CRON job to do so periodically.

Is there a reason you don't want to create a zone? It isn't very difficult and this would let you set the IP for desired hosts. If you are also running DHCP (at least on the same server) the linkage between the two is almost trivial and this will allow dynamic updates.

 

[bmihevc]

As far as I know file /etc/hosts is not important any more if bind is started. Reason why I don't want to create zone is that I have caching only configuration on my DNS, but I will have to do that. I have no choice, so it will bi mixed purpose ns.

Thanks for answers.

 

[Noway2]

During a lookup, the client will first go to the local host file, located at that client. If it does not find a proper match, it will then search any DNS specified in resolv.conf (linux) or whatever is specified in the network configuration (Windows). The key is that the host file is local to each client, it is not on the server. This is one of the key problems with host files that makes them unworkable as a large scale solution.

For your purposes, though, they may be applicable. At work, one of the IT departments changed something in a master DNS and one of our severs no longer resolved properly. As a work around, we overrode the DNS using the local hosts file on each machine that access that server, pointing it to the correct address.

 

[bmihevc]

Yes, thats for sure. But I'm not sure if I'm following you.... I just said that any enteries in /etc/hosts on DNS caching server will not have affect on it because of bind which is in function on it.

 

[Noway2]

Yes, putting entries in the host table of the DNS server will have no effect. You can put entries into the host file on EACH of the clients that are resolving the wrong IP. This will cause them to always resolve to the entry in the hosts file rather than query the DNS for those entries. It is a bit of repeat work, but it would eliminate your name resolution problem.