
dns messages: non-recursive forwarder


ponetguy2

MIS
Aug 28, 2002

Note: Fake IPs are specified below for security purposes :|

options {
directory "/var/named";
allow-recursion { acl-recursion; };
allow-transfer { acl-transfer; };
blackhole { acl-blackhole; };

listen-on {
127.0.0.1;
10.10.10.10;
};

// ISP resolvers that external queries are sent to first
forwarders {
11.11.11.11;
22.22.22.22;
33.33.33.33;
44.44.44.44;
};

// try the forwarders, fall back to normal recursion if they fail
forward first;
recursion yes;
};



Jul 5 13:46:03 hostname named[475]: [ID 295310 daemon.warning] non-recursive forwarder: [11.11.11.11].53
Jul 5 13:46:03 hostname named[475]: [ID 295310 daemon.warning] non-recursive forwarder: [22.22.22.22].53
Jul 5 13:46:03 hostname named[475]: [ID 295310 daemon.warning] non-recursive forwarder: [33.33.33.33].53
Jul 5 13:46:03 hostname named[475]: [ID 295310 daemon.warning] non-recursive forwarder: [44.44.44.44].53

I'm getting the messages above over and over again on my external DNS server. As you can see, the
four IPs in the messages file are pointing to our ISP's DNS servers to forward external queries.

Why am I getting these messages? If my ISP's DNS servers are not forwarding, our users will be complaining that they
can't surf the web :)

If my ISP's DNS servers are not forwarding our queries, how are the
queries from our network able to resolve external names? Can I assume that our external DNS server
is the primary name resolver of external queries if our forwarders are failing?

Any ideas?

"Not all operating systems suck, it's just that some operating systems suck worst than others"


 
These four DNS servers do not allow recursion for your nameserver, hence they will do you no good as forwarders, unless you are explicitly forwarding for a zone they are authoritative for.

So you can make your DNS server a caching-only server and send all your queries to the 13 root DNS servers.

If you have your own domain name, you can set the forwarders IP to its parent, the server that manages your domain name. Certainly, it must be a name server; you know, the one you give money to, maybe every year.

Hope this can help you

parazhang
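The reply above says the forwarders "do not allow recursion for your nameserver". What named actually checks is whether a forwarder's answer carries the RA (recursion available) flag; when it does not, it logs the "non-recursive forwarder" warning seen in the question. The following added example (not code from this thread or from BIND) builds a minimal RD=1 query the way a forwarding resolver would, and reads the RA bit out of the reply header; the reply headers at the bottom are constructed samples so the check can be exercised offline, while probe_forwarder is the network version.

```python
import socket
import struct
import secrets
from typing import Optional

def build_query(qname: str, qtype: int = 1, txn_id: Optional[int] = None) -> bytes:
    """Minimal DNS query with RD=1 (recursion desired), as a forwarding resolver sends it."""
    if txn_id is None:
        txn_id = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # 0x0100: RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def forwarder_is_recursive(reply: bytes, txn_id: int) -> bool:
    """True if the reply header has RA=1 (bit 0x0080). A forwarder whose replies
    lack RA is what named reports as a 'non-recursive forwarder'."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txn_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    return bool(flags & 0x0080)

def probe_forwarder(ip: str, qname: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one RD=1 query to ip:53 over UDP and report whether it offers recursion
    to this source address. This touches the network; the samples below do not."""
    txn_id = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txn_id=txn_id), (ip, 53))
        reply, _ = s.recvfrom(4096)
    return forwarder_is_recursive(reply, txn_id)

# Constructed sample reply headers (12 bytes is enough for the flag check):
# 0x8180 = QR=1, RD=1, RA=1; 0x8100 = QR=1, RD=1, RA=0 (the "non-recursive" case).
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
NON_RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)
```

Running probe_forwarder against each address in the forwarders block from the nameserver itself tells you whether the ISP has opened recursion to your source address, which is the condition the warning is reporting.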
 
Forgive me DNS gurus, but I have a few more questions:

If the forwarder servers I specified do not allow recursion, how are the queries being answered?



 
I did a dig and found that my DNS server is going to root to resolve the queries.
It seems that my DNS server is resolving all the queries (internal and external).
In other words, the forwarder servers I specified are not forwarding as the messages in question indicates.
This is a problem, right? Security and load problem?

Please tell me if I'm wrong or right.

# dig +norec +noH +noques +nostats +nocmd anydomain.com
;; res options: init defnam dnsrch
;; got answer:
; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; AUTHORITY SECTION:
com. 18h51m48s IN NS A.GTLD-SERVERS.NET.
com. 18h51m48s IN NS G.GTLD-SERVERS.NET.
com. 18h51m48s IN NS H.GTLD-SERVERS.NET.
com. 18h51m48s IN NS C.GTLD-SERVERS.NET.
com. 18h51m48s IN NS I.GTLD-SERVERS.NET.
com. 18h51m48s IN NS B.GTLD-SERVERS.NET.
com. 18h51m48s IN NS D.GTLD-SERVERS.NET.
com. 18h51m48s IN NS L.GTLD-SERVERS.NET.
com. 18h51m48s IN NS F.GTLD-SERVERS.NET.
com. 18h51m48s IN NS J.GTLD-SERVERS.NET.
com. 18h51m48s IN NS K.GTLD-SERVERS.NET.
com. 18h51m48s IN NS E.GTLD-SERVERS.NET.
com. 18h51m48s IN NS M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 1d1h57m25s IN AAAA 2001:503:a83e::2:30
A.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.5.6.30
G.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.42.93.30
H.GTLD-SERVERS.NET. 1d39m3s IN A 192.54.112.30
C.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.26.92.30
I.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.43.172.30
B.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.33.14.30
B.GTLD-SERVERS.NET. 1d1h57m25s IN AAAA 2001:503:231d::2:30
D.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.31.80.30
L.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.41.162.30
F.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.35.51.30
J.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.48.79.30
K.GTLD-SERVERS.NET. 1d1h57m25s IN A 192.52.178.30




 
If your DNS server uses forwarders and it cannot resolve the query locally or using forwarders, the server attempts to resolve the query using standard recursion. It can also be configured not to perform recursion after the forwarders fail. The server does not try any further queries to resolve. This is a forward-only server. If all forwarders in the query don't respond to a forward-only DNS server, the DNS server will not attempt recursion.

Try this global forwarding and see if it works:
Code:
options {
	directory "/var/named";
	version "not currently available";
	forwarders {11.11.11.11; 22.22.22.22;};
	forward only;
};

This is per domain:
Code:
zone "example.com" IN {
	type forward;
	forwarders {11.11.11.11; 22.22.22.22;};
};
 
Thank you for the response from everyone.

This is our external DNS server and I have forwarding pointed to our Telco provider. I think I need to contact them to get access to a forwarding DNS server. I'm not sure if this is normal procedure :(

I know I'm being stupid, but can I assume that my external DNS is resolving queries via db.cache?

I really need to start reading my DNS & Bind book from oreilly. Sorry. :(



 
I would guess what you want is that if your internal users cannot access the website locally (cached) then it would be forwarded.

I don't understand if that is an external DNS server why you would forward to another external DNS server. Your external DNS server should resolve outside.
 