Solved

can someone explain why my dns records might be 'non-authoritative'

Posted on 2006-11-19
Last Modified: 2012-06-21
hi - mostly an academic question really, as everything "works"...

I've set myself up a dns server, master and slave.
This dns server is intended to be SOA for a number of domains.
For all practical purposes it works
BUT
when I use nslookup or even watching syslog on the slave as it receives 'notifies' from the master, there's always a '(non-authoritative)' mentioned.

I'm wondering WTF does that mean and what can I do about it?!?

thanks

Question by:valhallatech
16 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17976820
--> I've set myself up a dns server, master and slave.

This confuses me.  Did you set up two DNS servers?  If you have one, what is it a slave to?

"Non-authoritative" means that something thinks it received an answer from a DNS server that is not authoritative, that is not a primary or a secondary, for the domain in which the host resides.

I would have to know more about your setup.  However this is not necessarily a "bad" thing.
0
 
LVL 26

Expert Comment

by:jar3817
ID: 17976863
It simply means the server you are asking the question of is neither master nor slave for that domain...but rather got the answer through a recursive lookup.

In other words... you have a domain.com...and set up ns1 and ns2.domain.com as the dns servers for it. At home if you do an nslookup and your computer asks your ISP's nameservers what www.domain.com is...your ISP's nameservers will then ask ns1.domain.com for the answer and then send that same answer to you.

You can ask ns1.domain.com specifically using nslookup like this:

nslookup -v www.domain.com ns1.domain.com

That should return an authoritative answer. Also note that a non-authoritative answer will probably be cached.
0
 
LVL 2

Author Comment

by:valhallatech
ID: 17976884
hey giltjr
I've set up 2: one master on the same box as the domains it answers for and one slave on a linode, so that it has geographic separation - so how does the domain become 'known' as authoritative, i.e. primary or secondary? I would have assumed that the delegation would have done that?
0
 
LVL 2

Author Comment

by:valhallatech
ID: 17976891
hey jar3817

that's my dilemma, that IS when I get the non-authoritative response, which is why I'm confused. In fact even the log of the secondary when it gets notifications reports that the result is non-authoritative

0
 
LVL 26

Expert Comment

by:jar3817
ID: 17979022
post some logs, your zone files, and output of nslookup.

are there NS records for the correct nameservers in your zone file?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17979082
The SOA record should point to the box that is the primary.  You should have NS records for the primary and the secondary.

The box that you are running the nslookup from should point to either the primary and/or the secondary as the DNS servers you have set up as the authoritative servers for your domain.

--> one master on the same box as the domains it answers for ...

Based on this I am assuming this is a Windows environment.

--> ... and one slave on a linode

What is a "linode"?
0
 
LVL 2

Author Comment

by:valhallatech
ID: 17983035
hey guys....
ok will post actual info bit later in day.

No, master=debian box (216.133.67.151) and secondary = debian 69.56.173.95, client at home is ubuntu

sorry - linode is a virtual hosting service

0
 
LVL 57

Expert Comment

by:giltjr
ID: 17983222
O.K.  For you to see an authoritative answer, whatever computer you are doing the nslookups from must have either 216.133.67.151 or 69.56.173.95 coded as their DNS server or you must switch to point to one of these boxes to do the query against.

For a linux box, this would be in /etc/resolv.conf.  

If you are doing nslookup, then the best bet is to:

nslookup
lserver x.x.x.x (where x.x.x.x is one of the above IP addresses)
hostname.domain.com

0
 
LVL 2

Author Comment

by:valhallatech
ID: 17983452
so that's it! bingo! is that all it means - ok so now, when I do any of the above methods using primary I get authoritative answers, but not for secondary - then the answers are non-authoritative - does that indicate a configuration issue at secondary, or on the client?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17984403
Do you have a NS record in your zone for the secondary?  If not, it may not answer as "authoritative".  In fact I am not 100% sure that a secondary will answer as authoritative at all.  It really is not "THE" authoritative server for the zone.

If the primary is down long enough, it (the secondary) will stop responding to any queries as the zone will expire.
0
 
LVL 2

Author Comment

by:valhallatech
ID: 17984438
>>Do you have a NS record in your zone for the secondary?
yes

>>In fact I am not 100% sure that a secondary will answer as authoritative at all.  It really is not "THE" authoritative server for the zone.
sounds good - but just tried it with my isp primary and secondary - they both answer authoritatively for tpg.com.au
(name servers are 203.12.160.35 and 203.12.160.36)
0
 
LVL 26

Assisted Solution

by:jar3817
jar3817 earned 200 total points
ID: 17984777
All servers (including slaves and stealth servers) that have the zone defined in named.conf and answer queries for that zone are authoritative. If there is no NS record for that server, the resolver will probably think it's non-authoritative. Make sure your NS record is correct.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17984815
I run a DNS server in my house for my home network.  I just set up a second DNS server and set it up as a slave for my home domain and it responded as an authoritative server. I did NOT have an NS record for my second DNS server.  So it knew it was authoritative for the zone without the NS record.

I then deleted the slave zone and just set it up as a forwarder and it responded as non-authoritative, which I would expect.

Which version/release of BIND are you running?
0
 
LVL 2

Author Comment

by:valhallatech
ID: 17984867
bind 9.3.2 on master and 9.24 on slave

in the slave I have 'forward first'   and 2 forwards set up - is that relevant?

also I have auth-nxdomain=no in the primary and yes in slave - this relevant?

thanks

0
 
LVL 57

Accepted Solution

by:
giltjr earned 300 total points
ID: 17984962
Yes, forward first matters.  Forward first means it will forward the request before it attempts to resolve it itself.

In other words, when your secondary/slave receives a request for "yourdomain" it will forward it to the primary first, if the primary responds, then the secondary/slave will relay the response, but it will say "non-authoritative" as in this situation it (the secondary) did not resolve the name.

If you remove forward first, then your secondary should no longer respond with non-authoritative.

If the primary does not respond, then it (the secondary) will attempt to resolve it from the copy of the zones it has.  In this case it (the secondary) will act as an authoritative server as it did resolve the request.

auth-nxdomain deals with how a name server answers for a NXDOMAIN response.  BIND V8 defaulted to YES and BIND V9 defaults to NO.
0
 
LVL 2

Author Comment

by:valhallatech
ID: 17985055
ok - I've fixed problem - in fact several:
 - forward first = BAD - at least in this use case
 - also found several issues in the various zone definitions, but didn't see them fail in log file

thanks for your inputs guys
glenn
0
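
What nslookup reports as authoritative or non-authoritative in this thread is the AA bit in the DNS response header. The following is an added example, not code from any poster: it builds a non-recursive query, decodes the header flags, and includes a hypothetical `ask()` helper for querying a name server by IP; the sample reply headers are constructed.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1, txid=None, recursion_desired=False):
    """Build a minimal DNS query. RD is cleared by default so the server
    must answer from zone data it holds rather than recursing or forwarding."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),          # QR
        "authoritative": bool(flags & 0x0400),        # AA
        "recursion_available": bool(flags & 0x0080),  # RA
        "rcode": flags & 0x000F,
        "answers": an,
    }

def ask(server_ip, name, timeout=3.0):
    """Query one name server directly (by IP) and return its decoded header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        reply, peer = s.recvfrom(4096)
    hdr = parse_header(reply)
    # Reject replies that do not match the query we sent.
    if peer[0] != server_ip or hdr["id"] != int.from_bytes(query[:2], "big"):
        raise ValueError("reply does not match query")
    return hdr

# Constructed sample headers (not captured traffic).
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)     # QR+AA
RELAYED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR+RD+RA

if __name__ == "__main__":
    print("from zone data:", parse_header(AUTH_REPLY)["authoritative"])
    print("relayed/cached:", parse_header(RELAYED_REPLY)["authoritative"])
```

Running `ask()` against each listed name server in turn shows which of them sets AA for the zone, independent of what the client's configured resolver returns.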
