Solved

Forwarder statement issues

Posted on 2009-12-21
Last Modified: 2012-05-08
Hello
 
As part of a systems migration to RA Airways I am required to remove RA subdomains from our DNS (that we were formerly authoritative for) and
forward them to our Untrusted DNS which then on-forwards to the RA net DNS servers for the correct (un-NAT'd) resolution.
 
I am doing a trial domain at first.
 
I removed the secondary and primary servers from the domain profile of "tpf.uk.ra.com"
Then I pushed the secondary DNS servers then the primary server and the old (NAT) addresses ceased being resolved.
I then put the following DNS forwarder statement in the 'options' of the DNS server
 
zone "tpf.uk.ra.com" {
    type forward;
    forwarders { 10.142.20.60; 10.142.20.61; 10.141.20.60; };
};
 
Then once again pushed the DNS server
When I try to resolve the host (which will now depend upon the forwarder statement in named.conf file) it does NOT resolve...
============================================================
dho51@starasv109> nslookup bsslive.tpf.uk.ra.com
Server:         127.0.0.1
Address:        127.0.0.1#53
 
** server can't find bsslive.tpf.uk.ra.com: NXDOMAIN
 
dho51@starasv109>
=============================================================
 
However, when I force the lookup to the first address in the forwarder statement, it does work.
Any idea what might be wrong.

(See below for forced lookup with the desired resolution)
 
==================================================================
dho51@starasv109> nslookup bsslive.tpf.uk.ra.com 10.142.20.60
Server:         10.142.20.60
Address:        10.142.20.60#53
 
Non-authoritative answer:
Name:   bsslive.tpf.uk.ra.com
Address: 62.208.174.139
Name:   bsslive.tpf.uk.ra.com
Address: 62.208.174.12
 
===============================================================
 
Any ideas what might be wrong with what I am doing???
Question by:richsark
12 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 26105201
What do you mean by "pushed" the DNS server?  I am assuming that you stopped and restarted it, or at least did a kill -HUP.

I am assuming that starasv109 is the DNS server also.

If you did stop/restart/HUP'ed the DNS server and starasv109 is the DNS server, then I suggest that you run nslookup with d2 options and try and debug what it is doing.
 
LVL 1

Author Comment

by:richsark
ID: 26105515
Hi, "pushed" is updated DNS and/or stop/start named. D2 does not reveal any answers. Just want an explanation of my issue above and why the fwdr needs the domain there for it to work.
 
LVL 57

Expert Comment

by:giltjr
ID: 26108679
Have you looked at named's logs?

What you have coded is right and should forward any requests for hosts in the zone tpf.uk.ra.com to the IP addresses you have listed.
 
LVL 1

Author Comment

by:richsark
ID: 26108771
Yes, but the domain needs to exist; if it does not, the forwarders do not work. That's what I need to know. Perhaps I need an NS record instead? If yes, explain.
 
LVL 57

Expert Comment

by:giltjr
ID: 26108818
I'm getting confused as to what your issue is.

If you want to direct (forward) name resolution requests to specific name servers, you must define the zone in your DNS server as a forward zone and point it to the name servers you want to forward it to.  Which is what you have done.

If you do not do the above, then your DNS server will forward the requests to your default forwarders.

As you are not authoritative for that zone, you should not be defining NS records for it.  In fact you should not even have a zone file for that domain as all you are doing is forwarding the requests.
 
LVL 1

Author Comment

by:richsark
ID: 26108855
OK, so can you help analyze why I have this issue from my example on the first thread? And also, what is the best solution to my dilemma?
 
LVL 57

Expert Comment

by:giltjr
ID: 26108883
What OS and DNS server are you running?

Again, from what I have seen you should be able to do "nslookup bsslive.tpf.uk.ra.com" and have it work.  So the next step is to figure out what DNS server you are using, see what logging it has and start looking at its logs.

Just to make sure, you entered the "nslookup bsslive.tpf.uk.ra.com" on the DNS server, right?
 
LVL 1

Author Comment

by:richsark
ID: 26109095
My OS is Solaris and Red Hat using ISC BIND 9.3p2.
But why when I force the lookup it works?
 
LVL 57

Expert Comment

by:giltjr
ID: 26109178
Because for some reason your DNS server does not appear to be forwarding the requests.

You can go to:

http://www.netadmintools.com/art233.html

and copy and paste the logging config option into your bind.conf files.  Stop and restart your DNS server and then try the nslookup again.

Then remove the logging statements and stop and restart your DNS server again.  Now you can look at the logs to see if they shed any light on the problem.
 
LVL 1

Author Comment

by:richsark
ID: 26346591
OK, but I was looking for a person who has seen this or can explain.
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 26349215
O.K., if you enable the logging you might get your answer.  Hopefully the logs will show some type of error.

Can you post your /etc/resolv.conf and your bind.conf files?

Also, I am assuming that starasv109 is the server you are running bind on.  Is this correct?
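Before collecting the logs the accepted answer asks for, it is worth checking the placement of the zone clause itself: named accepts a zone statement only at top level (or inside a view), never inside options {}, and a forward zone without "forward only" defaults to "forward first", where named falls back to its own recursion when the forwarders fail to answer. The scanner below is an added example, not code from the thread; the helper names, and the SAMPLE config that puts the thread's zone statement inside options {}, are constructed for illustration (named-checkconf does the authoritative syntax check on a real file).

```python
import re
def _tokenize(conf):
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # drop /* */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)            # drop // and # comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
def _parse_block(tokens, pos=0):
    """Statements up to the matching '}': returns ([(words, body_or_None)], pos)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]; pos += 1
        if tok == "}":
            break
        if tok == "{":                       # nested block: parse it recursively
            body, pos = _parse_block(tokens, pos)
            stmts.append((words, body)); words = []
        elif tok == ";":                     # end of a simple statement
            if words: stmts.append((words, None))
            words = []
        else:
            words.append(tok)
    return stmts, pos
def scan_forward_zones(conf):
    """{zone: {"forwarders", "forward", "findings"}} for every 'type forward' zone."""
    out = {}
    def walk(stmts, path):
        for words, body in stmts:
            if body is None:
                continue
            if words[:1] != ["zone"]:          # options, view, logging...: descend
                walk(body, path + words[:1]); continue
            opts = {w[0]: (w[1] if len(w) > 1 else None, b) for w, b in body if w}
            if opts.get("type", (None,))[0] != "forward":
                continue
            fwd = [x[0] for x, _ in (opts.get("forwarders", (0, None))[1] or []) if x]
            mode = opts.get("forward", ("first",))[0]   # BIND default: forward first
            f = []
            if any(p != "view" for p in path):
                f.append("zone clause nested inside '%s'; named accepts it only at top level or in a view" % path[-1])
            if mode != "only":
                f.append("'forward only' not set: under 'forward first' named recurses itself when forwarders fail")
            out[words[1].strip('"')] = {"forwarders": fwd, "forward": mode, "findings": f}
    walk(_parse_block(_tokenize(conf))[0], [])
    return out
# Constructed sample (not the poster's file): the thread's zone statement placed inside
# options {}, as the question describes, next to a correctly placed forward-only zone.
SAMPLE = """options { directory "/var/named";
  zone "tpf.uk.ra.com" { type forward;
    forwarders { 10.142.20.60; 10.142.20.61; 10.141.20.60; }; }; };
zone "example.test" { type forward; forward only; forwarders { 192.0.2.53; }; };"""
```

Run scan_forward_zones(open("/etc/named.conf").read()) on the real file to list each forward zone, its forwarders and any findings; an empty findings list means the zone is placed and configured as a forward-only zone.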
 
LVL 57

Expert Comment

by:giltjr
ID: 26492594
Thanks for the points, but what was the problem?