Solved

BIND DNS showing Root hints on nslookup

Posted on 2010-01-05
963 Views
Last Modified: 2012-05-08
Hi,
I have an issue on a DNS server I am setting up using Bind where when I run an nslookup it keeps displaying the root hints first rather than just the query for the particular record. I also find that using DIG I can query the whole zone file which I do not want to be allowed. I have this setup correctly on another server however I can't see the difference in settings.

Thanks.
Question by:talkster5
21 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26183438

nslookup, at least the MS variant, likes to perform a self-test first. It resolves the IP Address used into the name via the PTR record, and the host name to the IP via the Host (A) record.

If one of those is not present locally, and if recursion is not permitted, it is possible that it may end up with root hints as a "best" possible answer.

Is it MS NsLookup? And is it returning the answer correctly after displaying root hints?

For dig, you mean you can transfer the zone? You should be able to replicate that with NsLookup as well using:

nslookup
ls -d domain.com

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26191926
So if I create a PTR record and an A record for the DNS servers it should stop the hints from showing?

Yes it is MS nslookup and does display the correct answer after the root hints.

With the zone dump I meant that I do not want it to be possible to dump the whole zone file as with our other DNS servers where it is not possible.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 26192527

Yeah, that should stop it attempting recursive name resolution for the server's own name / IP.

For the zone dump to be possible Zone Transfers must be allowed. It's normally something you'd have to turn on for a dump like that to work in the first place. Any options to enable it in named.conf at the moment?

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26193483
Ok thanks, I will try that tomorrow.

Sorry if I haven't been clear. I want to turn it off, not on. I have set zone transfers to only be allowed from the other DNS servers already, yet I can still pull the whole zone.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26194608

Any chance you can share the snippet from named.conf for transfer permissions?

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26194626
Hi Chris,
I will post it tomorrow for you once I am back in the office.
0
 
LVL 3

Author Comment

by:talkster5
ID: 26198074
Hi Chris,
Here are my options:

options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";
        allow-transfer {
                172.31.1.191;
                172.31.1.192;
                172.25.1.6;
                };
        notify yes;
        allow-recursion {
                172.31.1.191;
                172.31.1.192;
                172.25.1.6;
                };
        };
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26198080

The machine you're getting the list from is, presumably, none of the above?

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26198085
Correct.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26198111

No options on the zone level to override or make zone transfers more accessible?

And just to make sure I'm not on totally the wrong track. You're running one of these:

nslookup
ls -d domain.com
Or
dig domain.com axfr

Just to make sure you understand :)

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26198143
The only options in the zone level are:

        also-notify {
                172.31.1.192;
                172.31.1.191;
                172.25.1.6;
                };
        notify yes;

When I am doing dig I am running:

dig domain.com ANY
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26198202

Ahh okay, that query isn't anything special. I'm not aware of a way to prevent responses to specific queries (which doesn't mean much).

The query isn't doing anything wrong, nor is it doing anything that requires elevated rights on the zone. It will only display records bound to "domain.com", nothing else.

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26198218
There is definitely a way to restrict it though, as when I do it with pretty much any other DNS server it only lists the main A record for the domain and the name servers. This is the way I have always been informed to set them up, to prevent someone pulling every DNS record unless they know what they are looking for, in which case they are specifying the record.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26198254

Do you have access to the configuration on the other servers? Any difference between these?

Normal behaviour is for the DNS server to respond fully to that particular query, so whatever was done to secure the other DNS servers will have to be repeated here.

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26198316
Yeah I have compared them and can't see any difference. The other ones were created automatically by cPanel however so there may be something else somewhere. I am pretty sure this is fairly standard however. For example if you do dig bbc.co.uk ANY or dig google.co.uk ANY you will only see a couple of records rather than their whole zone file. This is the same with all of our cPanel servers as well.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26198327

I won't deny it must be possible. I just don't know how to do it, which isn't all that helpful.

Chris
0
 
LVL 3

Author Comment

by:talkster5
ID: 26198333
Ok thank you for your help so far. I have added the PTR and A records as well so once they go through I will see if that fixes that part of the problem.
0
 
LVL 3

Author Comment

by:talkster5
ID: 26210143
Hi,
The PTR record has propagated, however I am still getting the root hints come up. Is there anything else that may cause this?

I have noticed when I do an nslookup it also comes up as Unknown.
0
 
LVL 3

Author Comment

by:talkster5
ID: 26210365
Although I had added PTR records at the ISP I have now added them at the DNS server and the root hints are now gone. Just the problem with the whole zone being reachable now.
0
 
LVL 27

Expert Comment

by:shauncroucher
ID: 26337683
If you run ls -d domain.com does it refuse or provide you with the zone info?

shaun
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26339079

According to the above the problem is the output from:

nslookup -q=any domain.com

Which is rather more difficult to solve because it's supposed to reply to that one in full. If I manage to figure out how to limit the response to that query on my own server I'll post it.

Chris
0
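The thread turns on the difference between the two things talkster5 is testing: an AXFR (what `nslookup`'s `ls -d domain.com` or `dig domain.com axfr` performs), which is governed by the allow-transfer list posted above, and a plain `ANY` query, which as Chris Dent says is an ordinary lookup that returns every record at exactly one name and is not gated by allow-transfer at all. The script below is an added illustration written for this page, not code from the thread or from BIND. It parses the posted options block with BIND's address-match-list semantics (first match wins, `!` negates, no match denies, a missing allow-transfer means "anyone" in BIND's default), and runs both query types against a constructed toy zone for domain.com; the zone contents, the outsider address 203.0.113.5 and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the allow-transfer / allow-recursion statements as posted
# in the thread, reproduced here so the example runs offline.
NAMED_CONF = """
options {
        directory "/etc";
        allow-transfer { 172.31.1.191; 172.31.1.192; 172.25.1.6; };
        notify yes;
        allow-recursion { 172.31.1.191; 172.31.1.192; 172.25.1.6; };
};
"""

# Constructed toy zone for domain.com (assumption; the thread shows no zone data).
ZONE = [
    ("domain.com.",      "SOA", "ns1.domain.com. hostmaster.domain.com. 2010010501 3600 900 604800 86400"),
    ("domain.com.",      "NS",  "ns1.domain.com."),
    ("domain.com.",      "NS",  "ns2.domain.com."),
    ("domain.com.",      "A",   "192.0.2.10"),
    ("domain.com.",      "MX",  "10 mail.domain.com."),
    ("www.domain.com.",  "A",   "192.0.2.10"),
    ("mail.domain.com.", "A",   "192.0.2.25"),
    ("ns1.domain.com.",  "A",   "172.31.1.191"),
]


def parse_acl(conf, name):
    """Return the address-match list for statement `name` (e.g. "allow-transfer")
    as a list of (negated, token) pairs, or None if the statement is absent.
    Handles flat lists of IPs, CIDR prefixes, 'any', 'none' and '!' negation."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", conf)
    if not m:
        return None
    entries = []
    for tok in m.group(1).split(";"):
        tok = tok.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        entries.append((negated, tok[1:].strip() if negated else tok))
    return entries


def acl_permits(entries, client_ip):
    """BIND address-match-list evaluation: the first matching element decides
    (a '!' element denies), and a client matching nothing is denied.
    A missing allow-transfer (entries is None) is BIND's default of allowing anyone."""
    if entries is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    for negated, tok in entries:
        if tok == "any":
            matched = True
        elif tok == "none":
            matched = False          # 'none' matches no host at all
        else:
            matched = ip in ipaddress.ip_network(tok, strict=False)
        if matched:
            return not negated
    return False


def answer_any(zone, qname):
    """An ANY query is a normal query: it returns every record owned by exactly
    qname and nothing under other names. allow-transfer plays no part here."""
    return [r for r in zone if r[0] == qname]


def answer_axfr(zone, allow_transfer, client_ip):
    """AXFR (nslookup 'ls -d', dig 'axfr') hands over the entire zone, but only
    when allow-transfer permits the client; otherwise the server answers REFUSED."""
    if not acl_permits(allow_transfer, client_ip):
        return None                  # REFUSED
    return list(zone)


if __name__ == "__main__":
    acl = parse_acl(NAMED_CONF, "allow-transfer")
    for client in ("172.31.1.191", "203.0.113.5"):  # a listed secondary, an outsider
        axfr = answer_axfr(ZONE, acl, client)
        print(f"{client}: AXFR -> {'REFUSED' if axfr is None else f'{len(axfr)} records'}; "
              f"ANY domain.com -> {len(answer_any(ZONE, 'domain.com.'))} records")
```

Run against the posted configuration, the listed secondary gets the full zone over AXFR while the outsider is refused, yet both receive the same five apex records for `ANY domain.com`; that is exactly the state talkster5 describes, and it is the expected behaviour rather than a misconfiguration. To confirm the real server, run the transfer test from a host that is not in the allow-transfer list (`dig @server domain.com axfr` should report a transfer failure) and then compare it with `dig @server domain.com ANY`, which will still list everything at the apex. As a note outside this thread's timeframe: BIND 9.11 and later added the `minimal-any` option, which trims ANY responses to a single RRset, and is the standard way to blunt the "dump the apex" behaviour the asker was seeing.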
