BIND DNS showing root hints on nslookup

Hi,
I have an issue on a DNS server I am setting up using BIND: when I run an nslookup it keeps displaying the root hints first rather than just the query for the particular record. I also find that using dig I can query the whole zone file, which I do not want to be allowed. I have this set up correctly on another server; however, I can't see the difference in settings.

Thanks.
talkster5 asked:
Chris Dent (PowerShell Developer) commented:

Yeah, that should stop it attempting recursive name resolution for the server's own name / IP.

For the zone dump to be possible, zone transfers must be allowed. It's normally something you'd have to turn on for a dump like that to work in the first place. Any options to enable it in named.conf at the moment?

Chris
0
 
Chris Dent (PowerShell Developer) commented:

nslookup, at least the MS variant, likes to perform a self-test first. It resolves the IP Address used into the name via the PTR record, and the host name to the IP via the Host (A) record.

If one of those is not present locally, and if recursion is not permitted, it is possible that it may end up with root hints as a "best" possible answer.

Is it MS NsLookup? And is it returning the answer correctly after displaying root hints?

For dig, you mean you can transfer the zone? You should be able to replicate that with NsLookup as well using:

nslookup
ls -d domain.com

Chris
0
 
talkster5 (Author) commented:
So if I create a PTR record and an A record for the DNS servers it should stop the hints from showing?

Yes it is MS nslookup and does display the correct answer after the root hints.

With the zone dump I meant that I do not want it to be possible to dump the whole zone file as with our other DNS servers where it is not possible.
0
 
talkster5 (Author) commented:
Ok, thanks, I will try that tomorrow.

Sorry if I haven't been clear. I want to turn it off, not on. I have set zone transfers to only be allowed from the other DNS servers already, yet I can still pull the whole zone.
0
 
Chris Dent (PowerShell Developer) commented:

Any chance you can share the snippet from named.conf for transfer permissions?

Chris
0
 
talkster5 (Author) commented:
Hi Chris,
I will post it tomorrow for you once I am back in the office.
0
 
talkster5 (Author) commented:
Hi Chris,
Here are my options:

options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";
        // Global default: only these hosts may request AXFR/IXFR of any zone
        allow-transfer {
                172.31.1.191;
                172.31.1.192;
                172.25.1.6;
        };
        notify yes;
        // Only these hosts may ask this server to recurse on their behalf
        allow-recursion {
                172.31.1.191;
                172.31.1.192;
                172.25.1.6;
        };
};
0
 
Chris Dent (PowerShell Developer) commented:

The machine you're getting the list from is, presumably, none of the above?

Chris
0
 
talkster5 (Author) commented:
Correct.
0
 
Chris Dent (PowerShell Developer) commented:

No options on the zone level to override or make zone transfers more accessible?

And just to make sure I'm not on totally the wrong track. You're running one of these:

nslookup
ls -d domain.com
Or
dig domain.com axfr

Just to make sure you understand :)

Chris
0
 
talkster5 (Author) commented:
The only options in the zone level are:

        // Send NOTIFY to these secondaries whenever the zone changes
        also-notify {
                172.31.1.192;
                172.31.1.191;
                172.25.1.6;
        };
        notify yes;

When I am doing dig I am running:

dig domain.com ANY
0
 
Chris Dent (PowerShell Developer) commented:

Ahh okay, that query isn't anything special. I'm not aware of a way to prevent responses to specific queries (which doesn't mean much).

The query isn't doing anything wrong, nor is it doing anything that requires elevated rights on the zone. It will only display records bound to "domain.com", nothing else.

Chris
0
 
talkster5 (Author) commented:
There is definitely a way to restrict it, though, as when I do it with pretty much any other DNS server it only lists the main A record for the domain and the name servers. This is the way I have always been informed to set them up, to prevent someone pulling every DNS record unless they know what they are looking for, in which case they are specifying the record.
0
 
Chris Dent (PowerShell Developer) commented:

Do you have access to the configuration on the other servers? Any difference between these?

Normal behaviour is for the DNS server to respond fully to that particular query, so whatever was done to secure the other DNS servers will have to be repeated here.

Chris
0
 
talkster5 (Author) commented:
Yeah, I have compared them and can't see any difference. The other ones were created automatically by cPanel, however, so there may be something else somewhere. I am pretty sure this is fairly standard, however. For example, if you do dig bbc.co.uk ANY or dig google.co.uk ANY you will only see a couple of records rather than their whole zone file. This is the same with all of our cPanel servers as well.
0
 
Chris Dent (PowerShell Developer) commented:

I won't deny it must be possible. I just don't know how to do it, which isn't all that helpful.

Chris
0
 
talkster5 (Author) commented:
Ok, thank you for your help so far. I have added the PTR and A records as well, so once they go through I will see if that fixes that part of the problem.
0
 
talkster5 (Author) commented:
Hi,
The PTR record has propagated; however, I am still getting the root hints coming up. Is there anything else that may cause this?

I have noticed when I do an nslookup it also comes up as Unknown.
0
 
talkster5 (Author) commented:
Although I had added PTR records at the ISP, I have now added them at the DNS server and the root hints are now gone. Just the problem with the whole zone being reachable now.
0
 
shauncroucher commented:
If you run ls -d domain.com, does it refuse or provide you with the zone info?

shaun
0
 
Chris Dent (PowerShell Developer) commented:

According to the above the problem is the output from:

nslookup -q=any domain.com

That is rather more difficult to solve, because the server is supposed to reply to that query in full. If I manage to figure out how to limit the response to that query on my own server I'll post it.

Chris
0
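Added example, not part of the thread and not Chris's or talkster5's configuration: a named.conf that ties together the three points discussed above for an authoritative-only BIND server. It (1) denies zone transfers globally and re-enables them per zone only for the listed secondaries when the request is also TSIG-signed, (2) serves the reverse zone for the server's own address so the Windows nslookup self-test described by Chris finds its PTR locally instead of falling back to root hints, and (3) uses the BIND 9.11+ option minimal-any so that ANY queries over UDP are answered with a single RRset rather than every record at the name (TCP queries still receive the full answer). The secondary addresses are the ones talkster5 posted; the key name xfer-key, the zone file names, the reverse zone, and the log path are assumptions, and the TSIG secret is a placeholder to be generated with tsig-keygen.

```conf
// Added example (not from the thread). Assumed: key name, zone file names,
// reverse zone, log path. Secondary addresses are from talkster5's post.

// Shared TSIG key for the secondaries. Generate a real one with:
//   tsig-keygen xfer-key
key "xfer-key" {
        algorithm hmac-sha256;
        secret "<base64 secret from tsig-keygen>";   // placeholder, not a real key
};

// The hosts that are allowed to pull zones from this server.
acl "secondaries" { 172.31.1.191; 172.31.1.192; 172.25.1.6; };

options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";

        // Global default: no zone may be transferred. A zone-level
        // allow-transfer below overrides this for the secondaries only.
        allow-transfer { none; };

        // Authoritative-only: refuse recursion for everyone. If this host
        // must also recurse for the secondaries, use
        // allow-recursion { secondaries; }; instead of recursion no.
        recursion no;

        // BIND 9.11+: reply to ANY over UDP with one RRset (plus RRSIGs)
        // instead of all RRsets at the name. Has no effect on TCP.
        minimal-any yes;

        notify yes;
};

// Record refused requests and every outbound transfer so an unexpected
// AXFR from an unlisted host shows up in the log.
logging {
        channel xfer_log {
                file "/var/log/named/xfer.log" versions 3 size 5m;
                severity info;
                print-time yes;
        };
        category xfer-out  { xfer_log; };   // AXFR/IXFR served by this host
        category security  { xfer_log; };   // ACL denials, refused queries
};

zone "domain.com" {
        type master;
        file "db.domain.com";
        also-notify { 172.31.1.191; 172.31.1.192; 172.25.1.6; };
        // Transfer requires BOTH a listed source address AND a valid TSIG
        // signature. The negated nested list rejects any address that is
        // not a secondary before the key element is ever consulted.
        allow-transfer { !{ !secondaries; any; }; key xfer-key; };
};

// Reverse zone for the server's own subnet (assumed 172.31.1.0/24), so the
// PTR lookup that nslookup performs on startup is answered locally.
zone "1.31.172.in-addr.arpa" {
        type master;
        file "db.172.31.1";
        allow-transfer { !{ !secondaries; any; }; key xfer-key; };
};
```

Check the file with named-checkconf before reloading. To confirm the result from a host that is not in the secondaries list, run dig @<your-server> domain.com AXFR and expect "; Transfer failed." along with a matching entry in the security log channel; dig @<your-server> domain.com ANY (UDP) should now return a single RRset instead of the whole apex. A secondary that has the key configured (key xfer-key in its own named.conf and in its zone's masters clause) continues to transfer normally.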