Geert Bettens

asked on

BIND DNS zone forwarding

It seems that in order for BIND DNS forwarding to work, I need to enable "recursion yes;" in named.conf.
We don't want to use recursion, only enable forwarding.


To explain further: we have two Solaris machines with non-global Solaris zones. On these machines we have, for each, a non-global Solaris zone with DNS. The Solaris machines are DNS authoritative for their own DNS zone. In some cases, they need to be able to resolve hosts outside of their own DNS zone (for example a mail host).


I tried global forwarding:

options {
    ...
    forwarders { <ipdns1>; <ipdns2>; };
    ...
};

and also per-zone forwarding:

zone "extdomain.com" {
    type forward;
    forwarders { <ipdns1>; <ipdns2>; };
    forward only;
};


But it seems that when using nslookup to the outside world, it only works when recursion is set to yes. This causes slow SSH logins on the Solaris machines.

Mahesh

In Windows, if you disable recursion, you cannot forward queries to forwarders, because in that case the forwarders get disabled.
In that case Windows DNS servers are forced to use root hint servers for name resolution, meaning they are forced to use iterative queries.
That makes sense, because queries can be forwarded only if recursion is allowed: the DNS server will forward the query and wait for a response from the forwarder server (a recursive query); it is now the forwarder DNS server's responsibility to do iterative queries to the internet root servers, followed by the TLD servers, to get the answer and send it back to the requesting server.

The same logic should apply to DNS on other platforms as well.
Usually, you have forwarders defined; as a matter of fact, it would seem redundant to also have a forwarded zone.
The difficulty that complicates this is whether your use of the DNS server is solely as an authoritative server, or as a dual-function authoritative and caching server.
As an authoritative server where recursion is not needed, using a forwarder in the main config would be contrary to its use.
What is the reasoning for adding the zone in question, rather than allowing your DNS caching server to reach out to the authoritative servers responsible for .........

For a dual-use DNS server, where you enable recursion while limiting queries to itself and the local LAN.
Slow SSH logins are because your reverse zone is not configured.
You can disable UseDNS in sshd_config,
or
reduce timeouts in resolv.conf,
or fix the problem
by defining an empty reverse DNS zone that returns just NXDOMAIN, but quickly.

If in doubt, you can enable querylog on any DNS server you want to look at and re-measure the times of any query.

noci
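As an added example (not from the thread or from any poster), here is a named.conf fragment that puts the two points above together: the server stays authoritative for its own zone and forwards everything else, recursion is enabled because forwarding needs it, but it is restricted to a trusted ACL so the host does not become an open resolver, and an explicitly defined empty reverse zone answers the PTR lookups behind the slow SSH logins with an immediate NXDOMAIN. Zone names, file names and addresses are placeholders; the 192.0.2.x addresses stand in for the thread's <ipdns1>/<ipdns2>.

```conf
// Added example, not the asker's configuration. All names and addresses
// are placeholders; adjust to the real zone and LAN before use.

acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;          // placeholder: the local LAN
};

options {
    directory "/var/named";

    // Forwarding is a recursive operation from the client's point of view:
    // with "recursion no;" the forwarders are never consulted and queries
    // for anything we are not authoritative for are refused.
    recursion yes;

    // Only trusted clients may trigger recursion (and thus forwarding) or
    // read the cache. Everybody else still gets authoritative answers for
    // our own zone below, but nothing more, so this is not an open resolver.
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-query       { any; };

    // placeholders for <ipdns1>/<ipdns2> from the question
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};

// The zone this server is authoritative for (placeholder name).
zone "ourdomain.example" {
    type master;
    file "ourdomain.example.zone";
    allow-transfer { none; };
};

// Empty reverse zone for the LAN range. Because the server is authoritative
// for it, PTR lookups for LAN addresses get NXDOMAIN immediately instead of
// waiting on a forwarder timeout, which is the slow-SSH-login symptom.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "empty.zone";
};
```

The file empty.zone needs only an SOA record and one NS record pointing at this server; every other name in the zone then resolves to NXDOMAIN. Validate the result with named-checkconf before reloading.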

Multicast DNS can be a solution as well (mDNS, aka Zeroconf, aka Bonjour) for local addresses. This can be set up for the domain in use as well.
If you need recursion in order to resolve while you already have forwarders configured, that means your forwarders do not work, or you misconfigured them in such a way that they are ignored by BIND. Does a regular query to the forwarders work from the machines hosting the DNS?

I second @gheist's comment regarding slow DNS. The entries are the ones corresponding to the PTR of the SSH client's address.