Recently my DNS Slave server has started doing something odd.
If I am on my main Unix server and run nslookup (dig not available) against
my primary DNS server I get something like:
The problem I believe is the slave server is using an external forwarder
when it does its own resolution.
To resolve the issue, I have temporarily removed the external forwarders on
the slave server and added the Primary DNS server as the only listed
forwarder. Obviously this is a short term hack since if the primary DNS went
down there would be no forwarder at all.
I discovered this problem when one of our automated processes attempted to RCP
from the Unix host to another host and uses the slave DNS server. Since the
remote host uses .rhosts and the names do not match, the rcp connect fails.
This configuration has been in place for oh say, 2 years. It’s just a simple
master/slave arrangement.
GofBorg wrote:
> Recently my DNS Slave server has started doing something odd.
> If I am on my main Unix server and run nslookup (dig not available) against
> my primary DNS server I get something like:
>
> Server: main-dns.domain.com
> Address: 192.168.0.1
>
> Name: serverqueriedon.domain.com
> Address: 192.168.0.100
>
>
> If I then switch to my slave server
>
>> server slave-dns.domain.com
>
> and query again I get:
>
> Server: main-dns.domain.com
> Address: 192.168.0.1
>
> Name: serverqueriedon.domain.com
> Address: 192.168.0.100
>
> and all is right with the world…BUT…
>
> If I then switch back to the main server:
>
>> server main-dns.domain.com
>
> I see:
>
> Default Server: NAT’d.IP.Information.From.External.DNS.query
> Address: 192.168.0.1
>
> The problem I believe is the slave server is using an external forwarder
> when it does its own resolution.
>
> To resolve the issue, I have temporarily removed the external forwarders on
> the slave server and added the Primary DNS server as the only listed
> forwarder. Obviously this is a short term hack since if the primary DNS went
> down there would be no forwarder at all.
>
> I discovered this problem when one of our automated processes attempted to RCP
> from the Unix host to another host and uses the slave DNS server. Since the
> remote host uses .rhosts and the names do not match, the rcp connect fails.
>
> This configuration has been in place for oh say, 2 years. It’s just a simple
> master/slave arrangement.
>
> Any ideas?
Not really sure what’s happening there, but you don’t really need to be
using forwarders at all. Just make sure you have a current version of
the root.hint file. Your server will then query the root servers and
resolve external addresses just fine, even if the master goes down.
Of course, your zone data will eventually time out so you’ll have to
get the master server up in a timely manner. But that’s a different issue.
The main advantage of forwarders is they may have your query already
cached, which speeds things up a bit. No need to hit the root servers
and recurse down to the authoritative server for a given domain. The
hit is pretty minor though, and I doubt your users will notice. After
the first hit, your dns server will have the entry cached itself.
…Kevin
Kevin Miller
Juneau, Alaska http://www.alaska.net/~atftb
In a recent poll, seven out of ten hard drives preferred Linux.
> Not really sure what’s happening there, but you don’t really need to be
> using forwarders at all. Just make sure you have a current version of
> the root.hint file. Your server will then query the root servers and
> resolve external addresses just fine, even if the master goes down.
>
> Of course, your zone data will eventually time out so you’ll have to
> get the master server up in a timely manner. But that’s a different
> issue.
>
> The main advantage of forwarders is they may have your query already
> cached, which speeds things up a bit. No need to hit the root servers
> and recurse down to the authoritative server for a given domain. The
> hit is pretty minor though, and I doubt your users will notice. After
> the first hit, your dns server will have the entry cached itself.
Thanks for those bits Kevin. I’ve been using forwarders since forever.
This problem is just a bit perplexing. Do you think that if my slave server
has a forwarders file with just my master DNS server as the only entry, and
the master goes down that the slave server would then try root.hint before
returning unresolvable? If so then I think my current arrangement is okay as
the server does have a current root.hint file. Just not sure if there is an
order of priority like forwarders>root.hint or if they are mutually
exclusive and one overrides the other completely.
GofBorg wrote:
>
> Thanks for those bits Kevin. I’ve been using forwarders since
> forever. This problem is just a bit perplexing. Do you think that if
> my slave server has a forwarders file with just my master DNS server
> as the only entry, and the master goes down that the slave server
> would then try root.hint before returning unresolvable? If so then I
> think my current arrangement is okay as the server does have a
> current root.hint file. Just not sure if there is an order of
> priority like forwarders>root.hint or if they are mutually exclusive
> and one overrides the other completely.
Hmmm. Not sure what happens if your forward server goes down. I would
think it would then fall back to the root servers, but don’t really know
for certain. Do you have the luxury of stopping named on the master for
30 seconds and then trying a lookup from the slave?
If you can do that, be sure the slave isn’t looking up something already
cached. Pick some domain that you’re pretty sure nobody has done a
query on, or restart named on the slave - that will flush the cache.
(Probably a more elegant way to flush the dns cache but I’m too lazy to
look it up.)
…Kevin
Kevin Miller
Juneau, Alaska http://www.alaska.net/~atftb
In a recent poll, seven out of ten hard drives preferred Linux.
> Hmmm. Not sure what happens if your forward server goes down. I would
> think it would then fall back to the root servers, but don’t really know
> for certain. Do you have the luxury of stopping named on the master for
> 30 seconds and then trying a lookup from the slave?
Yah I was going to try that if you weren’t certain anyway. I can do it
after hours. I’ll let you know the results.
GofBorg wrote:
>> Hmmm. Not sure what happens if your forward server goes down. I would
>> think it would then fall back to the root servers, but don’t really know
>> for certain. Do you have the luxury of stopping named on the master for
>> 30 seconds and then trying a lookup from the slave?
>
> Yah I was going to try that if you weren’t certain anyway. I can do it
> after hours. I’ll let you know the results.
>>> Hmmm. Not sure what happens if your forward server goes down. I would
>>> think it would then fall back to the root servers, but don’t really know
>>> for certain. Do you have the luxury of stopping named on the master for
>>> 30 seconds and then trying a lookup from the slave?
>>
>> Yah I was going to try that if you weren’t certain anyway. I can do it
>> after hours. I’ll let you know the results.
>
> So how’d it work out?
Got tied up on some other things. Will see if I can test it tonight.
>>>> Hmmm. Not sure what happens if your forward server goes down. I would
>>>> think it would then fall back to the root servers, but don’t really know
>>>> for certain. Do you have the luxury of stopping named on the master for
>>>> 30 seconds and then trying a lookup from the slave?
GofBorg wrote:
>>>>> Hmmm. Not sure what happens if your forward server goes down. I would
>>>>> think it would then fall back to the root servers, but don’t really know
>>>>> for certain. Do you have the luxury of stopping named on the master for
>>>>> 30 seconds and then trying a lookup from the slave?
>
> It fails. Times out with no servers available.
I’m 99.9% certain I used to run my slaves w/o forwarders. They would
still receive updates for the zones which they’re authoritative for from
my master, but would also do their own lookups. Don’t know if that’s an
option for you or not but you might give it a test. That way you
wouldn’t be dependent solely on your master…
…Kevin
Kevin Miller
Juneau, Alaska http://www.alaska.net/~atftb
In a recent poll, seven out of ten hard drives preferred Linux.
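Added example, not part of the original thread and not either poster's actual configuration: in BIND's named.conf, whether forwarders and the root hints are tried in order or are mutually exclusive is set by the "forward" option. The address 192.168.0.1, the zone domain.com and the file name root.hint are taken from the thread; the directory and the slave zone file path are assumed.

```conf
// named.conf on the slave (constructed example)
options {
    directory "/var/named";            // assumed path

    // Variant A: forwarders with fallback.
    // named asks the listed forwarders first; if none of them answers,
    // it resolves the name itself, starting from the root hints.
    // "forward first" is also what named uses when no "forward"
    // statement is present.
    forwarders { 192.168.0.1; };       // the master, as in the thread
    forward first;

    // Variant B: forwarders without fallback.
    // With "forward only", named never consults the root hints.
    // If every forwarder is down, lookups for names outside the
    // server's own zones fail.
    // forward only;

    // Variant C: no forwarding at all.
    // Leave out both "forwarders" and "forward"; every external
    // lookup is resolved from the root hints.
};

// Root hints, needed for variants A and C.
zone "." {
    type hint;
    file "root.hint";
};

// The slave keeps answering for this zone from its transferred copy
// until the SOA expire time passes, whichever variant is chosen.
zone "domain.com" {
    type slave;
    masters { 192.168.0.1; };
    file "slave/domain.com.db";        // assumed path
};
```

With variant A the fallback starts only after the forwarder queries have timed out, so the first lookup made while the forwarder is down is noticeably slower than normal. Run named-checkconf on the file before reloading named.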