Re: Public DNS - recursion no - Access to the Internet - DNS



Thread: Re: Public DNS - recursion no - Access to the Internet

  1. Re: Public DNS - recursion no - Access to the Internet

    Hello,

    Jarek Buczynski wrote:
    >
    >>You don't need "nameserver 0.0.0.0" in your resolv.conf as that will just
    >>confuse things because it's not a valid IP address. Leave it as
    >>"nameserver 127.0.0.1"

    >
    > I use 0.0.0.0 because I read about it in "DNS and BIND, 5th Edition
    > By Paul Albitz, Cricket Liu "
    >
    > Quote:
    > "You can also configure the resolver to query the host's local nameserver
    > using either the local host's IP address or the zero address. The zero
    > address, 0.0.0.0, is interpreted by most TCP/IP implementations to mean
    > "this host."


    This is a wrong use of "this host". According to RFC 1700 and RFC 3330,
    addresses in 0.0.0.0/8, including 0.0.0.0, may only be used as source
    addresses, not destination addresses.



  2. Re: Public DNS - recursion no - Access to the Internet

    In article ,
    Pascal Hambourg wrote:

    > Hello,
    >
    > Jarek Buczynski wrote:
    > >
    > >>You don't need "nameserver 0.0.0.0" in your resolv.conf as that will just
    > >>confuse things because it's not a valid IP address. Leave it as
    > >>"nameserver 127.0.0.1"

    > >
    > > I use 0.0.0.0 because I read about it in "DNS and BIND, 5th Edition
    > > By Paul Albitz, Cricket Liu "
    > >
    > > Quote:
    > > "You can also configure the resolver to query the host's local nameserver
    > > using either the local host's IP address or the zero address. The zero
    > > address, 0.0.0.0, is interpreted by most TCP/IP implementations to mean
    > > "this host."

    >
    > This is a wrong use of "this host". According to RFC 1700 and RFC 3330,
    > addresses in 0.0.0.0/8, including 0.0.0.0, may only be used as source
    > addresses, not destination addresses.


    That only refers to using it on the network, it has nothing to do with
    configuration files.

    The reason it didn't work for him was that he only put 127.0.0.1 in his
    allow-recursion ACL. But when you use 0.0.0.0 in your named.conf, it
    doesn't send from/to 127.0.0.1, it sends to one of the machine's real
    NIC addresses, and in this case the source address is also that NIC
    address. Since this doesn't match the ACL, recursion is denied.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***



  3. Re: Public DNS - recursion no - Access to the Internet

    Barry Margolin wrote:
    > Pascal Hambourg wrote:
    >>>
    >>>Quote:
    >>>"You can also configure the resolver to query the host's local nameserver
    >>>using either the local host's IP address or the zero address. The zero
    >>>address, 0.0.0.0, is interpreted by most TCP/IP implementations to mean
    >>>"this host."

    >>
    >>This is a wrong use of "this host". According to RFC 1700 and RFC 3330,
    >>addresses in 0.0.0.0/8, including 0.0.0.0, may only be used as source
    >>addresses, not destination addresses.

    >
    > That only refers to using it on the network, it has nothing to do with
    > configuration files.


    It has to do with both, when an address in a configuration file is meant
    to be used on the network. Isn't a nameserver address in resolv.conf
    meant to be used on the network?

    > The reason it didn't work for him was that he only put 127.0.0.1 in his
    > allow-recursion ACL.


    No, the reason was that "allow-recursion" was kept to "no".

    > But when you use 0.0.0.0 in your named.conf,


    0.0.0.0 was not used in named.conf but in resolv.conf.

    > it
    > doesn't send from/to 127.0.0.1, it sends to one of the machine's real
    > NIC addresses,


    Do you mean that 0.0.0.0 as a nameserver address in resolv.conf is legal
    and means "any local address"?

    > and in this case the source address is also that NIC address.


    IMHO it depends on the default source address selected by the IP stack.
    Is there any requirement in RFCs saying that the default source address
    must be identical to the destination address?



  4. Re: Public DNS - recursion no - Access to the Internet

    In article ,
    Pascal Hambourg wrote:

    > Barry Margolin wrote:
    > > Pascal Hambourg wrote:
    > >>>
    > >>>Quote:
    > >>>"You can also configure the resolver to query the host's local nameserver
    > >>>using either the local host's IP address or the zero address. The zero
    > >>>address, 0.0.0.0, is interpreted by most TCP/IP implementations to mean
    > >>>"this host."
    > >>
    > >>This is a wrong use of "this host". According to RFC 1700 and RFC 3330,
    > >>addresses in 0.0.0.0/8, including 0.0.0.0, may only be used as source
    > >>addresses, not destination addresses.

    > >
    > > That only refers to using it on the network, it has nothing to do with
    > > configuration files.

    >
    > It has to do with both, when an address in a configuration file is meant
    > to be used on the network. Isn't a nameserver address in resolv.conf
    > meant to be used on the network?


    Not in the case of 0.0.0.0.

    >
    > > The reason it didn't work for him was that he only put 127.0.0.1 in his
    > > allow-recursion ACL.

    >
    > No, the reason was that "allow-recursion" was kept to "no".
    >
    > > But when you use 0.0.0.0 in your named.conf,

    >
    > 0.0.0.0 was not used in named.conf but in resolv.conf.


    That's what I meant to write.

    >
    > > it
    > > doesn't send from/to 127.0.0.1, it sends to one of the machine's real
    > > NIC addresses,

    >
    > Do you mean that 0.0.0.0 as a nameserver address in resolv.conf is legal
    > and means "any local address"?


    Yes. Read the above quote from "DNS & BIND".

    >
    > > and in this case the source address is also that NIC address.

    >
    > IMHO it depends on the default source address selected by the IP stack.
    > Is there any requirement in RFCs saying that the default source address
    > must be identical to the destination address?


    I believe RFC 1122 says that the default source address should be the
    outgoing interface. When sending to your own address, the outgoing
    interface is the one whose address you're sending to, so the source and
    destination addresses will be the same.

    However, since nothing is going on the wire the RFC's don't *really*
    apply. But most stacks work this way.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***



  5. Re: Public DNS - recursion no - Access to the Internet

    Barry Margolin wrote:
    >
    >>>The reason it didn't work for him was that he only put 127.0.0.1 in his
    >>>allow-recursion ACL.

    >>
    >>No, the reason was that "allow-recursion" was kept to "no".


    I meant "recursion" instead of "allow-recursion".

    >>>But when you use 0.0.0.0 in your resolv.conf [corrected quote], it
    >>>doesn't send from/to 127.0.0.1, it sends to one of the machine's real
    >>>NIC addresses,


    This is not what I observed on a Debian GNU/Linux system. When
    resolv.conf contains "nameserver 0.0.0.0" or no nameserver entry or does
    not exist, DNS queries are sent to 127.0.0.1, with source address
    127.0.0.1. So it does not seem that the resolver seeks any local
    addresses on "real" network interfaces. My understanding is that
    "nameserver 0.0.0.0" is invalid and ignored. In this case, 127.0.0.1 is
    used as the default nameserver, as stated by the resolv.conf manpage:
    "If no nameserver entries are present, the default is to use the name
    server on the local machine". Other OSes may behave differently.

    >>Do you mean that 0.0.0.0 as a nameserver address in resolv.conf is legal
    >>and means "any local address" ?

    >
    > Yes. Read the above quote from "DNS & BIND".


    I did, and reacted because I do not agree with it. To me 0.0.0.0 can be
    used as "this host" in a source address in special cases (e.g. DHCP
    queries) or as an "any local address" wildcard when creating a socket
    (e.g. "Listen 0.0.0.0" in Apache setup). But I have never seen that it
    may be considered as a wildcard remote destination address by any IP
    implementation.

    > I believe RFC 1122 says that the default source address should be the
    > outgoing interface. When sending to your own address, the outgoing
    > interface is the one whose address you're sending to, so the source and
    > destination addresses will be the same.


    In common OSes, when sending to any of your own addresses the outgoing
    interface is the loopback interface. So, according to what you wrote,
    the default source address should be the loopback address, 127.0.0.1.
    But this is not what is commonly observed. The Linux 2.4 kernel uses ::1
    as the default IPv6 source address when sending to a local address. But
    this was changed at least in recent 2.6 kernels which use the same
    address as the destination, just like in IPv4.
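The two failure modes debated above, as an added example that is not from any poster or from BIND itself: a stub-resolver view of what resolv.conf entries actually get queried (assuming the Debian behaviour Pascal describes, where an invalid "nameserver 0.0.0.0" is dropped and 127.0.0.1 is the fallback), and a model of named's recursion decision, so the "recursion no" case from post 5 and the source-address/ACL mismatch from post 2 can both be checked on the same input.

```python
"""Diagnose the mismatch discussed in the thread: the address a stub
resolver actually targets versus a BIND-style allow-recursion ACL.
Example code written for this thread, not BIND's or any poster's."""
import ipaddress

# RFC 3330: 0.0.0.0/8 is "this" network and is only valid as a source address.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")


def effective_nameservers(resolv_conf: str) -> list:
    """Return the nameservers a resolver would actually query.

    Assumption (Debian behaviour described in the thread): an entry in
    0.0.0.0/8 is invalid and ignored; if nothing valid remains, the default
    is the name server on the local machine, 127.0.0.1.
    """
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            try:
                addr = ipaddress.ip_address(fields[1])
            except ValueError:
                continue  # unparsable address, skip the entry
            if addr.version == 4 and addr in THIS_NETWORK:
                continue  # 0.0.0.0/8 is not a legal destination
            servers.append(str(addr))
    return servers or ["127.0.0.1"]


def recursion_allowed(source: str, recursion: bool, allow_recursion: list) -> bool:
    """Model named's decision: 'recursion no' refuses everyone; otherwise the
    query's source address must match an allow-recursion ACL entry."""
    if not recursion:
        return False
    src = ipaddress.ip_address(source)
    return any(src in ipaddress.ip_network(e, strict=False) for e in allow_recursion)


# Constructed resolv.conf mirroring the original poster's setup.
RESOLV_CONF = "search example.test\nnameserver 0.0.0.0\n"

if __name__ == "__main__":
    print("queries go to:", effective_nameservers(RESOLV_CONF))
    # Post 5: "recursion" left at "no" -> denied regardless of the ACL.
    print(recursion_allowed("127.0.0.1", False, ["127.0.0.1"]))
    # Post 2: recursion on, but a query sourced from a NIC address is not
    # covered by an ACL that lists only 127.0.0.1 -> denied.
    print(recursion_allowed("192.0.2.10", True, ["127.0.0.1"]))
    print(recursion_allowed("192.0.2.10", True, ["127.0.0.1", "192.0.2.0/24"]))
```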



  6. Re: Public DNS - recursion no - Access to the Internet

    Pascal Hambourg wrote:
    > This is not what I observed on a Debian GNU/Linux system. When
    > resolv.conf contains "nameserver 0.0.0.0" or no nameserver entry or does
    > not exist, DNS queries are sent to 127.0.0.1, with source address
    > 127.0.0.1. So it does not seem that the resolver seeks any local
    > addresses on "real" network interfaces. My understanding is that
    > "nameserver 0.0.0.0" is invalid and ignored. In this case, 127.0.0.1 is
    > used as the default nameserver, as stated by the resolv.conf manpage:
    > "If no nameserver entries are present, the default is to use the name
    > server on the local machine". Other OSes may behave differently.
    >


    I observed that on a Redhat system, it transparently rewrites 0.0.0.0 to
    127.0.0.1; however, whether this is in the network stack or not I'm not
    sure - it could just be individual applications, hence it's another
    "point of failure" to remove when diagnosing a problem like the one the
    OP had when this thread started.

    *BSD and Windows report "invalid address" when 0.0.0.0 is used.
    Personally I think if you mean the localhost, you should put the proper
    localhost address which is anything in the 127.0.0.0/8 subnet (commonly
    127.0.0.1.)



