Where does named search by default? - Mandriva

  1. Where does named search by default?

    In an earlier thread about security vulnerabilities, it was
    stated that DNS server(s) should be specified as forwarders
    in /var/lib/named/etc/named.conf. When using the default
    Mandriva bind/named configuration, as a caching nameserver,
    if no forwarders are specified, where does named find where
    it should go for answers? (I Googled but could not find the
    answer.)

    Details: I'm running Mandriva 2008.0, "bind" RPM installed
    with default /var/lib/named/etc/named.conf. I run static IP
    addresses on my home LAN with two NAT firewall boxes in
    series between the Mandriva machines and Verizon FIOS. In
    /etc/resolv.conf, I have 127.0.0.1 followed by the IP
    addresses of two Verizon DNS servers (from the ifcfg-eth0
    file).

    So, if I don't specify forwarders, does my named use the
    non-local entries in /etc/resolv.conf? Or, does my named ask
    the gateway NAT boxes (which would be problematic
    security-wise) for DNS? Or, does my named go straight to
    the root servers?

    Thanks.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  2. Re: Where does named search by default?

    On Sat, 08 Mar 2008 05:48:27 GMT, Robert M. Riches Jr. wrote:
    > In an earlier thread about security vulnerabilities, it was
    > stated that DNS server(s) should be specified as forwarders
    > in /var/lib/named/etc/named.conf. When using the default
    > Mandriva bind/named configuration, as a caching nameserver,
    > if no forwarders are specified, where does named find where
    > it should go for answers?

    NOTE: I have no knowledge about how it works.

    As I mis-understand it, when an app wants some resolution,
    /etc/host.conf and
    grep hosts: /etc/nsswitch.conf
    indicates where/order to go look something up.

    You may have more than one DNS ip in resolv.conf but look ups will not
    go to the next DNS server if the first one returns no record found.
    If the first server times out, the next dns ip in resolv.conf will
    get the request.

    When you make a request of the first DNS server, and it can not resolve it, it
    will forward the request to the next DNS server it knows about.

    So, people with an Internet router set the router as a DNS ip,
    it in turn, forwards its request to its forwarders, usually the
    isp's DNS servers. Requests continue up the forwarders chain until one
    of those directs the request to the owner's resolver which sends back the
    requested information.

    Hopefully someone like Moe Trin can indicate where I am incorrect and
    provide a bit more detail.

  3. Re: Where does named search by default?

    On Sat, 8 Mar 2008, in the Usenet newsgroup alt.os.linux.mandriva, in article
    , Bit Twister wrote:

    >Robert M. Riches Jr. wrote:

    >> In an earlier thread about security vulnerabilities, it was
    >> stated that DNS server(s) should be specified as forwarders
    >> in /var/lib/named/etc/named.conf. When using the default
    >> Mandriva bind/named configuration, as a caching nameserver,
    >> if no forwarders are specified, where does named find where
    >> it should go for answers?

    >
    >NOTE: I have no knowledge about how it works.

    Still, the answers provided are reasonable.

    >As I mis-understand it, when an app wants some resolution,
    >/etc/host.conf and
    >grep hosts: /etc/nsswitch.conf
    >indicates where/order to go look something up.

    [compton ~]$ grep host /etc/host.conf /etc/nsswitch.conf
    /etc/host.conf:order hosts,bind
    /etc/nsswitch.conf:hosts: files nis dns
    [compton ~]$

    Close enough. '/etc/host.conf' is the older file, while most apps and
    the resolver library consult /etc/nsswitch.conf.

    >You may have more than one DNS ip in resolv.conf but look ups will not
    >go to the next DNS server if the first one returns no record found.
    >If the first server times out, the next dns ip in resolv.conf will
    >get the request.

    RFC1035 and RFC2136 list 11 result codes. "NOERROR" and "NXDOMAIN"
    are non-error results, and these "answer" the query, ending the
    search. The other nine result codes, or a timeout, would cause the
    resolver to query the next DNS server listed.

    >When you make a request of the first DNS server, and it can not resolve
    >it, it will forward the request to the next DNS server it knows about.

    Ummm, the first server _may_ forward the request, but only if it is
    configured as a forwarder. If this is not the case, it will return a
    NXDOMAIN, and you're screwed. Note that some name servers will not
    recurse for you (ask the root server, then follow the chain), but your
    _resolver_ shouldn't be talking to those servers anyway (that's the
    job of a name server).

    >So, people with an Internet router set the router as a DNS ip,
    >it in turn, forwards it's request to it's forwarders, usually the
    >isp's DNS servers. Request continue up the forwarders chain until one
    >of those direct the request to owner's resolver which sends back the
    >requested information.

    s/owner\'s resolver/owner\'s name server/

    >Hopefully someone like Moe Trin can indicate where I am incorrect

    Actually, that's pretty good.

    >and provide a bit more detail.

    The only other thing to add is the case where there are "local" names
    and "remote" names to resolve. Any name server you ask has to be able
    to resolve BOTH (local through the existing zone files, remote either
    by fully resolving using a root-hints file or by forwarding unresolvable
    queries to a forwarder such as the ISPs name servers) lest you get into
    the NXDOMAIN trap. If your local name server doesn't know how to get an
    answer externally about www.example.com, you are dead just as if you
    asked your ISPs (or the root servers) about hosts on your own
    home.invalid network. "NXDOMAIN" means "game over".

    Note that the 'search' and 'domain' keywords (man 5 resolver) are often
    not a good idea, and MAY be a security risk on their own. Finally, that
    same man page notes (in the 'nameserver' section) that typically only
    three name servers can be listed (MAXNS in /usr/include/resolv.h), and
    if NO nameserver line exists, the resolver defaults to asking the name
    server on 127.0.0.1 (which may or may not exist).

    Old guy
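The thread's question is really about which of two mechanisms a caching named uses for names it does not serve itself. In BIND 9 the answer is: with a "forwarders" block it sends recursive queries to those servers; without one it resolves from the root hints (the zone "." of type hint, or the hints compiled into named if no such zone is declared). It never reads /etc/resolv.conf and never asks the default gateway. The fragment below is an added example written for this page, not Mandriva's shipped named.conf; the 192.0.2.x addresses are documentation placeholders standing in for the ISP's servers, and the LAN address and zone file names are made up. It shows both mechanisms side by side together with the local zones Moe Trin says are needed to avoid the NXDOMAIN trap.

```conf
// Added example of a caching name server for a small LAN (BIND 9 syntax).
options {
    directory "/var/lib/named";          // chroot layout used in the thread
    listen-on { 127.0.0.1; 192.168.1.10; };  // 192.168.1.10: assumed LAN address
    allow-query     { localhost; localnets; };
    allow-recursion { localhost; localnets; };  // never recurse for strangers
    recursion yes;

    // Mechanism 1: hand every non-local query to the ISP's servers.
    // Delete this block and named falls back to mechanism 2 (root hints).
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholders for the ISP servers
    // "forward only": a dead forwarder yields SERVFAIL, which the stub
    // resolver treats as "try the next nameserver in resolv.conf".
    // "forward first" would instead fall back to the root hints.
    forward only;
};

// Mechanism 2: root hints, used when no forwarders are configured
// (or when "forward first" forwarders fail).
zone "." IN {
    type hint;
    file "named.ca";
};

// Local zones so that LAN names are answered here.  Without these, a
// query for a home.invalid host goes to the forwarders and comes back
// NXDOMAIN, and the stub resolver stops there ("game over").
zone "home.invalid" IN {
    type master;
    file "home.invalid.zone";            // assumed file name
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.1.rev";                // assumed file name
};
```

Check the result with "named-checkconf /var/lib/named/etc/named.conf" (adjust the path for the chroot) before reloading. With this file in place, listing only 127.0.0.1 in /etc/resolv.conf is enough; extra upstream servers after it only ever get asked when the local named times out or returns SERVFAIL, not when it answers NXDOMAIN.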

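Two of the rules above are easy to get wrong by hand: the stub resolver's treatment of result codes (only NOERROR and NXDOMAIN end the walk down the nameserver list) and the limits in man 5 resolver (at most MAXNS = 3 nameserver lines, 127.0.0.1 assumed when there is none, and search/domain suffixes appended to unqualified names). The script below is an added example for this page, not code from any of the posters; it parses a constructed resolv.conf and walks the resulting list against constructed replies, including the original poster's layout of 127.0.0.1 followed by two ISP servers. The 192.0.2.x addresses are documentation placeholders, and the walk is a simplification of glibc's behaviour (it ignores the retry and rotate options).

```python
"""Audit /etc/resolv.conf the way the glibc stub resolver reads it (man 5 resolver)
and walk the resulting server list with the result-code rule from the thread.

Added example for this thread, not code from the original posts.  The resolv.conf
contents and the DNS replies below are constructed; 192.0.2.x are documentation
placeholders standing in for an ISP's servers.
"""
import ipaddress

MAXNS = 3                  # resolv.h limit quoted in the thread: extra servers are ignored
DEFAULT_NS = "127.0.0.1"   # used when no nameserver line is present
TERMINAL_RCODES = {"NOERROR", "NXDOMAIN"}  # these answer the query and end the walk


def parse_resolv_conf(text):
    """Return (nameservers, suffixes, warnings) for the given resolv.conf text."""
    nameservers, suffixes, warnings = [], [], []
    ns_seen = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver":
            if len(args) != 1:
                warnings.append(f"line {lineno}: malformed nameserver line")
                continue
            try:
                ipaddress.ip_address(args[0])
            except ValueError:
                warnings.append(f"line {lineno}: {args[0]!r} is not an IP address "
                                "(resolv.conf does not accept host names)")
                continue
            ns_seen += 1
            if ns_seen > MAXNS:
                warnings.append(f"line {lineno}: nameserver {args[0]} is beyond "
                                f"MAXNS={MAXNS} and will be ignored")
                continue
            nameservers.append(args[0])
        elif key in ("domain", "search"):
            # 'domain' and 'search' are mutually exclusive; whichever appears last wins.
            suffixes = list(args)
            warnings.append(f"line {lineno}: '{key}' appends {args} to unqualified "
                            "names; a mistyped host may resolve in someone else's domain")
    if not nameservers:
        nameservers = [DEFAULT_NS]
        warnings.append(f"no nameserver line; resolver falls back to {DEFAULT_NS}")
    return nameservers, suffixes, warnings


def resolver_walk(nameservers, replies):
    """Simplified stub-resolver walk (ignores glibc's retry and rotate options).

    replies maps server -> rcode string, with None meaning a timeout.  NOERROR
    and NXDOMAIN answer the question and stop the walk; SERVFAIL, REFUSED, any
    other error or a timeout move on to the next server.  Returns the
    (server, rcode) that ended the walk, or (None, None) if nothing did.
    """
    for ns in nameservers:
        rcode = replies.get(ns)   # missing entry == timeout
        if rcode in TERMINAL_RCODES:
            return ns, rcode
    return None, None


SAMPLE_RESOLV_CONF = """\
# constructed sample: local named first, then the ISP's servers
search home.invalid
nameserver 127.0.0.1
nameserver 192.0.2.53      ; placeholder for the ISP's first server
nameserver 192.0.2.54      ; placeholder for the ISP's second server
nameserver 192.0.2.55      ; fourth entry: beyond MAXNS, silently ignored
"""

# The "NXDOMAIN trap" from the thread: the local named says the name does not
# exist, so the ISP servers listed after it are never consulted.
TRAP_REPLIES = {"127.0.0.1": "NXDOMAIN", "192.0.2.53": "NOERROR"}
# Local named down (timeout): the resolver does move on to the next server.
TIMEOUT_REPLIES = {"127.0.0.1": None, "192.0.2.53": "NOERROR"}


if __name__ == "__main__":
    servers, suffixes, warnings = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("effective nameservers:", servers)
    print("search suffixes:", suffixes)
    for w in warnings:
        print("warning:", w)
    print("trap:", resolver_walk(servers, TRAP_REPLIES))
    print("timeout:", resolver_walk(servers, TIMEOUT_REPLIES))
```

Run it against a real file with parse_resolv_conf(open("/etc/resolv.conf").read()); the two warnings it prints for the sample (the search suffix and the ignored fourth server) are exactly the two points Moe Trin raises about man 5 resolver.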