Where does named search by default? - Mandriva
Where does named search by default?
In an earlier thread about security vulnerabilities, it was
stated that DNS server(s) should be specified as forwarders
in /var/lib/named/etc/named.conf. When using the default
Mandriva bind/named configuration, as a caching nameserver,
if no forwarders are specified, where does named find where
it should go for answers? (I Googled but could not find the
answer.)
Details: I'm running Mandriva 2008.0, "bind" RPM installed
with default /var/lib/named/etc/named.conf. I run static IP
addresses on my home LAN with two NAT firewall boxes in
series between the Mandriva machines and Verizon FIOS. In
/etc/resolv.conf, I have 127.0.0.1 followed by the IP
addresses of two Verizon DNS servers (from the ifcfg-eth0
file).
So, if I don't specify forwarders, does my named use the
non-local entries in /etc/resolv.conf? Or, does my named use
the gateway NAT boxes (which would be problematic
security-wise) for DNS? Or, does my named go straight to
the root servers?
Thanks.
--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)
-
Re: Where does named search by default?
On Sat, 08 Mar 2008 05:48:27 GMT, Robert M. Riches Jr. wrote:
> In an earlier thread about security vulnerabilities, it was
> stated that DNS server(s) should be specified as forwarders
> in /var/lib/named/etc/named.conf. When using the default
> Mandriva bind/named configuration, as a caching nameserver,
> if no forwarders are specified, where does named find where
> it should go for answers?
NOTE: I have no knowledge about how it works.
As I mis-understand it, when an app wants some resolution,
/etc/host.conf and
grep hosts: /etc/nsswitch.conf
indicates where/order to go look something up.
You may have more than one DNS ip in resolv.conf but lookups will not
go to the next DNS server if the first one returns no record found.
If the first server times out, the next dns ip in resolv.conf will
get the request.
When you make a request of the first DNS server, and it can not resolve it, it
will forward the request to the next DNS server it knows about.
So, people with an Internet router set the router as a DNS ip;
it in turn forwards its request to its forwarders, usually the
isp's DNS servers. Requests continue up the forwarders chain until one
of those directs the request to the owner's resolver, which sends back the
requested information.
Hopefully someone like Moe Trin can indicate where I am incorrect and
provide a bit more detail.
-
Re: Where does named search by default?
On Sat, 8 Mar 2008, in the Usenet newsgroup alt.os.linux.mandriva, in article
, Bit Twister wrote:
>Robert M. Riches Jr. wrote:
>> In an earlier thread about security vulnerabilities, it was
>> stated that DNS server(s) should be specified as forwarders
>> in /var/lib/named/etc/named.conf. When using the default
>> Mandriva bind/named configuration, as a caching nameserver,
>> if no forwarders are specified, where does named find where
>> it should go for answers?
>
>NOTE: I have no knowledge about how it works.
Still, the answers provided are reasonable.
>As I mis-understand it, when an app wants some resolution,
>/etc/host.conf and
>grep hosts: /etc/nsswitch.conf
>indicates where/order to go look something up.
[compton ~]$ grep host /etc/host.conf /etc/nsswitch.conf
/etc/host.conf:order hosts,bind
/etc/nsswitch.conf:hosts: files nis dns
[compton ~]$
Close enough. '/etc/host.conf' is the older file, while most apps and
the resolver library consult /etc/nsswitch.conf.
>You may have more than one DNS ip in resolv.conf but look ups will not
>go to the next DNS server if the first one returns no record found.
>If the first server times out, the next dns ip in resolv.conf will
>get the request.
RFC1035 and RFC2136 list 11 result codes. "NOERROR" and "NXDOMAIN"
are non-error results, and these "answer" the query, ending the
search. The other nine result codes, or a timeout would cause the
resolver to query the next DNS server listed.
>When you make a request of the first DNS server, and it can not resolve
>it, it will forward the request to the next DNS server it knows about.
Ummm, the first server _may_ forward the request, but only if it is
configured as a forwarder. If this is not the case, it will return a
NXDOMAIN, and you're screwed. Note that some name servers will not
recurse for you (ask the root server, then follow the chain), but your
_resolver_ shouldn't be talking to those servers anyway (that's the
job of a name server).
>So, people with an Internet router set the router as a DNS ip,
>it in turn, forwards it's request to it's forwarders, usually the
>isp's DNS servers. Request continue up the forwarders chain until one
>of those direct the request to owner's resolver which sends back the
>requested information.
s/owner\'s resolver/owner\'s name server/
>Hopefully someone like Moe Trin can indicate where I am incorrect
Actually, that's pretty good.
>and provide a bit more detail.
The only other thing to add is the case where there are "local" names
and "remote" names to resolve. Any name server you ask has to be able
to resolve BOTH (local through the existing zone files, remote either
by fully resolving using a root-hints file or by forwarding unresolvable
queries to a forwarder such as the ISP's name servers) lest you get into
the NXDOMAIN trap. If your local name server doesn't know how to get an
answer externally about www.example.com, you are dead just as if you
asked your ISP's (or the root servers) about hosts on your own
home.invalid network. "NXDOMAIN" means "game over".
Note that the 'search' and 'domain' keywords (man 5 resolver) are often
not a good idea, and MAY be a security risk on their own. Finally, that
same man page notes (in the 'nameserver' section) that typically only
three name servers can be listed (MAXNS in /usr/include/resolv.h), and
if NO nameserver line exists, the resolver defaults to asking the name
server on 127.0.0.1 (which may or may not exist).
Old guy
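The two replies above describe the same machinery from different angles: the stub resolver walking the nameserver list in /etc/resolv.conf (moving on only after a timeout or an error code, stopping on NOERROR or NXDOMAIN, capped at MAXNS entries, defaulting to 127.0.0.1), and the caching name server choosing between its own zones, its forwarders and a root-hints file. The following Python model is an added example written for this page; it is not code from either poster and sends no DNS packets. All addresses (192.0.2.x, 198.51.100.x, 192.168.1.x), the home.invalid zone contents and the "Internet" table are constructed sample data. It reproduces the NXDOMAIN trap Moe Trin describes: a local named that knows only local zones answers an external query with NXDOMAIN, and because that is a final answer, the stub resolver never tries the ISP servers listed after 127.0.0.1.

```python
"""Model of the lookup behaviour described in this thread: the stub
resolver's walk through /etc/resolv.conf and a caching name server's
choice between local zones, forwarders and root hints.
Constructed example; nothing here sends a DNS packet."""
from dataclasses import dataclass, field

MAXNS = 3                 # resolv.h limit mentioned in the thread
DEFAULT_NS = "127.0.0.1"  # used when resolv.conf has no nameserver line

# RCODE values from RFC 1035; only the ones this model needs.
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
TIMEOUT = "timeout"       # no reply at all; not an RCODE
# The stub resolver treats these two as answers and stops searching.
FINAL_RCODES = {NOERROR, NXDOMAIN}


def parse_resolv_conf(text):
    """Nameserver list as the resolver sees it: at most MAXNS entries,
    or 127.0.0.1 alone when no nameserver line exists."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers[:MAXNS] if servers else [DEFAULT_NS]


@dataclass
class NameServer:
    """Minimal caching name server: authoritative for `zones`, and for
    other names either forwards, recurses from root hints, or fails."""
    zones: dict                                      # zone -> {name: address}
    forwarders: list = field(default_factory=list)   # NameServer objects
    root_hints: bool = False                         # can recurse from the roots
    external: dict = field(default_factory=dict)     # the "Internet" (constructed)

    def query(self, name):
        # Local zones first: our own names get an authoritative answer.
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return (NOERROR, records[name]) if name in records else (NXDOMAIN, None)
        # Not ours: hand it to a forwarder if one is configured...
        if self.forwarders:
            for fwd in self.forwarders:
                rcode, answer = fwd.query(name)
                if rcode in FINAL_RCODES:
                    return rcode, answer
            return SERVFAIL, None
        # ...or resolve it ourselves from the root hints...
        if self.root_hints:
            return (NOERROR, self.external[name]) if name in self.external else (NXDOMAIN, None)
        # ...or, with neither, fall into the NXDOMAIN trap the thread warns about.
        return NXDOMAIN, None


def stub_resolve(name, servers, behaviour):
    """Walk the resolv.conf list: NOERROR or NXDOMAIN ends the search,
    any other rcode or a timeout moves to the next server.
    behaviour maps server address -> callable(name) -> (rcode, answer) or TIMEOUT.
    Returns (rcode, answer, servers_tried)."""
    tried = []
    for ip in servers:
        tried.append(ip)
        result = behaviour[ip](name)
        if result == TIMEOUT:
            continue
        rcode, answer = result
        if rcode in FINAL_RCODES:
            return rcode, answer, tried
    return SERVFAIL, None, tried


# --- constructed sample data (documentation address ranges) ---------------
INTERNET = {"www.example.com": "198.51.100.10"}
HOME_ZONE = {"home.invalid": {"pc1.home.invalid": "192.168.1.10"}}
isp_ns = NameServer(zones={}, root_hints=True, external=INTERNET)
trap_ns = NameServer(zones=HOME_ZONE)                  # local zone only
good_ns = NameServer(zones=HOME_ZONE, forwarders=[isp_ns])
RESOLV_CONF = """# constructed /etc/resolv.conf, laid out as in the original question
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.54
"""


def scenario(local_named, name):
    """Resolve `name` with `local_named` answering on 127.0.0.1, the first
    ISP server unreachable and the second ISP server working."""
    behaviour = {"127.0.0.1": local_named,
                 "192.0.2.53": lambda n: TIMEOUT,
                 "192.0.2.54": isp_ns.query}
    return stub_resolve(name, parse_resolv_conf(RESOLV_CONF), behaviour)


if __name__ == "__main__":
    print("local named, no forwarders, external name:", scenario(trap_ns.query, "www.example.com"))
    print("local named with forwarders, external name:", scenario(good_ns.query, "www.example.com"))
    print("local named down, external name:", scenario(lambda n: TIMEOUT, "www.example.com"))
    print("ISP server asked about a local name:", isp_ns.query("pc1.home.invalid"))
```

Run it and compare the first two lines: with `trap_ns` on 127.0.0.1 the external lookup ends at the first server with NXDOMAIN and the two ISP addresses are never consulted, whereas `good_ns` forwards and returns the answer. The third line shows the failover Bit Twister describes (timeouts move the query along the list), and the last shows the mirror image of the trap: an ISP server asked about home.invalid returns NXDOMAIN, which is why any server in resolv.conf must be able to answer both local and remote names.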