Tuesday, May 16, 2023

Not all nameservers are looked up

In DNS, an NXDOMAIN response is not exactly a failure. It is, or at least is supposed to be, perfectly valid information that the name you asked for does not exist. Real errors would be something like "I don't know" (SERVFAIL), "I'm not allowed to tell you" (REFUSED) or "[dead silence until timeout]".

In /etc/resolv.conf, the expectation is that all the configured nameservers are equal. That is, they are supposed to have the same access to DNS information: each of them should be able to resolve any name you might need resolved.

If this is not true, then a traditional Unix-style /etc/resolv.conf will be insufficient. The traditional (glibc) stub resolver asks the servers in the order listed and moves on to the next one only when the current one times out or returns an error such as SERVFAIL or REFUSED; the first real answer, NXDOMAIN included, ends the lookup. Many have tried to achieve what you seek by tweaking the order of the servers in the file, but all have failed: it just does not work that way, because there is no way to say "ask this server for that domain".

Instead, you'll typically need to set up a DNS resolver/cache/proxy that can be configured with rules like "if the name you need resolved belongs to one of these domains, then ask one of these servers; if the name is in that domain, then use that server; and for everything else, use those servers."

For example, you could set up dnsmasq and write something like this in dnsmasq.conf:

no-resolv
server=/corporate-domain.com.example/10.1.2.3
rev-server=10.1.0.0/16,10.1.2.3
server=/google.com/8.8.8.8
server=9.9.9.9

This would mean:

  • ignore /etc/resolv.conf (to prevent loops)
  • use nameserver 10.1.2.3 to resolve any names in the corporate-domain.com.example domain and any reverse queries for IP addresses in the 10.1.0.0/16 network
  • use 8.8.8.8 to resolve any names in the google.com domain
  • for all the rest, use 9.9.9.9.

Once you have dnsmasq configured like this, you would then configure /etc/resolv.conf with nameserver 127.0.0.1 only, to redirect all local DNS requests to the local dnsmasq. If the machine has other network interfaces, also set listen-address=127.0.0.1 in dnsmasq.conf, so that dnsmasq does not become an open resolver on them.

If your local nameserver is BIND, you can do the same with zone declarations of type forward:

zone "corporate-domain.com.example" {
    type forward;
    forwarders { 10.1.2.3; };
};
zone "1.10.in-addr.arpa" {
    type forward;
    forwarders { 10.1.2.3; };
};
zone "google.com" {
    type forward;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
options {
    forwarders { 9.9.9.9; };
    forward only;
};

This achieves the same result as the dnsmasq configuration above (the google.com zone here also lists 8.8.4.4 as a second forwarder, and "forward only" keeps BIND from falling back to resolving the names itself), but BIND's configuration syntax is a bit more verbose.
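Both the dnsmasq and the BIND configurations above rely on the same rule: the query name is matched against the configured domains on label boundaries, the most specific matching domain wins, and anything unmatched goes to the default servers. The following script is an added example, not code from the original post or from either project: it parses the dnsmasq-style rules from the post into a routing table and answers "which upstream gets this query?", including reverse lookups. The query names and the extra lab.corporate-domain.com.example rule in the usage note are made up for illustration, and the rev-server handling is simplified to octet-aligned IPv4 prefixes.

```python
"""Model of how a rule-based forwarder (dnsmasq / BIND forward zones) picks the
upstream server for a query name.  Added example; it does not talk to the network."""
import ipaddress

# Constructed input: the dnsmasq.conf fragment from the post, one directive per line.
DNSMASQ_CONF = """
no-resolv
server=/corporate-domain.com.example/10.1.2.3
rev-server=10.1.0.0/16,10.1.2.3
server=/google.com/8.8.8.8
server=9.9.9.9
"""


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def rev_server_suffix(cidr):
    """Turn a rev-server CIDR into the in-addr.arpa domain it covers,
    e.g. 10.1.0.0/16 -> 1.10.in-addr.arpa.
    Assumption (simplification): only octet-aligned IPv4 prefixes (/8, /16, /24, /32)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError(f"unsupported rev-server prefix: {cidr}")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(list(reversed(octets)) + ["in-addr", "arpa"])


def parse_rules(conf_text):
    """Parse no-resolv / server= / rev-server= lines.
    Returns (default_servers, rules) where rules is a list of (domain_labels, server)."""
    defaults, rules = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "no-resolv":
            continue
        key, _, value = line.partition("=")
        if key == "server" and value.startswith("/"):
            _, domain, server = value.split("/", 2)      # server=/domain/ip
            rules.append((_labels(domain), server))
        elif key == "server":
            defaults.append(value)                         # server=ip (default upstream)
        elif key == "rev-server":
            cidr, server = value.split(",", 1)             # rev-server=cidr,ip
            rules.append((_labels(rev_server_suffix(cidr)), server))
        else:
            raise ValueError(f"unrecognised directive: {line}")
    return defaults, rules


def select_upstream(qname, defaults, rules):
    """The rule whose domain equals the longest label-boundary suffix of qname wins;
    a plain string endswith() would wrongly match notcorporate-domain.com.example."""
    q = _labels(qname)
    best = None
    for suffix, server in rules:
        n = len(suffix)
        if n and n <= len(q) and q[-n:] == suffix and (best is None or n > best[0]):
            best = (n, server)
    return best[1] if best else defaults[0]


def route(qname, conf_text=DNSMASQ_CONF):
    """Convenience wrapper: which upstream does this configuration send qname to?"""
    defaults, rules = parse_rules(conf_text)
    return select_upstream(qname, defaults, rules)


def reverse_name(ip):
    """PTR owner name for an address, e.g. 10.1.5.6 -> 6.5.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    # Constructed query names, chosen to hit each rule and the label-boundary edge case.
    for name in ("host.corporate-domain.com.example", "mail.google.com", "example.org",
                 "notcorporate-domain.com.example",
                 reverse_name("10.1.5.6"), reverse_name("8.8.8.8")):
        print(f"{name:40} -> {route(name)}")
```

Adding a more specific rule such as server=/lab.corporate-domain.com.example/10.1.9.9 (a hypothetical server) makes names under that subdomain go to 10.1.9.9 while the rest of corporate-domain.com.example still goes to 10.1.2.3, which is the precedence both dnsmasq and BIND forward zones apply. On a real host, the same checks are done with dig @127.0.0.1 host.corporate-domain.com.example and dig -x 10.1.5.6 @127.0.0.1, with log-queries enabled in dnsmasq.conf to see which upstream each query was forwarded to.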


Source:

https://unix.stackexchange.com/questions/473062/not-all-nameservers-are-looked-up

References

https://www.cloudns.net/blog/dns-cache-explained/

https://installati.one/debian/10/nscd/
