04-11-2018 04:35 AM
I have a customer that has configured a bind server with forward zones, however in one of the forward zone "statements" inside named.conf a bad ip address out of two was entered. (So two forward servers are configured for the particualar zone)
Now to my real question, how will the server react on queries for the zone?
It felt like it used the default 10800 seconds of max-ncache-ttl, because it seemed like when the server doing the forwarding tried to reach the misconfigured server ip the DNS record was dead for 3 hours (monitored).
Does anyone know how it should react to unreachable forward servers in terms of cached responses?
I know that the max-ncache-ttl is normally configured in the SOA of the zone but in that case it does not even reach the zone.
I realize it is a somewhat strange question given the misconfiguration, but customer has asked for my advice.
Many thanks and kind regards,
Solved! Go to Solution.
04-12-2018 10:38 PM
Sorry for our delayed response. As long as one out of the ‘two’ forwarders are up & good, I believe there shouldn’t be a problem with your forward zone. I’m not quite sure about the question, “Does anyone know how it should react to unreachable forward servers in terms of cached responses?”.
I’ll explain this from an Infoblox point of view :
- Say your caching DNS server is 'X'. The forward zone configured is ‘infoblox.com’ with forwarders server 'B' & server 'C', in ‘Use Forwarders Only’ mode.
- Let’s consider server B is an unreachable server or is ‘dead’.
- A client queries server X for ‘community.infoblox.com’ -> Server X in turn queries server B for ‘community.infoblox.com’ -> Server B doesn’t respond to the query -> Server X in turn queries server C for ‘community.infoblox.com’-> Receives an IP address for ‘community.infoblox.com’ -> Server X caches the response for the TTL returned(Max cache TTL in case if the returned TTL > max cache TTL of server X) & returns the answer back to the client. I don’t think max-ncache-ttl ever comes into picture somewhere here. Yes, it would play a role in case if server B or Server C returns Negative responses for ‘community.infoblox.com’.
To explain with respect to the above example :
- Server B never responds & server C returns NXDOMAIN for ‘community.infoblox.com’ with a TTL of 10 minutes (negative TTL for ‘infoblox.com’ in its authoritative server when max negative ttl of server C is > than this TTL. If not, that’ll be the max-ncache-ttl of server C).
- Now say the max-ncache-ttl of server X is 5 minutes.
- Now server X would cache the NXDOMAIN response from server C for 5 minutes since the ‘max-ncache-ttl’ < than 10 minutes TTL returned by server C for ‘community.infoblox.com’. So it is important to ensure that the configured forwarders for the zone doesn’t return negative responses for the zone/record when queried which may be dangerous, considering the fact that NXDOMAIN is still a valid DNS response. In that aspect, I see something to be worried about the max-ncache-ttl.
- Server X continues to return NXDOMAIN response for the next 5 minutes before it tries either server B or server C for ‘community.infoblox.com’.
I hope this makes sense.
04-13-2018 12:01 AM - edited 04-13-2018 12:01 AM
Hi Mohammed, thanks for the reply.
That was my understanding as well, thanks for making it more clear.
The customer said that the record was down for 3 hours. That is equal to 10800, the default value of max-ncache-ttl and hence the post.
Many thanks and kind regards,