
Iterative lookups on client

New Member
Posts: 2
1849     1

I have a domain, example.com, which has a delegated subdomain sub.example.com. However, recursion is turned off for the Infoblox server hosting example.com. 

Should clients iterate if they request host.sub.example.com? Or do they just end up with an NXDOMAIN, which seems wrong to me? I can't seem to find any definitive answers. Thanks.

-deo

Re: Iterative lookups on client

Superuser
Posts: 45
1849     1
Hi Deo,

Thank you for your DDI inquiry. We’re looking into it and will respond as soon as possible. Thank you for your patience.

Best regards,

Bob Rose
Principal Product Marketing Manager
Infoblox NIOS DDI & Value-Added Services
M: +1 360.584.8360 | My I.D.TM is 7553<>
Secure, Cloud-First Network Experience

Re: Iterative lookups on client

Superuser
Posts: 105
1850     1

Hi,

 

Here I will assume that there's no configuration issue. Basically, a stub resolver will not do an iterative query when you have a delegation zone. This is because when you query from a PC/stub, the RD (recursion desired) flag is set to 1, so when it gets a referral response it will not do the iterative query.

 

If you need to test the delegation zone, then you need a resolver DNS / LDNS (local DNS). The reason is that the RD flag in LDNS is set to 0; this will make the resolver do an iterative query when it gets a referral answer such as a delegation zone. You can also do a packet capture in LDNS so you can see how it works.

 

Thanks

Re: Iterative lookups on client

Superuser
Posts: 45
1850     1
Hi,

I’ve presented your inquiry to our Infoblox DDI SMEs (DDI Architects, Product Managers, and Principal Solution Architects (SAs)) and here’s their guidance:

If the client in question is a stub resolver and it's configured to query the Infoblox DNS server hosting example.com, it should get a referral back (to the DNS servers for sub.example.com). Most stub resolvers can't follow referrals, so they'll just return an error (but not NXDOMAIN, which wouldn't be accurate).

Here are some additional comments concerning:

A Client:
It wouldn’t do iterative queries.

An Internal DNS Environment:
You’d have to enable recursion for it to work (and it’s recommended to use forwarding rather than delegation in that use case).

An External DNS Environment:
In this (Internet-facing) environment, there would certainly be a recursive resolver between the client and your DNS servers, and that recursive resolver would be able to follow the referral to the delegated server.

We hope this helps answer your inquiry. Please advise if you have any further questions or contact your Account Team Solution Architect for further information. Thank you for being part of the Infoblox DDI Community.

Best regards,

Bob Rose
Principal Product Marketing Manager
Infoblox NIOS DDI & Value-Added Services
M: +1 360.584.8360 | My I.D.TM is 7553<>
Secure, Cloud-First Network Experience
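
The referral described in the reply above, as an added example (not part of the original thread and not Infoblox code): a minimal Python classifier for raw DNS responses that tells a referral (NOERROR, empty answer section, NS records in the authority section, AA=0) apart from NXDOMAIN. The sample messages are constructed, and the name server names ns1/ns2.sub.example.com are assumptions.

```python
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def classify(msg):
    """Return (kind, ns_targets) for a raw DNS response."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    targets = []
    for i in range(an + ns):                      # answer RRs, then authority RRs
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= an and rtype == 2:                # NS record in the authority section
            targets.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    if rcode == 3:
        return "NXDOMAIN", []
    if rcode != 0:
        return "ERROR", []
    if an:
        return "ANSWER", []
    if targets and not aa:                        # NOERROR, no answer, NS present, AA=0
        return "REFERRAL", targets
    return "NODATA", []

# Constructed sample: reply to "host.sub.example.com A" from the example.com
# server with recursion off. Flags 0x8100 = QR, RD echoed, RA=0, AA=0, NOERROR.
QUESTION = b"\x04host\x03sub\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
def ns_rr(host):                                  # pointer 0xC011 -> "sub.example.com"
    rdata = bytes([len(host)]) + host + b"\xc0\x11"
    return b"\xc0\x11" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
REFERRAL = struct.pack("!6H", 0x1234, 0x8100, 1, 0, 2, 0) + QUESTION + ns_rr(b"ns1") + ns_rr(b"ns2")
NXDOMAIN = struct.pack("!6H", 0x1234, 0x8503, 1, 0, 0, 0) + QUESTION
```

`classify(REFERRAL)` returns the `REFERRAL` kind together with the delegated name servers, which is the information a recursive resolver follows and a stub resolver does not.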

Re: Iterative lookups on client

New Member
Posts: 2
1850     1

Thanks. This is what I was looking for.
