  • Request sent from DNS server to another DNS server not listed as forwarder

    I have what might just be a lack of understanding of DNS in regards to how recursion works, but the only way to know is to ask and make sure that I know.

    The setup is the following:

    2 DNS servers in one domain (DNSA and DNSB), another DNS server in a different domain (DNS_C) and another DNS server sitting outside in the DMZ (DNS_DMZ). Recursion is enabled on all of the DNS servers.
    DNS_C has forwarders configured back to DNSA and DNSB. DNS_C has nothing configured on it to know about DNS_DMZ.

    With that being said, what I am seeing is that I have a request coming in for a reverse lookup on an IP address into DNS_C, in which DNS_C does not have any zones for it or anything in its reverse lookup zone. It then, based on the DNS debug logs, sends a request to DNSA and DNSB for that information. I imagine that this is because of the forwarders which are configured on DNS_C. The weird thing that is happening is that sometimes I see a request being sent out to DNS_DMZ from DNS_C for the reverse lookup.

    Breakdown of what happens based on the DNS debug log:

    1) DNS_C receives a reverse lookup request (that is recursive) from a client
    2) DNS_C does not have information on the IP.
    3) DNS_C sends requests out to DNSA and DNSB (both listed as forwarders) for the reverse lookup
    4) Occasionally, a request is sent out to DNS_DMZ, which is not listed anywhere except the cached lookup occasionally.

    So my question is: is this supposed to happen? I occasionally see a cached lookup for DNS_DMZ but am not sure if that relates in any way to this occurrence with the reverse lookup request that is sent out to the DNS_DMZ server from DNS_C. DNSA and DNSB have entries for DNS_DMZ and are authoritative if I do an NSLookup for DNS_DMZ.

    Is there anything else that I should be looking at to understand why DNS_C sends requests out to DNS_DMZ, or is this just the way DNS works with recursion?

  • #2
    I've never used DNS in a network with a DMZ, but what would be useful to know is: does the IP address that was requested exist on your network? If not, the request would have to leave your network, so presumably the DNS server in the DMZ would be queried because it sits between your local network and the Internet. But I may have this all wrong, so I will be happy to be corrected.
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #3
    I run a standard 3-legged server network (internal, DMZ, external), and our DNS sits in the internal segment. When the DMZ servers need DNS resolution, the firewall between the segments allows the traffic on the specified ports. Anything our DNS isn't authoritative for gets recursively looked up by the forwarders configured. As with any DNS config, if the forwarders don't answer in time, the root hints listing is queried. I've never heard of the kind of behavior the OP describes.
    *RicklesP*
    MCSA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
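    The OP's debug-log breakdown and RicklesP's description of the resolution order (forwarders first, root hints if they do not answer) both come down to one question: which servers does DNS_C actually send queries to, and in what mode? The script below is an added example, not code from this thread or from Windows DNS Server. It parses lines constructed in the shape of the Windows DNS debug log (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, XID, an R for responses, opcode, bracketed flags, query type, wire-format name), lists every outbound query to a server that is not a configured forwarder, and records whether the query had recursion desired set (what a query to a forwarder looks like) or not (iterative, what a root-hint or referral chase looks like). The addresses for DNSA, DNSB, DNS_DMZ and the client, the log lines, and the reading of the flag letter D as recursion desired are assumptions made for the example.

```python
"""Audit outbound DNS queries against the configured forwarder list.

Added example for this thread; not code from the thread or from Windows DNS Server.
The log lines are CONSTRUCTED in the shape of the Windows DNS Server debug log and
the server addresses are hypothetical stand-ins for the names used in the thread.
"""
import re
from collections import Counter

# Hypothetical addresses for the servers named in the thread.
FORWARDERS = {"10.1.1.10": "DNSA", "10.1.1.11": "DNSB"}
ROOT_HINTS = {"198.41.0.4": "a.root-servers.net"}  # one real root server, for illustration
OTHER_KNOWN = {"172.16.5.5": "DNS_DMZ"}
IN_ADDR = ".in-addr.arpa"

# Constructed sample: one PTR lookup answered via the forwarders, then a second one where
# the server queries DNS_DMZ and a root server directly, without recursion desired.
SAMPLE_LOG = """\
3/14/2013 10:05:12 AM 0B2C PACKET  000000000A6F4C80 UDP Rcv 10.2.2.50     0002   Q [0001   D   NOERROR] PTR    (1)5(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:12 AM 0B2C PACKET  000000000A6F4D10 UDP Snd 10.1.1.10     a1f3   Q [0001   D   NOERROR] PTR    (1)5(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:12 AM 0B2C PACKET  000000000A6F4D10 UDP Snd 10.1.1.11     a1f4   Q [0001   D   NOERROR] PTR    (1)5(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:13 AM 0B2C PACKET  000000000A6F4D10 UDP Rcv 10.1.1.10     a1f3 R Q [8081   DR  NOERROR] PTR    (1)5(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:13 AM 0B2C PACKET  000000000A6F4C80 UDP Snd 10.2.2.50     0002 R Q [8185   DR  NOERROR] PTR    (1)5(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:40 AM 0B2C PACKET  000000000A6F4E20 UDP Rcv 10.2.2.50     0003   Q [0001   D   NOERROR] PTR    (1)9(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:40 AM 0B2C PACKET  000000000A6F4E90 UDP Snd 172.16.5.5    b7c2   Q [0000       NOERROR] PTR    (1)9(1)4(1)3(2)10(7)in-addr(4)arpa(0)
3/14/2013 10:05:41 AM 0B2C PACKET  000000000A6F4EA0 UDP Snd 198.41.0.4    b7c3   Q [0000       NOERROR] PTR    (1)9(1)4(1)3(2)10(7)in-addr(4)arpa(0)
"""

LINE_RE = re.compile(r"""
    ^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>\S+)\s+PACKET\s+(?P<pkt>\S+)\s+
    (?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+
    (?P<resp>R\s+)?(?P<op>[A-Z])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$
    """, re.VERBOSE)


def decode_name(wire: str) -> str:
    """Turn the log's (len)label...(0) notation into a dotted name."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", wire)]
    return ".".join(label for label in labels if label)


def ptr_to_ip(qname: str):
    """Recover the IPv4 address behind an in-addr.arpa PTR name (None otherwise)."""
    if not qname.endswith(IN_ADDR):
        return None
    return ".".join(reversed(qname[: -len(IN_ADDR)].split(".")))


def parse_packet_line(line: str):
    """Parse one PACKET line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Flags field looks like "0001   D   NOERROR": hex word, flag letters, rcode.
    # Assumption: D marks recursion desired, R recursion available (debug-log convention).
    flag_letters = "".join(d["flags"].split()[1:-1])
    return {
        "direction": d["dir"],
        "remote": d["remote"],
        "is_response": d["resp"] is not None,
        "recursion_desired": "D" in flag_letters,
        "qtype": d["qtype"],
        "qname": decode_name(d["qname"]),
    }


def classify_remote(ip: str) -> str:
    if ip in FORWARDERS:
        return "forwarder"
    if ip in ROOT_HINTS:
        return "root-hint"
    return "unexpected"


def outbound_queries(log_text: str):
    """Yield parsed outbound (Snd) queries, skipping responses and unparsable lines."""
    for line in log_text.splitlines():
        pkt = parse_packet_line(line)
        if pkt and pkt["direction"] == "Snd" and not pkt["is_response"]:
            yield pkt


def upstream_query_counts(log_text: str) -> Counter:
    """How many queries went to each upstream server."""
    return Counter(pkt["remote"] for pkt in outbound_queries(log_text))


def audit_outbound_queries(log_text: str):
    """List every outbound query that did not go to a configured forwarder."""
    findings = []
    for pkt in outbound_queries(log_text):
        kind = classify_remote(pkt["remote"])
        if kind == "forwarder":
            continue
        findings.append({
            "remote": pkt["remote"],
            "name": OTHER_KNOWN.get(pkt["remote"]) or ROOT_HINTS.get(pkt["remote"], "?"),
            "kind": kind,
            "mode": "recursive" if pkt["recursion_desired"] else "iterative",
            "qname": pkt["qname"],
            "target_ip": ptr_to_ip(pkt["qname"]) if pkt["qtype"] == "PTR" else None,
        })
    return findings


if __name__ == "__main__":
    for remote, n in upstream_query_counts(SAMPLE_LOG).items():
        print(f"{remote:<15} {n} outbound quer{'y' if n == 1 else 'ies'} ({classify_remote(remote)})")
    for f in audit_outbound_queries(SAMPLE_LOG):
        print(f"non-forwarder query: {f['name']} {f['remote']} {f['mode']} {f['qname']} -> {f['target_ip']}")
```

    On the constructed sample the two queries to the forwarders are recursive and are not flagged, while the queries to DNS_DMZ and the root server carry no recursion-desired flag, which is what an iterative lookup driven by root hints or by a cached referral looks like. Run against the real debug log, the same split (which remote, recursive or iterative, which reverse name) is the piece of evidence the thread is missing for deciding whether the DNS_DMZ queries are forwarder traffic or the server resolving on its own.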

  • #4
    Originally posted by Blood:
      I've never used DNS in a network with a DMZ, but what would be useful to know is: does the IP address that was requested exist on your network? If not, the request would have to leave your network, so presumably the DNS server in the DMZ would be queried because it sits between your local network and the Internet. But I may have this all wrong, so I will be happy to be corrected.

    Yes, the IP does exist on the network. In fact, I can ping it on the same network as DNSA/B but not on the same network as DNS_C.

  • #5
    Originally posted by RicklesP:
      I run a standard 3-legged server network (internal, DMZ, external), and our DNS sits in the internal segment. When the DMZ servers need DNS resolution, the firewall between the segments allows the traffic on the specified ports. Anything our DNS isn't authoritative for gets recursively looked up by the forwarders configured. As with any DNS config, if the forwarders don't answer in time, the root hints listing is queried. I've never heard of the kind of behavior the OP describes.

    It is odd that it isn't consistent; usually the forwarders (DNSA/B) will get hit up first and respond back. It is just odd to me how this particular DNS server will get queried when it's not configured as a forwarder. I don't see anything going out to the servers in the root hints either, though.