Date: Sun, 06 Dec 1998 21:40:53
From: Kurt Keller <Kurt@pinboard.com>
To: net@FreeBSD.ORG
Subject: Re: resolver behaviour
Message-ID: <3.0.5.16.19981206214053.683794b8@pop.pbdhome.pinboard.com>
In-Reply-To: <13930.17883.922553.625725@avalon.east>
References: <13929.39477.406338.806610@avalon.east> <199812052221.RAA10079@khavrinen.lcs.mit.edu>
>: > Instead, to the best of my current understanding, the resolver
>: > presently returns failure if it encounters a responding nameserver
>: > which reports a negative lookup response. This hardly seems

And more often than not, the negative response is correct. There are lots of people trying to resolve nonexistent hosts, be it because of typos or because they just try the wrong hostname for a given domain or they did not append the domain to the hostname. If someone tries to look up a hostname which simply does not exist (not every domain has hosts named ftp, mail, ns, pop, smtp...), what do you expect the resolver to do? Simply try till the end of time?

>Upon reflection, I really don't want to run a nameserver on the
>firewall at all. I just want to be able to successfully resolve names
> 1) on disjoint networks from a common host, and
> 2) in the presence of nameservers returning bad negative responses.
> (a surprisingly common occurrence in the present Internet milieu).

I also don't want a nameserver on the firewall. If somehow possible, the firewall should be invisible towards both outside and inside. Whatever you can see, you can also try to attack, and it might give you a clue that you need to work around that system. Run a DNS server in your DMZ.

If nameservers give bad responses, find out where those bad responses are coming from and send a friendly explanatory e-mail to the admin. At least up to now it has always worked for me.

>: problems arise from doing lookups on `internal' addresses on `external'
>: nameservers?

>This is one source of problems

If you have such a problem, then it's your DNS environment which is at fault, not the resolver.

>Again, the DNS environment on the Internet as a whole is very poor.

Forward lookups usually work, but I agree that many sites are missing the proper setup for reverse lookup.

>: If one nameserver responds name invalid, another responds with
>: an address, which would you consider to be the correct answer?
>The address, because it often works.

Negative caching is relatively short. Positive caching is usually much longer. So I would think that if one nameserver says 'no such host' it is correct. The admin might be about to remove or renumber the host. The other nameserver saying 'this host has IP X' probably gives you an answer out of its cache.

Kurt
--
--------------------------------------------------------------------
¦ Kurt@pinboard.com           http://www.pinboard.com/      business ¦
¦                             http://www.pinboard.com/kurt/ private  ¦
¦--------------------------------------------------------------------¦
¦ Unix and Internet Specialist                                        ¦
--------------------------------------------------------------------
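The resolver policy argued about in this thread (stop as soon as a responding nameserver says NXDOMAIN, but move on to the next server after a timeout or SERVFAIL), shown as an added example. This is not code from the thread, from the FreeBSD resolver, or from Kurt; it is a small stand-alone model written for this page. The DNS response bytes are constructed inline with a helper (`build_response`) so the example runs offline; the server names ns1/ns2/ns3, the hostname host.example.com and the address 192.0.2.10 are made up for illustration.

```python
"""Toy model of the resolver behaviour discussed in the thread (added example,
not the FreeBSD resolver). Parses real DNS wire format, but all responses are
constructed locally so nothing is sent on the network."""
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # RCODE values from RFC 1035

def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, rcode, answers=(), ttl=3600, aa=True):
    """Construct a minimal DNS response (one question, N A records).
    Used only to fabricate sample input for this example."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0400 if aa else 0) | (rcode & 0xF)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C: compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + rrs

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [(ttl, ipv4), ...]) for the A records in a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers

def resolve(server_responses):
    """Walk the nameserver list the way the thread describes the resolver.
    server_responses: [(server, raw_bytes_or_None), ...]; None means timeout.
    Returns ("ok", ip), ("nxdomain", server) or ("fail", None)."""
    for server, raw in server_responses:
        if raw is None:
            continue  # no reply at all: try the next server
        rcode, answers = parse_response(raw)
        if rcode == NXDOMAIN:
            # A responding server said "no such host": treated as final,
            # the remaining servers are not consulted.
            return ("nxdomain", server)
        if rcode == NOERROR and answers:
            return ("ok", answers[0][1])
        # SERVFAIL, REFUSED, or an empty NOERROR: fall through to the next one
    return ("fail", None)

if __name__ == "__main__":
    positive = build_response("host.example.com", NOERROR, ["192.0.2.10"])
    print(resolve([("ns1", None),
                   ("ns2", build_response("host.example.com", NXDOMAIN)),
                   ("ns3", positive)]))
    print(resolve([("ns1", None),
                   ("ns2", build_response("host.example.com", SERVFAIL)),
                   ("ns3", positive)]))
```

The first call returns the negative answer from ns2 even though ns3 would have given an address, which is exactly the situation the original poster complains about and Kurt defends; the second shows that a SERVFAIL (unlike NXDOMAIN) does not end the search. The TTL is carried through `parse_response` so the caching argument can be checked against real responses: a short TTL on a negative answer versus a long one on a positive answer is visible in the returned tuples.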