Recursion doesn't work ;-(

jt

Hi all,

I am running a Win2K DNS (SP4) and the DNS pollutes my logs with error 7063, saying that the "local DNS is configured as to forward all queries to a non-recursive provider DNS. These servers "ought" to be configured as accepting process requests (forwarding)." The provider DNS is 194.25.2.130 which DOES answer recursive queries. 7063 also says that I should enable forwarding....guess what the system is configured to.

Our DNS machine is NAT'ed 1:1 through a DMZ and a PIX; a low-level sniff on the Cisco boxes shows the outside sending answers to inside queries and the inside sending queries and receiving answers.

What the hell can this be? UDP isn't blocked; #53 straight through; ICMP globally blocked.

Greets

jt
 
In
jt said:
Hi all,

I am running a Win2K DNS (SP4) and the DNS pollutes my logs with error 7063, saying that the "local DNS is configured as to forward all queries to a non-recursive provider DNS. These servers "ought" to be configured as accepting process requests (forwarding)." The provider DNS is 194.25.2.130 which DOES answer recursive queries. 7063 also says that I should enable forwarding....guess what the system is configured to.

Our DNS machine is NAT'ed 1:1 through a DMZ and a PIX; a low-level sniff on the Cisco boxes shows the outside sending answers to inside queries and the inside sending queries and receiving answers.

What the hell can this be? UDP isn't blocked; #53 straight through; ICMP globally blocked.

Greets

jt

I just checked 194.25.2.130; it is _not_ recursive.
Try a different forwarder. What would make you think it is recursive? It doesn't answer recursively; the RA bit is not there.
 
Hi Kevin,

thanks for your answer! To keep this amusing, lemme tell you what...:-)

This seems to be one of those worse days. Just got up this morning, nearly broke my foot by accidentally banging it against the bed foot (true!), spilled coffee all over the Office Kitchen, DNS resolution screwed up and NOW, NOW (!!!)......:-))
Guess what, I'm sitting here with this damned bandaged swollen foot and need to learn about DNS recursion.

Did I get right that a public DNS server (the mentioned one is from one of our biggest ISPs) needs to be configured as to allow DNS recursion if I wanted to use it as a forwarder? And did I get right that throwing the "Recursion Off" switch would hinder boxes behind NAT from resolution of non-local namespace?
I assume I lack a major piece of understanding as it had been working before.....I just don't know.

Anyway, how did you find out that the DNS isn't recursive?

greets

Daniel
 
In
jt said:
Hi Kevin,

thanks for your answer! To keep this amusing, lemme tell you what...:-)

This seems to be one of those worse days. Just got up this morning, nearly broke my foot by accidentally banging it against the bed foot (true!), spilled coffee all over the Office Kitchen, DNS resolution screwed up and NOW, NOW (!!!)......:-))
Guess what, I'm sitting here with this damned bandaged swollen foot and need to learn about DNS recursion.

Well, just remember, when you're standing there in the middle of a swamp with water up to your A-- surrounded by alligators, your original intent was to drain the swamp.

Did I get right that a public DNS server (the mentioned one is from one of our biggest ISPs) needs to be configured as to allow DNS recursion if I wanted to use it as a forwarder?

That is up to the ISP or owner. Many ISPs (especially the big ones) have DNS servers strictly for hosting public zones; in that case they usually have a separate set of DNS servers to act as public resolvers.

Check with your ISP to see if they have a set of resolvers to use, otherwise you can use 4.2.2.1 and 4.2.2.2

did I get right that throwing the "Recursion Off" switch would hinder boxes behind NAT from resolution of non-local namespace?

Turning recursion off will hinder any resolution of names that the DNS does not have a zone for. In fact it does more than hinder, it forbids it.

I assume I lack a major piece of understanding as it had been working before.....I just don't know.

Your DNS server may have been using recursion, in that case it will resolve.

Anyway, how did you find out that the DNS isn't recursive?

Here is a part of the query I ran against it.

opcode: Query, status: NOERROR, id: 23
flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

See the flags statement rd; ? That is the Recursion Desired bit.

When I run the same query against a recursive DNS:

opcode: Query, status: NOERROR, id: 23
flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

You see the rd followed by an ra? The ra bit is for Recursion Available.
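The check Kevin describes (send a query with RD set, look for RA in the reply header) is easy to reproduce without dig. The script below is an added example and is not code from the thread: it builds a wire-format A/IN query, decodes the 12-byte DNS header and prints a flags line in the same style as the output quoted above. The two sample responses are constructed here to mirror those two outputs (header only, the resource records are omitted); `probe()` is an assumed helper that sends one UDP query to a server of your choosing and is the only part that touches the network.

```python
"""Tell a recursive DNS server from a non-recursive one by the RA flag."""
import secrets
import socket
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

# Header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by the server)


def build_query(name, qid=None, qtype=1):
    """Return a wire-format query for `name` (A/IN by default) with RD set.

    The ID is random unless given; a predictable ID makes spoofed answers
    easier to inject, so the fixed id 23 from the post is only for display.
    """
    if qid is None:
        qid = secrets.randbelow(1 << 16)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    header = HEADER.pack(qid, RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header of a DNS message into a dict of fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": qid,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flags_line(h):
    """Format a parsed header the way the quoted dig-style output shows it."""
    set_flags = " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if h[f])
    return ("flags: %s; QUERY: %d, ANSWER: %d, AUTHORITY: %d, ADDITIONAL: %d"
            % (set_flags, h["qdcount"], h["ancount"], h["nscount"], h["arcount"]))


def recursion_available(response):
    """True only if the message is a response and the server advertised RA."""
    h = parse_header(response)
    return h["qr"] and h["ra"]


# Constructed sample headers mirroring the two outputs quoted in the post.
NON_RECURSIVE_RESPONSE = HEADER.pack(23, QR | RD, 1, 0, 13, 13)    # referral only
RECURSIVE_RESPONSE = HEADER.pack(23, QR | RD | RA, 1, 5, 0, 0)      # real answer


def probe(server, name="example.com", timeout=3.0):
    """Send one UDP query to `server` and return its parsed header (live check)."""
    qid = secrets.randbelow(1 << 16)
    query = build_query(name, qid=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    h = parse_header(data)
    if h["id"] != qid:
        raise ValueError("response ID does not match the query; discard it")
    return h


if __name__ == "__main__":
    for label, resp in (("non-recursive", NON_RECURSIVE_RESPONSE),
                        ("recursive", RECURSIVE_RESPONSE)):
        h = parse_header(resp)
        print(label, "->", flags_line(h), "| RA set:", h["ra"])
```

Run `probe("<your forwarder>")` from the host that will actually use the forwarder: a resolver that serves only its own customers may clear RA or answer with rcode 5 (REFUSED) for outside addresses, so a check from elsewhere tells you nothing about what your DNS server will get.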
 
Hi again Kevin,

thanks for your answer, will get a huge pump! :-))

That is up to the ISP or owner. Many ISPs (especially the big ones) have DNS servers strictly for hosting public zones; in that case they usually have a separate set of DNS servers to act as public resolvers.

Hm. Sounds reasonable. I always thought, there's a DNS box out there, so why not use it? I should add that I just got responsible for the box since the guy who did the job before me got his butt fired. Now they hired a Cisco Systems guy who stands before Win2k, having let go of NT 3.51 and NCP years ago.

Check with your ISP to see if they have a set of resolvers to use, otherwise you can use 4.2.2.1 and 4.2.2.2

I will try.

Your DNS server may have been using recursion, in that case it will resolve.

Strange is the fact that as far as I have been told, the nsX.btx.dtag.de boxes were in use over the whole uptime of nearly 2 years until now.

You see the rd followed by an ra? The ra bit is for Recursion Available.

Again learned something.

Hope This Helps

It did.

Thanks again, Kevin. Great job :-))

PS. Watch your feet! :-))
 
In
Kevin D. Goodknecht said:
Well, just remember, when you're standing there in the middle of a swamp with water up to your A-- surrounded by alligators, your original intent was to drain the swamp.
<snip>

I like that... alligators! .... have to remember it!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 