
I have a Linux box (Ubuntu server 11.10) inside a Windows Active Directory domain, and it is joined to the domain using likewise-open. The resolv.conf file looks like this:

domain mydomain.com
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

where 192.168.1.1 is the Windows DNS server for the Windows domain. 8.8.8.8 and 8.8.4.4 are Google's public DNS servers that we preferred over our ISP servers.

That setup was working properly, until we decided to disable recursion in the Windows DNS server due to some changes in our network design. I thought that would go well, as we have configured it to use Google's servers next, but it seems not:

mydomain\myuser@linux-server:~$ dig google.com

; <<>> DiG 9.7.3 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55321
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      A

;; AUTHORITY SECTION:
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
c.root-servers.net.     3600    IN      A       192.33.4.12
d.root-servers.net.     3600    IN      A       128.8.10.90
e.root-servers.net.     3600    IN      A       192.203.230.10
f.root-servers.net.     3600    IN      A       192.5.5.241

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jan  8 14:02:22 2014
;; MSG SIZE  rcvd: 507

Also:

mydomain\myuser@linux-server:~$ ping google.com
ping: unknown host google.com

I also have failing squid proxy connections (which I solved using the dns_nameservers option inside the squid configuration and ignoring the internal DNS server).

Why do DNS requests fail when recursion is declined by the first nameserver? Shouldn't the machine try the next server? And what can I do if that is the expected (designed) behavior?

EDIT: nslookup gave different (successful) results:

mydomain\myuser@linux-server:~$ nslookup google.com
;; Got recursion not available from 192.168.1.1, trying next server
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 173.194.67.102
Name:   google.com
Address: 173.194.67.138
Name:   google.com
Address: 173.194.67.100
Name:   google.com
Address: 173.194.67.113
Name:   google.com
Address: 173.194.67.139
Name:   google.com
Address: 173.194.67.101

So is this application-dependent? Can I get that (trying the next server if the first refuses recursion) to work transparently for all applications requesting name resolution, or is name resolution the responsibility of the program itself? (Or am I missing something?!)

EDIT: Also worth noting, mydomain.com is a registered and public address on the internet and is not owned by us. It's like we've set up an internal domain named apple.com, and I assure you I don't work for Apple, at least not yet ;-).

1 Answer


I'm afraid the answer will be "it depends".

As far as dig is concerned, it is basically a tool used to debug DNS information. Thus, it shows you the information it gets back from the nameserver you asked; it doesn't go on and make further questions.

For other programs, it will depend on the program. Most will probably use the operating system's functions for name resolution (see man getnameinfo). Others may not. This means that if you list a non-recursive nameserver, you will have some errors that will be very hard to locate.

In other words, keeping a non-recursive nameserver in your list of resolvers is a bad idea.

If you don't want the Windows server to be recursive, then I'd recommend setting up a separate server to act as a resolver and let that one ask the Windows server for the internal domains.

  • Actually mydomain.com is a valid and registered domain on the internet, I think that may cause a problem to the other recursive domain, maybe? Commented Jan 8, 2014 at 13:18
  • Since 192.168.1.1 is not a publicly routable address, I was assuming that this was not your company's public nameserver. But if you already have a separate server to respond to queries for addresses within your domain, why keep this one in the resolver list at all? It would appear to serve no purpose... Commented Jan 8, 2014 at 13:24
  • (Also, mydomain.com is a valid and registered domain, but is it really yours?) Commented Jan 8, 2014 at 13:27
  • No no, the local domain name is identical to other one that is used on the internet but not ours. Say, for example, that our local domain is apple.com! P.S. I know that was a bad idea but it's the case already and is not subject to change now... Commented Jan 8, 2014 at 13:30
  • No, @Jenny it's not ours!! Commented Jan 8, 2014 at 13:31
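The answer's point is that a nameserver which refuses recursion is a latent, hard-to-diagnose failure for every resolver entry it occupies. The check below is an added example, not code from the question or the answer: it parses the resolv.conf content from the question (embedded here as constructed input), sends each listed server a plain RD query like dig does, and reports whether the reply carries the RA (recursion available) flag, which is exactly the flag missing from the "flags: qr rd" line in the dig output above.

```python
import socket
import struct

# Constructed input mirroring the resolv.conf shown in the question.
RESOLV_CONF = """domain mydomain.com
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf text, in lookup order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def build_query(name, txid=0x1234):
    """Minimal DNS A query with only the RD bit (0x0100) set, as dig sends by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def recursion_available(response):
    """True if the RA bit (0x0080) is set in the response header flags word."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0080)

def check_server(server, name="google.com", timeout=2.0):
    """Query one server over UDP; True/False for RA, None if it did not answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
        return recursion_available(data)
    except socket.timeout:
        return None
    finally:
        sock.close()

if __name__ == "__main__":
    # A server reporting False here will produce the dig output seen in the question.
    for ns in parse_nameservers(RESOLV_CONF):
        print(ns, "recursion available:", check_server(ns))
```

Any server that reports False should be removed from resolv.conf (or replaced by a local forwarding resolver, as the answer suggests), because only some clients, nslookup among them, will fall through to the next entry.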
