Mike Bird wrote:
> vr wrote:
> > Mike Bird wrote:
> > > vr wrote:
> > > > nslookup X.X.X.X
> > > > ;; Got recursion not available from x.x.x.x, trying next server
> > > > ;; Got recursion not available from x.x.x.x, trying next server
> > Are your name servers configured to allow recursion?
Older bind and newer bind have different defaults for recursion. Older bind allowed it but newer bind defaults to it off for all but the local subnet. Among other things this prevents bind from being used in a distributed denial of service attack against a third party.

Are you using a nameserver on a different subnet? If so then I think that will explain the problem. The nameserver on the other subnet needs to allow your local subnet. You probably have one that allows it and one that does not. This is why it works the second time. For the first lookup it might hit a working server and just get the answer. Or it might hit the one with recursion turned off. Then it rotates to the next one and gets the answer. The second time around the answer is cached and so no further lookups are done. You can force a restart of bind in order to force it to look up for the first time again.

If you list nameservers in the /etc/resolv.conf file then it will always try them in the order listed. But the first nameserver there may have forwarders configured on it. You need to follow the chain through every nameserver that has forwarders listed until you get to the end of the chain. Your description of the problem makes me think the nameserver with the recursion disabled will be two away from you.

Look at the allow-recursion option to allow your subnets.

  allow-recursion { 192.0.32.0/24; };

Nameservers listed in /etc/resolv.conf are tried in order with a failure timeout. Because of that if the first nameserver is offline then things operate but very slowly with a timeout for every lookup. Therefore I always configure a local caching bind nameserver configured with forwarders. That will pick the fastest responding forwarder and avoid the timeout delay when one is down, although different versions of bind8 and bind9 have had different behaviors in this area and some were better than others.
If you had a local caching nameserver configured you would probably not have noticed your upstream nameserver configuration errors.

Bob
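The two configurations Bob describes, written out as an added example (this is not code from the original thread, and not any particular server's real config). It shows a BIND 9 named.conf fragment for the upstream server with recursion left open beside the hardened version that restricts it to an ACL of your own subnets, and then the separate workstation config for a local caching resolver with forwarders. All addresses (192.0.2.0/24, 198.51.100.0/24, the forwarder IPs) and the acl name "trusted" are assumptions for illustration; the two options blocks belong to two different servers and must not be combined in one file.

```conf
// ---------------------------------------------------------------
// File 1: /etc/bind/named.conf.options on the UPSTREAM nameserver
// (the one "two away from you" in the chain).
// ---------------------------------------------------------------

// WEAK: the old default, or an explicit override, that answers
// recursive queries for anyone on the Internet. An open recursive
// resolver can be used as a reflector/amplifier in a DDoS attack
// against a third party, which is why newer bind turned this off.
//
//   options {
//       recursion yes;
//       allow-recursion { any; };
//   };

// HARDENED: name every subnet that is legitimately yours, including
// the second subnet that was being refused in the thread, and grant
// recursion (and access to cached answers) only to that list.
acl "trusted" {
    localhost;
    localnets;          // the interfaces' own subnets (bind's default)
    192.0.2.0/24;       // assumed: your local subnet
    198.51.100.0/24;    // assumed: the other subnet that must be allowed
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion   { trusted; };   // who may ask us to resolve anything
    allow-query-cache { trusted; };   // keep cached data off-limits to outsiders too
    allow-query       { any; };       // zones we are authoritative for stay public
};

// ---------------------------------------------------------------
// File 2: /etc/bind/named.conf.options on the WORKSTATION, as a
// local caching resolver. /etc/resolv.conf then holds only
// "nameserver 127.0.0.1", so the resolver library never walks a list
// of upstreams with a timeout per dead entry; named measures the
// forwarders' response times and prefers the fastest one itself.
// ---------------------------------------------------------------
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; };           // nobody but this host may use it
    forwarders { 192.0.2.53; 198.51.100.53; }; // assumed: the upstream resolvers
    forward only;   // assumed policy: never fall back to the roots directly
};
```

To check which server in the chain is the one refusing you, query each one by hand rather than through the resolver library: `dig @<server> <name>` against a server that does not allow recursion for your source address shows `status: REFUSED`, or answers without the `ra` flag in the `;; flags:` line and prints `;; WARNING: recursion requested but not available`. Run that against the first resolv.conf entry, then against each forwarder it lists, until one of them refuses; that is the one whose allow-recursion needs your subnet. Note that `forward only` means lookups fail outright if every forwarder is down; drop it (the default is `forward first`) if you would rather the local resolver fall back to iterating from the root servers.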