DNS Cache-Only Config Advice
Thread Solved
Well there are settings in BIND for caching out-of-zone data which is the case here. There are inherent security issues with caching out of zone data unless you know what you are doing (which is the case here). Take a look at this:
http://www.zytrax.com/books/dns/ch7/queries.html
The default behavior should be what you want but double check your configs and make sure they're set up for yes/yes caching. The URL indicates it should only be for CNAME/DNAME out-of-zone following but I would try it just to be sure.
Also take a look at your cache to see what is in it so we don't have to guess:
sk:/var/cache/bind# rndc dumpdb -cache
sk:/var/cache/bind# ls
named_dump.db  stats
From what I can tell MX records aren't cached. If I ran a dump -all I only see MX records for zones where the server is an authority. I have been reading around for half an hour and I can't see a definitive answer on how caching MX records should work. I do not see them in the bind cache and in RFC1912 I see this:
It is a good idea to give every host an MX record, even if it points
to itself! Some mailers will cache MX records, but will always need
to check for an MX before sending mail. If a site does not have an
MX, then every piece of mail may result in one more resolver query,
since the answer to the MX query often also contains the IP addresses
of the MX hosts. Internet SMTP mailers are required by [RFC 1123] to
support the MX mechanism.
Hi Sknake,
A couple of thoughts before bed...
I have no "additional-from*" statements so from the link, I should indeed be "yes yes" (bind 9).
# grep MX cache_dump.db | wc -l
2802
(counted them to hide the details, they're all MX records)
I wonder why only a few zones behave with the repeated queries, no A record, maybe I should visit their config and have them return a different value? I notice that there is no answer section when I dig these.
ttfn.
Are they "domain.mx" -> mexico, or are they "IN MX" records? My qmail mail server only had domain.mx records in the bind cache, and MX records for my authoritative sites (my domains) -- not cached ones. I think you're on the right track with not having the A record. While it's technically correct it may be confusing a resolver.
Just FYI on the thread...
25927 MX 5 mail.nacro.org.uk.
25927 MX 10 mail.uksolutions.net.
48373 MX 10 mailgate.sawyershall.org.uk.
36730 MX 5 mailgate1.networcs.net.
36730 MX 5 mailgate2.networcs.net.
36730 MX 15 mailgate3.networcs.net.
36730 MX 15 mailgate4.networcs.net.
62156 MX 0 mx5h.state.nj.us.
62156 MX 0 mx6o.state.nj.us.
62156 MX 0 mx7h.state.nj.us.
62156 MX 0 mx8o.state.nj.us.
Any idea what the number means? Is it TTL?
I'll post more when I've checked out altering the record for the errant domain.
#16 Oct 6th, 2009
Right, it's definitely working. I was unconvinced that Exim was actually benefiting from the local DNS cache but have proved that it is. Here's what I did to test...
[The packet capture bits were Ethereal screenshots but had to be deleted because they contained internal IP addresses. I've included descriptions of what was found instead]
Check yahoo isn't in the cache
[root@eximbox data]# rndc dumpdb
[root@eximbox data]# grep yahoo cache_dump.db
[root@eximbox data]# [nothing returned]

Start capturing TCP traffic on port 53
[root@eximbox data]# tcpdump -i eth0 -s 0 -w /tmp/dns.eximbox.`date +%Y%m%d-%H%M`.cap "tcp port 53 or udp port 53" &

Make Exim generate some DNS queries
[root@eximbox data]# echo test | exim -d+resolver martinkagb@yahoo.com
... [output deleted] ...

Exim reports successful DNS lookup
DNS lookup of yahoo.com (MX) succeeded
...
host_find_bydns yield = HOST_FOUND (2); returned hosts:
  f.mx.mail.yahoo.com 98.137.54.237 MX=1
  a.mx.mail.yahoo.com 67.195.168.31 MX=1
  e.mx.mail.yahoo.com 216.39.53.1 MX=1
  c.mx.mail.yahoo.com 216.39.53.2 MX=1
  c.mx.mail.yahoo.com 216.39.53.3 MX=1
  d.mx.mail.yahoo.com 68.142.202.247 MX=1
  d.mx.mail.yahoo.com 209.191.88.247 MX=1
  b.mx.mail.yahoo.com 66.196.82.7 MX=1
  b.mx.mail.yahoo.com 66.196.97.250 MX=1
  g.mx.mail.yahoo.com 98.137.54.238 MX=1
  g.mx.mail.yahoo.com 206.190.53.191 MX=1
... [output deleted] ...

Kill the capture
[root@eximbox data]# kill %1
93 packets captured
186 packets received by filter
0 packets dropped by kernel

Verify that DNS traffic has occurred
[Packet capture:] Shows DNS queries going to upstream DNS servers and replies coming back.

Dump the cache and verify that yahoo has been entered
[root@eximbox data]# rndc dumpdb
[root@eximbox data]# grep yahoo cache_dump.db
yahoo.com.              105668  NS      ns1.yahoo.com.
                        105668  NS      ns2.yahoo.com.
                        105668  NS      ns3.yahoo.com.
                        105668  NS      ns4.yahoo.com.
                        105668  NS      ns5.yahoo.com.
                        105668  NS      ns6.yahoo.com.
                        105668  NS      ns8.yahoo.com.
                        4511    MX      1 a.mx.mail.yahoo.com.
                        4511    MX      1 b.mx.mail.yahoo.com.
                        4511    MX      1 c.mx.mail.yahoo.com.
                        4511    MX      1 d.mx.mail.yahoo.com.
                        4511    MX      1 e.mx.mail.yahoo.com.
                        4511    MX      1 f.mx.mail.yahoo.com.
                        4511    MX      1 g.mx.mail.yahoo.com.
a.mx.mail.yahoo.com.    1024    A       67.195.168.31
b.mx.mail.yahoo.com.    1024    A       66.196.82.7
c.mx.mail.yahoo.com.    1024    A       216.39.53.2
d.mx.mail.yahoo.com.    1024    A       68.142.202.247
e.mx.mail.yahoo.com.    1024    A       216.39.53.1
f.mx.mail.yahoo.com.    1782    A       98.137.54.237
g.mx.mail.yahoo.com.    1024    A       98.137.54.238
ns1.yahoo.com.          105668  A       68.180.131.16
ns2.yahoo.com.          105668  A       68.142.255.16
ns3.yahoo.com.          105668  A       121.101.152.99
ns4.yahoo.com.          105668  A       68.142.196.63
ns5.yahoo.com.          105668  A       119.160.247.124
ns6.yahoo.com.          105668  A       202.43.223.170
ns8.yahoo.com.          105668  A       202.165.104.22

Start a new capture
[root@eximbox data]# tcpdump -i eth0 -s 0 -w /tmp/dns.eximbox.`date +%Y%m%d-%H%M`.cap "tcp port 53 or udp port 53" &

Make Exim generate more DNS queries
[root@eximbox data]# echo test | exim -d+resolver martinkagb@yahoo.com
... [output deleted] ...

Which again succeed
DNS lookup of yahoo.com (MX) succeeded
...
host_find_bydns yield = HOST_FOUND (2); returned hosts:
... [output deleted] ...

Kill the capture
[root@eximbox data]# kill %1
32 packets captured
65 packets received by filter
0 packets dropped by kernel

Analyse the traffic
[Packet capture:] No DNS traffic between host and upstream DNS servers.
Big thanks sknake.
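As an added example (not code from the thread, BIND or Exim), here is a small parser for the `rndc dumpdb` cache file that sknake suggested inspecting and that the test above greps by hand: it attaches continuation lines to their owner name, lists cached MX entries with the remaining TTL (the leading number in the dump; the MX priority is the first token after the type), and diffs a dump taken before a lookup against one taken after, which is what "verify that yahoo has been entered" checks. The two dumps in the block are constructed samples laid out like the thread's output, not captured data.

```python
import re
from collections import defaultdict

# Constructed sample dumps (not real output): the cache before and after a
# single MX lookup, laid out like the `grep yahoo cache_dump.db` lines in
# the thread. Continuation lines leave the owner name blank.
DUMP_BEFORE = """\
; Cache dump of view '_default'
example.net.            3600    NS      ns1.example.net.
ns1.example.net.        3600    A       192.0.2.1
"""
DUMP_AFTER = DUMP_BEFORE + """\
yahoo.com.              105668  NS      ns1.yahoo.com.
                        4511    MX      1 a.mx.mail.yahoo.com.
                        4511    MX      1 b.mx.mail.yahoo.com.
a.mx.mail.yahoo.com.    1024    A       67.195.168.31
"""
# owner (may be empty)  remaining TTL in seconds  [class]  type  rdata
LINE = re.compile(r"^(\S*)\s+(\d+)\s+(?:IN\s+)?([A-Z]+)\s+(.*)$")

def parse_dump(text):
    """Map each owner name to its [(ttl, type, rdata), ...] entries."""
    records = defaultdict(list)
    owner = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                      # blank lines and dump comments
        m = LINE.match(line)
        if not m:
            continue                      # headers we do not care about
        name, ttl, rtype, rdata = m.groups()
        if name:
            owner = name                  # a new owner starts a group
        if owner is not None:
            records[owner].append((int(ttl), rtype, rdata.strip()))
    return dict(records)

def cached_mx(records):
    """Every cached MX as (owner, ttl, priority, exchange), sorted."""
    mx = []
    for owner, rrs in records.items():
        for ttl, rtype, rdata in rrs:
            if rtype == "MX":
                prio, exch = rdata.split(None, 1)   # "1 a.mx.mail.yahoo.com."
                mx.append((owner, ttl, int(prio), exch))
    return sorted(mx)

def newly_cached(before, after):
    """Owner names present only in the second dump: what the lookup added."""
    return sorted(set(after) - set(before))
```

Run `parse_dump` on a dump from before the `exim -d+resolver` test and one from after; a non-empty `newly_cached` result with the expected MX owner in it is the same evidence the second tcpdump run gave, without needing a capture.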