[ale] cacheing DNS?

John Heim john at johnheim.net
Wed May 9 13:22:48 EDT 2012


From: "Leam Hall" <leamhall at gmail.com>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Tuesday, May 08, 2012 5:00 PM
Subject: Re: [ale] cacheing DNS?


> On 05/08/2012 05:46 PM, John Heim wrote:
>> I'm confused about caching DNS and recursion. I keep reading that best
>> practice is to not use the same dns servers for the machines on your LAN 
>> as
>> you do for those outside your LAN. So if I'm the admin of example.org and 
>> if
>> I want redundant DNS servers for both internal and external queries, do I
>> have to run four DNS servers?  Do people really do that?
>>
>
> Hey John,
>
> I think the normal process is to have your DNS servers also cache
> external info.

That's what I'm doing. But I got a message that says I'm running an open 
resolver.  If I really am running an open resolver, I don't want to publish 
the IP address here.  So I changed its IP in the text below. But the text 
below shows that if I'm outside our own LAN and if I direct a lookup at my 
DNS server, it refuses to answer.  Yet, 
http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl says I'm 
running an open resolver.

$ host lambeau.johnheim.net. 11.22.33.44
Using domain server:
Name: 11.22.33.44
Address: 11.22.33.44#53
Aliases:

Host lambeau.johnheim.net not found: 5(REFUSED)

So apparently, I don't understand what an open resolver is.  It does not 
look as if you can use my DNS server to do an external lookup from outside. 
It works from inside, on our own LAN, of course.

I understand that if you're on hacker.net,  you shouldn't be able to direct 
a name lookup for example.com to a server at bogus.org. But according to my 
results posted above, you can't do that. So why then is my DNS server 
regarded as "open"?




More information about the Ale mailing list