What is your preferred method to setup your local resolver?

  • What is your prefered method to setup your local resolver? 17

    1. I use a static /etc/resolv.conf file filled with static entries (12) 71%
    2. I use a dynamic /etc/resolv.conf file filled automatically by resolvconf(8). I put my DNS entries in the /etc/network/interfaces file (3) 18%
    3. I use another method which I'll explain below (2) 12%

    Dear community,


    We do this survey to known what is your preferred method for setting up your local resolver (on your servers). Depending on the result, we'll review the way i-MSCP is handling that part. If you use a method not specified here, please explain us.


    Thank you for your participation.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    account_detailed.gif

  • @f4Nm1Z9k2P


    Waiting for your explanations ;)

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    account_detailed.gif

  • Personally i use the standard way provided by i-MSCP setup to use my local resolver. The resolv.conf file is static for me, the entries are managed by i-MSCP.
    I just use a listener in order to modify the DNS forwarders in /etc/bind/named.conf.options as shown below:


    Perl
    1. #!/usr/bin/perl=head1 NAME Listener::Bind9::Forwarders=cut# i-MSCP - internet Multi Server Control Panel# Copyright (C) 2013-2014 by Laurent Declercq## This program is free software; you can redistribute it and/or# modify it under the terms of the GNU General Public License# as published by the Free Software Foundation; either version 2# of the License, or (at your option) any later version.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.## You should have received a copy of the GNU General Public License# along with this program; if not, write to the Free Software# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.## @category i-MSCP# @copyright 2013-2014 by Laurent Declercq# @author Laurent Declercq <l.declercq@nuxwin.com># @link http://i-mscp.net i-MSCP Home Site# @license http://www.gnu.org/licenses/gpl-2.0.html GPL v2package Listener::Bind9::Forwarders;use iMSCP::EventManager;use iMSCP::TemplateParser;=head1 DESCRIPTION Hook file which lets you configure your own Nameserver forwarders. Hook file compatible with i-MSCP >= 1.1.0=head1 PUBLIC METHODS=over 4=item addBind9Forwarders Add Nameserver Forwarders. Return int 0=cutsub addBind9Forwarders{ my ($cfgTpl, $tplName) = @_; if($tplName eq 'named.conf.options') { # Insert here your comma separated DNS Forwarders my $myForwarders = "1.2.3.4,5.6.7.8"; # END DNS Forwarders my @forwardersvalues = split(',', $myForwarders); $mysplitForwarders = ""; foreach my $forwarder (@forwardersvalues) { $mysplitForwarders = $mysplitForwarders . " " . $forwarder . ";\n"; } $$cfgTpl = replaceBloc( " // forwarders {\n // 0.0.0.0;\n", " // };\n", " forwarders {" . getBloc( " // forwarders {\n // 0.0.0.0;", " // };\n", $$cfgTpl ) . $mysplitForwarders . " };\n", $$cfgTpl ); } 0;}iMSCP::EventManager->getInstance()->register('afterNamedBuildConf', \&addBind9Forwarders);=back=head1 AUTHOR Laurent Declercq <l.declercq@nuxwin.com>=cut1;

    File /etc/resolv.conf:

    Code
    1. # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    2. # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    3. nameserver 127.0.0.1
    4. search xxxyyyzzz.com
  • @kess


    Your /etc/resolv.conf file is not static. It is dynamically filled by resolvconf(8). The nameserver 127.0.0.1 entry is setup by the bind9-resolvconf service which uses resolvconf(8) to add it into your /etc/resolv.conf file.


    I've created that survey to take a decision regarding the way i-MSCP is handling the /etc/resolv.conf file. In near feature, I'll add some options allowing the administrator to disable the bind9-resolvconf service.


    For instance:

    • Someone could want use a static file: In that case, resolvconf(8) should be disabled
    • Someone could want use a dynamic file and set nameserver entries through the /etc/network/interfaces file: In that case, resolvconf(8) is needed but the bind9-resolvconf service should be disabled
    • Someone could want force usage of the local resolver (bind9): In that case resolvconf(8) and the bind9-resolvconf service are needed (this is the case with i-MSCP when you use bind9 and say yes for using the local resolver. This is your case.).

    Regarding your listener for setting up forwarders: In my eyes, that is useless. Your bind9 should be able to answer DNS queries without forwarding them to external DNS servers. I'm wondering why you're doing that.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    account_detailed.gif

  • In fact without that listener my bind 9 resolves perfectly DNS queries, but only for local domains or records directly inserted in the local database. I've built that listener (starting from one of yours) because my DNS wasn't able to resolve external names like google.com or security.debian.org or every other external domain.


    I must say that these are not fresh debian installations. I've started time ago with ispcp on lenny, then it became i-MSCP in squeeze, then wheezy and now jessie. So perhaps something strange during upgrades and/or server moves and now on VMware has happened.


    But the fact (in my specific situations) is that if I don't configure forwarders for bind9, external names are not resolved.


    If you'd like to investigate more, it's not a problem for me, just tell me which additional informations you need :-)

  • @kess


    By default, i-MSCP configures bind9 to allow recursive queries for localhost only (from your server only). Thus, if you don't use your DNS server outside of your server, this should work. Now, if you also use your DNS server as resolver for servers which are outside but still in your local network, this will not work by default and of course, a listener is available for such case: https://github.com/i-MSCP/imsc…med/10_bind9_localnets.pl


    However, if you want query your DNS server outside of your local network, the listener would not be sufficient. In such a case, you should simply modify the listener above to add your external network (or your host IP address). This would avoid to forward DNS queries to an external DNS server.


    To resume

    • Do you use your DNS server as resolver for other servers which are in your local network (network in which your DNS server is)
    • Do you're querying your DNS server from outside your local network

    Once you'll have answered those questions, you'll understand why this doesn't work as you expect by default.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    account_detailed.gif

  • @Nuxwin,
    sorry for late reply.


    To answer your questions:
    - Every DNS Server is configured as local resolver for himself only
    - I'm queringg my DNS Server from outside networks, to resolve names/services configured on that specific DNS server (not as forwarder)


    Another question: If I don't configure forwarders in the named .conf.options, and if my servers are configured to use 127.0.0.1 to resolve names, how can bind9 know where to forward queries of non locally managed records ?
    Does it use root hints ? (because I don't want to use them)...


    But anyway, if I remove the forwarders instruction, my servers can't resolve external names...

  • To answer your questions:
    - Every DNS Server is configured as local resolver for himself only
    - I'm queringg my DNS Server from outside networks, to resolve names/services configured on that specific DNS server (not as forwarder)

    So, this should work as long as you don't try to do an AXFR query from outside network, and as long as the queries are only for hosted services (zones for which your DNS server is authoritative).


    Another question: If I don't configure forwarders in the named .conf.options, and if my servers are configured to use 127.0.0.1 to resolve names, how can bind9 know where to forward queries of non locally managed records ?
    Does it use root hints ? (because I don't want to use them)...


    127.0.0.0 means your local DNS server so yes, Bind9 will resolve all itself by doing the needed queries. It will of course use the entries from the root hints file when needed. Why you don't want use those entries???

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    account_detailed.gif