Query parent domain from sub domain for non/authoritative names

Time: 2015-07-31 20:40:49

Tags: recursion dns subdomain bind

This question/scenario confuses me a lot. Please help!

Let's say we have 3 DNS servers - A, B, and C.
A: cache server; it serves recursive lookups for DNS names on the Internet.
B: Master DNS server which serves example.com
C: Master DNS server which serves sub.example.com <- sub domain name server of example.com

B has a [forward only] statement, and the [forwarders] statement contains A's IP.
B has [recursive] set to 'no'. For non-authoritative queries, such as google.com, the request comes from B and goes to A.
The server A responds to B with google.com IP address.

C does not have the example.com zone and it forwards all traffic to A.
I think the query for example.com goes to A, and A responds to B with example.com,
since B has a [forward only] statement and it has [A's IP address] in its [forwarders] statement list.
B has [recursion] set to 'no'.

Question is ... What would happen if C tries to lookup google.com's IP address?
If C does not get response for google.com from B then what should I do? Please give me your advice!

1 answer:

Answer 0: (score: 2)

C should never do that.

Authoritative name servers (B and C in your example) should only answer queries for the zones they are authoritative for. For any other query they should answer REFUSED or SERVFAIL. This is both for security reasons (you don't want your servers abused for DDoS attacks) and for the sanity of the administrator. It follows that authoritative servers should not send queries of their own; they only respond to the queries they are sent. So in your case, both B and C should refuse to answer when asked about google.com.

Recursive servers (A in your example) are the ones that go out and send queries to other servers. A should answer the query for google.com by recursing from the root in the normal way.

Another thing that follows from this is that other processes running on B and C cannot use the local name server daemon for name resolution (since it will only answer for its authoritative zones). So on B and C, resolv.conf should point at server A. If their query is for example.com or sub.example.com, A will go back and query the auth server on B or C, so it can answer the original query.

(Of course, all of this assumes you are not doing split horizon or some other more complex setup, but even then, if you can cleanly separate authoritative and resolving servers, it makes things much easier to reason about.)

Does that make it clearer for you?
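As an added illustration (not part of the question or the answer above), here are BIND 9 `named.conf` fragments for the split the answer recommends, with the question's "forward only" setup shown first for contrast. Host names, file paths and the 192.0.2.0/24 addresses are assumed placeholders from the documentation range.

```conf
// --- What the question describes on B (and C): an authoritative server that also forwards ---
// Per the answer this mixes the two roles: B is asked about google.com and pushes the
// query on to A instead of refusing it. Shown only for contrast.
options {
    recursion no;
    forward only;
    forwarders { 192.0.2.1; };   // A's address (placeholder)
};

// --- Server B, authoritative for example.com only (C is the same shape for sub.example.com) ---
options {
    directory "/var/cache/bind";
    recursion no;                 // never recurse or forward on behalf of clients
    allow-query { any; };         // answer for the zones we host...
    allow-query-cache { none; };  // ...and serve nothing from a cache
    // No "forward only;" and no "forwarders": a query for google.com now gets
    // status REFUSED rather than being relayed to A.
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // contains the NS delegation for sub.example.com pointing at C
};

// --- Server A, the recursive resolver the clients (including B and C themselves) use ---
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // only the local network, never the whole Internet
    allow-query     { 192.0.2.0/24; };
    // No forwarders: A resolves from the root hints and, for example.com and
    // sub.example.com, follows the delegation down to B and C.
};

// --- /etc/resolv.conf on B and C (placeholder address for A) ---
// nameserver 192.0.2.1
```

To check that the roles are actually separated: `dig @192.0.2.2 google.com` against B should return `status: REFUSED` with no answer section, while `dig @192.0.2.1 www.sub.example.com` against A should return `status: NOERROR` after A has followed the delegation to C. If B still answers google.com, a forwarding or recursion option is still in effect somewhere in its configuration.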