Configuring Campus Recursive Nameservers

Guidelines

The Recursive DNS Server Operation Guidelines describe the background and purpose of these guidelines. The specific guidelines are:
  1. All on-campus recursive/caching DNS servers must be configured in such a manner that queries for the Local Use Zones (listed below) will not be sent to the root name servers. We recommend one of the following three strategies for complying with this requirement:
    • Configure your DNS servers to forward all unknown queries to the Computing Services recursive DNS servers, AC-CDNS1.NET.CMU.EDU and AC-CDNS2.NET.CMU.EDU. Doing this also helps achieve maximum efficiency in on-campus caching of DNS information.
    • Configure your DNS servers to forward queries for the specific Local Use Zones to the authoritative servers for the zones, AC-LDNS1.NET.CMU.EDU and AC-LDNS2.NET.CMU.EDU.
    • Configure your DNS servers to mirror the zone contents of the Local Use zones.
      Sample configurations for each strategy are given below.
  2. All use of RFC1918 address space should be coordinated with the Network Group to ensure proper implementation and avoid unexpected conflicts.
  3. Finally, following best common practice, we recommend that any DNS record containing an RFC1918 address be placed in a "private" zone tree, such as the CMU.LOCAL zone. Requests for CMU.LOCAL subdomains should be sent to the contact address below.

Local Use Zones

Additional zones may be added to this list in the future.
  • 10.IN-ADDR.ARPA (10.0.0.0/8)
  • {16-31}.172.IN-ADDR.ARPA (172.16.0.0/12)
  • 254.169.IN-ADDR.ARPA (169.254.0.0/16)
  • 168.192.IN-ADDR.ARPA (192.168.0.0/16)
  • LOCAL.

Sample Configurations

There are three recommended strategies for complying with the requirements of these guidelines.

Note that all authoritative servers should be configured to reject recursive (caching) requests or implement one of the recommended strategies.

Rejecting Recursive Requests

Authoritative nameservers with no clients configured to use the server as a recursive resolver should disable recursion.

BIND 8/9

This document also describes the method for disabling recursion.
In named.conf:
  options {
  	recursion no;
  	fetch-glue no;
  };
recursion no is the setting that matters. fetch-glue is a BIND 8 option; BIND 9 treats it as obsolete (it logs a warning and ignores it), so it can be omitted on BIND 9 servers.

djbdns/dnscache

By default the djbdns authoritative nameserver does not provide recursive service. If dnscache is being used to provide caching service, please implement one of the options below.

Microsoft DNS

To open the DNS Management Console:
Click Start, point to Programs, point to Administrative Tools, and then click DNS to start the DNS Management Console.

To disable recursive operation of a Microsoft DNS server:

  1. Right-click the DNS Server object for your server in the left pane of the console, and click Properties.
  2. Click the Advanced Tab.
  3. Check the Disable Recursion check-box.
  4. Click OK

PowerDNS

By default PowerDNS operates as an authoritative nameserver only. To keep it that way, make sure the configuration file does not set the "recursor" option, which would hand queries the server is not authoritative for to a recursive server.

Option One: Forward all recursive queries to Computing Services' nameservers.

This option makes the most efficient use of campus DNS caching. It does not require that administrators configure specific zones in their nameservers.

BIND 8/9

In named.conf:
options {
	forward only;
	forwarders { 128.2.1.10; 128.2.1.11; };
};

djbdns/dnscache

dnscache can be configured to forward queries to specific addresses. Assuming /etc/dnscache is your service directory, run:
  printf '128.2.1.10\n128.2.1.11\n' > /etc/dnscache/root/servers/@
  echo 1 > /etc/dnscache/env/FORWARDONLY
printf is used rather than echo because not every shell's echo interprets \n, and the servers file must contain one address per line. dnscache reads root/servers and env only at startup, so restart it afterwards (svc -t /service/dnscache if it runs under daemontools).

Microsoft DNS

To open the DNS Management Console:
Click Start, point to Programs, point to Administrative Tools, and then click DNS to start the DNS Management Console.

  1. Right-click the DNS Server object for your server in the left pane of the console, and click Properties.
  2. Click the Forwarders tab.
  3. Check the Enable forwarders check-box.
  4. In the IP address box enter the following IP addresses: 128.2.1.10 and 128.2.1.11. You can also move them up or down; the highest in the list gets the first try. If the first IP does not respond within the given time-out, the query is forwarded to the next server in the list.
  5. Check the Do not use recursion check-box on the same tab. Without it the server falls back to resolving from the root servers itself when no forwarder answers, which is exactly what this guideline is meant to prevent (it is the equivalent of BIND's forward only).

PowerDNS

Details of the PowerDNS recursive configuration are described here.
In the PowerDNS configuration (pdns.conf):
  recursor=128.2.1.10
The recursor option takes a single address, so only one of the Computing Services servers can be listed; queries for domains the server is not authoritative for are handed to that address.

Option Two: Configure your server to forward queries for specific zones to our authoritative nameservers.

This configuration requires the creation of zone information for each Local Use Zone in your nameserver.

BIND 8/9

In your named.conf:
  zone "local" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "10.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "16.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "17.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "18.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "19.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "20.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "21.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "22.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "23.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "24.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "25.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "26.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "27.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "28.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "29.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "30.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "31.172.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "168.192.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };
  zone "254.169.in-addr.arpa" { type forward; forward only; forwarders {128.2.1.25;128.2.1.26;}; };

djbdns/dnscache

Assuming your service directory is /etc/dnscache, run the following commands (printf rather than echo, so that the two addresses land on separate lines in every shell):
  cd /etc/dnscache/root/servers
  for zone in local cmu 10.in-addr.arpa 168.192.in-addr.arpa 254.169.in-addr.arpa \
      16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa \
      20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa \
      24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa \
      28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa
  do
      printf '128.2.1.25\n128.2.1.26\n' > "$zone"
  done
Restart dnscache afterwards; it reads root/servers only at startup.

Microsoft DNS

The Microsoft DNS server does not, as of the time of this writing, appear to support the ability to forward specific zone questions to alternate nameservers. We recommend the use of the first or third options instead. (Windows Server 2003 later added conditional forwarders, which provide exactly this per-domain forwarding.)

PowerDNS

The PowerDNS system does not, as of the time of this writing, appear to support the ability to forward specific zone questions to alternate nameservers. We recommend the use of the first or third options instead. (Later releases of the separate PowerDNS Recursor added a forward-zones setting for this purpose.)

Option Three: Slave the contents of the local zones.

This option requires a nameserver that acts as a unified authoritative and recursive nameserver.

BIND 8/9

In your named.conf:
  zone "local" { type slave; file "local.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "10.in-addr.arpa" { type slave; file "10.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "16.172.in-addr.arpa" { type slave; file "16.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "17.172.in-addr.arpa" { type slave; file "17.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "18.172.in-addr.arpa" { type slave; file "18.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "19.172.in-addr.arpa" { type slave; file "19.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "20.172.in-addr.arpa" { type slave; file "20.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "21.172.in-addr.arpa" { type slave; file "21.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "22.172.in-addr.arpa" { type slave; file "22.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "23.172.in-addr.arpa" { type slave; file "23.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "24.172.in-addr.arpa" { type slave; file "24.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "25.172.in-addr.arpa" { type slave; file "25.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "26.172.in-addr.arpa" { type slave; file "26.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "27.172.in-addr.arpa" { type slave; file "27.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "28.172.in-addr.arpa" { type slave; file "28.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "29.172.in-addr.arpa" { type slave; file "29.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "30.172.in-addr.arpa" { type slave; file "30.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "31.172.in-addr.arpa" { type slave; file "31.172.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "168.192.in-addr.arpa" { type slave; file "168.192.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
  zone "254.169.in-addr.arpa" { type slave; file "254.169.in-addr.arpa.zone";
                 masters {128.2.1.25;128.2.1.26;}; };
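The BIND listings for Option Two and Option Three, and the dnscache file list for Option Two, repeat one entry per zone, and the list will grow if zones are added. The following Python script is an added example, not part of the original guidelines: it derives the in-addr.arpa zones from the prefixes listed under Local Use Zones (which is why 172.16.0.0/12 turns into sixteen zones) and prints either set of BIND stanzas, or the dnscache servers files. The prefixes and the addresses 128.2.1.25 and 128.2.1.26 are those given above; the function names are this example's own.

```python
"""Derive the Local Use reverse zones from their prefixes and render the
per-zone BIND stanzas for Option Two (forward) or Option Three (slave), or
the dnscache root/servers files for Option Two.

Added example, not part of the original guidelines.  The prefixes and the
addresses 128.2.1.25 / 128.2.1.26 are those listed in the guidelines; the
function names are this example's own.
"""
from __future__ import annotations
import ipaddress
import sys

# Prefixes listed under "Local Use Zones" (RFC 1918 plus link-local).
LOCAL_USE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16", "192.168.0.0/16"]
LOCAL_USE_FORWARD_ZONES = ["local"]
LOCAL_DNS_SERVERS = ["128.2.1.25", "128.2.1.26"]     # AC-LDNS1 / AC-LDNS2


def reverse_zones(prefix: str) -> list[str]:
    """in-addr.arpa zones that exactly cover an IPv4 prefix.

    Reverse delegation happens on octet boundaries, so the prefix is widened
    to the next multiple of 8 bits and split into /8, /16 or /24 networks,
    one zone each: 172.16.0.0/12 becomes 16.172 .. 31.172.in-addr.arpa.
    """
    net = ipaddress.ip_network(prefix)           # strict: raises if host bits are set
    octets = max(1, (net.prefixlen + 7) // 8)
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def local_use_zones() -> list[str]:
    """The complete Local Use Zone list: 'local' plus every reverse zone."""
    zones = list(LOCAL_USE_FORWARD_ZONES)
    for prefix in LOCAL_USE_PREFIXES:
        zones.extend(reverse_zones(prefix))
    return zones


def _addr_list(servers: list[str]) -> str:
    return "".join(f"{s}; " for s in servers)


def bind_forward_stanza(zone: str, servers: list[str]) -> str:
    """Option Two: forward only, so BIND never falls back to the roots."""
    return (f'zone "{zone}" {{ type forward; forward only; '
            f'forwarders {{ {_addr_list(servers)}}}; }};')


def bind_slave_stanza(zone: str, servers: list[str]) -> str:
    """Option Three: keep a local copy of the zone, transferred from the masters."""
    return (f'zone "{zone}" {{ type slave; file "{zone}.zone"; '
            f'masters {{ {_addr_list(servers)}}}; }};')


def render_named_conf(option: str, servers: list[str] = LOCAL_DNS_SERVERS) -> str:
    """option is 'forward' (Option Two) or 'slave' (Option Three)."""
    render = {"forward": bind_forward_stanza, "slave": bind_slave_stanza}[option]
    return "".join(render(z, servers) + "\n" for z in local_use_zones())


def dnscache_server_files(servers: list[str] = LOCAL_DNS_SERVERS) -> dict[str, str]:
    """Contents of root/servers/<zone> for dnscache, one address per line."""
    body = "".join(s + "\n" for s in servers)
    return {zone: body for zone in local_use_zones()}


if __name__ == "__main__":
    # usage: python3 localzones.py [forward|slave]  > local-use-zones.conf
    sys.stdout.write(render_named_conf(sys.argv[1] if len(sys.argv) > 1 else "forward"))
```

Include the generated file from named.conf rather than pasting it, so that regenerating it after a change to the prefix list is a one-line operation.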

djbdns/dnscache

The djbdns architecture separates the authoritative and recursing nameserver components. As such, this option does not fit with the djbdns architecture. We recommend the use of the first or second option instead.

Microsoft DNS

To open the DNS Management Console:
Click Start, point to Programs, point to Administrative Tools, and then click DNS to start the DNS Management Console.

For each zone on the Local Use Zones list:

  1. Right click the DNS Server object for your server in the left pane of the console, and click New Zone.
  2. Click Next.
  3. Click the "Standard Secondary" radio button and click Next.
  4. Make sure "Forward lookup zone" is selected and click Next. (For the in-addr.arpa zones, choosing "Reverse lookup zone" and entering the network ID produces the same zone name; either way works as long as the resulting zone name matches the list exactly.)
  5. Enter the name of the Local Use Zone and click Next.
  6. In the IP address box enter the following IP addresses: 128.2.1.25 and 128.2.1.26.
  7. Click Next
  8. Click Finish

PowerDNS

PowerDNS offers many different backends, each of which could be configured to retrieve the zones from the master nameservers, 128.2.1.25 and 128.2.1.26. The "BindBackend", for example, could be configured similarly to the BIND8/9 configuration above.
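After applying any of the BIND configurations above, it is worth checking that the result actually satisfies guideline 1 before relying on it. The following Python script is an added example, not from the original guidelines: it reads a named.conf and reports whether the server refuses recursion, forwards everything to the Computing Services resolvers (forward only, not forward first, which would still fall back to the roots), or covers every Local Use Zone with a forward or slave zone, and lists any zone still uncovered. It is a minimal brace-matching reader for the flat stanza style used in the samples above; views and include files are not handled. The configurations embedded at the bottom are constructed for illustration.

```python
"""Audit a BIND named.conf against guideline 1: no query for a Local Use
Zone may reach the root servers.

Added example, not part of the original guidelines.  Minimal reader for the
flat stanza style of the samples above; views and include files are not
handled.  Server addresses are those listed in the guidelines.
"""
from __future__ import annotations
import re
import sys

CAMPUS_RECURSIVE = {"128.2.1.10", "128.2.1.11"}   # AC-CDNS1 / AC-CDNS2
LOCAL_USE_ZONES = (["local", "10.in-addr.arpa", "168.192.in-addr.arpa", "254.169.in-addr.arpa"]
                   + [f"{i}.172.in-addr.arpa" for i in range(16, 32)])

_HEAD = re.compile(r'\b(options|zone\s+"([^"]+)")\s*\{')
_COMMENT = re.compile(r"//.*?$|#.*?$|/\*.*?\*/", re.S | re.M)


def _stanzas(text: str):
    """Yield (zone name or None for options, body) for each top-level stanza."""
    text = _COMMENT.sub("", text)
    for m in _HEAD.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(2), text[m.end():i - 1]


def _has(body: str, statement: str) -> bool:
    """True if 'statement;' appears in the stanza body."""
    return re.search(r"\b" + re.escape(statement) + r"\s*;", body) is not None


def _addrs(body: str, key: str) -> set[str]:
    """Addresses in a 'key { a; b; };' list (any 'port N' suffix is dropped)."""
    m = re.search(r"\b" + key + r"\s*\{([^}]*)\}", body)
    if not m:
        return set()
    return {item.split()[0] for item in m.group(1).split(";") if item.strip()}


def _covers(body: str | None) -> bool:
    """True if a zone stanza keeps queries for that zone away from the roots."""
    if body is None:
        return False
    return bool(
        (_has(body, "type forward") and _has(body, "forward only") and _addrs(body, "forwarders"))
        or (_has(body, "type slave") and _addrs(body, "masters"))
        or _has(body, "type master"))           # a local authoritative copy also counts


def audit(named_conf: str) -> dict:
    """Return {'compliant': bool, 'strategy': str, 'missing': [uncovered zones]}."""
    opts, zones = "", {}
    for name, body in _stanzas(named_conf):
        if name is None:
            opts = body
        else:
            zones[name.lower().rstrip(".")] = body
    if _has(opts, "recursion no"):
        return {"compliant": True, "strategy": "recursion disabled", "missing": []}
    forwarders = _addrs(opts, "forwarders")
    # Only 'forward only' counts: with 'forward first' BIND resolves from the
    # roots itself whenever the forwarders do not answer.
    if _has(opts, "forward only") and forwarders and forwarders <= CAMPUS_RECURSIVE:
        return {"compliant": True, "strategy": "option one (forward all)", "missing": []}
    missing = [z for z in LOCAL_USE_ZONES if not _covers(zones.get(z))]
    return {"compliant": not missing,
            "strategy": "per-zone forward/slave (option two/three)" if not missing else "none",
            "missing": missing}


# Constructed sample configurations, for illustration only.
CONF_FORWARD_ALL = """
options {
    forward only;
    forwarders { 128.2.1.10; 128.2.1.11; };
};
"""
CONF_PARTIAL = """
options { recursion yes; forward first; forwarders { 128.2.1.10; }; };
zone "local" { type forward; forward only; forwarders { 128.2.1.25; 128.2.1.26; }; };
zone "10.in-addr.arpa" { type slave; file "10.in-addr.arpa.zone"; masters { 128.2.1.25; }; };
"""

if __name__ == "__main__":
    # usage: python3 audit_named.py /etc/named.conf
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONF_PARTIAL
    print(audit(conf))
```

Run against CONF_PARTIAL the script reports eighteen uncovered zones: forward first in options does not count, and only two of the twenty Local Use Zones have their own stanza.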

Contact Information

Any questions about these guidelines or implementation should be directed to: net-dev@andrew.cmu.edu.

Revision History

  • February 17, 2003: Initial revision (Kevin Miller)
