5

So I've got a domain registered with Dreamhost, which apparently does not do recursive lookups, and an app on Heroku. Heroku apps are always configured to use a CNAME record to proxy.heroku.com.

So:

Authoritative DNS:  ns1.dreamhost.com (for foo.com)

CNAME record:       app.foo.com -> proxy.heroku.com

Resolves to:        Set of A records for EC2 IPs

I've been told by some folks trying to connect to the app from behind a Windows Server 2003 DNS Server that it handles SERVFAIL differently and cannot resolve the DNS. I'm trying to understand if this is truly a configuration issue on my side or theirs, notably, per the title:

Must the authoritative DNS server for a domain be recursive to allow CNAME records pointing to other domains?

scotchi

4 Answers

6

No, you don't need to have recursion on for authoritative DNS servers. Depending on who you ask, it's even considered good practice that (if possible) your authoritative server not be recursive, as it's a line of defence against some DoS attacks. (Cisco's document is here, for example.)

A sample from my domain is below (Server is running Bind 9 and is non-recursive).

; <<>> DiG 9.5.1-P3 <<>> mail.<snip> @<my authoritative master>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;mail.<snip>.       IN  A

;; ANSWER SECTION:
mail.<snip>.        86400   IN  CNAME   ghs.google.com.
ghs.google.com.     158151  IN  CNAME   ghs.l.google.com.
ghs.l.google.com.   33    IN  A       74.125.47.121

;; AUTHORITY SECTION:
google.com.     153556  IN  NS  ns4.google.com.
google.com.     153556  IN  NS  ns2.google.com.
google.com.     153556  IN  NS  ns3.google.com.
google.com.     153556  IN  NS  ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.     169823  IN  A   216.239.32.10
ns2.google.com.     169823  IN  A   216.239.34.10
ns3.google.com.     169823  IN  A   216.239.36.10
ns4.google.com.     169823  IN  A   216.239.38.10

It sounds more like a DNS misconfiguration at the Windows 2003 DNS than anything else.

Frenchie
  • To emphasize the point... you'll be hard-pressed to find anyone who knows anything about DNS who will suggest recursion on authoritative servers is a good idea. Most of the nasty DNS-related bugs require recursion to be enabled and, whenever possible, you should separate those roles. – icky3000 Feb 10 '10 at 07:26
3

Authoritative servers should NOT be configured to offer recursive service. Not even to work around a potential Microsoft bug.

I can't quote chapter and verse at the moment (if I find it I'll update). However, this is very much the accepted "best common practice" for operation of DNS servers.

If some resolver in your lookup chain is returning SERVFAIL then that simply indicates a misconfiguration somewhere or that you're asking the wrong question (or the right question with the wrong flags).

In your case, the dreamhost.com servers return SERVFAIL if you ask for a recursive answer (which happens to be what nslookup does by default). They're perfectly entitled to do that, they're authoritative servers, not recursive.

On my system, if I use dig instead and specifically disable recursion I get:

% dig +norecurse @ns1.dreamhost.com mail.scotchi.net.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec @ns1.dreamhost.com mail.scotchi.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54426
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;mail.scotchi.net.  IN A

;; ANSWER SECTION:
mail.scotchi.net. 14400 IN CNAME ghs.google.com.
Alnitak
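As an added example (not code from any poster), the following Python builds the same A query with the RD bit set or cleared and decodes the header flags the two dig transcripts above print (qr, aa, rd, ra, rcode), so an authoritative CNAME answer can be told apart from a non-recursive server's SERVFAIL; the two sample replies are constructed for illustration, not captured from ns1.dreamhost.com.

```python
import struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, rd=False, qid=0x1234):
    """Header + question; RD (0x0100) is the flag nslookup sets by default and dig +norecurse clears."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(resp):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "qdcount": qd,
            "ancount": an, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}

def skip_name(resp, pos):
    while True:  # advance past a wire-format name starting at pos
        length = resp[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length

def first_answer_type(resp):
    h, pos = parse_header(resp), 12  # TYPE of the first answer RR (5 = CNAME, 1 = A), else None
    for _ in range(h["qdcount"]):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    if h["ancount"] == 0:
        return None
    return struct.unpack("!H", resp[skip_name(resp, pos):][:2])[0]

def classify(resp):
    # Read the reply the way the thread does: authoritative answer, or a refusal to recurse?
    h = parse_header(resp)
    if h["aa"] and h["rcode"] == "NOERROR":
        return "authoritative answer (aa set)"
    if h["rcode"] == "SERVFAIL" and h["rd"] and not h["ra"]:
        return "SERVFAIL with RD set and RA clear: server will not recurse, retry with RD clear"
    return h["rcode"]

# Constructed sample replies (not real captures) to 'mail.scotchi.net. IN A', id 0x1234
QUESTION = encode_name("mail.scotchi.net") + struct.pack("!HH", 1, 1)
SERVFAIL_RESP = struct.pack("!HHHHHH", 0x1234, 0x8102, 1, 0, 0, 0) + QUESTION  # qr rd, rcode 2
CNAME_RDATA = encode_name("ghs.google.com")
AUTH_RESP = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION  # qr aa, NOERROR
             + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 14400, len(CNAME_RDATA)) + CNAME_RDATA)
```

To check a live server, send build_query(...) over UDP port 53 and pass the reply to classify(); an authoritative-only server should answer the RD-clear query with aa set and a single CNAME record, exactly as the +norecurse transcript shows.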
2

Dreamhost uses PowerDNS (ugh), just as bad... but Windows recursive resolvers do indeed suck.

The question is, why are the Windows DNS boxes at your client sites getting SERVFAIL? They shouldn't be.

And the above poster is correct: if you're authoritative for a domain, you can have it CNAME, A, fail, you name it, to any domain/IP (you don't have to know the glue for the other domain).

Perhaps that's it: the DNS resolvers that asked for your A record (and got a CNAME) got stuck thinking they would also know the glue for heroku.com.

You could analyse the listed nameservers for the original query to see what's happening, but in a 'worst case' scenario you could just serve out 'A' records... it'd just be a P-I-T-A.

If you want to post a real-world fail-domain, that's cool; you could also PM or AIM nerdNG :P (I love finding root-cause probs with DNS. Go fig.)

jrishaw
  • Here's what I get searching for my own mail domain (not the real example, but also on Dreamhost): with `nslookup mail.scotchi.net ns1.dreamhost.com` I get a `SERVFAIL`; however, if I just do a dig/nslookup/whatever without specifying the nameserver, everything is spiffy. – scotchi Feb 10 '10 at 08:02
0

I've been looking for "similar" questions to my own here and there seem to be quite a few similar points (e.g. Windows 2003 DNS servers and SERVFAIL responses).

If anyone has a link to the "potential Microsoft bug" mentioned above, would they mind posting details?

Much appreciated.

Steven_W