QA: Why is my BIND accessing the root name servers although I have forwarders?

Question

Why is my BIND accessing the root name servers although I have forwarders?

Answer

There are two main cases in which such requests are sent:

  1. Root Priming Requests:

Right after BIND is restarted, the first DNS request also causes a root priming request to be sent. Its main purpose is to get the cache ready for case 2, but it also serves DNSSEC validation, in line with RFC 8109.

These requests look as follows when univention.de is being resolved:

08:10:22.971598 lo    In  IP 10.150.2.21.52460 > 10.150.2.21.53: 32130+ [1au] A? univention.de. (54)
08:10:22.972194 ens18 Out IP 10.150.2.21.58865 > 10.150.2.2.53: 6469+% [1au] A? univention.de. (54)
08:10:22.972739 ens18 Out IP 10.150.2.21.45522 > 170.247.170.2.53: 18400 [1au] NS? . (40)
08:10:22.975092 ens18 In  IP 170.247.170.2.53 > 10.150.2.21.45522: 18400*- 14/0/27 NS m.root-servers.net., NS f.root-servers.net., NS a.root-servers.net., NS b.root-servers.net., NS i.root-servers.net., NS d.root-servers.net., NS c.root-servers.net., NS l.root-servers.net., NS k.root-servers.net., NS j.root-servers.net., NS h.root-servers.net., NS e.root-servers.net., NS g.root-servers.net., RRSIG (1125)
08:10:22.976889 ens18 In  IP 10.150.2.2.53 > 10.150.2.21.58865: 6469 1/0/1 A 78.47.5.12 (58)
08:10:22.977094 lo    In  IP 10.150.2.21.53 > 10.150.2.21.52460: 32130 1/0/1 A 78.47.5.12 (86)

  2. The forwarder is not available:

If the forwarders are (temporarily) unreachable, UCS will by default switch from forwarding to recursive mode and ask the root name servers directly to resolve the domains. This can be disabled with the "forward only;" option in the root zone of the BIND configuration. A corresponding bug to make this configurable via UCR or similar is open at:
https://forge.univention.org/bugzilla/show_bug.cgi?id=59195
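
To tell the two cases apart in a capture, the following added example (not part of the original answer) classifies outbound queries from tcpdump lines in the format shown above. The forwarder set is taken from that capture, and the last sample line is constructed, using a documentation address, to illustrate case 2.

```python
import re

# Assumption: the forwarder seen in the capture above; use your own addresses.
FORWARDERS = {"10.150.2.2"}

# A tcpdump query line: time, interface, direction, src > dst, id+flags, QTYPE? name
QUERY = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"[\d.]+\.\d+\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"\d+\S*\s+(?:\[[^\]]*\]\s+)*(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)"
)

# First four lines are from the capture above; the last line is constructed.
SAMPLE = """\
08:10:22.971598 lo    In  IP 10.150.2.21.52460 > 10.150.2.21.53: 32130+ [1au] A? univention.de. (54)
08:10:22.972194 ens18 Out IP 10.150.2.21.58865 > 10.150.2.2.53: 6469+% [1au] A? univention.de. (54)
08:10:22.972739 ens18 Out IP 10.150.2.21.45522 > 170.247.170.2.53: 18400 [1au] NS? . (40)
08:10:22.976889 ens18 In  IP 10.150.2.2.53 > 10.150.2.21.58865: 6469 1/0/1 A 78.47.5.12 (58)
08:15:01.000001 ens18 Out IP 10.150.2.21.40001 > 192.0.2.53.53: 1234 [1au] A? univention.de. (54)
""".splitlines()


def classify(lines, forwarders=FORWARDERS):
    """Return (time, destination, qtype, qname, verdict) per outbound query."""
    findings = []
    for line in lines:
        m = QUERY.match(line)
        # Responses carry no "QTYPE?" and do not match; skip loopback and inbound.
        if not m or m["dir"] != "Out" or m["iface"] == "lo" or m["dport"] != "53":
            continue
        if m["dst"] in forwarders:
            verdict = "forwarded"   # normal path via the configured forwarder
        elif m["qtype"] == "NS" and m["qname"] == ".":
            verdict = "priming"     # case 1: root priming (RFC 8109)
        else:
            verdict = "recursion"   # case 2: query bypassed the forwarders
        findings.append((m["ts"], m["dst"], m["qtype"], m["qname"], verdict))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(*finding)
```

A "priming" verdict shortly after a restart is expected; repeated "recursion" verdicts indicate that the forwarders were unreachable at that time.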
