Forwarding pre-empts subdomains?

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 19 21:10:39 UTC 2001


Jack Aubert wrote:

> I'm running a large internal DNS domain (state.gov) with an extensive, but
> flat, list of subdomains: (paris.state.gov, rome.state.gov,
> someoffice.state.gov and so forth).  These subdomains are all delegated from
> the internal root to local authoritative DNS servers, all of which are set
> to forward back up to the internal root server.  All this is behind a
> firewall and we are using Cisco Network Registrar's (dynamic) DNS.

Hmmm... For a pure internal-root setup, I'm not sure why the local
authoritative nameservers need to forward back up to the root. Why not just get
rid of forwarding and let the nameservers resolve names from each other? Seems
like you're creating an artificial name-resolution bottleneck.

> We are finally about to permit a proxy server to allow internal users some
> outside access to the Internet and I am trying to set up a split-brain DNS
> that resolves outside names via a proxy firewall and inside names
> internally.

Okay, that sounds similar to our setup. In this case, only the proxy
firewall(s) need(s) to be able to resolve external names, correct?

> My problem seems to be that if I set the internal root
> server(s) to forward to the proxy firewall, the system stops resolving
> internal delegated subdomains.

Now you've lost me. If you're proxying, why do regular boxes on your intranet
need to resolve Internet names? We configure our proxy firewalls with a
"hybrid" configuration, i.e. stub zones for each internal domain (e.g.
chrysler.com), so that all internal names can be resolved, and a root hints
file so that it can resolve Internet names as well. But only the proxy
firewalls have this special DNS configuration -- as far as the rest of our
intranet is concerned, the internal root is *the* root, and Internet DNS names
don't exist. Among other benefits, this means we can use our internal DNS to
route mail (via MX wildcards in the internal root zone).

> It will resolve Internet domains and domains
> for which the internal root is authoritative, but will not resolve the
> internally delegated domains.  It knows that subdomains have been delegated
> and has the glue records for the delegations, but ignores this information
> and forwards for everything it is not personally authoritative for.  Is this
> normal behavior?  Shouldn't forwarding not apply to delegated subdomains?
> Do I have to specify an exception for every delegated subdomain?

It is normal, but you can "cancel" forwarding for a whole branch of the
namespace by specifying "forwarders { }" in the very apex zone, e.g. the
master-zone definition of state.gov. The nameserver will then use iterative
resolution for that whole domain.


- Kevin
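As an added illustration (not part of Kevin's reply or Jack's actual configuration), this is what the suggested `forwarders { }` override looks like in a BIND named.conf for an internal root server that holds state.gov as a master zone and delegates subdomains such as paris.state.gov to other nameservers. The addresses and file names are constructed placeholders.

```conf
// Added example, not from the original thread. named.conf for the internal
// root nameserver. 192.0.2.10 and the file names are constructed placeholders.
options {
    directory "/var/named";
    // Every name this server is not authoritative for is sent to the proxy
    // firewall, the only host that can reach Internet DNS.
    forwarders { 192.0.2.10; };
};

// The internal root zone; nothing about forwarding is special for it.
zone "." {
    type master;
    file "db.internal-root";
};

// The apex of the internal namespace. The empty forwarders list cancels the
// global forwarding for state.gov and everything below it, so queries for
// paris.state.gov follow the NS/glue delegation in db.state.gov iteratively
// instead of being handed to the proxy firewall.
zone "state.gov" {
    type master;
    file "db.state.gov";
    forwarders { };
};
```

After editing, a syntax check with `named-checkconf` (shipped with BIND 9) catches a misplaced brace before the server is reloaded. With this layout, only names outside state.gov reach the forwarder; anything under state.gov is resolved from the delegation data the server already holds, which is the behaviour the reply describes.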