bind public/private domain question

Marseglia, Michael Michael.marseglia at chartercare.org
Tue Feb 21 21:19:43 UTC 2012


The domain, myDomain.org, is registered publicly on the Internet but we also use it privately.  The DNS records we publish to the Internet are entirely different than our internal DNS and reside on separate servers.  I am not performing 'split horizon'.  I don't allow the Internet to query my internal DNS server.  We have one or two records, like "www.myDomain.org", that use a public address; the rest of the addresses are private.

I'll start with how my config files are laid out, I have three.

named.conf
named.conf.local
named.conf.options

/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

         forwarders { 8.8.8.8; };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };

        version "not currently available";

        allow-query { any; };

        recursion yes;
};


named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "myDomain.org" {
        type forward;
        forward only;
        forwarders { 1.1.1.1; 2.2.2.2; };
};

Here are the commands I'm running and the corresponding output.
1. restart bind
2. flush cache
3. query localhost using the target's fqdn
4. query localhost for the NS records for the domain
5. query localhost using the target's fqdn a second time

1. restart bind
:/etc/bind# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9   [ OK ]
 * Starting domain name service... bind9   [ OK ]

2. flush cache
root at lookup1b:/etc/bind# rndc flush

3. query localhost using the target's fqdn
root at lookup1b:/etc/bind# dig host-dc1.myDomain.org

; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36091
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dc1.myDomain.org.                IN      A

;; ANSWER SECTION:
host-dc1.myDomain.org. 2558    IN      A       1.1.1.1

;; AUTHORITY SECTION:
.                       511538  IN      NS      i.root-servers.net.
.                       511538  IN      NS      e.root-servers.net.
.                       511538  IN      NS      c.root-servers.net.
.                       511538  IN      NS      k.root-servers.net.
.                       511538  IN      NS      m.root-servers.net.
.                       511538  IN      NS      a.root-servers.net.
.                       511538  IN      NS      d.root-servers.net.
.                       511538  IN      NS      f.root-servers.net.
.                       511538  IN      NS      h.root-servers.net.
.                       511538  IN      NS      g.root-servers.net.
.                       511538  IN      NS      l.root-servers.net.
.                       511538  IN      NS      b.root-servers.net.
.                       511538  IN      NS      j.root-servers.net.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:03 2012
;; MSG SIZE  rcvd: 267


4. query localhost for the NS records for the domain
root at lookup1b:/etc/bind# dig -t ns myDomain.org

; <<>> DiG 9.7.0-P1 <<>> -t ns myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32179
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8

;; QUESTION SECTION:
;myDomain.org.               IN      NS

;; ANSWER SECTION:
myDomain.org.        3600    IN      NS      host-dc4.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc2.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc2.subA.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc1.subB.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc1.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc1.subA.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc2.subB.myDomain.org.
myDomain.org.        3600    IN      NS      host-dc3.subB.myDomain.org.

;; ADDITIONAL SECTION:
host-dc1.myDomain.org. 2554    IN      A       1.1.1.1
host-dc2.myDomain.org. 3594    IN      A       2.2.2.2
host-dc4.myDomain.org. 3596    IN      A       3.3.3.3
host-dc1.subA.myDomain.org. 3502 IN  A       4.4.4.4
host-dc2.subA.myDomain.org. 3595 IN  A       5.5.5.5
host-dc1.subB.myDomain.org. 3591 IN  A       6.6.6.6
host-dc2.subB.myDomain.org. 2706 IN  A       7.7.7.7
host-dc3.subB.myDomain.org. 327 IN   A       8.8.8.8

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:07 2012
;; MSG SIZE  rcvd: 349


5. query localhost using the target's fqdn a second time
root at lookup1b:/etc/bind# dig host-dc1.myDomain.org

; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 7

;; QUESTION SECTION:
;host-dc1.myDomain.org.                IN      A

;; ANSWER SECTION:
host-dc1.myDomain.org. 2549    IN      A       1.1.1.1

;; AUTHORITY SECTION:
myDomain.org.        3595    IN      NS      host-dc2.subA.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc1.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc3.subB.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc1.subA.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc2.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc1.subB.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc4.myDomain.org.
myDomain.org.        3595    IN      NS      host-dc2.subB.myDomain.org.

;; ADDITIONAL SECTION:
host-dc2.myDomain.org. 3589    IN      A       2.2.2.2
host-dc4.myDomain.org. 3591    IN      A       3.3.3.3
host-dc1.subA.myDomain.org. 3497 IN  A       4.4.4.4
host-dc2.subA.myDomain.org. 3590 IN  A       5.5.5.5
host-dc1.subB.myDomain.org. 3586 IN  A       6.6.6.6
host-dc2.subB.myDomain.org. 2701 IN  A       7.7.7.7
host-dc3.subB.myDomain.org. 322 IN   A       8.8.8.8

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:12 2012
;; MSG SIZE  rcvd: 349

To answer your questions:
The Windows DNS servers should be authoritative for the Active Directory domain.  host-dc1.myDomain.org and host-dc2.myDomain.org are two of the NS servers.
The zone "myDomain.org" is Active Directory integrated.
The Windows DNS servers' forwarding configuration is to use OpenDNS and if that fails resort to the root hints.
The Forward Lookup Zone for "myDomain.org" contains 99% private addresses.  There are one or two external addresses, for www.myDomain.org, which are hosted outside the private network.

Also, when I query host-dc1 directly I get the following answer.  I notice there is no additional or authority section, but I don't know why.
dig host-dc1.myDomain.org @host-dc1.myDomain.org
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org @host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dc1.myDomain.org.                IN      A

;; ANSWER SECTION:
host-dc1.myDomain.org. 3600    IN      A       1.1.1.1

;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Feb 21 16:03:35 2012
;; MSG SIZE  rcvd: 56


I don't understand why I get the root servers at step 3.  Sometimes when I perform these steps I will get the external DNS servers returned as the name servers or in the authoritative section.

Thank you,

  Mike

-----Original Message-----
From: Spain, Dr. Jeffry A. [mailto:spainj at countryday.net] 
Sent: Tuesday, February 21, 2012 3:15 PM
To: Marseglia, Michael
Cc: bind-users at lists.isc.org
Subject: RE: bind public/private domain question

> I'm looking for advice on an issue.  I have a publicly registered domain which we also use internally.  I have bind configured as a caching DNS server.  Bind is configured to use four other Windows DNS servers as forwarders for the domain.  Bind should be using the root servers for anything not configured to forward.

I'm having difficulty understanding your configuration. Would you please provide relevant portions of your bind configuration files and some configuration details for your Windows DNS servers? In particular with regard to the Windows DNS servers, are they authoritative for your Active Directory domain? Are the zones for which they are authoritative Active Directory integrated? What is their forwarding configuration? Do their Forward Lookup Zones contain internal or external addresses?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
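Added example (editor's, not from either poster): a small Python parser for dig's text output that classifies the three response shapes seen in this thread. BIND attaches to a non-authoritative answer the NS set of the closest enclosing zone it currently holds in cache, so before the NS lookup in step 4 only the root NS set is there (step 3), after it the myDomain.org NS set (step 5), and the direct query to host-dc1 carries the aa flag with no AUTHORITY section at all. The sample inputs are constructed, abridged from the dig output quoted above.

```python
import re

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")

def parse_dig(text):
    """Split dig text output into (flags, sections): flags is a set such as
    {"qr", "rd", "ra"}; sections maps a name like "AUTHORITY" to RR tuples."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith(";; flags:"):
            flags = set(line.split("flags:")[1].split(";")[0].split())
        elif current and line and not line.startswith(";"):
            # Resource record line: owner ttl class type rdata
            owner, ttl, klass, rtype, rdata = line.split(None, 4)
            sections[current].append((owner, int(ttl), klass, rtype, rdata))
    return flags, sections

def diagnose(text, zone):
    """Classify a response for a name inside `zone` by its AUTHORITY section."""
    flags, sections = parse_dig(text)
    owners = {rr[0].lower() for rr in sections.get("AUTHORITY", [])}
    if "aa" in flags:
        return "authoritative"   # answered by the zone's own server (direct query)
    if not owners:
        return "no-authority"    # cached answer with no delegation attached
    if owners == {"."}:
        return "root-hints"      # only the root NS set was in cache (step 3)
    if owners == {zone.lower().rstrip(".") + "."}:
        return "zone-ns"         # zone NS set cached by the NS lookup (step 5)
    return "mixed"

# Constructed samples, abridged from the dig output in the post above.
STEP3 = """;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; ANSWER SECTION:
host-dc1.myDomain.org. 2558    IN      A       1.1.1.1
;; AUTHORITY SECTION:
.                       511538  IN      NS      i.root-servers.net.
.                       511538  IN      NS      e.root-servers.net.
"""
DIRECT = """;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
host-dc1.myDomain.org. 3600    IN      A       1.1.1.1
"""
```

Feed it the output of `dig host-dc1.myDomain.org` after `rndc flush` and again after `dig -t ns myDomain.org` to see the classification change from root-hints to zone-ns.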
