Bind9 "split zones"

Taavi Ansper taavi.ansper at cyber.ee
Mon Mar 4 17:18:19 UTC 2024


Hi

Thanks for the quick response!

Answering the last question. There are two different systems from which DNS names are generated. One is actually phpipam, from which we generate entries, and the second one is a virtualization platform, where we also dig in the DB to generate entries for VMs.

As I don't think we have had issues with PTR records, not having a "fix" is not an issue.

In the end the solution is not to use one IP range for both use cases.

Taavi Ansper
taavi.ansper at cyber.ee

On 04.03.24 19:06, Greg Choules wrote:
> Hi.
> If I understand you correctly, you are trying to get your resolver to go to two different places (main_hidden_dns_server and other_dns_server) for answers to the same question, and then want it to combine those answers into a single response to the client, which contains PTR records for both names?
> 
> If I got that correct, then it won't. If you want multiple PTR records to be associated with different names then they have to be in the same zone/zone file.
> 
> A few comments:
> - The statement "forward first" means: try forwarding first and only if that fails, then try recursion.
> - Adding forwarders to a secondary zone tells the server what to do for names delegated from that zone. e.g. if the zone is "example.com" and it contains "sub NS another.server.somewhere.else." then a query to it for "name.sub.example.com" will follow the "forwarders" statement because "sub.example.com" has been delegated away.
> - Do you really want to be forwarding to your hidden primary anyway?
> - Why are two different servers both authoritative for "100.168.192.in-addr.arpa"? That's asking for trouble.
> 
> Hope that helps.
> Greg
> 
> On Mon, 4 Mar 2024 at 15:35, Taavi Ansper via bind-users <bind-users at lists.isc.org> wrote:
> 
>     Hi
> 
>     I am trying to understand bind9 more thoroughly.
> 
>     Backstory: We have been using bind9 for a long time and overhauling it
>     for more "usage".
> 
>     We have been using a "hidden master dns" logic with views for different usages.
> 
>     E.g. Client -> Slave DNS Server <- (Transfer zones from hidden master)->
>     Hidden Master.
> 
>     We had two views "external" and "internal" and now we added a new view "dmz" as well.
> 
>     In one of those zones we had an interesting DNS "thingy" where for
>     example a CIDR 192.168.100.0/24 was generating entries to the main
>     "hidden dns" server via includes. It uses a domain called example.com.
>     Now another DNS server created DNS entries for the same CIDR
>     192.168.100.0/24 but it had a different domain "subdomain.example.com".
>     Including that info was easy.
> 
>     In the Slave DNS
> 
>     zone "example.com" {
>           file "blaah";
>           type slave;
>           masters { main_hidden_dns_server; };
>     };
> 
>     zone "subdomain.example.com" {
>           file "blaah";
>           type slave;
>           masters { other_dns_server; };
>     };
> 
>     But now comes the problem. When generating a PTR record
>     100.168.192.in-addr.arpa, I wish to combine both of these "results" into
>     one lookup. How can I do that? I tried to add:
> 
>     zone "100.168.192.in-addr.arpa" {
>           file "blaah";
>           type slave;
>           masters { other_dns_server; };
>           forward first;
>           forwarders { main_hidden_dns_server; };
>     };
> 
>     But this forwarding logic doesn't work. I have a feeling the forwarding
>     only works for specific zones, and you can't combine two of the same
>     "names" into one. Am I correct, and in order for PTR records to work do I
>     need to get them into a single file?
> 
>     -- 
>     ----
>     Taavi Ansper
>     taavi.ansper at cyber.ee
> 
> 
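Since the answer above is that PTR records for both names must live in one zone file, the two generators (phpipam and the VM platform) have to feed a single reverse zone. What follows is an added example, not code from the thread, of how one could merge the two generated fragments and flag addresses that both systems name; the fragment line format and the sample records are assumptions.

```python
"""Merge PTR fragments from two generators into one reverse zone file
(added example, not from the thread). Assumed fragment line format:
'<last-octet> [TTL] IN PTR <fqdn.>'; a real zone also needs SOA/NS."""
import re

PTR_RE = re.compile(r"^(\d{1,3})\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)\s*$", re.I)

def parse_fragment(text):
    """Return {last_octet: {fqdn, ...}}; ';' comments and blank lines skipped."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = PTR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PTR line: {line!r}")
        octet, name = m.group(1), m.group(2).lower()
        if not name.endswith("."):
            raise ValueError(f"PTR target must be absolute: {name!r}")
        records.setdefault(octet, set()).add(name)
    return records

def merge_fragments(*fragments):
    """Union the per-address name sets. An address named by both sources
    keeps both names: one RRset with two PTR RRs, which BIND serves fine
    from a single zone file but cannot assemble across two zones."""
    merged = {}
    for frag in fragments:
        for octet, names in frag.items():
            merged.setdefault(octet, set()).update(names)
    return merged

def overlaps(merged):
    """Addresses that ended up with more than one PTR target, for review."""
    return {o: sorted(n) for o, n in merged.items() if len(n) > 1}

def render_zone(merged, origin="100.168.192.in-addr.arpa.", ttl=3600):
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}"]
    for octet in sorted(merged, key=int):
        for name in sorted(merged[octet]):
            lines.append(f"{octet}\tIN\tPTR\t{name}")
    return "\n".join(lines) + "\n"

# Constructed sample fragments standing in for the phpipam and VM exports.
IPAM_FRAGMENT = "10 IN PTR gw.example.com.\n20 3600 IN PTR db.example.com.\n"
VM_FRAGMENT = "20 IN PTR vm-db.subdomain.example.com.\n30 IN PTR web.subdomain.example.com.\n"

if __name__ == "__main__":
    merged = merge_fragments(parse_fragment(IPAM_FRAGMENT), parse_fragment(VM_FRAGMENT))
    print(render_zone(merged), "addresses named by both sources:", overlaps(merged))
```

Run the merged output through named-checkzone (after adding the apex SOA and NS records) before loading it on the hidden primary.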