problem: pointing root hints to forwarder only delivers forwarder's root file

Van Bemmel, Berend VanBemmel.Berend at kpmg.nl
Thu Jul 5 14:36:57 UTC 2001


Hi All,

I have a problem with a test Bind setup. What I have is an internal domain
tree that works as a fully delegated tree, with DNS servers all around
serving their child domains. All this is an internal namespace. To resolve
Internet names there is a Bind 9.1.2 installed on one of our DMZs that runs
in forwarding only mode, which I call the 'Gateway DNS'. Further, on the
internal DNS servers I can't really configure forwarders, since that would
stop the internal namespace delegation from working. Hence I have created my
own root hints file, with one entry in it, pointing to the gateway DNS
server.

In theory this should work, and it actually works in practice too, as our
production environment uses the same scheme, but there the gateway has some
DNS caching only forwarding firewall type thingy running, which for some
reason we can't keep on using forever; that's why I am testing now with Bind
9.1.2 on a DMZ segment.

Anyways, what happens is that when my internal Bind 8.2.3 is confronted with
a query for something outside my internal domain, it forwards it to the
gateway DNS on the DMZ, but surprisingly it gets an answer in the form of the
root file being used on the gateway server (which is of course the Internet
root file) instead of the right answer. I don't understand this since it is
in forwarding only mode, and should resolve the query recursively for my
internal DNS - if I understand correctly. If I query the gateway server
directly with dig, both recursive as well as non-recursive queries get the
proper response.

What could be the problem here? Why do I get answered with the root file of
the gateway DNS when querying my internal DNS for Internet names in this
setup?

For clarity I'll include the configs below, any help will be greatly
appreciated,

Cheers,

Berend

---- options in named.conf on gateway DNS, installed on a DMZ, able to
resolve Internet names:

options {
	directory "/var/named";
	query-source address * port 53;
	auth-nxdomain yes;
	forward only;
	forwarders { x.x.x.x; y.y.y.y; };
	allow-query { any; };
	allow-recursion { any; };
};

--- named.conf on internal DNS

options {
	directory "/prog/named";
	notify yes;	
	named-xfer "/usr/local/sbin/named-xfer";
	check-names master ignore;
	check-names slave ignore;
	check-names response ignore;
	query-source address * port 53;
	pid-file "/usr/local/etc/named.pid";
	min-roots 1;
};

zone "." in {
	type hint;
	file "db.cache";
};

Rest of zones deleted... they are there however ;-)

-- db.cache on internal DNS:
;
; Root hints point to DNS machine on special segment connected to Internet
; 
.                      3600000  IN NS  gatewaydns.mydomain.com.
gatewaydns.mydomain.com.    3600000      A     10.1.1.1


--
Berend W. van Bemmel
KPMG - OGCIO
gsm       +31 (0)65 352 8972
SMTP    vanbemmel.berend at kpmg.nl
X.400     c=NL;a=CONCERT;p=KPMG;s=vanbemmel;g=berend

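A diagnostic for the symptom described in the post above, added here as an example; it is not code from the poster or from BIND. It is a small pure-Python DNS message builder and parser that (a) constructs a query with or without the RD (recursion desired) bit, and (b) classifies a response as a real answer or as a referral whose only content is NS records for ".", which is what a root hints file handed back as a response looks like. The RD bit is worth looking at here because a BIND 9 server in forward-only mode forwards only queries that ask for recursion; a resolver that treats the hints entry as a root server asks with RD clear, and the reply to that is a referral built from the gateway's own hints rather than the forwarded answer. All packets are constructed in memory (nothing goes on the wire), and the names and addresses are placeholders: 192.0.2.1 is documentation address space.

```python
"""Build DNS queries with or without the RD bit and classify DNS responses as
a real answer or a referral to the root. Pure stdlib; every packet here is
constructed in memory for illustration, nothing is sent to a real server."""
import struct

QTYPE = {"A": 1, "NS": 2}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a dotted name; '.' becomes the single zero byte of the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, rdata, ttl=3600):
    """One resource record, class IN, with rdata already in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_message(msg_id, flags, qname, qtype, answers=(), authority=(), additional=()):
    """Assemble a DNS message: header, one question, three RR sections."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1,
                         len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers) + b"".join(authority) + b"".join(additional)


def build_query(qname, qtype="A", recursion_desired=True, msg_id=0x1234):
    """A query as a stub resolver (RD=1) or an iterating resolver (RD=0) sends it."""
    return build_message(msg_id, FLAG_RD if recursion_desired else 0, qname, QTYPE[qtype])


def decode_name(msg, offset):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(msg):
    """Parse header, question and RR sections into plain Python values."""
    msg_id, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            offset += rdlen
            if rtype == QTYPE["NS"]:
                rdata, _ = decode_name(msg, offset - rdlen)   # NS rdata is a name
            elif rtype == QTYPE["A"]:
                rdata = ".".join(str(b) for b in rdata)       # A rdata is 4 octets
            rrs.append((name, rtype, rdata))
        sections[key] = rrs
    return {"id": msg_id, "flags": flags, "qname": qname, "qtype": qtype, **sections}


def classify_response(msg):
    """'answer' when the answer section is non-empty; 'root-referral' when the
    only thing returned is NS records for '.' (a server handing back its hints);
    'referral' for any other delegation; 'empty' otherwise."""
    parsed = parse_message(msg)
    if parsed["answer"]:
        return "answer"
    ns_names = {name for name, rtype, _ in parsed["authority"] if rtype == QTYPE["NS"]}
    if ns_names == {"."}:
        return "root-referral"
    return "referral" if ns_names else "empty"


if __name__ == "__main__":
    # Constructed packets (placeholder names/addresses), one of each kind.
    referral = build_message(1, FLAG_QR | FLAG_RA, "www.example.com.", QTYPE["A"],
                             authority=[encode_rr(".", QTYPE["NS"], encode_name("a.root-servers.net."))],
                             additional=[encode_rr("a.root-servers.net.", QTYPE["A"], bytes([198, 41, 0, 4]))])
    answer = build_message(1, FLAG_QR | FLAG_RA, "www.example.com.", QTYPE["A"],
                           answers=[encode_rr("www.example.com.", QTYPE["A"], bytes([192, 0, 2, 1]))])
    print(classify_response(referral), classify_response(answer))   # root-referral answer
    print(hex(parse_message(build_query("www.example.com.", recursion_desired=False))["flags"]))  # 0x0
```

To use it against a real server, send the bytes from build_query() over UDP to port 53 and feed the reply to classify_response(); comparing the result for RD=1 versus RD=0 shows whether the gateway answers both kinds of query the same way. Capturing what the internal server actually sends (for instance with tcpdump) and checking its RD flag with parse_message() tells you which kind it is asking.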