Forward only some subdomains?

David Botham DBotham at OptimusSolutions.com
Mon Feb 9 14:24:00 UTC 2004


bind-users-bounce at isc.org wrote on 02/06/2004 08:08:56 PM:
> > >It is set up to 
> > > forward all queries except for our domain name.
> > 
> > Probably a bad idea if the name servers to which you forward go away, 
> > change IP, etc...
> > 
> > > 
> > > Before, we checked and sent our mail with our ISP's domain name 
> > > (pop.chartermi.net, smtp.chartermi.net), but now they want us to use 
> > > pop.ourdomain.com and smtp.ourdomain.com.  Since our internal DNS 
> > > catches all ourdomain.com queries, we can't get an IP for pop. and 
> > > smtp.
> > 
> > 
> > I am not sure what you mean by "can't get"???
> 
> I mean, a query inside the firewall for pop or smtp will return no 
> domain found.


Yes, that is what I thought, and I think you know that the reason you get 
NXDOMAIN is that your name server has the zone in question loaded and you 
have not put these RR's in the zone.

> 
> > Anyway, put two RR's into 
> > your internal zone, one for pop... and the other for smtp... each with the 
> > IP address of the pop and smtp servers respectively (or the same IP if 
> > both services run on the same box).
> > 
> that's what I'm doing now.  It just doesn't seem right, since they may 
> change their mail server IPs, and I would have to keep an eye on that 
> and change the internal zone whenever that happens.

Yes, this situation is a little unfortunate, however, that is the price 
you pay if you do not run your own name servers. 

However, you could make pop. and smtp. CNAMEs for charter's domain names. 
That way, if they change the IP address associated with their domain 
names, you won't care.

Just make sure that you do not use a CNAME RR in the RDATA field of an MX 
RR.



> 
> > > 
> > > So, is there a way to forward certain subdomain queries and catch all 
> > > others?  Bind 9.2.2
> > > 
> > > Currently the named.conf looks like:
> > > 
> > > options {
> > >     directory "/var/named";
> > >     allow-transfer {none;};
> > >     recursion true;
> > >     notify no;
> > >     forward first;
> > >     forwarders {
> > >             24.196.64.39;
> > >             24.196.64.40;
> > >         };
> > 
> > Don't forward unless you have to.  Let your name server use a normal 
> > resolution process to get the answers it needs.
> 
> Hm, I got this from some examples somewhere (I forget) some years ago - 
> for a private intranet DNS behind a firewall.  I recently updated it a 
> bit after going thru the OReilly DNS books, but the whole DNS thing 
> still gives me headaches.


Once upon a time when firewalls were almost exclusively proxy based, you 
were forced into "forwarding" to the internal interface of your firewall. 
Then, along came stateful inspection and I think (just a guess) that 
people thought "forwarding" was a requirement, so they started forwarding 
to their ISP.  If you can forward to your ISP, then you can certainly turn 
off forwarding and use normal resolution / iteration to answer internal 
queries.


> 
> IS there a way to do this then? - handling only PART of a domain?

You can do part of a domain if you are talking about subdomains, however, 
you cannot do "part" of a zone.  If a name server has loaded a zone 
(either as master or slave), then that name server will never look for 
data on any other server for data that is in that zone.

> 
> Maybe I should just get the mail server going - I've been thinking about 
> it.  Save us some $$$ - Charter likes to charge for every little thing. 
> :)  Their mail service kinda sucks too.


Even better yet, run your own mail server.


Hope this helps.

Dave...


> 
> 
> - WoK
> 
> -- 
> Don't Panic.
> 

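The configuration below is an added illustration of the advice in this thread, not a file from the original poster or from ISC: global forwarding is dropped from `options` so the server iterates from the root hints, `pop` and `smtp` become CNAMEs for the Charter names, the MX target is an A record rather than a CNAME, and the one thing that *can* be forwarded is a separate subdomain zone. Every host name and address here (ns1, mail, the `lab` subdomain, the 10.0.0.0/8 addresses, the `allow-recursion` restriction) is an assumption made for the example. The point a practitioner tends to miss is in the last two stanzas: because `ourdomain.com` is loaded authoritatively, a `type forward` zone for `lab.ourdomain.com` only takes effect if the parent zone also delegates `lab` with NS (and glue) records; without that delegation the authoritative parent answers NXDOMAIN and the forwarders are never consulted.

```conf
// ---- /etc/named.conf (added example; all names and addresses are assumed) ----
options {
    directory "/var/named";
    allow-transfer { none; };
    // No "forward first" and no global "forwarders": the server resolves
    // external names by normal iteration from the root hints.
    recursion yes;
    // Only the internal network may use this server as a recursive resolver
    // (assumed RFC 1918 range; not in the original configuration).
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    notify no;
};

// Root hints so the server can iterate on its own instead of forwarding.
zone "." {
    type hint;
    file "named.root";
};

// Internal copy of ourdomain.com. Because this zone is loaded here, every
// name under it is answered from this file (or referred by a delegation in
// it); nothing inside the zone itself is ever forwarded.
zone "ourdomain.com" {
    type master;
    file "db.ourdomain.com";
};

// Forwarding applies to a whole zone, so the subdomain is delegated in
// db.ourdomain.com and then forwarded to the (assumed) lab name server.
// "forward only" means no fallback to iteration if that server is down.
zone "lab.ourdomain.com" {
    type forward;
    forward only;
    forwarders { 10.0.5.53; };
};

; ---- /var/named/db.ourdomain.com (zone file; constructed for this example) ----
$TTL 86400
$ORIGIN ourdomain.com.
@       IN  SOA  ns1.ourdomain.com. hostmaster.ourdomain.com. (
                 2004020901 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
        IN  NS   ns1.ourdomain.com.
; MX RDATA names an A record (mail), never a CNAME.
        IN  MX   10 mail.ourdomain.com.
ns1     IN  A    10.0.0.53
mail    IN  A    10.0.0.25
; Aliases for the ISP's mail hosts: if Charter renumbers, nothing here changes.
pop     IN  CNAME pop.chartermi.net.
smtp    IN  CNAME smtp.chartermi.net.
; Delegation of the subdomain that named.conf forwards, with glue for its server.
lab     IN  NS   ns.lab.ourdomain.com.
ns.lab  IN  A    10.0.5.53
```

Check the two files with `named-checkconf /etc/named.conf` and `named-checkzone ourdomain.com /var/named/db.ourdomain.com` before reloading; the zone check will also complain if an MX or NS target is a CNAME, which is the mistake the thread warns about.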