Bind DNS Question

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 29 03:12:09 UTC 2004


Lucas, David wrote:

>Hello Everyone,
>
>I was wondering if any Bind experts can help me out with this one.  I'm
>working on our campus network registration system and would like to
>accomplish the following:
>
>1. When a computer is in the Unknown state it will get a "Bogus" DNS
>server.  That DNS server thinks it's the root server for everything.  So
>when a user types www.cnn.com they resolve to a webpage that we specify.
>(This is working today)
>
>2. I want a user to be able to get to windowsupdate.microsoft.com from our
>private addresses that are assigned when a computer is in the unknown state.
>Now, I have half this working.  I have a proxy server that is restricting
>access to only Microsoft.  When I bring everything onto the same DNS server
>it does not work.  Basically for the proxy server to work correctly I need
>to have the public addresses resolved via DNS.  I only want public addresses
>to be handed out for domains that I specify.
>
>This is what I have tried:
>
>- I have tried to set a forward for zone microsoft.com, well it forwards all
>requests to the public DNS servers, which in turn gives me public addresses
>for everything.
>
How did you specify forwarding? With a "type forward" zone, e.g.

zone "microsoft.com" {
    type forward;
    forwarders { x.x.x.x; y.y.y.y; };
    forward only;
};

? Or did you put the "forwarders" and/or "forward only" in the "options" 
block? I can't imagine how "everything" could have started forwarding if 
forwarding was only defined for microsoft.com...

>  I don't want this; I only want Microsoft's public addresses.
>- I've tried to specify a NS record for Microsoft and that too didn't work,
>actually it killed everything for resolving the names.
>
Actually, you may need to do *both* delegation and a "type forward" 
zone. If you have a "fake" root zone with a wildcard A record in it (I 
assume this is how you implemented #1 above), named may need to see a 
delegation for microsoft.com before it will forward queries for that 
domain. Otherwise, since it is authoritative for the root zone, it'll 
just "know" that microsoft.com doesn't exist. In this case, it doesn't 
really matter to _what_ you delegate microsoft.com, since all of the 
queries will be forwarded anyway. Just make up some bogus nameserver 
names and addresses.

                                                - Kevin
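Added illustration of the setup Kevin describes (not from the original thread): a fake root zone that answers everything with the portal's address, a delegation for microsoft.com inside that root zone so named stops answering it authoritatively, and a "type forward" zone so only that name space is resolved upstream. The addresses, file names and the bogus nameserver name are placeholders.

```conf
// --- named.conf (placeholder paths and addresses) ---
options {
    directory "/var/named";
    recursion yes;
    // only the unknown-state clients should ever reach this server
    allow-query { 10.0.0.0/8; };
};

// Fake root: authoritative for ".", so any name not delegated below
// is answered locally by the wildcard in fakeroot.db.
zone "." {
    type master;
    file "fakeroot.db";
};

// Scoped forwarding: only microsoft.com is sent upstream.
// Keeping "forward only" here, not in options, is what keeps
// every other domain answered from the fake root.
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // placeholder: real upstream resolver
};

; --- fakeroot.db (zone file for ".") ---
$TTL 300
@    IN SOA ns.portal.example. hostmaster.portal.example. (
             2004062901 3600 900 604800 300 )
@    IN NS  ns.portal.example.
ns.portal.example.  IN A 10.0.0.53     ; this server (placeholder)
*    IN A   10.0.0.80                  ; captive-portal web page (placeholder)

; Delegation for microsoft.com: the wildcard does not match below a
; delegation point, so named no longer claims the name doesn't exist
; and the forward zone above handles it. The target is deliberately bogus.
microsoft.com.       IN NS ns1.bogus.invalid.
ns1.bogus.invalid.   IN A  192.0.2.1   ; made-up address, never contacted
```

A query for www.cnn.com from a registered-unknown client then returns 10.0.0.80, while windowsupdate.microsoft.com is forwarded to 192.0.2.53 and returns the real address the restricted proxy needs.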
