Forwarding to two servers

CLOSE Dave (DAE) Dave.Close at us.thalesgroup.com
Fri Aug 6 16:55:03 UTC 2010


I asked:
> My company has two internal name servers accessible to me. One (PUB) is
> the usual Internet-facing server that can resolve most internal and all
> public names. The other (PRIV) is a special purpose server that only
> resolves names in a special private domain. If I list both servers in
> resolv.conf, some names cannot be resolved. If PUB is listed first,
> names in the special domain fail; if PRIV is listed first, all other
> names fail.
>
> It has been suggested that running a forwarding name server of my own
> might provide a solution. I have tried that, but without success. The
> BIND 9 Administrator Reference doesn't seem to address forwarding with
> any relevant examples, so perhaps I'm not doing something right. Here's
> what I have tried.
>
> I took the named.conf provided by Fedora 13 (bind-9.7.1-2.P2.fc13.i686),
> commented all the IPv6 lines, and added two options:
>    forwarders { PRIV; PUB; };
>    forward only;
> (Using the correct IP addresses for PRIV and PUB, of course.)
>
> After starting the service, only names in the private domain are
> resolved. "dig @localhost" for any other name returns an Authority
> section that shows the private domain's authority, but no Answer section.
>
> What is the right way to accomplish my purpose? If I'm on the right
> track, what did I do wrong?

Lyle Giese responded:
> Assuming your private domain is mydomain.com, in the named.conf for
> the public server put:
>
> zone "mydomain.com" {
>     type forward;
>     forward only;
>     forwarders { <ip address of priv server>; };
> };
>
> The priv server needs to be authoritative (and probably master) for
> mydomain.com.
>
> In resolv.conf on the clients, you only need the pub server.

Nope, that won't help me. I have no ability to modify the PUB server
(which is probably not BIND anyway). Further, there are actually
multiple PRIV servers, depending on the physical location, and from most
physical locations none of them are accessible. (When a PRIV server is
accessible, only one is visible at a time.) If this problem is to be
resolved at all, it must be done locally.
-- 
Dave Close
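The local-only variant of the forward-zone approach discussed in this thread, as an added example and not configuration from either poster: a named.conf for a resolver on the workstation itself, with a conditional forward zone that sends only the private domain to PRIV and a global forwarders list that sends everything else to PUB. The addresses 192.0.2.10 (PUB) and 192.0.2.20 (PRIV) and the name mydomain.com are placeholders; the zone-level forwarders list replaces the global one for that domain, so each question reaches only the server that can answer it.

```conf
// Local forwarding resolver for one workstation (added example, not from the thread).
// Placeholders: 192.0.2.10 = PUB, 192.0.2.20 = PRIV, mydomain.com = the private domain.
options {
    // Listen only on loopback and answer only local clients: a forwarder that
    // answers anyone else is an open resolver.
    listen-on port 53 { 127.0.0.1; };
    allow-query { localhost; };
    recursion yes;
    allow-recursion { localhost; };
    // Everything not matched by a zone below goes to PUB and nowhere else.
    forwarders { 192.0.2.10; };
    forward only;
};

// Conditional forwarding: this zone-level forwarders list replaces the global
// list for names under mydomain.com, so those questions reach only PRIV.
zone "mydomain.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.20; };
};
```

Point resolv.conf at 127.0.0.1 only and run `named-checkconf` on the file before reloading. Where several PRIV servers exist, all of them can be listed in the zone's forwarders; the ones unreachable from the current location time out and BIND moves on to the others.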
