forward question

CT groups at obsd.us
Thu Sep 1 12:06:13 UTC 2011


> Hello,
>
> Do add "forward only;" to this zone statement.
>
> Is this name server available/visible to the Internet ?
> -->  add "allow-query" statement to limit who can query for your internal
> zone.
>
> Kind regards,
>
> Marc Lampo
> Security Officer
> EURid
>
>
>
> -----Original Message-----
> From: CT [mailto:groups at obsd.us]
> Sent: 31 August 2011 11:17 PM
> To: bind-users at lists.isc.org
> Subject: forward question
>
> We have a public DNS in our DMZ
>
> - Some of the servers in the DMZ provide certain services to services on
> the
> inside.
> - Currently, certain servers use the Internal AD DNS Servers for
> resolution
> on a internal DNS domain to provide the services via firewall rules.
>
> I would like all DMZ clients to use the Public DNS and "forward" the
> internal
> DNS queries to the Internal AD DNS servers.
>
> zone transfer to the Public DNS from Internal DNS is not an option..
>
> *****************
> zone "internal.zone" in {
>           type forward;
>           forwarders {
>                   xxx.xxx.xxx.1;  // ad server 1
>                   xxx.xxx.xxx.2; // ad server 2
>                   };
> };
> *****************
> Thx
> CT
>
>
>
Marc,
Thanks for the reply.

The Internal AD DNS is not visible to the Internet
and does not do queries directly to the Internet.

The Public DNS does allow recursion for the subnets in the DMZ via acl.

The allow-query statement does not work in a forward zone:
-----
checking named.conf
/etc/namedb/named.conf:72: option 'allow-query' is not allowed in 
'forward' zone 'internal.zone'
  now running rndc reload
rndc: 'reload' failed: failure
----

From all the searching, it seems the forward statement should work.

ns.example.com = Public DNS
ns.internal.example.com = Internal DNS

Successful dig (PTR also successful):

-------------
-------------
root at ns.example.com dig @192.168.100.1 internal-host.internal.example.com

; <<>> DiG 9.8.0-P4 <<>> @192.168.100.1 internal-host.internal.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21754
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;internal-host.internal.example.com.        IN    A

;; ANSWER SECTION:
internal-host.internal.example.com.    3600    IN    A    172.25.231.242

;; Query time: 0 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Thu Sep  1 06:56:27 2011
;; MSG SIZE  rcvd: 55
-------------
-------------

CT
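For reference, one way to get the access restriction Marc asked for when BIND rejects allow-query inside a "type forward" zone: the forward zone only accepts forward/forwarders, so the restriction has to be applied one level up, with a view whose match-clients ACL admits only the DMZ. The named.conf below is an added example, not configuration from CT's or Marc's posts; the DMZ subnet 10.10.10.0/24, the second AD server address 192.168.100.2 and the example.com zone file name are assumptions.

```conf
// Added example, not from the original post.  Forward zones take only
// forward/forwarders, so who may query internal.zone is controlled by the
// view that contains it rather than by allow-query on the zone itself.
// The DMZ subnet, the second AD address and the zone file name are assumed.

acl dmz { 10.10.10.0/24; };

options {
    directory "/etc/namedb";
    // Recursion and cached answers are offered to the DMZ only.
    allow-recursion { dmz; };
    allow-query-cache { dmz; };
};

// DMZ view: matched only by DMZ clients.  The forward zone lives here, so a
// host outside the ACL never matches this view and cannot query internal.zone.
view "dmz" {
    match-clients { dmz; };
    recursion yes;

    zone "internal.zone" in {
        type forward;
        forward only;              // never fall back to Internet resolution
        forwarders {
            192.168.100.1;         // ad server 1 (address from the dig above)
            192.168.100.2;         // ad server 2 (assumed address)
        };
    };

    // Once views are used, every zone must sit inside a view; the public
    // zone is repeated here so DMZ hosts still get the authoritative data.
    zone "example.com" in {
        type master;
        file "master/example.com.db";   // assumed file name
    };
};

// Public view: everyone else.  Authoritative data only, no recursion,
// and no internal.zone at all.
view "public" {
    match-clients { any; };
    recursion no;

    zone "example.com" in {
        type master;
        file "master/example.com.db";   // assumed file name
    };
};
```

After editing, run named-checkconf before rndc reload so a syntax error does not leave the reload failing as it did above. To confirm the split, query an internal name from a DMZ host and from an outside address: the DMZ query should return the forwarded answer, while the outside query should come back REFUSED, because that client lands in the "public" view where internal.zone does not exist and recursion is off.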


