redirecting root hints to fake internal root server

Colin Harvey colinedwardharvey at yahoo.com
Tue Aug 27 18:44:43 UTC 2013


 
Thanks for the information.  Sorry for not posting my named.conf but privacy rules... 
 
My landscape is on domain acquiredcompany.com for which I am wholly authoritative.  Internally I need to resolve internal.hostname.com from Corporate.  Thus I don't have the child/parent type delegation issue as you describe.  
 
Colin
 

From: Ben Croswell <ben.croswell at gmail.com>
To: Colin Harvey <colinedwardharvey at yahoo.com> 
Cc: bind-users at lists.isc.org; WBrown at e1b.org; "bind-users-bounces+wbrown=e1b.org at lists.isc.org" <bind-users-bounces+wbrown=e1b.org at lists.isc.org> 
Sent: Tuesday, August 27, 2013 2:37 PM
Subject: Re: redirecting root hints to fake internal root server



If you load a parent domain, in this case ., you must have a delegation for the child domain in the parent. Even though that delegation isn't used for resolution purposes, it lets the parent know the child exists. The child won't be forwarded if the server believes it doesn't exist.
For example, if I load foo.com and also want to forward blah.foo.com, there must be an NS delegation for it. If there isn't, the server says I load foo.com and blah.foo.com doesn't exist, so there is no reason to forward.
Hard to tell if this is your issue with no config to look at, but it may be.
On Aug 27, 2013 2:14 PM, "Colin Harvey" <colinedwardharvey at yahoo.com> wrote:

>Thanks.  But I already have that option for the internal.hostname.com zone.  Still not seeing traffic going to 192.168.1.1.
> 
>Colin
>
>
>From: "WBrown at e1b.org" <WBrown at e1b.org>
>To: Colin Harvey <colinedwardharvey at yahoo.com> 
>Cc: bind users <bind-users at lists.isc.org>; bind-users-bounces+wbrown=e1b.org at lists.isc.org 
>Sent: Tuesday, August 27, 2013 1:20 PM
>Subject: Re: redirecting root hints to fake internal root server
>
>
>From: Colin Harvey <colinedwardharvey at yahoo.com>
>> My environment is firewalled from the real world.  For queries on 
>> zones to which I'm not master, I want to recurse to a corporate 
>> server.  nslookup some.internal.hostname.com 
>> internal.corporate.server works fine.  Setting "." to use this 
>> internal server in the root.hints file does not.  In fact I do not 
>> even see my system trying to recurse.  (I'm looking at network 
>> traffic with a sniffer.)
>> 
>> My root.hints:
>> 
>> .    600    IN    NS    internal.corporate.server.
>> internal.corporate.server.    600    IN    A    192.168.1.1
>> 
>> 
>> Alternatively I've set up a forwarding zone in named.conf to query 
>> 192.168.1.1 for 'internal.hostname.com'.  When monitoring the 
>> network for udp data over port 53, I'm not even seeing the query 
>> being forwarded.  Why?
>
>Add these lines to your options section:
>
>        forward only;
>        forwarders {192.168.1.1;};
>
>see 
>ftp://ftp.isc.org/isc/bind9/9.9.3-P2/doc/arm/Bv9ARM.ch06.html#id2578567
>
>
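The parent/child case Ben Croswell describes, written out as a configuration. This is an added example, not a configuration posted by anyone in the thread. The zone names foo.com and blah.foo.com and the forwarder 192.168.1.1 come from the messages above; the file names, the ns1 host, its address and the SOA values are assumptions.

```conf
// named.conf (constructed example; directory and file names are assumptions)
options {
    directory "/var/named";
    recursion yes;
};

// Parent zone: this server loads foo.com and answers for it authoritatively.
zone "foo.com" {
    type master;
    file "foo.com.zone";
};

// Child zone: queries at or below blah.foo.com are sent to the forwarder
// instead of being answered from the parent zone's data.
zone "blah.foo.com" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};

/*
   foo.com.zone (constructed; ns1 and 192.0.2.53 are placeholders)

   $TTL 600
   @     IN SOA ns1.foo.com. hostmaster.foo.com. (
                2013082701 3600 600 86400 600 )
         IN NS  ns1.foo.com.
   ns1   IN A   192.0.2.53

   ; The delegation the forward zone depends on. It is not used to
   ; resolve the name; it tells the parent that blah.foo.com exists.
   ; Without this record the server treats blah.foo.com as nonexistent
   ; within foo.com and never forwards the query.
   blah  IN NS  internal.corporate.server.
*/
```

`named-checkconf` and `named-checkzone foo.com foo.com.zone` catch syntax errors before a reload; capturing UDP port 53 while querying a name under blah.foo.com then shows whether the query leaves for 192.168.1.1.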