Selective forwarding from an internal only name server

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Wed Aug 17 19:13:22 UTC 2016


Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you might need to make arrangements for that to be resolvable as well.

- Kevin

P.S. I don't think it matters - and I'm too lazy to check right now - but it's remotely possible that the trailing period in your forwarding-zone definition ("sharepoint.com.") might be problematic. Easy enough to confirm/deny.

----------------------------------------------------------------------
Kevin Darcy
NAFTA Information Security Projects

FCA US LLC
1075 W Entrance Dr,
Auburn Hills, MI 48326
USA

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.darcy at fcagroup.com

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of anup albal
Sent: Wednesday, August 17, 2016 6:00 AM
To: bind-users at lists.isc.org
Subject: Selective forwarding from an internal only name server

Hi

First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external-only DNS server (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.

On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below:
sharepoint.com.          NS     ns1.org.domain.name.au.

When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets a "Non-authoritative: No answer".

Below are snippets of my named.conf on dns1 (internal):

options {
        directory "/var/dns";
        forwarders { ip.of.ns1; };
        listen-on  { ip.of.dns1; 127.0.0.1; };
        query-source address ip.of.dns1;
        notify-source ip.of.dns1;
        transfer-source ip.of.dns1;
        allow-transfer { xxx.xxx/16; };
        transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)

};

<.....>
zone "." in {
        type master;
        file "fake/root";
};

zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
        type forward;
        forward only;
        forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (IPs and domain names changed for security):

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;

.       IN      SOA     dns1.org.domain.name.au.        xxx.dns1.org.domain.name.au.  (
                                     2016081608      ; serial
                                     10800   ; refresh
                                     3600    ; retry
                                     3600000 ; expire
                                     86400 ) ; minimum

.                       NS      dns1.org.domain.name.au.
;.                      NS      dns2.org.domain.name.au.

com.au.                 NS      dns1.org.domain.name.au.
sharepoint.com.         NS      ns1.org.domain.name.au.
difforg.diffdomain.au.             NS      dns1.org.domain.name.au.

0.0.127.in-addr.arpa.   NS      dns1.org.domain.name.au.

xxx.xxx.in-addr.arpa.   NS      dns1.org.domain.name.au.

localhost.              A       127.0.0.1

; Glue
dns1.org.domain.name.au. A      ip.of.dns1
ns1.org.domain.name.au.  A      ip.of.ns1
;dns2.org.domain.name.au. A      xxx.xxx.xxx.xxx

The root hints file (named.root) has the below:

.       3600    IN NS   dns1.org.domain.name.au
dns1    3600        A   ip.of.dns1


nslookup on a client returns this:
nslookup sharepoint.com
Server:         ip.of.dns1
Address:        ip.of.dns1#53

Non-authoritative answer:
*** Can't find sharepoint.com: No answer

And running dig on a client returns this:
 dig +trace sharepoint.com

; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options:  printcmd
.                       86400   IN      NS      dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms

;; connection timed out; no servers could be reached


Regards

Anup
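Kevin's point is the one that bites most often with a fake-root resolver: every name in the CNAME chain, not just the name you asked for, has to sit under some forward zone, or the query dies at the fake root with "No answer". The script below is an added illustration, not code from either post or from ISC: it follows a constructed CNAME map (sharepoint.com -> sharepoint.microsoft.com, the chain Kevin mentions; any other records are assumed), normalises zone names so the trailing period from named.conf ("sharepoint.com.") compares equal to the bare form, and reports which names in the chain no forward zone covers. The zone and record names are examples only.

```python
"""Check whether a CNAME chain is fully covered by the forward zones of a
fake-root resolver.  Added example for the bind-users thread above; it is
not code from the posts or from BIND.  Names and records are constructed."""


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot, so that
    'sharepoint.com.' and 'SharePoint.com' compare equal."""
    return name.rstrip(".").lower()


def labels(name):
    """Split a name into labels; the root ('.' or '') has no labels."""
    n = normalize(name)
    return n.split(".") if n else []


def in_zone(name, zone):
    """True if name is at or below zone (label-wise suffix match)."""
    n, z = labels(name), labels(zone)
    if not z:  # the root zone covers every name
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def covering_zone(name, zones):
    """Most specific zone in `zones` that covers name, or None."""
    best = None
    for zone in zones:
        if in_zone(name, zone) and (best is None or len(labels(zone)) > len(labels(best))):
            best = zone
    return best


def follow_cnames(name, cname_records, max_hops=8):
    """Return the chain of owner names reached by following CNAMEs from
    `name`.  Stops on a loop or after max_hops so a bad record cannot
    spin forever."""
    chain = [normalize(name)]
    current = chain[0]
    while current in cname_records and len(chain) <= max_hops:
        target = normalize(cname_records[current])
        if target in chain:  # CNAME loop: stop, the chain is already complete
            break
        chain.append(target)
        current = target
    return chain


def uncovered_names(chain, forward_zones):
    """Names in the chain that no forward zone covers.  On a resolver with
    a fake root, each of these would end in 'No answer'."""
    return [n for n in chain if covering_zone(n, forward_zones) is None]


# Constructed records: only the sharepoint.com -> sharepoint.microsoft.com
# CNAME is taken from the thread; everything else is assumed for the example.
CNAMES = {"sharepoint.com": "sharepoint.microsoft.com"}
FORWARD_ZONES = ["sharepoint.com."]  # note the trailing period, as in named.conf


def audit(name, cname_records=CNAMES, forward_zones=FORWARD_ZONES):
    """Return (chain, uncovered) for a starting name."""
    chain = follow_cnames(name, cname_records)
    return chain, uncovered_names(chain, forward_zones)


if __name__ == "__main__":
    chain, missing = audit("sharepoint.com")
    print("chain:", " -> ".join(chain))
    for n in missing:
        print(f"{n}: no forward zone covers it; add a forward zone for its domain on dns1")
```

Run against the thread's configuration this reports sharepoint.microsoft.com as uncovered; adding a forward zone for microsoft.com (or a more specific one) to the list makes the chain resolve end to end. In practice the CNAME map would come from the answers ns1 returns rather than a literal dictionary.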