Selective forwarding from an internal only name server
anup albal
anupalbal at hotmail.com
Fri Aug 19 06:25:40 UTC 2016
Hi
To clarify a bit.
The server that runs ns1 has named listening on two addresses.
One is an external facing address providing resolution to the queries coming from the internet.
Let's call this ns.org.domain.name.au
The other one is internal facing, and it is what ns1 is pointing to.
There are certain zones that ns.org.domain.name.au is hosting authoritatively to the internet
For example, we have ns.org.domain.name.au as authoritative for application.org.domain.name.au on the internet.
I have confirmed that ns1 has recursion enabled for all ip ranges within the organization.
I have also now added the below options to the named.conf on dns1 as well.
recursion yes;
allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
allow-recursion-on { any; };
After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from dns1. However, it can resolve them if I run a "dig +trace sharepoint.com" or "dig +trace microsoft.com".
On the internal clients talking to dns1, I get an NXDOMAIN response.
--Anup
________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Hi Kevin
Does that mean I set up another forwarding zone called microsoft.com or sharepoint.microsoft.com, or both?
And then do I need to add NS record entries similar to sharepoint.com in the fake root file?
Regards
Anup
________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Hi Chris
Below is the output without the "+trace" option. Also, there is a firewall between the internal (dns1) and external (ns1) name servers, and we have opened up TCP/UDP port 53 from dns1 to ns1.
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com. IN A
;; AUTHORITY SECTION:
sharepoint.com. 86400 IN NS ns1.org.domain.name.au
;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400 IN A ip.of.ns1
;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE rcvd: 84
Regards
Anup
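A small diagnostic added here (not code from the thread) that classifies a dig response like the one above from its header alone: it pulls the status, the flags and the section counts, and distinguishes a real answer, an NXDOMAIN, and the case shown above, where ANSWER is 0, AUTHORITY carries only an NS record, and the flags show rd but no ra, i.e. the server returned a referral out of its own fake root zone instead of recursing for the client. The sample input is the dig output posted above, embedded as a constructed string.

```python
import re

# Constructed sample: the header and authority section Anup posted
# (names and addresses redacted as they were on the list).
SAMPLE_DIG = """\
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com. IN A
;; AUTHORITY SECTION:
sharepoint.com. 86400 IN NS ns1.org.domain.name.au
"""

STATUS_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(
    r"flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


def parse_dig_header(text):
    """Return status, flag set and section counts from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig answer header found")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
    }


def classify(text):
    """Label the response so the failure mode is obvious at a glance."""
    h = parse_dig_header(text)
    if h["status"] == "NXDOMAIN":
        return "nxdomain"
    if h["status"] != "NOERROR":
        return "error:" + h["status"]
    if h["answer"] > 0:
        return "answer"
    # Client asked for recursion (rd) but the server did not offer it (ra):
    # it answered from its own zones, so only a delegation came back and the
    # forward zone was never consulted.
    if "rd" in h["flags"] and "ra" not in h["flags"] and h["authority"] > 0:
        return "referral-without-recursion"
    if h["authority"] > 0:
        return "referral"
    return "empty"
```

Run it over the output of a plain "dig name @server" from a client: "referral-without-recursion" points at the allow-recursion/recursion settings for that client's address, while "nxdomain" with ra set means recursion is working and the failure is further along the forwarding path.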
________________________________
From: Chris Buxton <clists at buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Try it without "+trace".
Regards,
Chris
On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at hotmail.com> wrote:
Hi
First up, apologies if this is not the right list to email, and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.
We have an internal only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.
And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.
Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.
On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below
sharepoint.com. NS ns1.org.domain.name.au.
When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com
But when I run it from an internal client it gets a Non-authoritative: No answer
Below are snippets of my named.conf on dns1 (internal)
options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer; // BIND9 (deal with Windows Server 2003)
};
<.....>
zone "." in {
type master;
file "fake/root";
};
zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};
The file fake/root has entries like below (ip and domain names changed for security)
$TTL 86400
; NOTE: TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;
. IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
2016081608 ; serial
10800 ; refresh
3600 ; retry
3600000 ; expire
86400 ) ; minimum
. NS dns1.org.domain.name.au.
;. NS dns2.org.domain.name.au.
com.au. NS dns1.org.domain.name.au.
sharepoint.com. NS ns1.org.domain.name.au.
difforg.diffdomain.au. NS dns1.org.domain.name.au.
0.0.127.in-addr.arpa. NS dns1.org.domain.name.au.
xxx.xxx.in-addr.arpa. NS dns1.org.domain.name.au.
localhost. A 127.0.0.1
; Glue
dns1.org.domain.name.au. A ip.of.dns1
ns1.org.domain.name.au. A ip.of.ns1
;dns2.org.domain.name.au. A xxx.xxx.xxx.xxx
The root hints file (named.root) has below
. 3600 IN NS dns1.org.domain.name.au
dns1 3600 A ip.of.dns1
nslookup on a client returns this
nslookup sharepoint.com
Server: ip.of.dns1
Address: ip.of.dns1#53
Non-authoritative answer:
*** Can't find sharepoint.com: No answer
And running dig on a client returns this
dig +trace sharepoint.com
; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options: printcmd
. 86400 IN NS dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
sharepoint.com. 86400 IN NS ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
;; connection timed out; no servers could be reached
Regards
Anup