"forward first" set on a master zone not working as expected

Taylor Vierrether taylor at viertaxa.com
Wed Sep 2 15:00:44 UTC 2020


Hello,

I am attempting to set up an internal DNS server that is authoritative for internal resources, but also will respond for external resources on the same domain that it does not have records for.

For example, I have a domain sub.example.com, and I want to have internal entries in the BIND zone file for host1.sub.example.com and host2.sub.example.com. That part is working fine. However, there is a publicly available DNS entry for sub.example.com that I want my internal clients to be able to resolve, but I don't want to have the IP in the BIND zone file, because the IP is dynamic. There are also some hosts (host3.sub.example.com and host4.sub.example.com) that are externally resolvable that I don't want to put in my internal BIND file because they are not controlled by me. (Think CNAME to a SaaS application.)

I’ve attempted to do this as follows, and it seems to make sense that it would work, but it does not. 


named.conf:

zone "sub.example.com" IN {
        type master;
        file "/etc/bind/sub.example.com.zone";
        forward first;
        forwarders { 1.1.1.1; 1.0.0.1; };
};

sub.example.com.zone:

$ORIGIN sub.example.com.
$ttl 600
@                      300 SOA   dns.sub.example.com. (
                              taylor.viertaxa.com.      ; address of responsible party
                              2020090101                ; serial number
                              300                       ; refresh period
                              300                       ; retry period
                              604800                    ; expire time
                              300                     ) ; minimum ttl
                      300 NS    elinore.ns.cloudflare.com.
                      300 NS    hal.ns.cloudflare.com.
host1                   60  A     10.x.x.x
host2                   60  A     10.x.x.x

What I would expect to happen is that BIND sees "forward first" and attempts to look up the hostname host3.sub.example.com on the listed forwarders, and succeeds (there's an entry publicly available for that one).

What actually happens is, if I query for sub.example.com I get the following from nslookup:
*** Can't find sub.example.com: No answer

And if I query for host3.example.com, I get the following from nslookup:
** server can't find host3.sub.example.com: NXDOMAIN


BIND version:

Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u2


Thank you in advance for any help you might be able to provide. 
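Added example, not part of the message above or of any reply to it, and not ISC's own documentation. The posted named.conf cannot work because a zone-level forward/forwarders setting is only reached when named recurses, while a type master zone answers every name it covers from its own data first: host3 is not in the file, so named returns an authoritative NXDOMAIN and never recurses; the apex has SOA and NS records but no A record, so the response is NOERROR with an empty answer section, which nslookup reports as "No answer". The configuration below keeps the zone authoritative for host1 and host2 but delegates host3 and host4 inside the zone and pairs each delegation with a type forward zone, so a query for those names produces a referral, recursion starts, and the resolver finds the forward zone. The global options block, the 10.0.0.0/8 client ACL and the /var/cache/bind directory are assumptions; the forwarder addresses and the Cloudflare nameserver names are the ones in the original post.

```conf
// named.conf (added example; the options block is an assumption about the
// rest of this server's configuration, not something the post shows)
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // assumption: internal clients are in 10/8
    forwarders { 1.1.1.1; 1.0.0.1; };  // used for everything named recurses for
    forward only;
};

// Authoritative for the internal names only. No forward/forwarders here:
// the parser accepts them on a master zone, but named answers names inside
// this zone from the file before any forwarding logic is consulted.
zone "sub.example.com" IN {
    type master;
    file "/etc/bind/sub.example.com.zone";
};

// One forward zone per name that must come from the public DNS. A forward
// zone is looked up by the resolver, i.e. only once recursion has started,
// which is why the parent zone must delegate the name (see the zone file
// additions below).
zone "host3.sub.example.com" IN {
    type forward;
    forward only;
    forwarders { 1.1.1.1; 1.0.0.1; };
};

zone "host4.sub.example.com" IN {
    type forward;
    forward only;
    forwarders { 1.1.1.1; 1.0.0.1; };
};

// ---------------------------------------------------------------------------
// Lines to append to /etc/bind/sub.example.com.zone (zone-file syntax, so the
// comment character is ';'). They delegate host3 and host4 to the public
// nameservers already listed at the apex; no glue is needed because the NS
// targets are outside this zone. host1 and host2 stay as they are.
// ---------------------------------------------------------------------------
; host3   300 NS    elinore.ns.cloudflare.com.
; host3   300 NS    hal.ns.cloudflare.com.
; host4   300 NS    elinore.ns.cloudflare.com.
; host4   300 NS    hal.ns.cloudflare.com.
```

Check the files with `named-checkconf /etc/bind/named.conf` and `named-checkzone sub.example.com /etc/bind/sub.example.com.zone` before reloading. Afterwards `dig +norecurse @127.0.0.1 host3.sub.example.com A` should return a referral (authority section with the two NS records) rather than NXDOMAIN, `dig @127.0.0.1 host3.sub.example.com A` should return the public answer obtained through 1.1.1.1, and `dig @127.0.0.1 host1.sub.example.com A` should still return the 10.x.x.x address with the aa flag set; only the host3 and host4 lookups ever leave the network. The zone apex cannot be delegated, so this does not help for sub.example.com itself: its public A record either has to be kept in the zone file, or the server must stop being authoritative for sub.example.com and instead recurse normally while overriding just host1 and host2 with a response policy zone.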