Bind9 "split zones"

Greg Choules gregchoules+bindusers at googlemail.com
Mon Mar 4 17:06:49 UTC 2024


Hi.
If I understand you correctly, you are trying to get your resolver to go to
two different places (main_hidden_dns_server and other_dns_server) for
answers to the same question, and then want it to combine those answers into
a single response to the client, which contains PTR records for both names?

If I got that correct, then it won't. If you want multiple PTR records to
be associated with different names then they have to be in the same
zone/zone file.

A few comments:
- The statement "forward first" means, try forwarding first and only if
that fails, then try recursion.
- Adding forwarders to a secondary zone tells the server what to do for
names delegated from that zone. e.g. if the zone is "example.com" and it
contains "sub NS another.server.somewhere.else." then a query to it for
"name.sub.example.com" will follow the "forwarders" statement because
"sub.example.com" has been delegated away.
- Do you really want to be forwarding to your hidden primary anyway?
- Why are two different servers both authoritative for
"100.168.192.in-addr.arpa"? That's asking for trouble.

Hope that helps.
Greg

On Mon, 4 Mar 2024 at 15:35, Taavi Ansper via bind-users <
bind-users at lists.isc.org> wrote:

> Hi
>
> I am trying to understand bind9 more thoroughly.
>
> Backstory: We have been using bind9 for a long time and overhauling it
> for more "usage".
>
> We have been using a "hidden master dns" logic with views for different
> usages.
>
> E.g. Client -> Slave DNS Server <- (Transfer zones from hidden master)->
> Hidden Master.
>
> We had two views "external" and "internal" and now we added a new view
> "dmz" as well.
>
> In one of those zones we had an interesting DNS "thingy" where for
> example a CIDR 192.168.100.0/24 was generating entries to the main
> "hidden dns" server via includes. It uses a domain called example.com.
> Now another DNS server created DNS entries for the same CIDR
> 192.168.100.0/24 but it had a different domain "subdomain.example.com".
> Including that info was easy.
>
> In the Slave DNS
>
> zone "example.com" {
>      file "blaah";
>      type slave;
>      masters { main_hidden_dns_server; };
> };
>
> zone "subdomain.example.com" {
>      file "blaah";
>      type slave;
>      masters { other_dns_server; };
> };
>
> But now comes the problem. When generating a PTR record
> 100.168.192.in-addr.arpa, I wish to combine both of these "results" into
> one lookup. How can I do that? I tried to add:
>
> zone "100.168.192.in-addr.arpa" {
>      file "blaah";
>      type slave;
>      masters { other_dns_server; };
>      forward first;
>      forwarders { main_hidden_dns_server; };
> };
>
> But this forwarding logic doesn't work. I have a feeling the forwarding
> only works for specific zones, and you can't combine two of the same
> "names" into one. Am I correct and in order for PTR records to work I
> need to get them into a single file?
>
> --
> ----
> Taavi Ansper
> taavi.ansper at cyber.ee
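
As an added illustration of Greg's point (this is not code from either message), here is a small Python script that merges the two generated PTR sources into one reverse zone file, so an address mapped under both example.com and subdomain.example.com gets two PTR records at the same owner name. The host lists, serial and name server are constructed sample values.

```python
# Added example: build ONE reverse zone for 192.168.100.0/24 from two
# generated host lists, as a secondary cannot merge answers from two primaries.
import ipaddress

ZONE = "100.168.192.in-addr.arpa."          # reverse zone from the question
NETWORK = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample input: (address, FQDN) pairs as each source might emit.
FROM_HIDDEN_PRIMARY = [("192.168.100.10", "www.example.com."),
                       ("192.168.100.11", "db.example.com.")]
FROM_OTHER_SERVER = [("192.168.100.10", "www.subdomain.example.com."),
                     ("192.168.100.12", "app.subdomain.example.com.")]


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for addr, e.g. 10.100.168.192.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def merge_ptrs(*sources):
    """Merge (address, name) pairs from several sources into one mapping of
    owner -> sorted PTR targets; reject addresses outside the zone's network."""
    merged = {}
    for pairs in sources:
        for addr, target in pairs:
            if ipaddress.ip_address(addr) not in NETWORK:
                raise ValueError(f"{addr} is not in {NETWORK}; belongs in another zone")
            if not target.endswith("."):
                raise ValueError(f"{target} must be a fully qualified name")
            merged.setdefault(reverse_name(addr), set()).add(target)
    return {owner: sorted(targets) for owner, targets in sorted(merged.items())}


def render_zone(merged, serial=2024030401, ns="ns1.example.com."):
    """Render the merged mapping as a zone file for ZONE (constructed SOA values)."""
    lines = [f"$ORIGIN {ZONE}", "$TTL 3600",
             f"@ IN SOA {ns} hostmaster.example.com. {serial} 7200 900 1209600 3600",
             f"@ IN NS {ns}"]
    for owner, targets in merged.items():
        label = owner[:-len(ZONE) - 1]      # relative label, e.g. "10"
        lines += [f"{label} IN PTR {target}" for target in targets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_zone(merge_ptrs(FROM_HIDDEN_PRIMARY, FROM_OTHER_SERVER)))
```

The resulting file is served from a single primary and transferred to the secondaries as one zone, which is the arrangement Greg describes.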