problem: pointing root hints to forwarder only delivers forwarder's root file

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 6 23:58:17 UTC 2001


Barry already gave you the correct answer for this: configure your internal
servers to forward, and then selectively cancel forwarding on those servers
for your internal domain(s), using the "forwarders { }" syntax.

Didn't you see his response?


- Kevin

Van Bemmel, Berend wrote:

> > -----Original Message-----
> > From: chris [mailto:cherbst at hotpop.com]
> > Sent: Thursday, July 05, 2001 8:34 PM
> > To: comp-protocols-dns-bind at moderators.isc.org
> > Subject: Re: problem: pointing root hints to forwarder only delivers
> > forwarder's root file
> >
> >
> > In article <9i1uup$l8m at pub3.rc.vix.com>, "Van Bemmel, Berend"
> > <VanBemmel.Berend at kpmg.nl> wrote:
> >
> > > Anyways, what happens is that my internal Bind 8.2.3 when confronted
> > > with a query for something outside my internal domain it
> > forwards it to
> > > the gateway DNS on the DMZ, but surprisingly it gets an
> > answer in the
> > > form of the root file being used on the gateway server (which is of
> > > course the Internet root file)  instead of the right answer.
> >
> > <snip>
> >
> > What happens if you query one of the hosts you are forwarding to
> > (represented as x.x.x.x and y.y.y.y in your example) with dig
> > or nslookup
> > for a domain they are not authoritative for, like this:
> >
> > dig @ns1.google.com yahoo.com
>
> In that case the resolution works. In fact, if I query the gateway DNS with
> dig (+rec and +norec) I get a name resolved as well. It's only if the
> internal Bind itself queries the gateway that it gets the root file.
>
> I tried to debug this, because I first thought that maybe the internal DNS
> was querying a different gateway than I thought and such stuff, but I'm
> afraid that the above is just what happens :-/
>
> >
> > If they give you the root servers (as ns1.google.com did),
> > they probably
> > have recursion disabled for you.  Why not run a caching-only
> > nameserver on
> > the "gateway dns machine" and grab the records yourself? It's simple:
> >
> > ---
> >
> > options {
> >         directory "/var/named";
> >         auth-nxdomain yes;
> > };
> >
> > zone "." {
> >         type hint;
> >         file "named.ca";
> > };
>
> That's for security reasons, the gateway DNS is on a DMZ segment and we'd
> like to restrict its access to the Internet as much as possible. With
> forwarding you can do that very well, only DNS traffic between my gateway
> and the forwarders is allowed.
> > ---
> >
> > You might also want to disable queries from anywhere but your
> > network, you
> > didn't in your example.
>
> I know, but because it didn't work, I thought I'd simplify the config until
> it works and then complicate it again... in the end it never worked, that's
> why I sent the message ;-)
>
> >
> > You could probably even leave out the root zone (zone ".")
> > with BIND 9, it
> > has compiled in defaults.  If you use it anyway, grab a
> > current named.ca
> > file.
>
> Ack. I'll remember that.
>
> > You might also be able to do all this with a single BIND 9
> > nameserver and
> > views. In your current config if either server stops clients
> > can't resolve
> > internet names, if you configure your servers to be
> > master/slave and do
> > caching, they can resolve any host if either server goes down.
>
> No, that's no option here. We are very strict on the security side of
> things. The internal DNS server (there are actually two internal root
> servers) is on the internal network and is not allowed to send traffic to
> the internet directly, hence the gateway DNS. In the final production
> environment, there will be two gateway servers (one in the US, and the other in
> Europe).
>
>
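The configuration Kevin describes at the top of the thread (forward everything from the internal servers to the DMZ gateway, then cancel forwarding per internal zone with an empty "forwarders { }"), written out as an added example; this is not configuration from the original posts. The gateway addresses 192.0.2.1 and 192.0.2.2 (RFC 5737 documentation range) stand in for the x.x.x.x and y.y.y.y of the thread, and the zone name corp.example and the 10.0.0.0/8 internal range are constructed placeholders.

```conf
// --- named.conf on an INTERNAL server (added example, not from the thread) ---

options {
        directory "/var/named";

        // Constructed gateway addresses standing in for x.x.x.x / y.y.y.y:
        // every query the internal server cannot answer itself goes here.
        forwarders { 192.0.2.1; 192.0.2.2; };

        // Never fall back to iterative resolution: the internal server is
        // not allowed to reach the Internet directly, so a failed forward
        // should fail rather than leak queries outward.
        forward only;

        // Constructed internal range: only inside clients may query or
        // recurse through this server (the point chris raised about
        // restricting queries).
        allow-query     { 10.0.0.0/8; 127.0.0.1; };
        allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};

// Internal zone served from local authoritative data. The empty
// forwarders list cancels the global forwarding for this zone only, so
// names under corp.example are answered locally and are never sent to
// the DMZ gateway (a zone-scoped "forwarders" overrides the options-level one).
zone "corp.example" {
        type master;
        file "corp.example.zone";
        forwarders { };
};

// Same treatment for the internal reverse zone, otherwise PTR lookups
// for internal addresses would be forwarded to the gateway as well.
zone "0.0.10.in-addr.arpa" {
        type master;
        file "10.0.0.rev";
        forwarders { };
};

// --- options on the DMZ GATEWAY server (added example, not from the thread) ---
// The gateway itself forwards to the permitted upstream resolvers, and it
// must allow recursion from the internal servers: a server that refuses
// recursion answers with a referral to the root name servers, which is
// exactly the "root file instead of the right answer" symptom described above.
//
// options {
//         directory "/var/named";
//         forwarders { 203.0.113.53; };        // constructed upstream resolver
//         forward only;
//         allow-query     { 10.0.0.0/8; };     // the internal servers' range
//         allow-recursion { 10.0.0.0/8; };
// };
```

A quick check from an internal client after reloading: a name under corp.example should return the local data with the AA flag set, a name outside it should return an answer (not an NS list for ".") obtained via the gateway, and a name under corp.example must not appear in the gateway's query log at all. If an external name still comes back as the root NS set, the gateway is answering non-recursively for the internal server's source address, so its allow-recursion list is the first thing to inspect.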
