How to redirect unofficial TLD queries with BIND9?

Kevin Darcy kcd at daimlerchrysler.com
Mon Sep 30 21:34:42 UTC 2002


Jim Smith wrote:

> Shortly:
> W2k client makes a query of unofficial TLD (dig srv1.intra.)
> to its dns server, which is BIND9. I want to say to my BIND9 that
> don't ask from forwarders or root-servers, instead of that say to
> client: "please send your query to another DNS, the root of intra."
>
> Situation:
> I want to use own unofficial TLD for W2k AD domainname.
> How can I configure BIND9 so that it redirects all queries and updates
> about that unregistered "intra" domain to the primary dns server of that?
> Currently my BIND forwards those queries to our ISP, when I try "dig srv1.intra".
>
> My testing machines are:
> 192.168.1.1     ux1.company.com.    #Unix BIND9
> 192.168.1.101   srv1.intra.         #W2k AD, DDNS, DHCP
> 192.168.1.102   win1.intra.         #W2k Pro, DHCP-client, dynamic update
>
> Background:
> I just want to keep all win* machines in their own sandbox
> and don't want them to allow dynamic update to BIND. Rather
> I want them to see that the primary of "intra" can be found
> on 192.168.1.101 and dynamic updates should be sent to there.
> I don't want to use our company name in domainname of AD
> i.e. don't want to use intra.company.com, because someone may
> want to rename our company and then I don't want new hassle
> with w-boxes.
>
> It would be simpler for me and others to let users keep
> their current dns ip's in all win and *nix machines. But
> if there is no solution, I have to ask them to change dns
> ip to 192.168.1.101 on all (non critical) win* machines.
>
> -- BTW, I think dns ip's should be same forever and
>    I don't like the situation where Bill drives us:
>    you should change your dns ip's or you should
>    code your company name to ad and you can't then
>    change your company name ever or... hassle,hassle,...

If you have a private root zone, then this is a no-brainer: just delegate
"intra" from the root zone.

If you don't have a private root zone, then you're pretty much stuck with defining
"intra" -- as a zone of type slave, stub, or forward -- on all of your nameservers
which would normally be consulted for resolving Internet names. The scope of this
could be anything from a single server, to every server in your enterprise,
depending on how you have Internet-name-resolution set up. Note that if you use
forwarding for Internet name resolution and you define "intra" as a stub or slave
zone on all of your forwarders, you'll have to take care to specify "forwarders
{ }" in the "intra" zone definition if you want those boxes to automatically resolve
names in its subzone. Without that parameter, you'd be required to create zone
definitions for every subzone as well as "intra" itself, which could quickly become
a maintenance nightmare.


- Kevin
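As an added example (not part of Kevin's reply or of the list archive), the three options he describes written out as a BIND 9 named.conf fragment, using the addresses Jim gave in the thread. The ISP forwarder address 203.0.113.53, the directory and the zone file names are placeholders; the forward zone is the active choice and the stub and slave variants are commented out, since a single view cannot define "intra" three times.

```conf
// Added example, not from the original post.
// Resolver on ux1.company.com (192.168.1.1): Internet names go to the
// ISP forwarder, everything under "intra" goes to the AD server.

options {
    directory "/var/named";          // placeholder path
    forwarders { 203.0.113.53; };    // placeholder for the ISP resolver
    // Jim's current setup: no "intra" zone at all, so "dig srv1.intra"
    // is handed to the ISP forwarder above and fails.
};

// Option 1: forward zone. This server keeps no copy of the data; any
// query for intra. or any subzone of it is sent to 192.168.1.101,
// so no per-subzone zone definitions are needed.
zone "intra" {
    type forward;
    forward only;
    forwarders { 192.168.1.101; };
};

/*
// Option 2: stub zone. This server learns only the NS records for
// intra. from the AD server. The empty forwarders list overrides the
// global ISP forwarders for this zone, so delegations inside intra.
// are chased directly instead of being sent to the ISP.
zone "intra" {
    type stub;
    masters { 192.168.1.101; };
    file "stub.intra";               // placeholder file name
    forwarders { };
};

// Option 3: slave zone. Full copy of intra. transferred from the AD
// server (which must allow AXFR/IXFR to 192.168.1.1). Again the empty
// forwarders list keeps subzone lookups away from the ISP.
// Dynamic updates that W2k clients aim at this server are refused
// rather than relayed unless allow-update-forwarding is set, which
// matches Jim's wish to keep updates off BIND; the clients normally
// send updates to the SOA MNAME, i.e. srv1.intra, anyway.
zone "intra" {
    type slave;
    masters { 192.168.1.101; };
    file "slave.intra";              // placeholder file name
    forwarders { };
};
*/
```

Whichever variant is chosen, it has to appear on every nameserver that clients use for Internet names, exactly as Kevin says; a single forwarder box covers the whole site only if every client and every other resolver already forwards through it. Newer BIND 9 releases also accept `secondary` and `primaries` as synonyms for `slave` and `masters`, and the `forwarders { };` override works the same way in either spelling.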
