Split DNS & Forwarding

The Tanster The.Tanster at gmail.com
Mon Apr 4 18:46:51 UTC 2005


Tim Smithers <mouse at dmouse.com.au> wrote:

> Hi, I am implementing what could closest be called a split DNS system & am
> attempting to use forwarding (which doesn't work the way I expect it to).
> From trawling through the archives, I am pretty sure that the answer from
> the list will be "don't use forwarding", but I wanted to understand why my
> configuration didn't work.
> 
> I have an internal DNS server running BIND 9.2.5 which is configured for
> the zone dmouse.com. All works okay. I have an external DNS (provided by a
> DNS hosting company) which manages the external DNS records for
> dmouse.com & ftp.dmouse.com etc.
> 
> I wanted to set my system up so that internal queries are answered, normal
> queries and anything to ftp.dmouse.com is forwarded to my ISP servers.
> 
> I have global forwarding set on my normal "dmouse.com" zone set up with A
> records & reverse mapping (all works ok).
> 
> I then tried adding
> 
> zone "ftp.dmouse.com" IN { type forward; forward only; forwarders {
> ISP_Server1; ISP_Server2; }; };
> 
> I have also tried forwarding directly to my DNS hosting nameservers (eg:
> 
> zone "ftp.dmouse.com" IN { type forward; forward only; forwarders {
> External_DNS_NameServer; }; };
> 
> Again it doesn't forward. I don't have any NS setup for the
> "ftp.dmouse.com" locally. I expected to be able to just forward it to
> another 'external' DNS which would handle the query (I know this may not
> be the case if the external DNS was not set to recurse, but it should work
> if I set it to the NS for ftp.dmouse.com directly).
>  
> Why does the zone level forwarding not work for a subdomain? I know I can
> get around this by maintaining all of the NS information for each
> subdomain locally, but wanted to understand why I can't just forward
> directly to them.
> 
> Thanks, - Tim

I actually have the above working.  But you need to create a subdomain.
e.g. Since your domain is dmouse.com, create a subdomain called, say,
hq.dmouse.com so that all internal hosts are named, say,
host1.hq.dmouse.com, host2.hq.dmouse.com, etc.  Then create a master
domain for hq.dmouse.com and the necessary mapping tables served by an
internal DNS server.  Then set all internal hosts to look at that
internal DNS server for resolution.  Next add a "forwarders" statement
in the "options" section of your /etc/named.conf file (there is a
difference between using the "forward" statement in the way you have
done and a "forwarders" statement in the "options" section).  Then
you're ready to go.

If you need a host named ftp.dmouse.com that is accessible from both
internally and externally located hosts, then it must be done in your
external DNS because the external DNS is responsible for the domain
dmouse.com.  However, if you create the internal subdomain hq.dmouse.com
and make your internal DNS server the master of that, then, along with
the "forwarders" statement, you can achieve what you had originally
intended (with the exception of the ftp.dmouse.com which you'll need the
cooperation of your external DNS people to set up).

Hope this helps.
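The layout the reply describes (an internal master zone for hq.dmouse.com plus a "forwarders" statement in "options"), written out as an added example named.conf for the internal server. This is not configuration from the original thread; the forwarder addresses, internal address ranges and file names are placeholders.

```conf
// Added example: internal BIND server for the split DNS layout above.
// All addresses and file names below are constructed placeholders.
options {
    directory "/var/named";

    // Global forwarding (the "forwarders" statement in "options", not a
    // "type forward" zone): every name this server is not authoritative
    // for, including ftp.dmouse.com which stays with the external hosting
    // DNS, is sent to the ISP resolvers instead of being resolved locally.
    forwarders { 192.0.2.53; 192.0.2.54; };   // ISP_Server1 / ISP_Server2
    forward only;

    // This is an internal resolver: only the internal network may query it
    // or recurse through it, so it cannot be abused as an open resolver.
    recursion yes;
    allow-query     { 10.0.0.0/8; localhost; };
    allow-recursion { 10.0.0.0/8; localhost; };
};

// Internal-only subdomain. This server is the master, so queries for
// host1.hq.dmouse.com, host2.hq.dmouse.com, ... are answered here and
// never leave the network. The zone file is a normal master file with an
// SOA, an NS and the A records for the internal hosts.
zone "hq.dmouse.com" IN {
    type master;
    file "hq.dmouse.com.zone";
    allow-transfer { none; };   // no zone transfers of internal names
};

// Matching reverse mapping for the internal address range.
zone "0.10.in-addr.arpa" IN {
    type master;
    file "10.0.rev.zone";
    allow-transfer { none; };
};
```

With this in place, internal clients point at this server only; a lookup of host1.hq.dmouse.com is answered from the local master zone, while a lookup of ftp.dmouse.com is forwarded and answered from the records the external DNS hosting company publishes.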
More information about the bind-users mailing list