Authoritative NS as a proxy to a type forward zone

Sunny suen snpsuen at yahoo.com.hk
Sat May 14 13:38:41 UTC 2005


> Nope, won't work. Nameserver-to-nameserver traffic is non-recursive
> (RD=0), and non-recursive queries are never forwarded.

> Just run a network-level NAT of some sort.

Thanks and fine, but what if those real, hidden name servers are
publicly addressed? The catch is that we are reluctant to pass these
addresses to our ISP for the NS records of their DNS server.

For example, suppose the zone is named "foo.com" and we want our ISP to
set the NS record of the zone to the forwarding BIND server
"proxy.bar.com" in their named.hosts file:
foo.com.	IN	NS	proxy.bar.com.

Then we add these lines ourselves to named.conf on proxy.bar.com and set
up the real name servers properly.
zone "foo.com" {
	type forward;
	forward	only;
	forwarders {
		202.XXX.XXX.XXX; // Public IP of real master NS
		202.YYY.YYY.YYY; // Public IP of real slave NS
	};
};

Does it mean that proxy.bar.com can't return to a client-side DNS a
referral to the real NS 202.XXX.XXX.XXX or 202.YYY.YYY.YYY, as they are
merely forwarder addresses (BIND specific?), instead of some standard
RR values of the NS type?
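
An added illustration, not part of the original post and not BIND code: it builds the same question in DNS wire format once with RD=1 (as a stub client sends it) and once with RD=0 (as a resolver following the NS delegation sends it), then applies the rule from the quoted reply. `forward_zone_applies` is a hypothetical, simplified model that ignores recursion ACLs.

```python
import struct

RD_BIT = 0x0100  # Recursion Desired flag in the DNS header (RFC 1035, section 4.1.1)
TYPE_A = 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, recursion_desired, query_id=0x1234):
    """Build a single-question DNS query in wire format."""
    flags = RD_BIT if recursion_desired else 0
    header = struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question

def parse_question(packet):
    """Return (qname, recursion_desired) from a query packet."""
    _, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower() + ".", bool(flags & RD_BIT)

def forward_zone_applies(packet, forward_zone="foo.com."):
    """Simplified model of the quoted rule: forward only when RD=1 and the name is in the zone."""
    qname, rd = parse_question(packet)
    in_zone = qname == forward_zone or qname.endswith("." + forward_zone)
    return in_zone and rd

# Constructed samples: a stub-style query (RD=1) and a resolver-style query (RD=0).
stub_query = build_query("www.foo.com", TYPE_A, recursion_desired=True)
resolver_query = build_query("www.foo.com", TYPE_A, recursion_desired=False)

if __name__ == "__main__":
    print("stub query forwarded:    ", forward_zone_applies(stub_query))
    print("resolver query forwarded:", forward_zone_applies(resolver_query))
```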


