Authoritative NS as a proxy to a type forward zone
Guido Roeskens
groeskens at bluewin.ch
Tue May 17 18:42:38 UTC 2005
Sunny suen wrote:
>>Nope, won't work. Nameserver-to-nameserver traffic is non-recursive
>>(RD=0), and non-recursive queries are never forwarded.
>
>
>>Just run a network-level NAT of some sort.
>
>
> Thanks and fine, but what if those real, hidden name servers are
> publicly addressed? The catch is that we are reluctant to pass these
> addresses to our ISP for the NS records of their DNS server.
>
> For example, suppose the zone is named "foo.com" and we want our ISP to
> set the NS record of the zone to the forwarding BIND server
> "proxy.bar.com" in their named.hosts file:
> foo.com. IN NS proxy.bar.com.
>
> Then we add these lines ourselves to named.conf on proxy.bar.com and set
> up the real name servers properly.
> zone "foo.com" {
>     type forward;
>     forward only;
>     forwarders {
>         202.XXX.XXX.XXX; // Public IP of real master NS
>         202.YYY.YYY.YYY; // Public IP of real slave NS
>     };
> };
>
> Does it mean that proxy.bar.com can't return to a client-side DNS a
> referral to the real NS 202.XXX.XXX.XXX or 202.YYY.YYY.YYY, as they are
> merely forwarder addresses (BIND specific?), instead of some standard
> RR values of the NS type?
>
>
Make proxy.bar.com a slave for the zone foo.com.
In foo.com, add NS records for proxy.bar.com.
This is the usual setup for hidden masters.
Guido
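
The hidden-master arrangement suggested in the reply above, sketched as named.conf fragments (an added example, not part of the original message). The addresses 192.0.2.53 and 198.51.100.10 and the file paths are placeholder assumptions standing in for proxy.bar.com and the real master.

```conf
// --- named.conf on proxy.bar.com (public server, placeholder 192.0.2.53) ---
// As a slave it holds a full copy of foo.com, so it answers
// non-recursive (RD=0) queries authoritatively; nothing is forwarded.
zone "foo.com" {
    type slave;
    file "slave/foo.com.db";          // assumed path for the transferred copy
    masters { 198.51.100.10; };       // placeholder for the hidden master
    allow-transfer { none; };         // the proxy does not hand the zone on
    notify no;                        // no further slaves behind the proxy
};

// --- named.conf on the hidden master (placeholder 198.51.100.10) ---
// The zone data it serves lists only proxy.bar.com in its NS records:
//     foo.com.  IN  NS  proxy.bar.com.
zone "foo.com" {
    type master;
    file "master/foo.com.db";         // assumed path
    allow-transfer { 192.0.2.53; };   // only the proxy may pull the zone
    notify explicit;                  // send NOTIFY only to also-notify
    also-notify { 192.0.2.53; };      // tell the proxy when the serial changes
};
```

The SOA MNAME field still names a primary server, so set it to proxy.bar.com if the master's host name should not appear in the zone either. An address-based allow-transfer is only as strong as the source address check; a TSIG key shared between the two servers is the stricter option.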