How to be authoritative for some addresses but not for the whole domain?

cartergilmer at yahoo.com
Wed Sep 21 21:50:28 UTC 2005


I am upgrading an internal DNS system from BIND 8 to BIND 9.3.1.  The
relevant facts include there is a VPN from our company (ourcomp.org) to
another company (domain.org), but we only want about 10 addresses to
resolve such that the VPN is used, all others go outside on the
internet.  That is,

<server1>.domain.org
<server2>.domain.org
...
<server10>.domain.org     all should resolve to an internal address (use the VPN)

...but www.domain.org resolves to an address that doesn't use the VPN.

OK, the current DNS setup is best described as "broken."  The internal
DNS has a certain zone "domain.org" (the other company) for which it
acts authoritative (but it shouldn't).  The only entries are the 10
servers.  Somehow, if the address isn't in the zone locally, DNS passes
the request out on the internet like usual.  There are no forwarders
defined, our zone is type master.

Now, with BIND 9.3.1, the same zone def. files, same named.conf files,
the local server responds to a request for one of the special 10, but
gives an NXDOMAIN for <anythingelse>.domain.org, which is what I would
expect. The question is, how can I replicate the behavior of the old
system under the new BIND installation?

My first answer: create 10 little subzones called "server1.domain.org",
etc.  where the only address in each zone is "server1.domain.org", you
get the idea.  Then my internal DNS will be authoritative for those 10
addresses alone, but still pass www.domain.org out onto the internet.
This was shot down as "too cumbersome to maintain."

Is there a slicker way to make my internal DNS give special answers for
the 10 servers in the zone for which we are not authoritative, but pass
everything else out to the rest of the world?

Thanks, Carter
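As an added illustration (not part of the original post or of BIND itself), the script below implements the "10 little subzones" idea from the post as a generator: one tiny master zone per VPN-reachable host, produced from a single list, so maintenance is one file rather than ten. The host labels, addresses, output directory and the name server name ns1.ourcomp.org are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate one tiny master zone per VPN-reachable host,
# the "10 little subzones" approach from the post, from a single list.
# Host labels, addresses, the output directory and ns1.ourcomp.org are
# constructed placeholders, not values from the original post.
OUTDIR="${OUTDIR:-./vpn-zones}"
PARENT="domain.org"
# Constructed host list, one "<label> <internal address>" per line.
HOSTS='server1 10.20.0.11
server2 10.20.0.12
server3 10.20.0.13'

# Write a zone whose apex is the host name itself, with one A record.
# The server is then authoritative for exactly that name; anything else
# under domain.org is not covered and resolves through normal recursion.
write_zone_file() {
    # $1 = internal address, $2 = output path
    serial=$(date -u +%Y%m%d01)
    cat > "$2" <<EOF
\$TTL 3600
@   IN SOA ns1.ourcomp.org. hostmaster.ourcomp.org. (
        $serial ; serial
        3600 900 604800 300 )
    IN NS ns1.ourcomp.org.
    IN A  $1
EOF
}

# named.conf stanza for one host zone; the generated file is meant to be
# pulled into named.conf with an include statement.
zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

generate_all() {
    mkdir -p "$OUTDIR"
    : > "$OUTDIR/vpn-hosts.conf"
    echo "$HOSTS" | while read -r label addr; do
        [ -n "$label" ] || continue
        fqdn="$label.$PARENT"
        write_zone_file "$addr" "$OUTDIR/db.$fqdn"
        zone_stanza "$fqdn" "$OUTDIR/db.$fqdn" >> "$OUTDIR/vpn-hosts.conf"
    done
}

# Check that a generated zone carries only its own A record: no wildcard
# and no second address that could shadow other names under domain.org.
check_zone_file() {
    grep -q "IN A  $1" "$2" && ! grep -q '^\*' "$2" && [ "$(grep -c ' IN A ' "$2")" -eq 1 ]
}
generate_all
```

Re-run the script whenever the host list changes and reload named; because each zone apex is a single host name, www.domain.org and every other name stay outside the locally authoritative data.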



More information about the bind-users mailing list