How to be authoritative for some addresses but not for the whole domain?
Kevin Darcy
kcd at daimlerchrysler.com
Wed Sep 21 22:08:25 UTC 2005
cartergilmer at yahoo.com wrote:
>I am upgrading an internal DNS system from BIND 8 to BIND 9.3.1. The
>relevant facts include there is a VPN from our company (ourcomp.org) to
>another company (domain.org), but we only want about 10 addresses to
>resolve such that the VPN is used, all others go outside on the
>internet. That is,
>
><server1>.domain.org all should resolve to an internal address (use
>the VPN)
><server2>.domain.org
>.
>.
>.
><server10>.domain.org
>...but, www.domain.org resolves to an address that doesn't use the VPN.
>
>OK, the current DNS setup is best described as "broken." The internal
>DNS has a certain zone "domain.org" (the other company) for which it
>acts authoritative (but it shouldn't). The only entries are the 10
>servers. Somehow, if the address isn't in the zone locally, DNS passes
>the request out on the internet like usual. There are no forwarders
>defined, our zone is type master.
>
>Now, with BIND 9.3.1, the same zone def. files, same named.conf files,
>the local server responds to a request for one of the special 10, but
>gives an NXDOMAIN for <anythingelse>.domain.org, which is what I would
>expect. The question is, how can I replicate the behavior of the old
>system under the new BIND installation???
>
>My first answer: create 10 little subzones called "server1.domain.org",
>etc. where the only address in each zone is "server1.domain.org", you
>get the idea. Then my internal DNS will be authoritative for those 10
>addresses alone, but still pass www.domain.org out onto the internet.
>This was shot down as "too cumbersome to maintain."
>
>Is there a slicker way to make my internal DNS give special answers for
>the 10 servers for the zone which we are not authoritative, but pass
>everything else out to the rest of the world?
>
Nope, you got it right.
- Kevin
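The per-host-zone layout that Kevin confirms is easy to script, which addresses the "too cumbersome to maintain" objection. The following generator is an added example, not something posted in the thread: it takes a list of "hostname address" pairs and emits one tiny master zone per host plus a single named.conf fragment to `include`. The zone directory, the `ns1.ourcomp.org` name used in the SOA and NS records, and the 10.10.0.x addresses are assumptions; the host list at the top is constructed sample input.

```shell
#!/bin/sh
# Generate one single-name master zone per VPN host so that this BIND 9
# server is authoritative for server1.domain.org, server2.domain.org, ...
# but holds NO zone for domain.org itself. Any other name under domain.org
# therefore falls through to normal recursion and resolves from the Internet.
#
# Assumptions (not from the thread): the internal server is ns1.ourcomp.org,
# and zone files live in the directory passed to generate_tree.

# Constructed sample input: "hostname address" per line, '#' starts a comment.
SAMPLE_HOSTS='# host                address   (constructed sample, not from the thread)
server1.domain.org    10.10.0.11
server2.domain.org    10.10.0.12
server10.domain.org   10.10.0.20'

# Emit a named.conf "zone" stanza that makes this server authoritative for
# exactly one hostname. The zone apex IS the hostname.
#   $1 = fully qualified hostname, $2 = directory holding the zone files
zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s/%s.db";\n};\n' "$1" "$2" "$1"
}

# Emit a minimal zone file for a single-host zone. Because the apex is the
# host itself, its A record sits at "@". BIND 9 refuses to load a zone with
# no NS record at the apex, so one is required even for a one-name zone;
# pointing it at a name in a zone we can resolve (ns1.ourcomp.org) is enough.
#   $1 = hostname (only used in a comment), $2 = internal (VPN-side) address
zone_file() {
    cat <<EOF
; single-host zone for $1, generated: edit the host list, not this file
\$TTL 3600
@   IN SOA  ns1.ourcomp.org. hostmaster.ourcomp.org. (
            2005092101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative cache TTL
    IN NS   ns1.ourcomp.org.
    IN A    $2
EOF
}

# Read "hostname address" pairs from stdin and write, into $1:
#   vpn-hosts.conf   one zone stanza per host, to be pulled into named.conf with
#                    include "<dir>/vpn-hosts.conf";
#   <host>.db        the zone file for that host
# Blank lines and '#' comments in the input are skipped.
generate_tree() {
    outdir=$1
    conf=$outdir/vpn-hosts.conf
    mkdir -p "$outdir"
    : > "$conf"
    while read -r host addr; do
        case $host in
            ''|'#'*) continue ;;
        esac
        zone_stanza "$host" "$outdir" >> "$conf"
        zone_file "$host" "$addr" > "$outdir/$host.db"
    done
}

# Typical use (rerun whenever the host list changes):
#   printf '%s\n' "$SAMPLE_HOSTS" | generate_tree /var/named/vpn
#   rndc reconfig
```

After running it, add `include "/var/named/vpn/vpn-hosts.conf";` (or whatever directory you chose) to named.conf and reload; a query for any of the listed names is answered from the local zone with the VPN-side address, while a query for www.domain.org, for which the server holds no zone, is resolved recursively as before. Regenerating the fragment from the host list is the only maintenance step.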