Avoiding side effects of the forwarding

Kevin Darcy kcd at chrysler.com
Tue Sep 30 02:53:28 UTC 2008


Andrey G. Sergeev (AKA Andris) wrote:
> Hello,
>
>
> I'm trying to avoid one annoying side effect of forwarding queries 
> for some private TLDs to their authoritative servers. Here is the 
> disposition.
>
> 1. There is a private TLD "private-tld." served by 192.168.28.1 and 
> 192.168.28.2;
>
> 2. The 192.168.28.1 and 192.168.28.2 servers are authoritative for both 
> the "legitimate-zone.private-tld." *and* the "private-tld." zone.
>
> 3. I want to be able to resolve hostnames in 
> "legitimate-zone.private-tld." but I have no direct DNS access to, and 
> not even any network connectivity with, the 192.168.28.1 and 192.168.28.2 
> boxes. However, there is a local DNS server available which *has* the 
> ability to communicate with these private hosts. I configure my local 
> server like this:
>
> --- named.conf on the forwarding box ---
> zone "legitimate-zone.private-tld" IN {
> 	type forward;
> 	forward only;
> 	forwarders {
> 		192.168.28.1;
> 		192.168.28.2;
> 	};
> };
> --- named.conf on the forwarding box ---
>
> Using this, the forwarding server will get and store in its cache the 
> authority RRs for "private-tld." just after the first attempt to 
> resolve names such as "ftp.legitimate-zone.private-tld.". Within the TTL 
> timeframe, any subsequent queries for *nonexistent* names like 
> "hostname.nonexistent-zone.private-tld." will also be directed to 
> 192.168.28.1 and 192.168.28.2. This can be annoying and even undesirable.
>
> Is there a way to set up the forwarding server to ignore the authority 
> RRs beyond the forwarding scope?
>   
Set up a fake master zone for "private-tld", containing nothing but the 
apex info (SOA, NS) and a delegation for legitimate-zone.private-tld. As 
counter-intuitive as it may be, you actually *need* that delegation 
underneath private-tld, otherwise the selective forwarding for 
legitimate-zone.private-tld won't work. It doesn't really matter what 
the delegation records point to; it just needs to be there.

Everything in legitimate-zone.private-tld will be forwarded selectively, 
as it is now; everything else under private-tld will be considered 
directly answerable -- without forwarding -- from the private-tld 
authoritative zone, which, being empty, will always give NXDOMAIN.

                                                                         
                                 - Kevin
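One concrete way to write the configuration Kevin describes, as an added example that is not part of his reply or of the poster's original named.conf. The zone file name, the placeholder SOA/NS names (localhost.), the serial, the TTLs and the choice of 192.168.28.1 as the delegation target and glue address are all assumptions; only the two forwarder addresses and the zone names come from the thread.

```text
// --- named.conf on the forwarding box (added example) ---
// Fake master zone for the private TLD. It holds only the apex records
// and one delegation; every other name under private-tld is answered
// NXDOMAIN locally and never reaches 192.168.28.1/.2.
zone "private-tld" IN {
        type master;                      // "primary" on current BIND 9
        file "private-tld.zone";          // path is an assumption
};

// Selective forwarding for the one zone that is actually wanted,
// unchanged from the poster's original configuration.
zone "legitimate-zone.private-tld" IN {
        type forward;
        forward only;
        forwarders {
                192.168.28.1;
                192.168.28.2;
        };
};

; --- private-tld.zone on the forwarding box (added example) ---
$TTL 3600
$ORIGIN private-tld.
@       IN SOA  localhost. hostmaster.localhost. (
                2008093001      ; serial (assumed)
                3600            ; refresh
                900             ; retry
                604800          ; expire
                3600 )          ; negative TTL: how long the local NXDOMAIN is cached
        IN NS   localhost.

; The delegation that makes the forward zone above reachable. As Kevin
; says, its target does not matter; pointing it at one of the real
; servers just keeps the file self-consistent. The glue A record is only
; needed because the nameserver name lies inside the delegated zone.
legitimate-zone         IN NS   ns1.legitimate-zone.private-tld.
ns1.legitimate-zone     IN A    192.168.28.1
```

Check the files with `named-checkconf` and `named-checkzone private-tld private-tld.zone` before reloading. Afterwards, `dig @127.0.0.1 hostname.nonexistent-zone.private-tld` should return NXDOMAIN with the private-tld SOA in the authority section and generate no outbound query (confirm with `querylog` or tcpdump on the forwarding box), while `dig @127.0.0.1 ftp.legitimate-zone.private-tld` is still forwarded to 192.168.28.1 and 192.168.28.2. The SOA's last field sets how long clients will cache those local NXDOMAIN answers, so keep it short if new zones are expected to appear under the private TLD.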



More information about the bind-users mailing list