forwarding subdomain to internal box

Ben Croswell ben.croswell at gmail.com
Fri Feb 13 18:45:35 UTC 2009


The zone forwarder you put in the conf of ns1/ns2 are only going to work for
people actually using ns1/ns2 as their resolver.  This is why when you get
on a remote client and actually dig ns1 for the subdomain it works.
However, when someone on the Internet as a whole asks for
something.sub.company.com they will be referred to ns1 or ns2 and your
external servers will respond that the correct NS server(s) to talk to would
be your internal box.  At that point they would try to reach it and fail.

I haven't specifically tried this to see if it works, but you could try
delegating the subdomain to ns1/ns2 as far as the Internet is concerned then
have your zone forwarder in place.   I don't know for sure how ns1/ns2 would
react to having a zone forwarder statement and then receiving an iterative
query for it.
-- 
-Ben Croswell, RHCE GSEC

On Fri, Feb 13, 2009 at 1:31 PM, Wim Livens <wli at escaux.com> wrote:

>
> I'm trying to delegate a subdomain to a server that is not directly
> accessible from the internet, yet be able to resolve names in the
> subdomain from the internet.  I understood 'forwarding' would be the
> solution but I can't get it to work completely:
>
> I have on both ns1 and ns2 which are authoritative for company.com
> (irrelevant parts omitted):
>
> zone "company.com" {
>       type master;
> };
>
> zone "sub.company.com" {
>       type forward;
>       forwarders { 10.0.0.10; }; //devbox
> };
>
> options {
>       allow-recursion { any; };  //temporary, just to test
> };
>
> And the company.com zonefile:
>             NS      ns1.company.com.
>             NS      ns2.company.com.
> sub        NS      devbox.company.com.
> devbox.company.com A 10.0.0.10
>
> devbox is an internal box running a specialized DNS server written in
> Perl that answers:
>  stuff.sub.company.com.    A      X.X.X.X
>  sub.company.com.         NS        devbox.company.com.
>
> ns1/ns2 are dual homed (internet/intranet). devbox is accessible from
> ns1/ns2 but not from the internet.
>
> Resolving from a client somewhere outside on the internet seems to work:
>
> client:~$ dig stuff.sub.company.com a @ns1.company.com
>
> ;; ANSWER SECTION:
> stuff.sub.company.com.  1M IN A  X.X.X.X
>
> ;; AUTHORITY SECTION:
> sub.company.com.    1H IN NS        devbox.company.com.
>
> ;; ADDITIONAL SECTION:
> devbox.company.com.      1H IN A         10.0.0.10
>
> However:
>
> client:~$ dig stuff.sub.company.com a
> ...times out
>
> I tried from various known-to-work clients with various nameservers in
> resolv.conf, none work except for ns1/ns2 itself.
>
> Any ideas what I'm doing wrong? How is it possible that a direct query
> from anywhere in the world to ns1/ns2 works, but a caching/forwarder is
> unable to resolve it?
>
> Thanks,
>
> Wim.
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
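As an added example (not from either poster), a small Python check for the failure Ben describes: it parses a parent zone modelled on Wim's and flags delegations whose glue points into RFC 1918 space, which is exactly what an outside resolver is handed in the referral from ns1/ns2. The ns1/ns2 addresses and the record layout are constructed; the fixed variant applies Ben's suggestion of delegating sub to ns1/ns2.

```python
import ipaddress

# Constructed parent zone modelled on Wim's; ns1/ns2 addresses are placeholders
# (the post gives none), devbox keeps its 10.0.0.10.  Fields: owner type rdata.
COMMON = """\
@       NS  ns1.company.com.
@       NS  ns2.company.com.
ns1     A   192.0.2.1
ns2     A   192.0.2.2
devbox  A   10.0.0.10
"""
BROKEN_ZONE = COMMON + "sub     NS  devbox.company.com.\n"   # Wim's delegation
FIXED_ZONE = COMMON + "sub     NS  ns1.company.com.\nsub     NS  ns2.company.com.\n"  # Ben's suggestion

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text, origin):
    """Collect NS and A records keyed by fully qualified owner name."""
    ns, a = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = parts[0], parts[1].upper(), parts[2]
        name = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        if rtype == "NS":
            ns.setdefault(name, []).append(rdata)
        elif rtype == "A":
            a.setdefault(name, []).append(rdata)
    return ns, a


def check_delegations(text, origin):
    """Map each delegated subzone to what breaks for an Internet resolver following the referral."""
    ns, a = parse_zone(text, origin)
    problems = {}
    for zone, targets in ns.items():
        if zone == origin:
            continue  # apex NS records name the zone's own servers, not a delegation
        for target in targets:
            glue = a.get(target, [])
            if not glue and target.endswith("." + origin):
                problems.setdefault(zone, []).append(f"{target}: in-zone NS target has no A (glue) record")
            for addr in glue:
                if any(ipaddress.ip_address(addr) in net for net in RFC1918):
                    problems.setdefault(zone, []).append(
                        f"{target}: {addr} is RFC 1918 space, unreachable from the Internet")
    return problems
```

Running `check_delegations` over BROKEN_ZONE reports the sub delegation pointing at 10.0.0.10; over FIXED_ZONE it returns nothing, since ns1/ns2 now answer for sub and use their forward zone to reach devbox internally.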