transparently forwarding a zone

Philippe.Simonet at
Mon Jan 21 06:59:34 UTC 2013


You could do a small script, running e.g. on your public DNS server, that makes a zone transfer of the zone on the storage system
and replaces the NS / SOA of your storage box with the public DNS NSs.
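One way to implement the script described above, as an added example that is not from this thread: it takes the presentation-format output of a zone transfer (a constructed sample is embedded instead of a live AXFR), drops the storage box's apex NS records, rewrites the SOA MNAME, and emits zone-file lines the public servers can load as a normal zone. The zone name, host names, addresses and the choice of Python are assumptions.

```python
# Constructed sample of what an AXFR of the storage zone might return in
# presentation format ("dig axfr" style). Names and addresses are placeholders.
STORAGE_AXFR = """\
storage.example.com. 300 IN SOA node1.storage.example.com. hostmaster.example.com. 2013011801 3600 900 604800 10800
storage.example.com. 300 IN NS node1.storage.example.com.
storage.example.com. 300 IN NS node2.storage.example.com.
node1.storage.example.com. 300 IN A 10.0.0.1
node2.storage.example.com. 300 IN A 10.0.0.2
share1.storage.example.com. 300 IN A 10.0.0.3
share1.storage.example.com. 300 IN A 10.0.0.4
"""


def rewrite_zone(axfr_text, apex, public_ns):
    """Return zone-file lines in which the apex NS set is replaced by the public
    name servers and the SOA MNAME points at the first of them. Every other
    record (the storage system's own host data, TTLs included) is kept as-is,
    so the public servers still answer with what the storage box published."""
    apex = apex.rstrip(".") + "."
    out = []
    ns_written = False
    ttl_seen = "300"  # fallback TTL if the transfer carried no SOA
    for line in axfr_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        name, ttl, klass, rtype = fields[:4]
        rdata = fields[4:]
        if name == apex and rtype == "NS":
            continue  # drop the storage nodes as delegation targets
        if name == apex and rtype == "SOA":
            rdata[0] = public_ns[0]  # MNAME becomes the public primary
            out.append(" ".join([name, ttl, klass, rtype] + rdata))
            ttl_seen = ttl
            out.extend(f"{apex} {ttl} {klass} NS {ns}" for ns in public_ns)
            ns_written = True
            continue
        out.append(line)
    if not ns_written:  # no SOA in the input: still publish the public NS set
        out.extend(f"{apex} {ttl_seen} IN NS {ns}" for ns in public_ns)
    return out


if __name__ == "__main__":
    for rr in rewrite_zone(STORAGE_AXFR, "storage.example.com",
                           ["ns1.example.com.", "ns2.example.com."]):
        print(rr)
```

The resulting lines can be written to a file and loaded with a plain `type master` zone statement on the public servers; rerunning the script on a schedule keeps the copy current.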


From: at [ at] On Behalf Of Garsiot, Thomas
Sent: Friday, January 18, 2013 4:34 PM
To: bind-users at
Subject: transparently forwarding a zone


I have an issue with domain forwarding.
I'm managing public DNS servers for, say,

We're currently setting up a storage system which relies on DNS for load balancing.  The system is made of 4 nodes with IP addresses, 2, 3, 4.
The vendor recommends a stub zone to be created with forwarders set to the 4 IP addresses (i.e. their storage system acts as a mini-DNS server).
However, we need this resolution to occur over the internet, so obviously the stub zone solution does not work because DNS resolvers on the internet would retrieve the NS list for the subdomain and try to query it directly.

We need to be able to resolve on the internet anything of the format : or

so what I need is my public DNS servers to be owners of the but still rely on the storage system for more specific host resolution.
Some kind of a stealth DNS server but with a forward rather than a master-slave scheme.

We've tried several solutions but none was fully successful.
in zone file :
storage IN NS
ns-storage IN A
where is a public VIP on the internet that load balances DNS traffic to -> 4

SOLUTION 1 results :
partially works :
when querying google's resolving DNS server for test, both or resolve fine to the 4 private IP addresses.

however, in certain environments, works but not
My guess is that google for some reason sent a recursive query for to the NS of while the other environment was sending an iterative query and thus tried to query the internal addresses of the storage box.
In the situation that fails, what I think is happening is:
Resolver -> NS servers : query NS
NS servers -> resolver : 's NS is ns-storage which translates to
Resolver -> : query NS for
-> resolver : returns 4 NS records corresponding to ->4
Resolver -> ,2,3 or 4 : fails because private IP is not reachable.

in named.conf :
zone "" {
type forward;
forwarders {; };
//forward only;
};

I've tried with and without the "forward only directive" - no change.
Tried it with the internal IP addresses 10.x.x.x and external VIP

SOLUTION 2 results :

a dig for gives no answer.  Only the authority section pointing to & ns2.

in named.conf :
zone "" {
type forward;
forwarders {; };
//forward only;
};

in zone file for
storage IN NS
storage IN NS

SOLUTION 3 results :
Direct recursive query to name servers works fine
Requests through another resolver do not work.

dig +trace gives :              172800  IN      NS              172800  IN      NS
;; Received 117 bytes from in 102 ms                 300     IN      NS                           300     IN      NS                        300     IN      SOA xxxxxxxx
2013011801 3600 900 604800 10800

I sometimes get loops with the following messages :                 300     IN      NS                           300     IN      NS          
;; Received 117 bytes from xx in 6 ms

Any advice on how to get this done?

Thanks in advance!


Thomas Garsiot
Architecture Réseau/Network Architecture, GISSC, CGI Inc.

