Forwarding requests when DNS name doesn't exist?

Marc Lampo marc.lampo.ietf at
Thu Oct 10 10:54:31 UTC 2013

An unwise decision, from security point of view !

You are about to open the DNS channel - public DNS resolving available for
internal clients.
Consequently data leakage, file transfer in/out over DNS become possible ...

As far as the question about internal fake zones is concerned :
if the name server has knowledge, because it is authoritative, it will use
that knowledge and will not try to query name servers on the Internet.
It becomes "bogus" for that zone : no delegation, but having knowledge.

Kind regards,


On Thu, Oct 10, 2013 at 10:28 AM, Peter Olsson <pol at> wrote:

> (This is probably a silly question, but I
> want to explore every possibility.)
> We have a proxy firewall, with no contact
> between inside and outside. We have a fake
> internal DNS root for zones that we use
> internally. This works fine, since lookup
> of external names are only made from the
> outside of the proxy servers.
> We are about to change to a transparent
> firewall, which means that we remove the
> proxy servers. Then we have to let the
> inside get access to real outside DNS.
> Is there any way with bind, or any other
> DNS product, to keep our internal fake zones
> and have them selectively forwarded to external
> DNS for all names that don't exist in the
> internal fake zones?
> Clients would first ask internal DNS, and if
> the name exists there they will use that, but
> if the name doesn't exist internally they won't
> get a negative response. Instead their request
> would be forwarded to external DNS.
> Thanks!
> Peter Olsson
> _______________________________________________
> Please visit to
> unsubscribe from this list
> bind-users mailing list
> bind-users at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list