Selective forwarding from an internal only name server

Chris Buxton clists at buxtonfamily.us
Wed Aug 17 16:26:08 UTC 2016


Try it without "+trace".

Regards,
Chris

> On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at hotmail.com> wrote:
> 
> Hi
> 
> First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.
> 
> We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
> We are running 9.6-ESV-R11-P2 for this.
> 
> And we also have an external-only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.
> 
> Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.
> 
> On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set as the forwarder.
> And in the fake root zone file, I have added an entry for sharepoint like below:
> sharepoint.com.          NS     ns1.org.domain.name.au.
> 
> When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
> But when I run it from an internal client it gets "Non-authoritative: No answer".
> 
> Below are snippets of my named.conf on dns1 (internal):
> 
> options {
>         directory "/var/dns";
>         forwarders { ip.of.ns1; };
>         listen-on  { ip.of.dns1; 127.0.0.1; };
>         query-source address ip.of.dns1;
>         notify-source ip.of.dns1;
>         transfer-source ip.of.dns1;
>         allow-transfer { xxx.xxx/16; }; 
>         transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)
> 
> };
> 
> <.....>
> zone "." in {
>         type master;
>         file "fake/root";
> };
> 
> zone "." in {
>         type hint;
>         file "/var/dns/fake/named.root";
> };
> zone "sharepoint.com." in {
>         type forward;
>         forward only;
>         forwarders {ip.of.ns1;};
> };
> 
> The file fake/root has entries like below (IPs and domain names changed for security):
> 
> $TTL 86400
> ; NOTE:  TTL based on from Bind8 SOA record
> ;
> ; This file contains *fake* DNS Resource Records for the root domain (.)
> ;
> 
> .       IN      SOA     dns1.org.domain.name.au.        xxx.dns1.org.domain.name.au.  (
>                                      2016081608      ; serial
>                                      10800   ; refresh
>                                      3600    ; retry
>                                      3600000 ; expire
>                                      86400 ) ; minimum
> 
> .                       NS      dns1.org.domain.name.au.
> ;.                      NS      dns2.org.domain.name.au.
> 
> com.au.                 NS      dns1.org.domain.name.au.
> sharepoint.com.         NS      ns1.org.domain.name.au.
> difforg.diffdomain.au.  NS      dns1.org.domain.name.au.
> 
> 0.0.127.in-addr.arpa.   NS      dns1.org.domain.name.au <http://dns1.org.domain.name.au/>.
> 
> xxx.xxx.in-addr.arpa.   NS      dns1.org.domain.name.au <http://dns1.org.domain.name.au/>.
> 
> localhost.              A       127.0.0.1
> 
> ; Glue
> dns1.org.domain.name.au.   A      ip.of.dns1
> ns1.org.domain.name.au.    A      ip.of.ns1
> ;dns2.org.domain.name.au.  A      xxx.xxx.xxx.xxx
> 
> The root hints file (named.root) has the below:
> 
> .       3600    IN NS   dns1.org.domain.name.au
> dns1    3600        A   ip.of.dns1
> 
> 
> nslookup on a client returns this:
> nslookup sharepoint.com
> Server:         ip.of.dns1
> Address:        ip.of.dns1#53
> 
> Non-authoritative answer:
> *** Can't find sharepoint.com: No answer
> 
> And running dig on a client returns this:
> dig +trace sharepoint.com
> 
> ; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
> ;; global options:  printcmd
> .                       86400   IN      NS      dns1.org.domain.name.au.
> ;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
> 
> sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
> ;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
> 
> ;; connection timed out; no servers could be reached
> 
> 
> Regards
> Anup
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
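The named.conf snippet quoted above declares `zone "."` twice (once `type master` for the fake root file, once `type hint`) next to the `forward only` zone for sharepoint.com. Whatever a plain query without `+trace` shows, repeated zone names in a configuration are worth catching before chasing resolution behaviour. The following POSIX shell functions are an added example and are not code from either poster or from ISC: they list every zone statement with its type and report any zone name that appears more than once. The embedded configuration is a constructed copy modelled on the quoted snippet; the address 192.0.2.2 is a documentation address standing in for `ip.of.ns1`, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): static checks over a named.conf fragment.
# The configuration below is constructed, modelled on the quoted snippet; 192.0.2.2 is a
# documentation address standing in for ip.of.ns1.

sample_conf() {
cat <<'EOF'
options {
        directory "/var/dns";
        forwarders { 192.0.2.2; };
};

zone "." in {
        type master;
        file "fake/root";
};

zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
};

zone "sharepoint.com." in {
        type forward;
        forward only;
        forwarders { 192.0.2.2; };
};
EOF
}

# zone_summary FILE: print one "name type" line per zone statement.
# Names are normalised (lower-case, trailing dot removed) so that
# "sharepoint.com." and "sharepoint.com" compare equal; the root stays ".".
zone_summary() {
    awk '
        /^[[:space:]]*zone[[:space:]]*"/ {
            match($0, /"[^"]*"/)
            name = tolower(substr($0, RSTART + 1, RLENGTH - 2))
            sub(/\.$/, "", name)
            if (name == "") name = "."
        }
        /^[[:space:]]*type[[:space:]]/ {
            t = $2
            sub(/;.*/, "", t)
            print name, t
        }
    ' "$1"
}

# duplicate_zones FILE: zone names that occur in more than one zone statement.
duplicate_zones() {
    zone_summary "$1" | awk '{ print $1 }' | sort | uniq -d
}

# check_conf FILE: human-readable report; returns 1 when a zone name is repeated.
check_conf() {
    echo "zones declared in $1:"
    zone_summary "$1" | sed 's/^/  /'
    dups=$(duplicate_zones "$1")
    if [ -n "$dups" ]; then
        echo "zone name(s) declared more than once: $dups"
        return 1
    fi
    echo "no repeated zone names"
    return 0
}

# Demo: write the constructed sample to a temporary file and run the report.
conf=$(mktemp)
sample_conf > "$conf"
check_conf "$conf" || echo "(exit status 1: review the repeated declaration)"
rm -f "$conf"
```

Run it against a real file with `check_conf /etc/named.conf`; on the sample it prints the three zone statements and flags `.` as declared twice. This is a quick triage aid, not a replacement for `named-checkconf`, which parses the full grammar, follows `include` statements and understands views.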