Selective forwarding from an internal only name server
anup albal
anupalbal at hotmail.com
Wed Aug 17 23:47:59 UTC 2016
Hi Chris
Below is without the "+trace" option. Also there is a firewall between the internal (dns1) and external (ns1) name servers, and
we have opened up TCP/UDP port 53 from dns1 to ns1.
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com. IN A
;; AUTHORITY SECTION:
sharepoint.com. 86400 IN NS ns1.org.domain.name.au
;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400 IN A ip.of.ns1
;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE rcvd: 84
Regards
Anup
________________________________
From: Chris Buxton <clists at buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Try it without "+trace".
Regards,
Chris
On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at hotmail.com> wrote:
Hi
First up, apologies if this is not the right list to email, and for a long email. I am hoping you can give me a clue as to what I am doing wrong here, or maybe this is not supposed to work at all.
We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.
And we also have an external-only DNS server (ns1) which can talk to the internet for DNS queries and serves external clients.
Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.
On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below
sharepoint.com. NS ns1.org.domain.name.au.
When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets "Non-authoritative: No answer".
Below are my snippets of my named.conf on dns1 (internal)
options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer; // BIND9 (deal with Windows Server 2003)
};
<.....>
zone "." in {
type master;
file "fake/root";
};
zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};
The file fake/root has entries like below (ip and domain names changed for security)
$TTL 86400
; NOTE: TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;
. IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
2016081608 ; serial
10800 ; refresh
3600 ; retry
3600000 ; expire
86400 ) ; minimum
. NS dns1.org.domain.name.au.
;. NS dns2.org.domain.name.au.
com.au. NS dns1.org.domain.name.au.
sharepoint.com. NS ns1.org.domain.name.au.
difforg.diffdomain.au. NS dns1.org.domain.name.au.
0.0.127.in-addr.arpa. NS dns1.org.domain.name.au.
xxx.xxx.in-addr.arpa. NS dns1.org.domain.name.au.
localhost. A 127.0.0.1
; Glue
dns1.org.domain.name.au. A ip.of.dns1
ns1.org.domain.name.au. A ip.of.ns1
;dns2.org.domain.name.au. A xxx.xxx.xxx.xxx
The root hints file (named.root) has below
. 3600 IN NS dns1.org.domain.name.au
dns1 3600 A ip.of.dns1
nslookup on a client returns this
nslookup sharepoint.com
Server: ip.of.dns1
Address: ip.of.dns1#53
Non-authoritative answer:
*** Can't find sharepoint.com: No answer
And running dig on a client returns this
dig +trace sharepoint.com
; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options: printcmd
. 86400 IN NS dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
sharepoint.com. 86400 IN NS ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
;; connection timed out; no servers could be reached
Regards
Anup
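As an added diagnostic example (written for this archive page; it is not code from the thread, from ISC or from BIND), the Python below parses dig output of the form quoted in the reply at the top of this message and states, in DNS protocol terms, what the queried server did. Two constructed samples are embedded: the referral reply quoted above (placeholder names ip.of.dns1 and ns1.org.domain.name.au kept as they appear in the message) and a made-up recursed reply for the name example.test with documentation-range addresses, so the script runs offline without dig or network access.

```python
"""Classify what a name server did with a query, from dig's text output.

Added example, not from the bind-users thread. Pure Python, no network.
Protocol facts used (RFC 1035): the RA flag means the server offers recursion;
an RD query answered with zero ANSWER records and an NS record in AUTHORITY is a
delegation referral, i.e. the server handed back a delegation instead of resolving.
"""
import re

# Constructed sample 1: the dig output quoted in the message above, placeholders kept.
SAMPLE_REFERRAL = """\
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com. IN A
;; AUTHORITY SECTION:
sharepoint.com. 86400 IN NS ns1.org.domain.name.au
;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400 IN A ip.of.ns1
;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
"""

# Constructed sample 2: what a forwarder that actually recursed would return
# (hypothetical name and RFC 5737 documentation addresses).
SAMPLE_RECURSED = """\
; <<>> DiG 9.3.4-P1 <<>> example.test
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.test. IN A
;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.10
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


def parse_dig(text):
    """Return status, flag set, header counts and the records of each section."""
    info = {"status": None, "flags": set(), "counts": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info["status"], info["id"] = m.group(2), int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:
            info["flags"] = set(m.group(1).split())
            info["counts"] = {"QUERY": int(m.group(2)), "ANSWER": int(m.group(3)),
                              "AUTHORITY": int(m.group(4)), "ADDITIONAL": int(m.group(5))}
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            info["sections"][section] = []
            continue
        if not line or line.startswith(";"):   # comments and the question line
            continue
        if section:
            info["sections"][section].append(line.split())  # name ttl class type rdata
    return info


def classify(info):
    """Tags describing the server's behaviour, in the order a reader checks them."""
    flags, sections = info["flags"], info["sections"]
    answers = sections.get("ANSWER", [])
    auth_ns = [r for r in sections.get("AUTHORITY", []) if len(r) >= 5 and r[3] == "NS"]
    tags = []
    if "ra" in flags:
        tags.append("recursion-available")
    elif "rd" in flags:
        tags.append("recursion-not-offered")   # client asked (RD) but RA is clear
    if answers:
        tags.append("answered")
    elif info["status"] == "NOERROR" and auth_ns:
        tags.append("referral:" + auth_ns[0][4])  # delegation target from the NS rdata
    return tags


if __name__ == "__main__":
    for label, sample in (("quoted reply", SAMPLE_REFERRAL), ("recursed reply", SAMPLE_RECURSED)):
        print(label, "->", classify(parse_dig(sample)))
```

Feed it the output of dig run from an internal client against dns1: a forward-only zone that is really in use yields "recursion-available" and "answered", whereas the reply quoted above classifies as "recursion-not-offered" plus "referral:ns1.org.domain.name.au", i.e. dns1 returned the NS record it holds in its own fake root data and did not recurse or forward for that client. That distinction (no RA flag, delegation in AUTHORITY, empty ANSWER) is the thing to look at first before touching firewall rules.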