Selective forwarding from an internal only name server

anup albal anupalbal at
Thu Aug 18 00:04:49 UTC 2016

Hi Kevin

Does that mean I set up another forwarding zone called or or both?

And then do I need to add NS record entries similar to in the fake root file?


From: anup albal <anupalbal at>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Hi Chris

Below is without the "+trace" option. Also there is a firewall between the internal (dns1) and external (ns1) name servers and we have opened up TCP/UDP port 53 from dns1 to ns1.

; <<>> DiG 9.3.4-P1 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;                        IN      A

;; AUTHORITY SECTION:         86400   IN      NS

;; ADDITIONAL SECTION: 86400   IN      A       ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84


From: Chris Buxton <clists at>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".


On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at> wrote:


First up, apologies if this is not the right list to email, and for the long email. I am hoping you can give me a clue as to what I am doing wrong here. Or maybe this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external-only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. <>) resolved on clients being served by dns1.

On dns1 I have set up a forward-only zone called '<>' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below:

<>.          NS      <>.

When I run dig +trace <> from dns1 I can resolve <>.
But when I run it from an internal client it gets a Non-authoritative: No answer.

Below are snippets of my named.conf on dns1 (internal):

options {
        directory "/var/dns";
        forwarders { ip.of.ns1; };
        listen-on  { ip.of.dns1;; };
        query-source address ip.of.dns1;
        notify-source ip.of.dns1;
        transfer-source ip.of.dns1;
        allow-transfer {; };
        transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)
};

// fake root: dns1 is master for "." and serves it to internal clients
zone "." in {
        type master;
        file "fake/root";
};

zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
};

// selective forwarding: this one domain is sent to ns1 instead of the fake root
zone "<>." in {
        type forward;
        forward only;
        forwarders { ip.of.ns1; };
};

The file fake/root has entries like below (IP and domain names changed for security):

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
; This file contains *fake* DNS Resource Records for the root domain (.)

.       IN      SOA     <>. <>.  (
                                     2016081608      ; serial
                                     10800   ; refresh
                                     3600    ; retry
                                     3600000 ; expire
                                     86400 ) ; minimum

.                       NS      <>.
;.                      NS      <>.
<>.                     NS      <>.
<>.                     NS      <>.
<>.                     NS      <>.
                        NS      <>.
                        NS      <>.

localhost.              A

; Glue
<>.     A      ip.of.dns1
<>.     A      ip.of.ns1
;<>. A

The root hints file (named.root) contains the below:

.       3600    IN      NS      <>
dns1    3600        A   ip.of.dns1

nslookup on a client returns this:
Server:         ip.of.dns1
Address:        ip.of.dns1#53

Non-authoritative answer:
*** Can't find<>: No answer

And running dig on a client returns this:
dig +trace <>

; <<>> DiG 9.3.4-P1 <<>> +trace <>
;; global options:  printcmd
.                       86400   IN      NS      <>.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
<>.         86400   IN      NS      <>.
;; Received 84 bytes from ip.of.dns1#53(<>) in 0 ms

;; connection timed out; no servers could be reached
