Selective forwarding from an internal only name server

anup albal anupalbal at
Fri Aug 19 06:25:40 UTC 2016


To clarify a bit.

The server that runs ns1 has named listening on two addresses.

One is an external facing address providing resolution to the queries coming from the internet.

Let's call this

The other one is internal facing, and is what ns1 is pointing to.

There are certain zones that it is hosting authoritatively to the internet.

For example, we have as authoritative for on the internet.

I have confirmed that ns1 has recursion enabled for all IP ranges within the organization.

I have also now added the below options to the named.conf on dns1 as well.

 recursion yes;
 allow-recursion { ip.range.internal.clients;; localhost; };
 allow-recursion-on { any; };

After that I cannot run a "dig" or "dig" from dns1. However, it can resolve it if I run a "dig +trace" or "dig +trace".

On the internal clients talking to dns1, I get an NXDOMAIN response.


From: anup albal <anupalbal at>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Hi Kevin

Does that mean I set up another forwarding zone called or or both?

And then do I need to add NS record entries similar to in the fake root file?


From: anup albal <anupalbal at>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Hi Chris

Below is without the "+trace" option. Also, there is a firewall between the internal (dns1) and external (ns1) name servers, and we have opened up TCP/UDP port 53 from dns1 to ns1.

; <<>> DiG 9.3.4-P1 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;                        IN      A

;; AUTHORITY SECTION:
                        86400   IN      NS

;; ADDITIONAL SECTION:
                        86400   IN      A       ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84
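An added illustration, not something posted in the thread: a small Python reader for a dig response like the one above. It pulls out the status line and the flags line and reports whether the server answered, returned NXDOMAIN, or handed back a referral; a referral with no "ra" (recursion available) flag, as in the flags line above, means the server did not offer recursion to that client. The sample input is constructed, with placeholder names (example.internal, 192.0.2.1) standing in for the scrubbed ones.

```python
import re

# Constructed sample modelled on the dig output quoted in the thread; the
# names and the address are placeholders, not a real capture.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.internal.       86400   IN      NS      ns1.example.internal.
"""

STATUS_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")

def parse_dig_header(text):
    """Pull status, flag set and section counts out of dig's header lines."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "answer": int(flags.group(3)),
            "authority": int(flags.group(4))}

def authority_has_ns(text):
    """True when the AUTHORITY SECTION carries NS records (a referral)."""
    in_auth = False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            in_auth = True
        elif in_auth and not line.strip():
            in_auth = False
        elif in_auth and re.search(r"\sIN\s+NS\s", line):
            return True
    return False

def diagnose(text):
    """Say what the server did: answered, refused to recurse, or said no."""
    hdr = parse_dig_header(text)
    if hdr["status"] != "NOERROR":
        return hdr["status"].lower()          # e.g. nxdomain, servfail, refused
    if hdr["answer"] > 0:
        return "answer"
    if hdr["authority"] > 0 and authority_has_ns(text):
        # No answer, NS in AUTHORITY, no 'ra': the server refused to recurse
        # for this client and handed back a referral instead.
        return "referral" if "ra" in hdr["flags"] else "referral-no-recursion"
    return "nodata"
```

Run it against a captured dig output (header through the AUTHORITY section) to tell a recursion refusal apart from a genuine NXDOMAIN before touching the zone files.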


From: Chris Buxton <clists at>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".


On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at<mailto:anupalbal at>> wrote:


First up, apologies if this is not the right list to email, and for a long email. I am hoping you can give me a clue as to what I am doing wrong here. Or maybe this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external-only DNS server (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. <>) resolved on clients being served by dns1.

On dns1 I have set up a forward-only zone called '<>' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below:

<>.          NS      <>.

When I run a dig +trace <> from dns1 I can resolve <>.
But when I run it from an internal client it gets "Non-authoritative: No answer".

Below are snippets of my named.conf on dns1 (internal):

options {
        directory "/var/dns";
        forwarders { ip.of.ns1; };             // global forwarder: the external ns1
        listen-on  { ip.of.dns1;; };
        query-source address ip.of.dns1;
        notify-source ip.of.dns1;
        transfer-source ip.of.dns1;
        allow-transfer {; };
        transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)
};

zone "." in {                          // fake root: dns1 is master for "." itself
        type master;
        file "fake/root";
};

zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
};

zone "<>." in {                        // selectively forwarded zone, sent to ns1 only
        type forward;
        forward only;
        forwarders { ip.of.ns1; };
};

The file fake/root has entries like the below (IP and domain names changed for security):

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
; This file contains *fake* DNS Resource Records for the root domain (.)

.       IN      SOA     <>. <>.  (
                                     2016081608      ; serial
                                     10800   ; refresh
                                     3600    ; retry
                                     3600000 ; expire
                                     86400 ) ; minimum

.                       NS      <>.
;.                      NS      <>.
<>.                     NS      <>.
<>.                     NS      <>.
<>.                     NS      <>.
                        NS      <>.
                        NS      <>.

localhost.              A

; Glue
<>.     A       ip.of.dns1
<>.     A       ip.of.ns1
;<>.    A

The root hints file (named.root) has the below:

.       3600    IN      NS      <>
dns1    3600        A   ip.of.dns1

nslookup on a client returns this:
Server:         ip.of.dns1
Address:        ip.of.dns1#53

Non-authoritative answer:
*** Can't find<>: No answer

And running dig on a client returns this:

 dig +trace <>

; <<>> DiG 9.3.4-P1 <<>> +trace<>
;; global options:  printcmd
.                       86400   IN      NS      <>.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

<>.                     86400   IN      NS      <>.
;; Received 84 bytes from ip.of.dns1#53(<>) in 0 ms

;; connection timed out; no servers could be reached
