Selective forwarding from an internal only name server
anup albal
anupalbal at hotmail.com
Fri Aug 19 08:02:40 UTC 2016
Hi
Below are the options on the external name server.
options {
    directory "/var/named";
    pid-file "/var/named/tmp/named.pid";
    forwarders { list.external.isp.forwarders; 127.0.0.1; };
    query-source address externalLooking.ip.of.ns ;
    notify-source externalLooking.ip.of.ns;
    transfer-source externalLooking.ip.of.ns;
    allow-query { any; };
    allow-recursion { full.range.org.ips ; 127.0.0.1; localhost; };
    allow-transfer { full.range.org.ips;
                     external.isp.ip.1;
                     external.isp.ip.2;
    };
    notify yes;
    listen-on {
        127.0.0.1;
        externalLooking.ip.of.ns;
        internalLooking.ip.of.ns; //ns1
    };
    version "unknown";
};
Below is output from dig run on dns1 (internal)
dig sharepoint.com
; <<>> DiG 9.6-ESV-R11-P2 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached
; <<>> DiG 9.6-ESV-R11-P2 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached
And from a dig run from a client being served by dns1
dig sharepoint.com
; <<>> DiG 9.6-ESV-R11-P6 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached
dig microsoft.com
; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;microsoft.com. IN A
;; Query time: 915 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Fri Aug 19 17:47:46 AEST 2016
;; MSG SIZE rcvd: 31
and when done again
dig microsoft.com
; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached
At this stage I am at a complete loss as to why this is not working.
There is a firewall between the internal and external name servers. Other than ensuring that port 53 is open between the two name servers for TCP and UDP traffic, is there anything else I need to check?
Thanks
Anup
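The question above is whether an open port 53 is all there is to check between dns1 and ns1. One more check a practitioner would make is to send the forwarder the same kind of query a forwarding named would send, once over UDP and once over TCP, and read the header flags that come back: a reply with RA clear means ns1 is reachable but its allow-recursion does not cover dns1's query-source address, REFUSED means allow-query excludes it, and no reply on one transport only points at the firewall rule for that transport. The script below is an added example, not code from the thread or from ISC; it builds the query by hand so it has no dependencies, the forwarder address is a placeholder, and the fake_reply helper exists only so the header parsing can be exercised offline.

```python
"""Probe a forwarder the way a forwarding named would reach it.

Added example, not from the thread. Sends a recursive (RD=1) A query over UDP
and over TCP and reports, per transport, whether a reply arrived, whether the
forwarder set RA (it is willing to recurse for this source address), and the
RCODE. Flag bit positions follow RFC 1035 section 4.1.1.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode one A/IN question; flags 0x0100 sets only the RD bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; QR=0x8000, RD=0x0100, RA=0x0080, RCODE=low nibble."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": an, "nscount": ns, "arcount": ar}


def verdict(hdr: dict) -> str:
    """One-line reading of a reply header in forwarding terms."""
    if not hdr["ra"]:
        return "forwarder did not set RA: this source address is not in its allow-recursion"
    if hdr["rcode"] == "REFUSED":
        return "REFUSED: allow-query on the forwarder excludes this source address"
    if hdr["rcode"] == "SERVFAIL":
        return "SERVFAIL: the forwarder itself could not resolve the name"
    if hdr["rcode"] == "NOERROR" and hdr["ancount"] == 0:
        return "NOERROR with no answer: the forwarder returned a referral or NODATA instead of resolving"
    return "forwarder answered recursively (%s, %d answer records)" % (hdr["rcode"], hdr["ancount"])


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server: str, name: str, proto: str = "udp", timeout: float = 3.0) -> dict:
    """Send one query over the chosen transport and classify the outcome."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length = struct.unpack("!H", _recv_exact(s, 2))[0]
                data = _recv_exact(s, length)
    except (socket.timeout, OSError) as exc:
        return {"proto": proto, "reply": False, "error": str(exc)}
    hdr = parse_header(data)
    return {"proto": proto, "reply": True, "verdict": verdict(hdr), **hdr}


def fake_reply(flags: int, an: int = 0, ns: int = 0, qid: int = 0x1234) -> bytes:
    """Constructed reply header, used only to exercise parse_header offline."""
    return struct.pack("!HHHHHH", qid, flags, 1, an, ns, 0)


if __name__ == "__main__":
    FORWARDER = "192.0.2.53"  # placeholder for ip.of.ns1; 192.0.2.0/24 is a documentation range
    for transport in ("udp", "tcp"):
        print(probe(FORWARDER, "sharepoint.com", transport))
```

Run it from dns1 itself so the query leaves from the same address named uses as query-source; a result that differs between the two transports is the firewall, a result that is the same on both but has RA clear is the forwarder's allow-recursion.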
________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Friday, 19 August 2016 4:25 PM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Hi
To clarify a bit.
The server that runs ns1 has named listening on two addresses.
One is an external facing address providing resolution to the queries coming from the internet.
Let's call this ns.org.domain.name.au
The other one is internal facing, and is what ns1 is pointing to.
There are certain zones that ns.org.domain.name.au is hosting authoritatively to the internet.
For example, we have ns.org.domain.name.au as authoritative for application.org.domain.name.au on the internet.
I have confirmed that ns1 has recursion enabled for all IP ranges within the organization.
I have also now added the below options to the named.conf on dns1 as well.
    recursion yes;
    allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
    allow-recursion-on { any; };
After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from dns1. However, it can resolve it if I run a "dig +trace sharepoint.com" or "dig +trace microsoft.com".
On the internal clients talking to dns1, I get an NXDOMAIN response.
--Anup
________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Hi Kevin
Does that mean I set up another forwarding zone called microsoft.com or sharepoint.microsoft.com or both?
And then do I need to add NS record entries similar to sharepoint.com in the fake root file?
Regards
Anup
________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Hi Chris
Below is the output without the "+trace" option. Also, there is a firewall between the internal (dns1) and external (ns1) name servers and
we have opened up TCP/UDP port 53 from dns1 to ns1.
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com. IN A
;; AUTHORITY SECTION:
sharepoint.com. 86400 IN NS ns1.org.domain.name.au
;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400 IN A ip.of.ns1
;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE rcvd: 84
Regards
Anup
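The flags line in the output above is the clue: the client set rd, dns1 did not set ra, and the reply carries no ANSWER records but an NS record in AUTHORITY. In DNS terms that is a referral, which is what a server hands back when it is not willing to recurse for that client (BIND 9.4 and later default allow-recursion to localnets and localhost). This reading follows from the protocol rather than from anything the thread concludes. The helper below is an added example, not code from the thread; it classifies dig transcripts by status, flags and section counts and attaches the check a practitioner would make next. The sample transcripts are constructed from the outputs quoted in this thread, with the same placeholders.

```python
"""Classify a dig transcript by its header line.

Added example, not from the thread. The reading follows RFC 1035 flag
semantics: RD is set by the client asking for recursion, RA is set by the
server if it will recurse for that client, and a NOERROR reply with no ANSWER
records but NS records in AUTHORITY is a referral.
"""
import re

HINTS = {
    "timeout": "no reply at all: check listen-on, that named is running, and any firewall between client and server",
    "servfail": "the server recursed and failed: check that its forwarder is reachable on TCP and UDP 53 and grants it recursion, then read the named log",
    "nxdomain": "the server answered from a zone it holds (here the fake root) and found no such name: check the delegation record for the domain",
    "referral_no_recursion": "rd set but ra clear: the client's address is not covered by allow-recursion, so the server returned the NS it knows instead of forwarding",
    "referral": "ra set yet only a referral came back: the server is not following the delegation, check the forward zone definition",
    "answer": "resolved normally",
    "nodata": "name exists but has no record of this type",
}


def classify_dig(output: str) -> dict:
    """Return outcome, status, flags and a next-step hint for one dig transcript."""
    if "no servers could be reached" in output:
        return {"outcome": "timeout", "status": None, "flags": set(), "hint": HINTS["timeout"]}
    status_m = re.search(r"status:\s*(\w+)", output)
    status = status_m.group(1) if status_m else "UNKNOWN"
    flags_m = re.search(r"flags:\s*([a-z ]*);", output)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    counts = {k: int(v) for k, v in re.findall(r"(ANSWER|AUTHORITY):\s*(\d+)", output)}
    answers, authority = counts.get("ANSWER", 0), counts.get("AUTHORITY", 0)
    auth_has_ns = "IN NS" in output.split("AUTHORITY SECTION", 1)[-1]

    if status == "SERVFAIL":
        outcome = "servfail"
    elif status == "NXDOMAIN":
        outcome = "nxdomain"
    elif answers > 0:
        outcome = "answer"
    elif authority > 0 and auth_has_ns and "rd" in flags and "ra" not in flags:
        outcome = "referral_no_recursion"
    elif authority > 0 and auth_has_ns:
        outcome = "referral"
    else:
        outcome = "nodata"  # NOERROR, no answer, SOA (or nothing) in authority
    return {"outcome": outcome, "status": status, "flags": flags, "hint": HINTS[outcome]}


# Constructed transcripts, copied from the thread with its placeholders kept.
SAMPLE_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com. IN A
;; AUTHORITY SECTION:
sharepoint.com. 86400 IN NS ns1.org.domain.name.au
;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400 IN A ip.of.ns1
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_TIMEOUT = """\
;; global options: +cmd
;; connection timed out; no servers could be reached
"""
SAMPLE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.test. 300 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for name, text in (("referral", SAMPLE_REFERRAL), ("servfail", SAMPLE_SERVFAIL),
                       ("timeout", SAMPLE_TIMEOUT), ("answer", SAMPLE_ANSWER)):
        r = classify_dig(text)
        print("%-9s -> %-22s %s" % (name, r["outcome"], r["hint"]))
```

Paste a transcript from a client and from the server itself into it separately: the same name classified as referral_no_recursion from the client and as answer from the server narrows the problem to allow-recursion, while servfail on both narrows it to the path from the server to its forwarder.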
________________________________
From: Chris Buxton <clists at buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server
Try it without "+trace".
Regards,
Chris
On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at hotmail.com> wrote:
Hi
First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.
We have an internal only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.
And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.
Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.
On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below
sharepoint.com. NS ns1.org.domain.name.au.
When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets "Non-authoritative: No answer".
Below are snippets of my named.conf on dns1 (internal)
options {
    directory "/var/dns";
    forwarders { ip.of.ns1; };
    listen-on { ip.of.dns1; 127.0.0.1; };
    query-source address ip.of.dns1;
    notify-source ip.of.dns1;
    transfer-source ip.of.dns1;
    allow-transfer { xxx.xxx/16; };
    transfer-format one-answer; // BIND9 (deal with Windows Server 2003)
};
<.....>
zone "." in {
    type master;
    file "fake/root";
};
zone "." in {
    type hint;
    file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
    type forward;
    forward only;
    forwarders { ip.of.ns1; };
};
The file fake/root has entries like below (IP and domain names changed for security)
$TTL 86400
; NOTE: TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;
. IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
    2016081608 ; serial
    10800 ; refresh
    3600 ; retry
    3600000 ; expire
    86400 ) ; minimum
. NS dns1.org.domain.name.au.
;. NS dns2.org.domain.name.au.
com.au. NS dns1.org.domain.name.au.
sharepoint.com. NS ns1.org.domain.name.au.
difforg.diffdomain.au. NS dns1.org.domain.name.au.
0.0.127.in-addr.arpa. NS dns1.org.domain.name.au.
xxx.xxx.in-addr.arpa. NS dns1.org.domain.name.au.
localhost. A 127.0.0.1
; Glue
dns1.org.domain.name.au. A ip.of.dns1
ns1.org.domain.name.au. A ip.of.ns1
;dns2.org.domain.name.au. A xxx.xxx.xxx.xxx
The root hints file (named.root) has the below
. 3600 IN NS dns1.org.domain.name.au
dns1 3600 A ip.of.dns1
nslookup on a client returns this
nslookup sharepoint.com
Server: ip.of.dns1
Address: ip.of.dns1#53
Non-authoritative answer:
*** Can't find sharepoint.com: No answer
And running dig on a client returns this
dig +trace sharepoint.com
; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options: printcmd
. 86400 IN NS dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
sharepoint.com. 86400 IN NS ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
;; connection timed out; no servers could be reached
Regards
Anup
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>
https://lists.isc.org/mailman/listinfo/bind-users
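Two things in a hand-maintained fake root like the one quoted above are easy to get wrong. Every NS target in a delegation needs an A record (glue) in the same file, and an owner name without a trailing dot is relative to the zone origin under master-file syntax, so under origin "." the hints line `dns1 3600 A ip.of.dns1` defines `dns1.`, not `dns1.org.domain.name.au.`. The checker below is an added example, not code from the thread or from ISC; it parses the subset of master-file syntax these files use (comments, $TTL, parenthesised SOA, optional TTL and class, relative names) and reports delegations whose target has no glue. The sample zone text is constructed from the records quoted above, with the same placeholders in place of real addresses.

```python
"""Check a fake root zone file for delegations that lack glue.

Added example, not from the thread. Implements a subset of RFC 1035 section 5
master-file syntax and then reports each NS target that has no A record in the
same file. Addresses in the samples are the thread's placeholders, not IPs.
"""


def _complete(name: str, origin: str) -> str:
    """Absolute names end in '.'; anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." if origin == "." else name + "." + origin).lower()


def parse_zone(text: str, origin: str = ".") -> list:
    """Return (owner, type, rdata) triples with absolute, lower-cased names."""
    records, last_owner, pending, indented = [], origin, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not pending:
            indented = line[0].isspace()            # blank owner field: reuse previous owner
        pending = (pending + " " + line.strip()) if pending else line.strip()
        if pending.count("(") > pending.count(")"):
            continue                                # record continues on the next line
        tokens, pending = pending.replace("(", " ").replace(")", " ").split(), ""
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = last_owner if indented else _complete(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                           # optional TTL
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                           # optional class
        rtype = tokens.pop(0).upper()
        if rtype == "NS":
            tokens[0] = _complete(tokens[0], origin)  # NS target is a domain name too
        records.append((owner, rtype, tokens))
    return records


def missing_glue(records: list) -> dict:
    """Map each NS target lacking an A record to the owners that delegate to it."""
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    missing = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata[0] not in a_owners:
            missing.setdefault(rdata[0], []).append(owner)
    return missing


# Constructed copies of the files quoted in the thread (placeholders kept).
FAKE_ROOT = """\
$TTL 86400
; fake DNS Resource Records for the root domain (.)
.   IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
        2016081608 ; serial
        10800      ; refresh
        3600       ; retry
        3600000    ; expire
        86400 )    ; minimum
.                      NS dns1.org.domain.name.au.
;.                     NS dns2.org.domain.name.au.
com.au.                NS dns1.org.domain.name.au.
sharepoint.com.        NS ns1.org.domain.name.au.
difforg.diffdomain.au. NS dns1.org.domain.name.au.
0.0.127.in-addr.arpa.  NS dns1.org.domain.name.au.
xxx.xxx.in-addr.arpa.  NS dns1.org.domain.name.au.
localhost.             A  127.0.0.1
; Glue
dns1.org.domain.name.au. A ip.of.dns1
ns1.org.domain.name.au.  A ip.of.ns1
"""
HINTS_FILE = """\
. 3600 IN NS dns1.org.domain.name.au
dns1 3600 A ip.of.dns1
"""

if __name__ == "__main__":
    print("fake/root  missing glue:", missing_glue(parse_zone(FAKE_ROOT)))
    print("named.root missing glue:", missing_glue(parse_zone(HINTS_FILE)))
```

The fake root passes, while the hints file reports `dns1.org.domain.name.au.` as delegated to without glue, because its second line defines the name `dns1.`. Run the same check on both files after every edit; a delegation whose target has no glue in a fake root cannot be followed, since there is no real root to fall back on.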