Selective forwarding from an internal only name server

anup albal anupalbal at hotmail.com
Fri Aug 19 08:02:40 UTC 2016


Hi


Below are the options on the external name server.

options {
        directory "/var/named";
        pid-file  "/var/named/tmp/named.pid";
        forwarders { list.external.isp.forwarders; 127.0.0.1; };

        query-source    address externalLooking.ip.of.ns ;
        notify-source   externalLooking.ip.of.ns;
        transfer-source externalLooking.ip.of.ns;

        allow-query { any; };
        allow-recursion { full.range.org.ips ; 127.0.0.1; localhost; };
        allow-transfer { full.range.org.ips;
                         external.isp.ip.1;
                         external.isp.ip.2;
        };
        notify yes;
        listen-on {
                127.0.0.1;
                externalLooking.ip.of.ns;
                internalLooking.ip.of.ns;  // ns1
        };

        version "unknown";

};

Below is the output from dig run on dns1 (internal):

 dig sharepoint.com

; <<>> DiG 9.6-ESV-R11-P2 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.6-ESV-R11-P2 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached


And from a dig run on a client being served by dns1:
dig sharepoint.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached

dig microsoft.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;microsoft.com.                 IN      A

;; Query time: 915 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Fri Aug 19 17:47:46 AEST 2016
;; MSG SIZE  rcvd: 31

And when run again:
dig microsoft.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached



At this stage I am at a complete loss as to why this is not working.

There is a firewall between the internal and external name servers. Other than ensuring that port 53 is open between the two name servers for TCP and UDP traffic, is there anything else I need to check?

Thanks
Anup
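As an added example (not part of the thread and not a BIND tool), a small POSIX sh helper that turns the kinds of dig result quoted above (timeout, SERVFAIL with the ra flag, NOERROR referral without ra) into a diagnosis and checks whether the answering server offered recursion; ip.of.ns1 and the sample text are placeholders copied from the thread.

```shell
# Added example (not from the thread, not BIND's own tooling): classify saved
# dig output and map it to the failure classes seen with a fake-root dns1
# forwarding selected zones to ns1. POSIX sh; reads dig output from stdin.

classify_dig() {
    out=$(cat)
    case "$out" in
        # No reply at all: firewall, wrong forwarder address, or named not
        # listening on the address that was queried.
        *"connection timed out"*) echo timeout ;;
        # Server reached but it will not serve this client
        # (allow-query / allow-recursion on the server that was asked).
        *"status: REFUSED"*)  echo refused ;;
        # Server reached; it tried upstream and failed (e.g. its own
        # forwarders unreachable, or they refuse recursion to it).
        *"status: SERVFAIL"*) echo servfail ;;
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: NOERROR"*)
            case "$out" in
                # NOERROR, empty answer, NS in authority: a referral, so
                # the forward zone was never consulted for this query.
                *"ANSWER: 0,"*) echo referral ;;
                *)              echo answer ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Succeeds when the reply carries the "ra" flag, i.e. the server that
# answered offers recursion to the client that asked.
recursion_available() {
    grep -q ';; flags:.* ra[ ;]'
}

# Live check; ip.of.ns1 is the thread's placeholder, replace it.
probe() { dig +time=2 +tries=1 "$@" | classify_dig; }
#   probe @ip.of.ns1 sharepoint.com        # UDP path through the firewall
#   probe @ip.of.ns1 sharepoint.com +tcp   # same query over TCP

# Constructed samples, abridged from the dig output quoted in the thread.
SAMPLE_TIMEOUT=';; global options: +cmd
;; connection timed out; no servers could be reached'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
```

A "referral" result from dns1 with no ra flag means the client was answered from the fake root zone without recursion, so the forward zone did not come into play at all.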

________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Friday, 19 August 2016 4:25 PM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi


To clarify a bit.

The server that runs ns1 has named listening on two addresses.


One is an external facing address providing resolution to the queries coming from the internet.

Let's call this ns.org.domain.name.au.

The other one is internal facing, and it is what ns1 points to.

There are certain zones that ns.org.domain.name.au is hosting authoritatively to the internet.


For example, we have ns.org.domain.name.au as authoritative for application.org.domain.name.au on the internet.


I have confirmed that ns1 has recursion enabled for all ip ranges within the organization.

I have also now added the below options to the named.conf on dns1 as well.


 recursion yes;
 allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
 allow-recursion-on { any; };


After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from dns1. However, it can resolve them if I run a "dig +trace sharepoint.com" or "dig +trace microsoft.com".


On the internal clients talking to dns1, I get an NXDOMAIN response.


--Anup


________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Kevin


Does that mean I set up another forwarding zone called microsoft.com or sharepoint.microsoft.com, or both?


And then do I need to add NS record entries similar to sharepoint.com in the fake root file?


Regards
Anup


________________________________
From: anup albal <anupalbal at hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Chris


Below is without the "+trace" option. Also, there is a firewall between the internal (dns1) and external (ns1) name servers, and we have opened up TCP/UDP port 53 from dns1 to ns1.


; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.                        IN      A

;; AUTHORITY SECTION:
sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84



Regards
Anup


________________________________
From: Chris Buxton <clists at buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupalbal at hotmail.com> wrote:


Hi

First up, apologies if this is not the right list to email, and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.

On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like below:
sharepoint.com.          NS     ns1.org.domain.name.au.

When I run a "dig +trace sharepoint.com" from dns1 I can resolve sharepoint.com.
But when I run it from an internal client, it gets "Non-authoritative: No answer".

Below are snippets of my named.conf on dns1 (internal):

options {
        directory "/var/dns";
        forwarders { ip.of.ns1; };
        listen-on  { ip.of.dns1; 127.0.0.1; };
        query-source address ip.of.dns1;
        notify-source ip.of.dns1;
        transfer-source ip.of.dns1;
        allow-transfer { xxx.xxx/16; };
        transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)

};

<.....>
zone "." in {
        type master;
        file "fake/root";
};

zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
        type forward;
        forward only;
        forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (ip and domain names changed for security)

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;

.       IN      SOA     dns1.org.domain.name.au.        xxx.dns1.org.domain.name.au.  (
                                     2016081608      ; serial
                                     10800   ; refresh
                                     3600    ; retry
                                     3600000 ; expire
                                     86400 ) ; minimum

.                       NS      dns1.org.domain.name.au.
;.                      NS      dns2.org.domain.name.au.

com.au.                 NS      dns1.org.domain.name.au.
sharepoint.com.         NS      ns1.org.domain.name.au.
difforg.diffdomain.au.  NS      dns1.org.domain.name.au.

0.0.127.in-addr.arpa.   NS      dns1.org.domain.name.au.

xxx.xxx.in-addr.arpa.   NS      dns1.org.domain.name.au.

localhost.              A       127.0.0.1

; Glue
dns1.org.domain.name.au. A      ip.of.dns1
ns1.org.domain.name.au.  A      ip.of.ns1
;dns2.org.domain.name.au. A      xxx.xxx.xxx.xxx

The root hints file (named.root) has the below:

.       3600    IN NS   dns1.org.domain.name.au
dns1    3600        A   ip.of.dns1


nslookup on a client returns this:
nslookup sharepoint.com
Server:         ip.of.dns1
Address:        ip.of.dns1#53

Non-authoritative answer:
*** Can't find sharepoint.com: No answer

And running dig on a client returns this:
dig +trace sharepoint.com

; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options:  printcmd
.                       86400   IN      NS      dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms

;; connection timed out; no servers could be reached


Regards
Anup
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
