"chase DS servers" while setting up a Split-DNS-Server with

MURTARI, JOHN jm5903 at att.com
Tue Feb 14 12:24:06 UTC 2017


Johannes,
	Noted your message below.  I might suggest you check out the 'views' feature of BIND.  You may find it a lot easier to set up/manage.  Some starting info:  https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
	Best regards!
John
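As an added illustration of the views approach John points to (editor's example, not from either poster): the two hosts in the original message are collapsed onto one BIND server, with the internal copy of ojkastl.de served as a master zone inside an internal-only view and a separate public copy in the external view. The 192.168.99.0/24 range is taken from the addresses in the thread; the ACL name, the root-hints path and the two zone file paths are assumptions. Because the internal view answers for ojkastl.de authoritatively instead of handing the name to a static-stub server, the validator never has to ask Host_2 for the parent-side ojkastl.de/DS record, which is the query Host_2 was logging as denied.

```conf
// Added example, not from the thread: one BIND server replacing Host_1 and
// Host_2 with two views.  Addresses follow the 192.168.99.0/24 net used in
// the thread; the ACL name and all file paths are assumptions.
acl "internal-net" {
        127.0.0.1;
        192.168.99.0/24;
};

options {
        directory "/var/cache/bind";
        listen-on { any; };
        // Validation stays on globally.  Answers from a view's own master
        // zone are authoritative data and are not validated, so no DS chase.
        dnssec-validation auto;
};

// Internal clients: full recursive resolver plus the internal copy of the zone.
// Views are matched in order, so the more specific one comes first.
view "internal" {
        match-clients { "internal-net"; };
        recursion yes;
        allow-query { "internal-net"; };
        allow-query-cache { "internal-net"; };

        // Once any view is defined, every zone must live inside a view,
        // including the root hints used for recursion.
        zone "." {
                type hint;
                file "/usr/share/dns/root.hints";   // assumed path
        };

        zone "ojkastl.de" {
                type master;
                file "/etc/bind/zones/db.ojkastl.de.internal";   // internal hosts (assumed path)
                allow-transfer { none; };
        };
};

// Everyone else: authoritative only, no recursion, no cache, public copy of the zone.
view "external" {
        match-clients { any; };
        recursion no;
        allow-query-cache { none; };

        zone "ojkastl.de" {
                type master;
                file "/etc/bind/zones/db.ojkastl.de.external";   // public hosts only (assumed path)
                allow-transfer { none; };
        };
};
```

Run named-checkconf on the file before reloading, then query the same internal name once from a 192.168.99.x address and once from outside: the first should return the internal A record, the second NXDOMAIN from the external copy. Note that the only thing separating the two views is the client's source address, so the internal view is exactly as private as the network boundary: any host on the internal range that forwards queries for outsiders (an open resolver, a misconfigured VPN endpoint) leaks the internal names, and the external view must keep recursion off or the server becomes an open resolver to the Internet.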
------------------------
Date: Tue, 14 Feb 2017 12:51:24 +0100
From: Johannes Kastl <mail at ojkastl.de>

Hi all,

I am trying to get more familiar with named/bind, and thus I am
experimenting a little. I am seeking guidance in setting up a
split-DNS server (aka resolving internal hosts that the outside does
not see and know about).

Host_1
I have bind running as caching resolver in my home dmz, only
accessible on the internal net. All DNS queries go through this one,
works like a charm, even with DNSSEC validation enabled.

Host_2
Then I set up another bind as master for my zone ojkastl.de, which has
all the internal hosts that the external one does not and should not
have. The host is set as NS in the SOA of the zone and has an A
record for itself in the zone. Querying this host directly with dig
+norecurse lets me resolve my internal hosts.

I added the following to my named.conf on Host_1, and it works.

-- snip --
zone "ojkastl.de" {
        type static-stub;
        server-addresses { 192.168.99.3; };
};
-- snip --

The only thing I notice are these lines in the logs:

Host_1
-- snip --
error (chase DS servers) resolving 'ojkastl.de/DS/IN': 192.168.99.3#53
-- snip --

Host_2
-- snip --
client 192.168.99.2#22059 (ojkastl.de): query (cache)
'ojkastl.de/DS/IN' denied
-- snip --

Is this actually something to worry about?

I guess that DS might be DNSSEC related, but apparently one cannot
disable DNSSEC validation for only one zone (or rather, I could not get
it to work). And as this zone is not signed (yet), it might not matter.

When using a forward-type zone I got lots of additional NS records for
de (nic.de etc.) in my dig tests, so I tried the static-stub.

Thanks in advance for your help!

Johannes


