Best way to handle a delegation...

Ray Van Dolson rvandolson at
Sat Jan 21 00:24:17 UTC 2017

So I have, controlled by AD, but want to delegate to an external DNS server on the Internet (Amazon

This is easy to do for my external version of as I can just
add        NS

However, our AD servers aren't allowed to talk to the Internet, so it's
not quite so straightforward.

What works is to set up a conditional forwarder on the AD side to route
any requests for to the IPs of our internal BIND
cache resolvers.  Now, on those cache resolvers I need to create a zone
called "" and either:

(1) Configure as a forward zone forwarding directly to the IPs of the
Amazon DNS servers (I don't like this because those IPs might

(2) Configure as a forward zone forwarding to my DMZ authoritative
DNS servers for  I don't like this because not all of my
caching servers can talk to my DMZ DNS server, so I have to chain them
which is ugly to say the least.

Both 1 & 2 work, but what I *wish* I could do is:

(3) Configure as a master zone, but have NS records pointing to the
Amazon servers (referenced by canonical name rather than IP)...


(4) Configure my DMZ server version of as a master
zone (w/ NS pointed to Amazon) and have one of my internal caching
servers configured as a slave to pull the zone in, then redistribute to
other caching servers around the company.

I haven't tried 4 as it's basically a more complex version of 3, but 3
doesn't work for some reason.  The caching server has access to the
Internet, but when I point dig at it and ask for, I just get the SOA record back rather than
full recursion via the delegation via the defined NS servers.  I
suspect the fact that is defined as a master zone,
I can't really delegate the whole thing elsewhere...

Is there a cleaner way to approach this (short of renaming our
domain!)?  Maybe forwarding is the best approach.
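
Added example for this thread (not the poster's configuration and not taken from any project): the BIND 9 named.conf zone clause that implements option (2) on an internal cache resolver, with option (1) shown as the alternative forwarders list. The zone name `sub.example.com` and the 10.1.0.0/16 and 192.0.2.0/24 addresses are placeholders, since the real names and addresses are not in the post; the AD-side conditional forwarder for the same name points at these resolvers, as the post describes. For context on why option (3) returns only the SOA: a zone loaded as `type master` is answered from its own data, and the NS records at that zone's apex name the zone's own servers rather than delegating it away, so the resolver never follows them.

```conf
// Added example, not the poster's config.  Placeholders: "sub.example.com"
// is the child zone delegated to the external provider; 10.1.0.0/16 stands
// for the DMZ; 192.0.2.0/24 (documentation range) stands for the provider's
// name servers.

// Option (2): the internal cache resolver hands every query under the child
// zone to the DMZ authoritative servers, which the organisation controls.
zone "sub.example.com" {
    type forward;
    forward only;          // no fallback to ordinary recursion for this name
    forwarders {
        10.1.0.53;         // placeholder: DMZ authoritative server 1
        10.1.0.54;         // placeholder: DMZ authoritative server 2
    };
};

// Option (1) differs only in the forwarders list, pointing straight at the
// provider's servers (whose addresses may change, as the post notes):
//
//     forwarders { 192.0.2.53; 192.0.2.54; };
```

Validate the file with `named-checkconf` before reloading; a query sent to the resolver for a name under the child zone should then return the provider's data rather than the local SOA. `forward only` is deliberate: if the forwarders are unreachable the resolver answers SERVFAIL instead of quietly falling back to its own recursion, so a broken path to the DMZ shows up as a failure rather than as queries silently routing around it.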


