different result between normal query and zone transfer

MAYER Hans Hans.Mayer at iiasa.ac.at
Thu Jul 6 11:29:39 UTC 2017 


Dear All,

In my environment we have internal DNS servers and 6 external server all running BIND. 
4 of these 6 are located in our network. These are slaves for our domain and fetching the data from one internal server.
And the remaining 2 are maintained by our ISP and doing a zone transfer from our external server.
For some reason we want to have that one DNS name get resolved different depending if the query goes to the internal server or to the external. 
So I configured in the external DNS server a subzone which overrides the information coming from the internal server. 
This works really fine for our internal and external server. I get the answer I expect. 
But not so if the servers of our ISP are queried. There I get the data which was originally defined in our internal DNS server. 
The same issue if I do a zone transfer with "dig axfr" from our external server. 

For me this looks like a bug. Why is the answer for a normal query different than the answer from a zone transfer ? 
Or do I miss a special flag for this setup ? 
I am using BIND 9.11.1 <id:e3dc2e7> but I had the same issue with older versions too. 

BTW: I tried the same with RPZ but there I have the identical issues. 


Kind regards 
Hans 

-- 

This is the part of "named.conf" 

zone "test44.iiasa.ac.at" in {
  type master ;
  file "db.test44.iiasa.ac.at" ;
} ;

This is the db-file of our external DNS server. 

#  cat "db.test44.iiasa.ac.at"

$TTL 3600
$ORIGIN test44.iiasa.ac.at.

@       IN SOA ns2.iiasa.ac.at.  dnsmaster.localhost. (
                                2222000000       ; serial
                                21600      ; refresh (6 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                86400      ; minimum (1 day)
                                )
@       IN             NS      ns2.iiasa.ac.at.
test44.iiasa.ac.at. 600 IN A 147.125.5.5
test44.iiasa.ac.at. 600 IN AAAA 2001:628:21f0:5::5:5

Here a normal query from anywhere 

# dig +short test44.iiasa.ac.at @ns2.iiasa.ac.at
147.125.5.5

And here a zone transfer from an IP where a zone transfer is allowed 

# dig axfr iiasa.ac.at @ns2.iiasa.ac.at | grep test44
test44.iiasa.ac.at.     86400   IN      AAAA    2001:628:21f0:4::4:4
test44.iiasa.ac.at.     86400   IN      A       147.125.4.4

More information about the bind-users mailing list