On 02.09.20 15:00, Taylor Vierrether via bind-users wrote:
> I am attempting to set up an internal DNS server that is authoritative for
> internal resources, but also will respond for external resources on the
> same domain that it does not have records for.
> For example, I have a domain sub.example.com , and I want to have internal
> entries in the BIND zone file for host1.sub.example.com and
> host2.sub.example.com.  That part is working fine.  However, there is a
> publicly available DNS entry for sub.example.com that I want my internal
> clients to be able to resolve, but I don’t want to have the IP in the BIND
> zone file, because the IP is dynamic.

you can delegate that entry elsewhere.

>  There are also some hosts (host3.sub.example.com ) and
> (host4.sub.example.com) that are externally resolvable that I don’t want
> to put in my internal BIND file because they are not controlled by me. 
> (Think CNAME to a SaaS application)

you can delegate those records somewhere.

> I’ve attempted to do this as follows, and it seems to make sense that it
> would work, but it does not.
> zone "sub.example.com" IN {
>        type master;
>        file "/etc/bind/sub.example.com.zone";
>        forward first;
>        forwarders {;; };

forwarding is not used for zones other than "type forward".

> What actually happens, is if I query for sub.example.com I get the following from nslookup:
> *** Can't find sub.example.com: No answer

if you search for the "sub.example.com" record, you cannot delegate that one,
of course.

you apparently should redesign your DNS. Easiest way would be using a
different domain internally.

> And if I query for host3.example.com , I get the following from nslookup:
> ** server can't find host3.sub.example.com: NXDOMAIN

note that nslookup is a very bad program for tracking DNS errors.
use "host" or "dig" for that case.
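As an added illustration of the two points above (forwarders are ignored on a master zone, and names you do not control can be sent elsewhere with separate "type forward" zones), here is a named.conf fragment. It is example configuration written for this thread, not something posted by either participant; the resolver addresses 192.0.2.53 and 198.51.100.53 are placeholders from the documentation range, and the 10.0.0.0/8 client range is an assumption.

```conf
// Example named.conf fragment (added here, not from the thread).
// 192.0.2.53 / 198.51.100.53 are placeholder resolver addresses; replace
// them with the resolvers you trust. 10.0.0.0/8 is an assumed client range.

options {
    directory "/var/cache/bind";
    recursion yes;                      // forward zones require recursion
    allow-recursion { 10.0.0.0/8; };    // only internal clients may recurse
    allow-query     { 10.0.0.0/8; };
};

// Authoritative internal zone: host1 and host2 are in the zone file.
// No "forward"/"forwarders" statements here; they have no effect on a
// type master zone, which is why the original attempt did nothing.
zone "sub.example.com" IN {
    type master;
    file "/etc/bind/sub.example.com.zone";
};

// More-specific zones for the externally hosted names that are NOT in the
// internal zone file. BIND selects the longest matching zone name, so these
// take precedence over the parent zone above, and queries for them are
// resolved through the listed resolvers instead of the local zone data.
zone "host3.sub.example.com" IN {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 198.51.100.53; };
};

zone "host4.sub.example.com" IN {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 198.51.100.53; };
};
```

After `named-checkconf` and `rndc reload`, check each name against the server directly with `dig @127.0.0.1 host3.sub.example.com A` rather than nslookup, so the full response (status, flags, authority section) is visible. Note that this only helps for names below the apex: the apex name sub.example.com itself is still served from the internal zone file, so a query for it returns whatever that file holds at the apex (NODATA if there is no A record), which is the limitation the reply points out and the reason a separate internal domain is the simpler design.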

