<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
What you're suggesting is not really the "inverse" of "forward
first".<br>
<br>
"Forward first" is basically: (try forwarding) -> [TIMEOUT FROM
ALL FORWARDERS] -> (try iterative resolution)<br>
The inverse would be: (try iterative resolution) -> [TIMEOUT FROM
ALL AUTHORITATIVE NAMESERVERS] -> (try forwarding)<br>
<br>
But you're not talking about timeouts, right? You're talking about
perfectly-valid responses that you don't like. This is "not found"
forwarding and in all the years people have been asking for it, it
has not been implemented in BIND because (at a minimum) a) there are
ambiguities with respect to what constitutes "not found" (NXDOMAIN
only? NODATA? REFUSED? SERVFAIL? DNSSEC validation failure?), and b)
it complicates and confuses resolution, and
maintenance/troubleshooting of same.<br>
<br>
In your case, what you might end up having to do is one of the following:<br>
a) start duplicating all of your external records in the internal
version(s) of your zone(s), and have your business partner use that,
or<br>
b) have your business partner look generally at the external
version(s) of your zone(s), and then have them create a zone, with
just a single leaf-node entry in it, for each name that they need to
access which does not exist in the external version of the zone,
e.g. "foo.bar.example.com". This could potentially add up to a lot
of zone definitions, or<br>
c) the inverse of the above: have your business partner look
generally at the internal version(s) of your zone(s), and then
create individual zones for each external name that they need to
access.<br>
<br>
Note that for browser-based traffic *only*, a slightly-less ugly
solution than (b) or (c) above is for your business partner to use a
proxy auto-config (PAC) file with their clients (or modify their
existing PAC). Then you can selectively control whether the client
looks up the DNS itself (DIRECT), or uses a particular proxy, and
then co-ordinate that with whether the clients or the proxy/proxies
see the internal or external version(s) of the zone(s),
respectively.<br>
<br>
E.g. internal sites go DIRECT and clients resolve the internal
version of the zone, while external sites are proxied and the proxy
sees the external version of the zone, or<br>
external sites go DIRECT and clients resolve the external
version of the zone, while internal sites are proxied and the proxy
sees the internal version of the zone, or<br>
internal sites go to proxyA and proxyA resolves the internal
DNS, external sites go to proxyB and proxyB resolves the external
DNS<br>
<br>
- Kevin<br>
<br>
P.S. If your internal and external DNS are completely distinct from
each other, how do your own internal users get to your own external
websites? If you've already solved that problem for your own
clients, why not just use the same solution with your business
partner, if possible?<br>
<br>
On 11/10/2010 3:08 PM, Stéphanas Schaden wrote:
<blockquote cite="mid:002b01cb8113$1ceac220$56c04660$@com.br"
type="cite">
<div class="WordSection1">
<p class="MsoNormal" style="text-indent: 35.4pt;">Hi all,</p>
<p class="MsoNormal">&nbsp;We have a situation at our company today, which is
this: we have an external authoritative zone in our public DNS.</p>
<p class="MsoNormal">&nbsp;We have a partner company that connects to our
network and needs to use an internal IP address of our company over the
internal link, but the FQDN for this access is configured in our external
zone.</p>
<p class="MsoNormal">&nbsp;We were looking at the forward configuration in
BIND and found that there are the “forward only” and “forward first”
options. If our partner configures our external zone on their DNS with just
this specific entry in the zone, and configures forwarding of the zone to
our public DNS, it will not work, because our public DNS has this entry and
the entry points to the public IP. So the entry on our customer's DNS will
be used only after it queries our public DNS.</p>
<p class="MsoNormal">&nbsp;So we were looking for an option in BIND (we have
not found anything yet) to do the inverse of “forward first”, something
like “forward after”: if our customer's DNS receives a query and has that
entry in its zone, it answers the source; if it does not find the entry in
the zone, it forwards to our public DNS.</p>
<p class="MsoNormal">&nbsp;Is there something that could do this using BIND?</p>
<p class="MsoNormal">&nbsp;Thank you very much.</p>
<p class="MsoNormal">&nbsp;Stéphanas Schaden</p>
<p class="MsoNormal">&nbsp;<a class="moz-txt-link-abbreviated" href="mailto:stephanass@ctbc.com.br">stephanass@ctbc.com.br</a></p>
<p class="MsoNormal">&nbsp;Brazil</p>
</div>
<pre wrap="">
_______________________________________________
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
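Kevin's option (b) above, written out as an added example that is not part of the original thread: the partner's BIND resolver forwards all of example.com to the public authoritative servers, and a separate one-record zone is declared for each name that has to resolve to the internal address. The server addresses, the internal address, the partner's own name server and the file paths are all made up for illustration.<br>

```conf
// --- /etc/named.conf on the partner's resolver (constructed example) ---
// Everything under example.com is forwarded to the public authoritative
// servers, so by default the partner sees the external view of the zone.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 203.0.113.53; 203.0.113.54; };   // public DNS for example.com (made up)
};

// One leaf-node zone for each name that must resolve to the internal address.
// named answers a query from the most specific zone configured for the name,
// so a query for foo.bar.example.com is answered from this zone and never
// reaches the forwarders, while www.example.com is still forwarded and gets
// the public answer. Each additional internal name needs its own stanza and
// file, which is the "lot of zone definitions" Kevin warns about.
zone "foo.bar.example.com" {
    type master;
    file "/var/named/foo.bar.example.com.zone";
};

; --- /var/named/foo.bar.example.com.zone (constructed example) ---
; A zone needs an SOA and at least one NS record at its apex to load, even
; when the only record anyone cares about is the single A record.
$TTL 300
@   IN SOA  ns1.partner.example. hostmaster.partner.example. (
            2010111001  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300 )       ; negative-cache TTL
    IN NS   ns1.partner.example.
    IN A    10.20.30.40 ; internal address, reached over the private link
```

Before reloading, `named-checkconf /etc/named.conf` and `named-checkzone foo.bar.example.com /var/named/foo.bar.example.com.zone` catch syntax mistakes; afterwards, `dig @<partner resolver> foo.bar.example.com A` should return the internal address with the AA flag set, and `dig @<partner resolver> www.example.com A` should still return the public address via the forwarders. Note that the leaf zone is authoritative for everything at and below that name, so any child names under foo.bar.example.com in the real zone would have to be carried in this file as well.<br>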
<br>
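Kevin's first PAC variant above (internal sites go DIRECT and the client resolves the internal view, while everything else in the zone goes to a proxy that sees the external view), as an added example that is not from the original thread. The zone, the list of internal-only names, the glob for an internal label and the proxy address are constructed for illustration; the two helper functions reproduce the `dnsDomainIs()` and `shExpMatch()` that a browser's PAC runtime supplies, so the file also runs stand-alone for testing.<br>

```javascript
// Added example (not from the original thread): a PAC file for Kevin's
// first variant. Names that exist only in the internal view of the zone are
// returned as DIRECT, so the client resolves them itself against DNS that
// serves the internal view; every other name under the zone is sent to a
// proxy whose own resolver sees the external view.

// In a browser the PAC runtime provides dnsDomainIs() and shExpMatch().
// These two definitions have the same semantics so the file runs under
// Node as well; they can be removed when the file is served as a real PAC.
function dnsDomainIs(host, domain) {
  // True when host ends with domain, e.g. ("www.example.com", ".example.com").
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Shell-style glob: "*" matches any run of characters, "?" exactly one.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed for the example: the zone in question, the leaf-node names the
// partner must reach over the private link (option b), a glob covering a
// whole internal label, and the proxy that resolves the external view.
var ZONE = ".example.com";
var INTERNAL_NAMES = ["foo.bar.example.com", "crm.example.com"];
var INTERNAL_GLOB = "*.internal.example.com";
var EXTERNAL_PROXY = "PROXY proxy.partner.example:3128";

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();            // DNS names are case-insensitive

  // Unqualified names are never part of the external view: keep them local.
  if (h.indexOf(".") === -1) {
    return "DIRECT";
  }

  if (dnsDomainIs(h, ZONE)) {
    // Internal-only names: the client resolves them in the internal view.
    for (var i = 0; i < INTERNAL_NAMES.length; i++) {
      if (h === INTERNAL_NAMES[i]) {
        return "DIRECT";
      }
    }
    if (shExpMatch(h, INTERNAL_GLOB)) {
      return "DIRECT";
    }
    // Everything else in the zone: the proxy resolves the external view.
    // Deliberately no "; DIRECT" fallback: with the proxy down, the client
    // would otherwise resolve an external name in the internal view and
    // either fail or connect to the wrong address.
    return EXTERNAL_PROXY;
  }

  // Sites outside the zone follow the partner's usual policy; DIRECT here.
  return "DIRECT";
}
```

The PAC only steers browser traffic, and it only decides which resolver is consulted indirectly: the proxy named here has to be configured so that its own resolver sees the external view, and the clients' resolver the internal one, or the split does nothing.<br>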
</body>
</html>