<div>Hi Torinthiel, </div>
<div>You have not understood my requirement. We are not looking for * to point all A records to 1.2.3.4, but we want to delegate all * DNS requests to another name server, which will take care of the requests. In this case the name server to which I want to delegate all * records is a GLB (Global Load Balancer).</div>
<div>Can you suggest how to do this?</div>
<div> </div>
<div>Thanks</div>
<div>Parashar<br><br></div>
<div class="gmail_quote">On Mon, Apr 11, 2011 at 8:00 AM, <span dir="ltr"><<a href="mailto:bind-users-request@lists.isc.org">bind-users-request@lists.isc.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Send bind-users mailing list submissions to<br> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<br>Today's Topics:<br><br> 1. DNS record delegation (Parashar Singh)<br> 2. Re: DNS record delegation (Torinthiel)<br>
3. Re: A beginners question regarding a caching-only name server<br> (Patrick Rynhart)<br> 4. Re: BIND9 fails resolving after connecting to VPN (kapetr)<br><br><br>----------------------------------------------------------------------<br>
<br>Message: 1<br>Date: Mon, 11 Apr 2011 00:12:36 +0530<br>From: Parashar Singh <<a href="mailto:parashar.singh2003@gmail.com">parashar.singh2003@gmail.com</a>><br>Subject: DNS record delegation<br>To: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
Message-ID: <<a href="mailto:BANLkTikxAywQFB7LO5TGXVyyCVtpyPs_NQ@mail.gmail.com">BANLkTikxAywQFB7LO5TGXVyyCVtpyPs_NQ@mail.gmail.com</a>><br>Content-Type: text/plain; charset="windows-1252"<br><br>We want to be able to point the wild card (*.<a href="http://domain.com/" target="_blank">domain.com</a>) and the root domain<br>
(<a href="http://domain.com/" target="_blank">domain.com</a>) to the GLB's while not breaking the other custom prefixes<br>within that domain's record (<a href="http://stage.domain.com/" target="_blank">stage.domain.com</a>, <a href="http://foo.domain.com/" target="_blank">foo.domain.com</a>, etc.).<br>
Except for some 10-20 A records, as declared in the zone file, all other DNS<br>lookup requests shall be forwarded to the Global Load Balancer.<br>Allow any records on the DNS server to resolve to the respective records on<br>DNS.<br>
All other records are captured by the wildcard and load balanced.<br>The load balancers will forward the queries to the Apache web servers, which<br>will direct users to the appropriate website.<br><br>Can you suggest how we can configure BIND to do the above setup?<br>
<br>------------------------------<br><br>Message: 2<br>Date: Sun, 10 Apr 2011 22:38:05 +0200<br>From: Torinthiel <<a href="mailto:torinthiel@data.pl">torinthiel@data.pl</a>><br>Subject: Re: DNS record delegation<br>
To: <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>Message-ID: <<a href="mailto:4DA2152D.90004@data.pl">4DA2152D.90004@data.pl</a>><br>Content-Type: text/plain; charset="windows-1252"<br>
<br>On 04/10/11 20:42, Parashar Singh wrote:<br>> We want to be able to point the wild card (*.<a href="http://domain.com/" target="_blank">domain.com</a><br>> <<a href="http://domain.com/" target="_blank">http://domain.com</a>>) and the root domain (<a href="http://domain.com/" target="_blank">domain.com</a><br>
> <<a href="http://domain.com/" target="_blank">http://domain.com</a>>) to the GLB's while not breaking the other custom<br>> prefixes within that domain's record (<a href="http://stage.domain.com/" target="_blank">stage.domain.com</a><br>
> <<a href="http://stage.domain.com/" target="_blank">http://stage.domain.com</a>>, <a href="http://foo.domain.com/" target="_blank">foo.domain.com</a> <<a href="http://foo.domain.com/" target="_blank">http://foo.domain.com</a>>, etc.).<br>
> Except for some 10-20 A records, as declared in the zone file, all other DNS<br>> lookup requests shall be forwarded to the Global Load Balancer.<br>> Allow any records on the DNS server to resolve to the respective records<br>
> on DNS.<br>> All other records are captured by the wildcard and load balanced.<br>> The load balancers will forward the queries to the Apache web servers,<br>> which will direct users to the appropriate website.<br>
><br>> Can you suggest how we can configure BIND to do the above setup?<br><br><br>If you type<br>*.<a href="http://domain.com/" target="_blank">domain.com</a>. IN A 1.2.3.4<br>in your zone file, BIND interprets this as<br>
"every record that is not configured otherwise should get a record of<br>type A and value 1.2.3.4"<br><br>So, if I understand correctly what you want to do, just specify normal A<br>records for special domains and root domain as well, and add the<br>
wildcard record.<br><br>For this example assume 1.2.3.4 is the IP of the GLB, and 4.3.2.1 is the IP of the<br>machine serving other stuff.<br>So the following zone fragment should work:<br><br>$ORIGIN <a href="http://domain.com/" target="_blank">domain.com</a>.<br>
@ SOA (...)<br>@ NS ...<br>@ A 1.2.3.4<br>stage A 4.3.2.1<br>foo A 4.3.2.1<br>* A 1.2.3.4<br>END FRAGMENT<br><br>Of course stage and foo can have different IP addresses, and you<br>probably want to add MX and other records as well.<br>
Torinthiel<br><br>
<br>------------------------------<br><br>Message: 3<br>Date: Mon, 11 Apr 2011 17:02:22 +1200<br>From: Patrick Rynhart <<a href="mailto:P.Rynhart@massey.ac.nz">P.Rynhart@massey.ac.nz</a>><br>Subject: Re: A beginners question regarding a caching-only name server<br>
To: <a href="mailto:bind-users@isc.org">bind-users@isc.org</a><br>Message-ID: <inu20v$uk8$<a href="mailto:1@dough.gmane.org">1@dough.gmane.org</a>><br>Content-Type: text/plain; charset=ISO-8859-1<br><br>Hi Andrew,<br>
<br>On 9/04/2011 12:37 a.m., andrew wales wrote:<br>><br>> Remember that rndc dumpdb doesn't actually dump the cache to stdout.<br>> Has it actually written to named_dump.db in named's working directory?<br>
> Regards,<br>><br>> Andrew<br><br>Thanks - you are spot on here :-) I was expecting the DB to be written<br>to stdout. One thing that I have noticed, however, is that only<br>information relating to the most recently resolved DNS hostname is being<br>
dumped. (If I set my /etc/resolv.conf on my client accordingly and then<br>ping a bunch of different domains then I only get results for the last<br>query.) Perhaps this is because I have a "forwarders" directive (i.e. BIND<br>
is not actually functioning as a caching name server at present?).<br><br>Cheers,<br><br>Patrick<br><br><br><br><br>------------------------------<br><br>Message: 4<br>Date: Mon, 11 Apr 2011 13:18:39 +0200 (CEST)<br>From: "kapetr" <<a href="mailto:kapetr@mizera.cz">kapetr@mizera.cz</a>><br>
Subject: Re: BIND9 fails resolving after connecting to VPN<br>To: <a href="mailto:stacey.marshall@gmail.com">stacey.marshall@gmail.com</a>, <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>Message-ID: <<a href="mailto:437b144354563f43d8fba089177a18f4@mail2.volny.cz">437b144354563f43d8fba089177a18f4@mail2.volny.cz</a>><br>
Content-Type: text/plain; charset="iso-8859-2"<br><br>Hello,<br><br>interesting ...<br><br>----- ORIGINAL MESSAGE -----<br>From: "Stacey Marshall" <<a href="mailto:stacey.marshall@gmail.com">stacey.marshall@gmail.com</a>><br>
To: "kapetr" <<a href="mailto:kapetr@mizera.cz">kapetr@mizera.cz</a>><br>Subject: Re: BIND9 fails resolving after connecting to VPN<br>Date: 9.4.2011 - 22:50:44<br><br>> I'm wondering if the network you're attaching to via<br>
> VPN allows direct DNS<br>> lookups?<br>><br>> I know of networks where the provided servers have<br>> firewall rules that allow<br>> them to make queries but other servers are not.<br>><br>> You could test this theory by trying to connect to<br>
> a root server with dig<br>> when connected to VPN. For example:<br>><br>> $ dig @<a href="http://h.root-servers.net/" target="_blank">h.root-servers.net</a>. <a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a><br>
><br>> Regards, Stace<br><br><br>Why should the VPN provider filter (disable) direct queries and allow<br>only recursive queries?<br><br>The results are (for me) surprising:<br><br>1. before VPN: my (127.0.0.1) and the ISP's servers work OK and:<br>
********************************************************************<br><br>hugo@duron650:~$ dig @<a href="http://h.root-servers.net/" target="_blank">h.root-servers.net</a>. <a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a><br>
<br>; <<>> DiG 9.7.1-P2 <<>> @<a href="http://h.root-servers.net/" target="_blank">h.root-servers.net</a>. <a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a><br>; (1 server found)<br>
;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20035<br>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 10<br>;; WARNING: recursion requested but not available<br>
<br>;; QUESTION SECTION:<br>;<a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a>. IN A<br><br>;; AUTHORITY SECTION:<br>cz. 172800 IN NS <a href="http://a.ns.nic.cz/" target="_blank">a.ns.nic.cz</a>.<br>
cz. 172800 IN NS <a href="http://b.ns.nic.cz/" target="_blank">b.ns.nic.cz</a>.<br>cz. 172800 IN NS <a href="http://c.ns.nic.cz/" target="_blank">c.ns.nic.cz</a>.<br>
cz. 172800 IN NS <a href="http://d.ns.nic.cz/" target="_blank">d.ns.nic.cz</a>.<br>cz. 172800 IN NS <a href="http://f.ns.nic.cz/" target="_blank">f.ns.nic.cz</a>.<br>
<br>;; ADDITIONAL SECTION:<br><a href="http://a.ns.nic.cz/" target="_blank">a.ns.nic.cz</a>. 172800 IN A 194.0.12.1<br><a href="http://b.ns.nic.cz/" target="_blank">b.ns.nic.cz</a>. 172800 IN A 194.0.13.1<br>
<a href="http://c.ns.nic.cz/" target="_blank">c.ns.nic.cz</a>. 172800 IN A 194.0.14.1<br><a href="http://d.ns.nic.cz/" target="_blank">d.ns.nic.cz</a>. 172800 IN A 193.29.206.1<br>
<a href="http://f.ns.nic.cz/" target="_blank">f.ns.nic.cz</a>. 172800 IN A <a href="tel:193.171.255.48" value="+19317125548">193.171.255.48</a><br><a href="http://a.ns.nic.cz/" target="_blank">a.ns.nic.cz</a>. 172800 IN AAAA 2001:678:f::1<br>
<a href="http://b.ns.nic.cz/" target="_blank">b.ns.nic.cz</a>. 172800 IN AAAA 2001:678:10::1<br><a href="http://c.ns.nic.cz/" target="_blank">c.ns.nic.cz</a>. 172800 IN AAAA 2001:678:11::1<br>
<a href="http://d.ns.nic.cz/" target="_blank">d.ns.nic.cz</a>. 172800 IN AAAA 2001:678:1::1<br><a href="http://f.ns.nic.cz/" target="_blank">f.ns.nic.cz</a>. 172800 IN AAAA 2001:628:453:420::48<br>
<br>;; Query time: 144 msec<br>;; SERVER: 128.63.2.53#53(128.63.2.53)<br>;; WHEN: Mon Apr 11 12:56:18 2011<br>;; MSG SIZE rcvd: 338<br><br>hugo@duron650:~$<br><br>2. after VPN up:<br>****************************************************************<br>
- my (127.0.0.1) fails again - "connection timed out; no servers<br>could be reached"<br>- the ISP's server is OK again - I get a normal "A" answer<br>- DNS root server - by name (IP obtained from the ISP's server) or by IP<br>
gives:<br>hugo@duron650:~$ dig @<a href="http://h.root-servers.net/" target="_blank">h.root-servers.net</a>. <a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a><br><br>; <<>> DiG 9.7.1-P2 <<>> @<a href="http://h.root-servers.net/" target="_blank">h.root-servers.net</a>. <a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a><br>
; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2758<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<br><br>;; QUESTION SECTION:<br>
;<a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a>. IN A<br><br>;; ANSWER SECTION:<br><a href="http://www.seznam.cz/" target="_blank">www.seznam.cz</a>. 203 IN A 77.75.72.3<br>
<br>;; Query time: 67 msec<br>;; SERVER: 128.63.2.53#53(128.63.2.53)<br>;; WHEN: Mon Apr 11 12:58:52 2011<br>;; MSG SIZE rcvd: 47<br><br>hugo@duron650:~$<br>*************************************************<br><br>So why does <a href="http://h.root-servers.net/" target="_blank">h.root-servers.net</a> == 128.63.2.53 in case 2 (over VPN)<br>
give the recursive answer?<br><br>Do you think that this VPN provider<br>- blocks direct (not recursive) DNS questions and<br>- manipulates recursive queries? [catches them, makes the query itself and<br>answers with a manipulated server IP]<br>
<br>???<br><br>--kapetr<br><br><br>------------------------------<br><br>
End of bind-users Digest, Vol 828, Issue 1<br>******************************************<br>
</blockquote></div><br>
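<div>Worked example added by the editor (not code from the thread, from BIND or from the GLB vendor): a small Python model of the RFC 4592 wildcard rules that Torinthiel's zone fragment relies on, using the fragment's constructed values (1.2.3.4 for the GLB, 4.3.2.1 for the other machine) plus an assumed name server ns1 and assumed query names. It shows the caveats a practitioner wants before relying on "*" to catch everything: the wildcard never covers the apex (hence the explicit "@ A"), it does not cover names under an existing name such as www.stage.domain.com, and it only synthesizes the record types it carries.</div>

```python
# Editor's example (not from the thread): RFC 4592 wildcard matching over a tiny in-memory zone.
# Zone data mirrors Torinthiel's fragment; ns1 and the names queried in the test are constructed.
ORIGIN = "domain.com."
ZONE = {
    "domain.com.":       {"NS": ["ns1.domain.com."], "A": ["1.2.3.4"]},  # explicit apex A is required
    "ns1.domain.com.":   {"A": ["4.3.2.1"]},
    "stage.domain.com.": {"A": ["4.3.2.1"]},
    "foo.domain.com.":   {"A": ["4.3.2.1"]},
    "*.domain.com.":     {"A": ["1.2.3.4"]},   # the wildcard pointing at the GLB
}


def _exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal (something exists below it)."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup(zone, origin, qname, qtype):
    """Answer like an authoritative server: (status, rdata) with NOERROR, NODATA, NXDOMAIN or REFUSED."""
    qname = qname.lower().rstrip(".") + "."
    if qname != origin and not qname.endswith("." + origin):
        return ("REFUSED", [])                          # not our zone
    if _exists(zone, qname):                            # existing name: the wildcard is never consulted
        rrs = zone.get(qname, {})
        return ("NOERROR", rrs[qtype]) if qtype in rrs else ("NODATA", [])
    # Walk up to the closest encloser, the longest existing ancestor of qname.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):
            wild = "*." + ancestor                      # only a wildcard directly under the encloser applies
            if wild not in zone:
                return ("NXDOMAIN", [])                 # e.g. www.stage.domain.com: stage exists, no *.stage
            rrs = zone[wild]
            return ("NOERROR", rrs[qtype]) if qtype in rrs else ("NODATA", [])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for name, qtype in (("bar.domain.com", "A"), ("a.b.domain.com", "A"), ("stage.domain.com", "A"),
                        ("www.stage.domain.com", "A"), ("bar.domain.com", "MX"), ("domain.com", "A")):
        print(f"{name:24s} {qtype:3s} -> {lookup(ZONE, ORIGIN, name, qtype)}")
```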
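<div>A detection-side example added by the editor (not from the thread, from dig or from BIND): it rebuilds the two response headers kapetr pasted as constructed bytes and classifies them the way a resolver operator would when checking a link for DNS interception. A root server only hands out referrals, so a response from it that carries the RA flag or an answer section, as in kapetr's second run, indicates that something on the path answered in its place. The query builder and the byte strings are constructed here, not captured.</div>

```python
import struct

# Constructed 12-byte headers mirroring the two dig outputs in the thread (not real captures):
#   before VPN: id 20035, flags "qr rd"    (0x8100), QUERY 1, ANSWER 0, AUTHORITY 5, ADDITIONAL 10
#   over VPN:   id 2758,  flags "qr rd ra" (0x8180), QUERY 1, ANSWER 1, AUTHORITY 0, ADDITIONAL 0
REFERRAL_HDR = struct.pack("!HHHHHH", 20035, 0x8100, 1, 0, 5, 10)
RECURSIVE_HDR = struct.pack("!HHHHHH", 2758, 0x8180, 1, 1, 0, 0)


def build_query(qname, qid, rd=True):
    """Wire-format A/IN query. RD=1 matches dig's default; a root server ignores it anyway."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0x0000, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_header(msg):
    """Decode the fixed DNS header into the flag bits and section counts that dig prints."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(msg, expected_id, referral_only=True):
    """Label a response from a server that should only refer (a root or TLD server)."""
    h = parse_header(msg)
    if not h["qr"] or h["id"] != expected_id:
        return "invalid"                      # not a response, or the ID does not match our query
    if h["ancount"] == 0 and h["nscount"] > 0 and not h["ra"]:
        return "referral"                     # normal root-server behaviour (kapetr's case 1)
    if referral_only and (h["ra"] or h["ancount"] > 0):
        return "interception-suspected"       # RA or an answer from a referral-only server (case 2)
    return "answer"


if __name__ == "__main__":
    for label, hdr, qid in (("before VPN", REFERRAL_HDR, 20035), ("over VPN", RECURSIVE_HDR, 2758)):
        print(f"{label:10s} -> {classify(hdr, qid)}")
```

To test a real link, send build_query() over UDP to a root server and feed the reply to classify(); only the header is needed for the verdict.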