<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">What do you have against Internet
clients querying the storage device? It's obvious that the storage
device wants to serve that part of the DNS namespace. If you don't
want the clients to query the device "directly" you could do it
through a NAT, or proxy, or whatever. Anything other than "direct"
client/server interaction, e.g. transparent DNS redirection, is
going to be a hack job. I wouldn't want to support it.<br>
<br>
- Kevin<br>
<br>
<br>
On 1/18/2013 10:33 AM, Garsiot, Thomas wrote:<br>
</div>
<blockquote
cite="mid:5BF5269023126E45978888795BF184E50E8BE31B@CORPOWM-16"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Palatino Linotype";
panose-1:2 4 5 2 5 5 5 3 3 4;}
@font-face
{font-family:Webdings;
panose-1:5 3 1 2 1 5 9 6 7 3;}
@font-face
{font-family:Centaur;
panose-1:2 3 5 4 5 2 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have an issue with domain forwarding.<o:p></o:p></p>
<p class="MsoNormal">I'm managing public DNS servers for, say,
mydomain.com.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We're currently setting a storage system
which relies on DNS for load balancing. The system is made of
4 nodes with IP addresses 10.0.0.1, 2, 3, 4.<o:p></o:p></p>
<p class="MsoNormal">The vendor recommands a stub zone to be
created with forwarders set to the 4 IP addresses (i.e their
storage system acts as a mini-DNS server).
<o:p></o:p></p>
<p class="MsoNormal">However, we need this resolution to occur
over the internet, so obviously the stub zone solution does
not work because DNS resolvers on the internet would retrieve
the NS list for the subdomain and try to query it directly.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We need to be able to resolve on the
internet anything of the format :
<o:p></o:p></p>
<p class="MsoNormal">xxxx.storage.mydomain.com or
yyyy.xxxx.storage.mydomain.com<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">so what I need is my public DNS servers to
be owners of the storage.mydomain.com but still rely on the
storage system for more specific host resolution.<o:p></o:p></p>
<p class="MsoNormal">Some kind of a stealth DNS server but with
a forward rather than a master-slave scheme.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We've tried several solutions but none was
fully successful.<o:p></o:p></p>
<p class="MsoNormal">SOLUTION 1:<o:p></o:p></p>
<p class="MsoNormal">============<o:p></o:p></p>
<p class="MsoNormal">in mydomain.com zone file : <o:p></o:p></p>
<p class="MsoNormal">storage IN NS ns-storage.mydomain.com.<o:p></o:p></p>
<p class="MsoNormal">ns-storage IN A 2.2.2.2 <o:p></o:p></p>
<p class="MsoNormal">where 2.2.2.2 is a public VIP on the
internet that load balances DNS traffic to 10.0.0.1 -> 4<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SOLUTION 1 results : <o:p></o:p></p>
<p class="MsoNormal">====================<o:p></o:p></p>
<p class="MsoNormal">partially works :<o:p></o:p></p>
<p class="MsoNormal">when querying google's resolving DNS server
for test, both xxxx.storage.mydomain.com or
yyyy.xxxx.storage.mydomain.com resolve fine to the 4 private
IP addresses.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">however, in certain environments,
xxxx.storage.mydomain.com works but not
yyyy.xxxx.storage.mydomain.com.
<o:p></o:p></p>
<p class="MsoNormal">My guess is that google for some reason
sent a recursive query for yyyy.xxxx.storage.mydomain.com to
the NS of storage.mydomain.com while the other environment was
sending an iterative query and thus tried to query the
internal addresses of the storage box.<o:p></o:p></p>
<p class="MsoNormal">In the situation that fails what I think is
happening is :<o:p></o:p></p>
<p class="MsoNormal">Resolver -> mydomain.com NS servers :
query NS storage.mydomain.com<o:p></o:p></p>
<p class="MsoNormal">mydomain.com NS servers -> resolver :
storage.mydomain.com's NS is ns-storage which translates to
2.2.2.2<o:p></o:p></p>
<p class="MsoNormal">Resolver -> 2.2.2.2 : query NS for
xxxx.storage.mydomain.com
<o:p></o:p></p>
<p class="MsoNormal">2.2.2.2 -> resolver : returns 4 NS
records corresponding to 10.0.0.1 ->4<o:p></o:p></p>
<p class="MsoNormal">Resolver -> 10.0.0.1,2,3 or 4 : fails
because private IP is not reachable.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SOLUTION 2: <o:p></o:p></p>
<p class="MsoNormal">============<o:p></o:p></p>
<p class="MsoNormal">in named.conf :<o:p></o:p></p>
<p class="MsoNormal">zone "storage.mydomain.com" {<o:p></o:p></p>
<p class="MsoNormal">type forward;<o:p></o:p></p>
<p class="MsoNormal">forwarders { 2.2.2.2; };<o:p></o:p></p>
<p class="MsoNormal">//forward only;<o:p></o:p></p>
<p class="MsoNormal">};<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I've tried with and without the "forward
only directive" - no change.<o:p></o:p></p>
<p class="MsoNormal">Tried it with the internal IP addresses
10.x.x.x and external VIP 2.2.2.2.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SOLUTION 2 results : <o:p></o:p></p>
<p class="MsoNormal">====================<o:p></o:p></p>
<p class="MsoNormal">fails<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">a dig for xxxx.storage.mydomain.com gives
no answer. Only the authority section pointing to
ns1.mydomain.com & ns2.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SOLUTION 3 :<o:p></o:p></p>
<p class="MsoNormal">============<o:p></o:p></p>
<p class="MsoNormal">in named.conf :<o:p></o:p></p>
<p class="MsoNormal">zone "storage.mydomain.com" {<o:p></o:p></p>
<p class="MsoNormal">type forward;<o:p></o:p></p>
<p class="MsoNormal">forwarders { 2.2.2.2; };<o:p></o:p></p>
<p class="MsoNormal">//forward only;<o:p></o:p></p>
<p class="MsoNormal">};<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">in zone file for mydomain.com <o:p></o:p></p>
<p class="MsoNormal">storage IN NS ns1.mydomain.com <o:p></o:p></p>
<p class="MsoNormal">storage IN NS ns2.mydomain.com<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">SOLUTION 3 results :<o:p></o:p></p>
<p class="MsoNormal">====================<o:p></o:p></p>
<p class="MsoNormal">Direct recursive query to mydomain.com name
servers works fine<o:p></o:p></p>
<p class="MsoNormal">Requests through another resolver do not
work. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">dig xxx.storage.mydomain.com +trace gives :<o:p></o:p></p>
<p class="MsoNormal">mydomain.com. 172800 IN
NS ns1.mydomain.com.<o:p></o:p></p>
<p class="MsoNormal">mydomain.com. 172800 IN
NS ns2.mydomain.com.<o:p></o:p></p>
<p class="MsoNormal">;; Received 117 bytes from
192.42.93.30#53(192.42.93.30) in 102 ms<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">storage.mydomain.com.
300 IN NS ns1.mydomain.com<o:p></o:p></p>
<p class="MsoNormal">storage.mydomain.com.
300 IN NS ns2.mydomain.com<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">mydomain.com. 300 IN
SOA ns1.mydomain.com. xxxxxxxx<o:p></o:p></p>
<p class="MsoNormal">2013011801 3600 900 604800 10800<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">I sometimes get loops with the following
messages : <o:p></o:p></p>
<p class="MsoNormal">storage.mydomain.com.
300 IN NS ns1.mydomain.com<o:p></o:p></p>
<p class="MsoNormal">storage.mydomain.com.
300 IN NS ns2.mydomain.com<o:p></o:p></p>
<p class="MsoNormal">;; BAD (HORIZONTAL) REFERRAL<o:p></o:p></p>
<p class="MsoNormal">;; Received 117 bytes from xx in 6 ms <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> Any advice on how to get this done ?<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"> Thanks in advance !<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"> Thomas<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:navy;mso-fareast-language:EN-CA">___________________________________________<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-CA">Thomas
Garsiot<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA">Architecture Réseau/Network Architecture,
GISSC, CGI Inc.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:EN-CA"
lang="FR-CA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:Wingdings;color:navy;mso-fareast-language:EN-CA"
lang="FR-CA">(</span><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA">
</span><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA">(514) 415-3000 #1015293 (SVP ne pas laisser de
messages vocaux/ please do not use voice mail)</span><span
style="font-size:9.0pt;font-family:"Centaur","serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA"><br>
</span><b><span
style="font-size:10.0pt;font-family:Webdings;color:navy;mso-fareast-language:EN-CA">Ê</span></b><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-CA">
</span><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA">(514) 415-3965</span><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:EN-CA"
lang="FR-CA"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:EN-CA"
lang="FR-CA"> <o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:Webdings;color:green;mso-fareast-language:EN-CA;layout-grid-mode:line"
lang="FR">P</span></b><b><span
style="font-size:17.0pt;font-family:Webdings;color:green;mso-fareast-language:EN-CA;layout-grid-mode:line"
lang="FR">
</span></b><span
style="font-size:8.0pt;font-family:"Palatino
Linotype","serif";color:green;mso-fareast-language:EN-CA"
lang="FR">Avant d'imprimer, pensez à l'environnement</span><span
style="font-size:7.0pt;font-family:"Palatino
Linotype","serif";color:green;mso-fareast-language:EN-CA"
lang="FR">...</span><span
style="font-size:9.0pt;font-family:"Palatino
Linotype","serif";color:navy;mso-fareast-language:EN-CA"
lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA"><br>
</span><span style="font-size:10.0pt;font-family:"Times
New
Roman","serif";color:#8080C0;mso-fareast-language:EN-CA"
lang="FR-CA">Avis de confidentialité : ce message peut
contenir des renseignements confidentiels appartenant
exclusivement au Groupe CGI Inc. ou à ses filiales. Si vous
n’êtes pas le destinataire indiqué ou prévu dans ce message
(ou responsable de livrer ce message à la personne indiquée
ou prévue) ou si vous pensez que ce message vous a été
adressé par erreur, vous ne pouvez pas utiliser ou
reproduire ce message, ni le livrer à quelqu’un d’autre.
Dans ce cas, vous devez le détruire et vous êtes prié
d’avertir l’expéditeur en répondant au courriel.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:navy;mso-fareast-language:EN-CA"
lang="FR-CA"> ___________________________________________<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";color:navy;mso-fareast-language:EN-CA"> <o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></pre>
</blockquote>
<br>
</body>
</html>