<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>Hi<br>
<br>
First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.<br>
<br>
We have an internal only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone "." This serves all internal clients.<br>
We are running 9.6-ESV-R11-P2 for this.<br>
<br>
And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.<br>
<br>
Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.
<br>
<br>
On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 set as the forwarder.<br>
And on the fake root zone file, I have added an entry for sharepoint like below<br>
sharepoint.com. NS ns1.org.domain.name.au.<br>
<br>
When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.<br>
But when I run it from an internal client it gets a Non-authoritative: No answer.<br>
<br>
Below are snippets of my named.conf on dns1 (internal)<br>
<br>
options {<br>
directory "/var/dns";<br>
forwarders { ip.of.ns1; };<br>
listen-on { ip.of.dns1; 127.0.0.1; };<br>
query-source address ip.of.dns1;<br>
notify-source ip.of.dns1;<br>
transfer-source ip.of.dns1;<br>
allow-transfer { xxx.xxx/16; }; <br>
transfer-format one-answer; // BIND9 (deal with Windows Server 2003)<br>
<br>
};<br>
<br>
<.....><br>
zone "." in {<br>
type master;<br>
file "fake/root";<br>
};<br>
<br>
zone "." in {<br>
type hint;<br>
file "/var/dns/fake/named.root";<br>
};<br>
zone "sharepoint.com." in {<br>
type forward;<br>
forward only;<br>
forwarders {ip.of.ns1;};<br>
};<br>
<br>
The file fake/root has entries like below (ip and domain names changed for security)<br>
<br>
$TTL 86400<br>
; NOTE: TTL based on from Bind8 SOA record<br>
;<br>
; This file contains *fake* DNS Resource Records for the root domain (.)<br>
;<br>
<br>
. IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (<br>
2016081608 ; serial<br>
10800 ; refresh<br>
3600 ; retry<br>
3600000 ; expire<br>
86400 ) ; minimum<br>
<br>
. NS dns1.org.domain.name.au.<br>
;. NS dns2.org.domain.name.au.<br>
<br>
com.au. NS dns1.org.domain.name.au.<br>
sharepoint.com. NS ns1.org.domain.name.au.<br>
difforg.diffdomain.au. NS dns1.org.domain.name.au.<br>
<br>
0.0.127.in-addr.arpa. NS dns1.org.domain.name.au.<br>
<br>
xxx.xxx.in-addr.arpa. NS dns1.org.domain.name.au.<br>
<br>
localhost. A 127.0.0.1<br>
<br>
; Glue<br>
dns1.org.domain.name.au. A ip.of.dns1<br>
ns1.org.domain.name.au. A ip.of.ns1<br>
;dns2.org.domain.name.au. A xxx.xxx.xxx.xxx<br>
<br>
The root hints file (named.root) has the entries below<br>
<br>
. 3600 IN NS dns1.org.domain.name.au<br>
dns1 3600 A ip.of.dns1<br>
<br>
<br>
nslookup on a client returns this<br>
nslookup sharepoint.com<br>
Server: ip.of.dns1<br>
Address: ip.of.dns1#53<br>
<br>
Non-authoritative answer:<br>
*** Can't find sharepoint.com: No answer<br>
<br>
And running dig on a client returns this<br>
dig +trace sharepoint.com<br>
<br>
; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com<br>
;; global options: printcmd<br>
. 86400 IN NS dns1.org.domain.name.au.<br>
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms<br>
<br>
sharepoint.com. 86400 IN NS ns1.org.domain.name.au.<br>
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms<br>
<br>
;; connection timed out; no servers could be reached<br>
</div>
<br>
<p><br>
Regards</p>
<p>Anup<br>
</p>
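<p>As an added check that is not part of the original post: the Python script below parses a fake root zone in the layout shown above and lists every delegation whose nameserver has no glue A record in the zone (in a fake root all nameserver names are in-bailiwick, so a missing glue record leaves clients with a name they can never resolve). The embedded zone text is constructed from the post, with RFC 5737 placeholder addresses standing in for ip.of.dns1 and ip.of.ns1.</p>

```python
# Constructed sample mirroring the fake root zone in the post; 192.0.2.x are
# documentation placeholders for ip.of.dns1 / ip.of.ns1 (not real addresses).
SAMPLE_ZONE = """\
$TTL 86400
; fake root zone (.)
.  IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
        2016081608 ; serial
        10800      ; refresh
        3600       ; retry
        3600000    ; expire
        86400 )    ; minimum
.                        NS dns1.org.domain.name.au.
com.au.                  NS dns1.org.domain.name.au.
sharepoint.com.          NS ns1.org.domain.name.au.
0.0.127.in-addr.arpa.    NS dns1.org.domain.name.au.
localhost.               A  127.0.0.1
; Glue
dns1.org.domain.name.au. A  192.0.2.1
ns1.org.domain.name.au.  A  192.0.2.2
"""

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_tokens) from a master-file subset:
    ';' comments, $ directives, parenthesised multi-line rdata, optional
    TTL and class fields, and owner inheritance for indented lines."""
    pending, depth, owner = [], 0, None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        pending.append(line)
        if depth > 0:                              # still inside ( ... )
            continue
        text, pending = " ".join(pending), []
        if text.lstrip().startswith("$"):          # $TTL, $ORIGIN, ...
            continue
        tokens = text.replace("(", " ").replace(")", " ").split()
        if not text[0].isspace():                  # explicit owner name
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                          # skip TTL / class
        yield owner, tokens[0].upper(), tokens[1:]

def missing_glue(zone_text):
    """Return sorted (delegated_name, nameserver) pairs whose nameserver
    has no A/AAAA record in this zone, i.e. delegations without glue."""
    records = list(parse_records(zone_text))
    glued = {o.lower() for o, t, _ in records if t in ("A", "AAAA")}
    return sorted((o, r[0]) for o, t, r in records
                  if t == "NS" and r[0].lower() not in glued)

if __name__ == "__main__":
    print(missing_glue(SAMPLE_ZONE))  # [] : every delegation above has glue
```

Feeding the script a zone where the dns2 NS line is enabled but its glue A record stays commented out, as in the post, reports that delegation as unresolvable.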
</div>
</body>
</html>