<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi</p>
<p><br>
</p>
<p>To clarify a bit.</p>
<p>The server that runs ns1 has named listening on two addresses.</p>
<p><br>
</p>
<p>One is an external facing address providing resolution to the queries coming from the internet.
<br>
</p>
<p>Let's call this ns.org.domain.name.au.</p>
<p>The other one is internal facing, and is what ns1 is pointing to.<br>
</p>
<p>There are certain zones that ns.org.domain.name.au is hosting authoritatively to the internet.<br>
</p>
<p><br>
</p>
<p>For example, we have ns.org.domain.name.au as authoritative for application.org.domain.name.au on the internet.
<br>
</p>
<p><br>
</p>
<p>I have confirmed that ns1 has recursion enabled for all IP ranges within the organization.
<br>
</p>
<p>I have also now added the below options to the named.conf on dns1 as well.</p>
<p><br>
</p>
<p></p>
<div> recursion yes;<br>
 allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };<br>
 allow-recursion-on { any; };</div>
<p></p>
<p><br>
</p>
<p>After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from dns1. However, it can resolve them if I run a "dig +trace sharepoint.com" or "dig +trace microsoft.com".</p>
<p><br>
</p>
<p>On the internal clients talking to dns1, I get an NXDOMAIN response.<br>
</p>
<p><br>
</p>
<p>--Anup<br>
</p>
<p><br>
</p>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> anup albal &lt;anupalbal@hotmail.com&gt;<br>
<b>Sent:</b> Thursday, 18 August 2016 10:04 AM<br>
<b>To:</b> BIND Users<br>
<b>Subject:</b> Re: Selective forwarding from an internal only name server</font>
<div> </div>
</div>
<div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi Kevin</p>
<p><br>
</p>
<p>Does that mean I setup another forwarding zone called microsoft.com or sharepoint.microsoft.com or both?</p>
<p><br>
</p>
<p>And then do i need to add NS record entries similar to sharepoint.com in the fake root file?<br>
</p>
<p><br>
</p>
<div id="Signature">
<div>
<div><strong></strong>Regards<br>
Anup<br>
</div>
</div>
</div>
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> anup albal &lt;anupalbal@hotmail.com&gt;<br>
<b>Sent:</b> Thursday, 18 August 2016 9:47 AM<br>
<b>To:</b> Chris Buxton<br>
<b>Cc:</b> BIND Users<br>
<b>Subject:</b> Re: Selective forwarding from an internal only name server</font>
<div> </div>
</div>
<div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi Chris</p>
<p><br>
</p>
<p>Below is without "+trace" option. Also there is a firewall between internal (dns1) and external (ns1) name servers and</p>
<p>we have opened up TCP/UDP port 53 from dns1 to ns1. <br>
</p>
<p><br>
</p>
<p></p>
<div>; <<>> DiG 9.3.4-P1 <<>> sharepoint.com<br>
;; global options:  printcmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1<br>
<br>
;; QUESTION SECTION:<br>
;sharepoint.com.                        IN      A<br>
<br>
;; AUTHORITY SECTION:<br>
sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au<br>
<br>
;; ADDITIONAL SECTION:<br>
ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1<br>
<br>
;; Query time: 26 msec<br>
;; SERVER: ip.of.dns1#53(ip.of.dns1)<br>
;; WHEN: Thu Aug 18 09:38:09 2016<br>
;; MSG SIZE  rcvd: 84</div>
<br>
<p></p>
<p><br>
</p>
<div id="Signature">
<div>
<div><strong></strong>Regards <br>
Anup<br>
</div>
</div>
</div>
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Chris Buxton &lt;clists@buxtonfamily.us&gt;<br>
<b>Sent:</b> Thursday, 18 August 2016 2:26 AM<br>
<b>To:</b> anup albal<br>
<b>Cc:</b> BIND Users<br>
<b>Subject:</b> Re: Selective forwarding from an internal only name server</font>
<div> </div>
</div>
<div>Try it without "+trace".
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Chris</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 17, 2016, at 2:59 AM, anup albal <<a href="mailto:anupalbal@hotmail.com" class="">anupalbal@hotmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div id="divtagdefaultwrapper" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="">Hi<br class="">
<br class="">
First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.<br class="">
<br class="">
We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients.<br class="">
We are running 9.6-ESV-R11-P2 for this.<br class="">
<br class="">
And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.<br class="">
<br class="">
Now we have a requirement to have certain domains (e.g.<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a>) resolved on clients being served by dns1.<span class="Apple-converted-space"> </span><br class="">
<br class="">
On dns1 I have setup a forward only zone called '<a href="http://sharepoint.com/" class="">sharepoint.com</a>' with ns1 set as the forwarder.<br class="">
And on the fake root zone file, I have added an entry for sharepoint like below<br class="">
<a href="http://sharepoint.com/" class="">sharepoint.com</a>.          NS    <span class="Apple-converted-space"> </span><a href="http://ns1.org.domain.name.au/" class="">ns1.org.domain.name.au</a>.<br class="">
<br class="">
When I run a dig +trace<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a><span class="Apple-converted-space"> </span>from dns1 I can resolve<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a><span class="Apple-converted-space"> </span><br class="">
But when I run it from an internal client it gets a Non-authoritative: No answer<span class="Apple-converted-space"> </span><br class="">
<br class="">
Below are my snippets of my named.conf on dns1 (internal)<br class="">
<br class="">
options {<br class="">
        directory "/var/dns";<br class="">
        forwarders { ip.of.ns1; };<br class="">
        listen-on  { ip.of.dns1; 127.0.0.1; };<br class="">
        query-source address ip.of.dns1;<br class="">
        notify-source ip.of.dns1;<br class="">
        transfer-source ip.of.dns1;<br class="">
        allow-transfer { xxx.xxx/16; };<span class="Apple-converted-space"> </span><br class="">
        transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)<br class="">
<br class="">
};<br class="">
<br class="">
<.....><br class="">
zone "." in {<br class="">
        type master;<br class="">
        file "fake/root";<br class="">
};<br class="">
<br class="">
zone "." in {<br class="">
        type hint;<br class="">
        file "/var/dns/fake/named.root";<br class="">
};<br class="">
zone "<a href="http://sharepoint.com/" class="">sharepoint.com</a>." in {<br class="">
        type forward;<br class="">
        forward only;<br class="">
        forwarders {ip.of.ns1;};<br class="">
};<br class="">
<br class="">
The file fake/root has entries like below (ip and domain names changed for security)<br class="">
<br class="">
$TTL 86400<br class="">
; NOTE:  TTL based on from Bind8 SOA record<br class="">
;<br class="">
; This file contains *fake* DNS Resource Records for the root domain (.)<br class="">
;<br class="">
<br class="">
.       IN      SOA    <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.        xxx.dns1.<a href="http://org.domain.name.au/" class="">org.domain.name.au</a>.  (<br class="">
                                     2016081608      ; serial<br class="">
                                     10800   ; refresh<br class="">
                                     3600    ; retry<br class="">
                                     3600000 ; expire<br class="">
                                     86400 ) ; minimum<br class="">
<br class="">
.                       NS     <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.<br class="">
;.                      NS     <span class="Apple-converted-space"> </span><a href="http://dns2.org.domain.name.au/" class="">dns2.org.domain.name.au</a>.<br class="">
<br class="">
<a href="http://com.au/" class="">com.au</a>.                 NS     <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.<br class="">
<a href="http://sharepoint.com/" class="">sharepoint.com</a>.         NS     <span class="Apple-converted-space"> </span><a href="http://ns1.org.domain.name.au/" class="">ns1.org.domain.name.au</a>.<br class="">
<a href="http://difforg.diffdomain.au/" class="">difforg.diffdomain.au</a>.             NS     <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.<br class="">
<br class="">
0.0.127.in-addr.arpa.   NS     <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.<br class="">
<br class="">
xxx.xxx.in-addr.arpa.   NS     <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.<br class="">
<br class="">
localhost.              A       127.0.0.1<br class="">
<br class="">
; Glue<br class="">
<a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>. A      ip.of.dns1<br class="">
<a href="http://ns1.org.domain.name.au/" class="">ns1.org.domain.name.au</a>.  A      ip.of.ns1<br class="">
;<a href="http://dns2.org.domain.name.au/" class="">dns2.org.domain.name.au</a>. A      xxx.xxx.xxx.xxx<br class="">
<br class="">
The root hints file (named.root) has below<span class="Apple-converted-space"> </span><br class="">
<br class="">
.       3600    IN NS  <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a><br class="">
dns1    3600        A   ip.of.dns1<br class="">
<br class="">
<br class="">
nslookup on a client returns this<br class="">
nslookup<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a><br class="">
Server:         ip.of.dns1<br class="">
Address:        ip.of.dns1#53<br class="">
<br class="">
Non-authoritative answer:<br class="">
*** Can't find<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a>: No answer<br class="">
<br class="">
And running dig on a client returns this<br class="">
 dig +trace<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a><br class="">
<br class="">
; <<>> DiG 9.3.4-P1 <<>> +trace<span class="Apple-converted-space"> </span><a href="http://sharepoint.com/" class="">sharepoint.com</a><br class="">
;; global options:  printcmd<br class="">
.                       86400   IN      NS     <span class="Apple-converted-space"> </span><a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>.<br class="">
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms<br class="">
<br class="">
<a href="http://sharepoint.com/" class="">sharepoint.com</a>.         86400   IN      NS     <span class="Apple-converted-space"> </span><a href="http://ns1.org.domain.name.au/" class="">ns1.org.domain.name.au</a>.<br class="">
;; Received 84 bytes from ip.of.dns1#53(<a href="http://dns1.org.domain.name.au/" class="">dns1.org.domain.name.au</a>) in 0 ms<br class="">
<br class="">
;; connection timed out; no servers could be reached<br class="">
</div>
<br class="">
<p class="" style="margin-top:0px; margin-bottom:0px"></p>
<div class="" style="margin-top:0px; margin-bottom:0px"><br class="">
Regards</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Anup<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
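<p>Added example, not code from the thread or from BIND: a small Python parser for the kind of <code>dig</code> output quoted in this thread. It classifies a response as an answer, a referral, NODATA or NXDOMAIN and reports whether the server set the RA (recursion available) flag, which is the distinction the "dig sharepoint.com" output above turns on. The first sample input is adapted from the posted output (the placeholders <code>ip.of.ns1</code> and <code>ip.of.dns1</code> are kept as posted); the second is a constructed example of a resolved answer with a documentation address. The function names <code>parse_dig</code>, <code>classify</code> and <code>diagnose</code> are this example's own.</p>

```python
"""Classify a dig response and report whether the server offered recursion (RA).
Added example for this thread; not code from the poster or from BIND."""
import re
from dataclasses import dataclass, field

# Constructed sample adapted from the dig output posted in the thread:
# flags "qr rd" (no "ra"), empty ANSWER, NS record in AUTHORITY.
SAMPLE_REFERRAL = """\
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.                        IN      A

;; AUTHORITY SECTION:
sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1
"""

# Constructed sample of a resolved answer: "ra" set and ANSWER > 0.
SAMPLE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sharepoint.com.                        IN      A

;; ANSWER SECTION:
sharepoint.com.         300     IN      A       192.0.2.10
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); (.*)$")
SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


@dataclass
class DigResponse:
    status: str = "UNKNOWN"
    flags: set = field(default_factory=set)
    counts: dict = field(default_factory=dict)
    sections: dict = field(default_factory=lambda: {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []})


def parse_dig(text):
    """Parse the header, flags and resource-record sections of dig output."""
    resp, current = DigResponse(), None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := HEADER_RE.match(line):
            resp.status = m.group(2)
        elif m := FLAGS_RE.match(line):
            resp.flags = set(m.group(1).split())
            for item in m.group(2).split(","):
                key, value = item.split(":")
                resp.counts[key.strip()] = int(value)
        elif m := SECTION_RE.match(line):
            current = m.group(1)
        elif not line:
            current = None            # a blank line ends the current section
        elif not line.startswith(";") and current in resp.sections:
            fields = line.split()     # name ttl class type rdata... (";name" question lines skipped)
            if len(fields) >= 5:
                resp.sections[current].append({"name": fields[0], "ttl": int(fields[1]),
                                               "class": fields[2], "type": fields[3],
                                               "rdata": " ".join(fields[4:])})
    return resp


def classify(resp):
    """Name the response shape the way a resolver operator reads it."""
    if resp.status == "NXDOMAIN":
        return "nxdomain"             # the server says the name does not exist
    if resp.status != "NOERROR":
        return resp.status.lower()
    if resp.sections["ANSWER"]:
        return "answer"               # the server resolved the name for us
    if any(rr["type"] == "NS" for rr in resp.sections["AUTHORITY"]):
        return "referral"             # a delegation was handed back instead of an answer
    return "nodata"                   # NOERROR with an empty answer (SOA in authority)


def diagnose(text):
    """Classify one dig output and flag the recursion-related symptom."""
    resp = parse_dig(text)
    kind = classify(resp)
    ra = "ra" in resp.flags           # RA flag: the server offers recursion to this client
    notes = []
    if kind == "referral" and not ra:
        notes.append("delegation returned and recursion not offered: check 'recursion' "
                     "and 'allow-recursion' for the client address")
    elif kind == "referral":
        notes.append("recursion offered but still referred: check the zone and forwarding "
                     "configuration for this name")
    return {"kind": kind, "status": resp.status, "recursion_available": ra,
            "delegated_to": [rr["rdata"] for rr in resp.sections["AUTHORITY"] if rr["type"] == "NS"],
            "notes": notes}
```

<p>Calling <code>diagnose(SAMPLE_REFERRAL)</code> reports a referral to ns1.org.domain.name.au with no RA flag: the server handed back the delegation recorded in the fake root file rather than resolving the name, and did not offer recursion to that client. A resolver whose <code>allow-recursion</code> is scoped to internal ranges (as in the options posted above) returns exactly this shape to any client outside the list, which is the same setting that keeps it from acting as an open resolver, so checking the RA flag from the client's address is the first thing to verify.</p>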
</body>
</html>