<div dir="ltr">Hi Mike.<div>What version of BIND are you running?</div><div><br><div>Firstly, please clarify your question and example configuration.</div><div>You talk about "<a href="http://example.com">example.com</a>" and subdomains of "<a href="http://exmaple.com">exmaple.com</a>", but your config shows "<a href="http://example.net">example.net</a>". It's not easy to understand exactly what you're trying to achieve a) when your problem statement is confused and b) when you give made up names rather than the real names you actually want to use.</div><div><br></div><div>Secondly, "forward first" (the default) will forward if it can (i.e. try that first). If it works, all good, no recursion. If it tries to forward and fails, then it will recurse. I would recommend you add "forward only" for consistent behaviour. Then it either works, or it doesn't and you can fix that.</div><div><br></div><div>Lastly, root hints haven't been necessary for a very long time as they are now built in (unless you are running a VERY old version).</div></div><div><br></div><div>I hope that helps.</div><div>Greg</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 8 Dec 2024 at 23:31, Mike via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Folks,<br>
<br>
I have a domain "<a href="http://exmaple.com" rel="noreferrer" target="_blank">exmaple.com</a>" and two subdomains, tied to two subnets<br>
behind an ADSL line. Let's say <a href="http://dmz.exmaple.com" rel="noreferrer" target="_blank">dmz.exmaple.com</a> and<br>
<a href="http://internal.exmaple.com" rel="noreferrer" target="_blank">internal.exmaple.com</a>. Let's say the DMZ is <a href="http://10.0.1.0/24" rel="noreferrer" target="_blank">10.0.1.0/24</a> and for a laugh,<br>
let's imagine it's routable via the Interwebs. Let's say the internal<br>
zone is 10<br>
.0.2.0/24 and it not Internet routable.<br>
<br>
Let's say that .com has NS recording point <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> to 10.0.1.10 and<br>
10.0.1.11. Those are bind servers hosting zones for <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> and<br>
<a href="http://dmz.exmaple.com" rel="noreferrer" target="_blank">dmz.exmaple.com</a>.<br>
<br>
There are two BIND servers in the internal zone, 10.0.1.10 and<br>
10.0.1.11, which have a root hint zone, a master/slave zone for<br>
<a href="http://internal.exmaple.com" rel="noreferrer" target="_blank">internal.exmaple.com</a> and a forward zone for <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>, forwarding to<br>
10.0.1.10 and 10.0.1.11.<br>
<br>
zone "." {<br>
type hint;<br>
file "/etc/bind/db.root";<br>
};<br>
<br>
zone "<a href="http://example.net" rel="noreferrer" target="_blank">example.net</a>" {<br>
type forward;<br>
forwarders {<br>
10.0.1.10;<br>
10.0.1.11;<br>
};<br>
};<br>
<br>
zone "<a href="http://internal.exmaple.com" rel="noreferrer" target="_blank">internal.exmaple.com</a>" {<br>
type master;<br>
file "/etc/bind/<a href="http://db.internal.exmaple.com" rel="noreferrer" target="_blank">db.internal.exmaple.com</a>";<br>
};<br>
<br>
This works fine, except that it turns out that when looking up names in<br>
<a href="http://dmz.exmaple.com" rel="noreferrer" target="_blank">dmz.exmaple.com</a> or <a href="http://exmaple.com" rel="noreferrer" target="_blank">exmaple.com</a> from <a href="http://10.0.2.0/24" rel="noreferrer" target="_blank">10.0.2.0/24</a> via 10.0.2.10 or<br>
10.0.2.11, it's not forwarding to <a href="http://10.0.1.10/11" rel="noreferrer" target="_blank">10.0.1.10/11</a> but insteading going via<br>
the root and working down. Generally this isn't an issue, except m<br>
aybe being a trifle inefficient but it does cause the annyoing<br>
side-effect that if the ADSL line goes down and the root and .com DNS<br>
servers cannot be reached, then <a href="http://exmaple.com" rel="noreferrer" target="_blank">exmaple.com</a> and <a href="http://dmz.example.com" rel="noreferrer" target="_blank">dmz.example.com</a> become<br>
unreachable from <a href="http://10.0.2.0/24" rel="noreferrer" target="_blank">10.0.2.0/24</a>.<br>
<br>
I've read some posts that suggest adding forward-only to force the zone<br>
to only forward and not use root hints. I also understand that the<br>
default behaviour is the same as forward-first, which will contact the<br>
forwarers first and then contact the root servers if the forward<br>
fails. That doesn't appear to be what is happening and I'm trying to<br>
understand why.<br>
<br>
I think I've also seen it suggested that zone <a href="http://exmaple.com" rel="noreferrer" target="_blank">exmaple.com</a> should be a<br>
master zone with two NS servers defined, 10.0.1.10 and 10.0.1.11. That<br>
seems to suggest type forward serves no purpous?<br>
<br>
In summary: I'm trying to get 10.0.2.10 and 10.0.2.11 to serve<br>
<a href="http://internal.exmaple.com" rel="noreferrer" target="_blank">internal.exmaple.com</a> from their own database (which they are),<br>
<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> records from 10.0.1.10 and 10.0.1.11 (which they are not)<br>
and everything else from the interwebs (which they are).<br>
<br>
Most significantly though, I'm not just trying to resolve the issue but<br>
actually fix my understanding of BIND and learn where I am going wrong<br>
here.<br>
<br>
Kind regards,<br>
Mike.<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>