type forward with no recursive flag "rd -" --> Does it work?
Mark Andrews
marka at isc.org
Wed Oct 29 19:51:04 UTC 2014
Firstly, people overthink DNS. 99.99% of the time there is no need
to have an internal zone at all. Hiding internal hostnames and
addresses has almost no security benefit at all.
acl internal { .... };
view internal {
    match-clients { internal; };
    zone mycompany.se { ... };
    zone windns.mycompany.se { type slave; masters { windows server }; ...};
};
view external {
    match-clients { any; };
    zone mycompany.se { .... };
    zone windns.mycompany.se { type master; file "windns.mycompany.se.db"; };
};
Where windns.mycompany.se.db consists of SOA and NS records which match
those of mycompany.se. It is an empty zone.
    @ SOA ...
    @ NS ...
    @ NS ...
Or you can even do it without views:
acl internal { .... };
zone mycompany.se { .... };
zone windns.mycompany.se {
    type slave;
    masters { windows server };
    file "windns.mycompany.se.bk";
    allow-query { internal; };
    allow-transfer { internal; };
};
In message <C84E9BC18F8D074983FE0DCB8525DB2B331578F6 at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
>
> Thanks Mark for the rapid response,
> To have a working solution for both clients and resolvers with "type
> forward" statement, you also have to delegate and declare NS on the same
> tree level?
>
> Problem:
> I take advantage of split-DNS, having views "internal" and "external". Our
> zone "windns.mycompany.se" is strictly an internal matter, and only
> appears in view "internal". Zone mycompany.se is in the view "external".
> I don't like populating NS records to my internal zone
> "windns.mycompany.se"!
>
> I don't know if there is an internal client or internal resolver asking my
> DNS questions; I can only see if the RD bit is set or not and if the
> query is from "my trusted network" (view "internal").
>
> Regards
> Fredrik
>
> On 10/27/2014 09:21 PM, Mark Andrews wrote:
>
>
> Just delegate windns.mycompany.se. Add something like this to
> mycompany.se.
>
> windns.mycompany.se NS nameserver
> windns.mycompany.se NS nameserver
>
> As to the answer to your question, no. Forward zones redirect
> recursive queries from the nameserver.
>
> Mark
>
> In message <C84E9BC18F8D074983FE0DCB8525DB2B331522BC at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
>
>
> Hi,
> When having one zone "windns.mycompany.se" hosted and handled by
> another nameserver (Windows AD) declared as:
> zone "windns.mycompany.se" {
>     type forward;
>     forward only;
>     forwarders { 10.0.0.1; 10.0.0.2; };
> };
>
> The rest of the zones exist on our primary BIND DNS caching nameserver.
>
> A client looking for "windns.mycompany.se" will get an answer because the
> recursive flag rd (+) is set and the query will be resolved via the
> forwarders.
> When a resolver is looking for the same information, the resolver will send
> recursive rd (-), and the resolver will never get information regarding
> zone "windns.mycompany.se".
>
> Question:
> Shouldn't "asking the forwarders" be prioritized before the "recursive
> rd (-)" flag is taken into consideration? Otherwise I can't see how a
> resolver will ever find information in the forward zone
> "windns.mycompany.se".
>
> Cheers
> Fredrik Lysén
>
> _______________________________________________
> bind-workers mailing list
> bind-workers at lists.isc.org<mailto:bind-workers at lists.isc.org>
> https://lists.isc.org/mailman/listinfo/bind-workers
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
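The point of the thread is that a "type forward" zone is only consulted for queries that ask for recursion (RD bit set), so another resolver sending rd (-) never reaches the forwarders, and the fix is to delegate windns.mycompany.se from the parent zone. The following Python script is an added example, not code from this thread or from BIND: it builds DNS queries with and without the RD bit, parses the header, and runs them through a deliberately simplified model of that rule. The zone names and forwarder addresses are the ones from the thread; the nameserver names ns1/ns2.windns.mycompany.se and the two zone tables are constructed placeholders, and the decision logic is a teaching model of the rule Mark states, not BIND's actual resolution algorithm.

```python
import struct

RD_BIT = 0x0100  # Recursion Desired (RD) flag in the 16-bit DNS header flags word


def encode_name(name):
    """Encode a dotted name in DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset=12):
    """Decode the uncompressed question name that follows the 12-byte header."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def build_query(qname, rd=True, qtype=1, txid=0x1234):
    """Build a one-question query; rd=True is what dig shows as 'rd (+)'."""
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def parse_header(packet):
    """Return the fields of the header a server looks at before choosing a path."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "rd": bool(flags & RD_BIT), "qdcount": qdcount}


# Constructed zone tables (placeholders, not real infrastructure). The first is
# the original setup from the question; the second adds the delegation Mark suggests.
FORWARDERS = ["10.0.0.1", "10.0.0.2"]
ZONES_NO_DELEGATION = {
    "mycompany.se": {"type": "master", "delegations": {}},
    "windns.mycompany.se": {"type": "forward", "forwarders": FORWARDERS},
}
ZONES_WITH_DELEGATION = {
    "mycompany.se": {"type": "master", "delegations": {
        "windns.mycompany.se": ["ns1.windns.mycompany.se", "ns2.windns.mycompany.se"]}},
    "windns.mycompany.se": {"type": "forward", "forwarders": FORWARDERS},
}


def closest_zone(qname, zones):
    """Longest-suffix match: the configured zone that is qname or an ancestor of it."""
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def handle_query(packet, zones):
    """Simplified model: forwarding applies only when RD is set; an RD=0 query is
    answered from the authoritative zones the server holds, so it only learns
    about windns.mycompany.se if the parent zone carries a delegation."""
    header = parse_header(packet)
    qname = decode_name(packet)
    zone = closest_zone(qname, zones)
    if zone is None:
        return ("refused", None)
    cfg = zones[zone]
    if cfg["type"] == "forward":
        if header["rd"]:
            return ("forwarded", cfg["forwarders"])
        # rd (-): the forward zone is skipped; fall back to authoritative data only.
        authoritative = {z: c for z, c in zones.items() if c["type"] != "forward"}
        zone = closest_zone(qname, authoritative)
        if zone is None:
            return ("refused", None)
        cfg = authoritative[zone]
    for delegated, nameservers in cfg.get("delegations", {}).items():
        if qname == delegated or qname.endswith("." + delegated):
            return ("referral", nameservers)  # the resolver can now chase the NS records
    return ("authoritative-only", zone)  # answered purely from this zone's own data


if __name__ == "__main__":
    for rd in (True, False):
        for label, zones in (("no delegation", ZONES_NO_DELEGATION),
                             ("with delegation", ZONES_WITH_DELEGATION)):
            q = build_query("host.windns.mycompany.se", rd=rd)
            print(f"rd={'+' if rd else '-'} {label:15s} -> {handle_query(q, zones)}")
```

Running it shows the asymmetry from the question: with RD set the query is forwarded in both setups, but with RD clear only the delegated setup yields a referral; without the delegation the rd (-) query is answered from mycompany.se data alone, which is why the other resolver "never gets information" about windns.mycompany.se.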