type forward with no recursive flag "rd -" --> Does it work?

Mark Andrews marka at isc.org
Wed Oct 29 19:51:04 UTC 2014


Firstly, people overthink DNS.  99.99% of the time there is no need
to have an internal zone at all.  Hiding internal hostnames and
addresses has almost no security benefit at all.

acl internal { .... };

view internal {
    match-clients { internal; };
    zone mycompany.se  {  ... };
    zone windns.mycompany.se  { type slave; masters { windows server };  ...};
};

view external {
    match-clients { any; };
    zone mycompany.se  { .... };
    zone windns.mycompany.se  { type master; file "windns.mycompany.se.db"; };
};

Where windns.mycompany.se.db consists of SOA and NS records which match
those of mycompany.se.  It is an empty zone.

@	SOA ...
@	NS ...
@	NS ...

Or you can even do it without views

acl internal { .... };
zone mycompany.se  { .... };
zone windns.mycompany.se  {
    type slave;
    masters { windows server };
    file "windns.mycompany.se.bk";
    allow-query { internal; };
    allow-transfer { internal; };
}; 

In message <C84E9BC18F8D074983FE0DCB8525DB2B331578F6 at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
>
> Thanks Mark for rapid response,
> To have a working solution for both clients and resolvers with "type
> forward" statement, you also have to delegate and declare NS on the same
> tree level?
>
> Problem:
> I take advantage of split-DNS, having views "internal" and "external". Our
> zone "windns.mycompany.se" is strictly an internal matter, and only
> appears in view "internal". Zone mycompany.se is in the view "external";
> I don't like populating NS records to my internal zone
> "windns.mycompany.se"!
>
> I don't know if there is an internal client or an internal resolver asking my
> DNS questions; I can only see if the RD bit is set or not and if the
> query is from "my trusted network" (view "internal").
>
> Regards
> Fredrik
>
> On 10/27/2014 09:21 PM, Mark Andrews wrote:
>
>
> Just delegate windns.mycompany.se.  Add something like this to
> mycompany.se.
>
>         windns.mycompany.se NS nameserver
>         windns.mycompany.se NS nameserver
>
> As to the answer to your question, no.   Forward zones redirect
> recursive queries from the nameserver.
>
> Mark
>
> In message <C84E9BC18F8D074983FE0DCB8525DB2B331522BC at COLUMBA02.user.uu.se>, Fredrik Lysén writes:
>
>
> Hi,
> When having one zone "windns.mycompany.se" hosted and handled by an
> other nameserver (Windows AD) declared as:
> zone "windns.mycompany.se" {
>         type forward;
>         forward only;
>         forwarders {10.0.0.1; 10.0.0.2;};
> };
>
> Rest of the zones exist on our primary BIND dns caching nameserver.
>
> A client looking for "windns.mycompany.se" will get an answer because the
> recursion desired flag rd (+) is set and the query will be resolved via the
> forwarders.
> When a resolver is looking for the same information, the resolver will send
> rd (-), and the resolver will never get information regarding the
> zone "windns.mycompany.se".
>
> Question:
> Shouldn't "asking the forwarders" be prioritized before the "recursive
> rd (-)" flag is taken into consideration? Otherwise I can't see how a
> resolver will ever find information in the forward zone
> "windns.mycompany.se".
>
> Cheers
> Fredrik Lysén
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
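The thread turns on whether a query arrives with the RD bit set (a stub client) or cleared (an iterating resolver), and on what the server hands back for a forwarded zone versus a delegated or slaved one. The following is an added example, not code from the thread or from ISC: a small standard-library Python tool that builds a DNS query with RD set or cleared, decodes the response header flags (QR, AA, RD, RA, RCODE, section counts), and classifies the reply as an authoritative answer, a referral, a non-authoritative (forwarded or cached) answer, a refusal, or no data. The `probe()` helper sends the query over UDP to a server you name; the server address, the 0x1234 transaction id and the constructed sample responses below are all assumptions for illustration.

```python
"""Added example (not from the bind-workers thread): build rd(+)/rd(-) DNS
queries and decode response headers to see how a server treats a zone."""
import os
import socket
import struct

# DNS header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6}


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", rd=True, txid=0x1234):
    """Return a wire-format query; rd=False mimics an iterating resolver."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(msg):
    """Decode the 12-byte header of a DNS message into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr):
    """Describe a response header from the querier's point of view."""
    if hdr["rcode"] == "REFUSED":
        return "refused"
    if hdr["aa"] and hdr["rcode"] == "NOERROR" and hdr["ancount"]:
        return "authoritative answer"
    if not hdr["aa"] and hdr["rcode"] == "NOERROR" and hdr["nscount"] and not hdr["ancount"]:
        return "referral"
    if not hdr["aa"] and hdr["ancount"]:
        return "non-authoritative answer (forwarded or cached)"
    return "no data"


def probe(server, name, qtype="SOA", rd=False, timeout=2.0):
    """Send one UDP query to server:53 and return the decoded header.
    Network call; not exercised by the offline samples below."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_query(name, qtype, rd, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("response id/QR mismatch")
    return hdr


# Constructed sample response headers (id 0x1234, one question each).
SAMPLE_RESPONSES = {
    "slaved zone, rd(-)": struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 2, 0),
    "delegated name, rd(-)": struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 2, 2),
    "forwarded, rd(+)": struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0),
    "outside view, rd(-)": struct.pack("!HHHHHH", 0x1234, QR | 5, 1, 0, 0, 0),
}


def summarise_samples():
    """Classify each constructed sample; returns {label: classification}."""
    return {label: classify(parse_header(raw)) for label, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for label, verdict in summarise_samples().items():
        print("%-24s -> %s" % (label, verdict))
    # To test a real server (placeholder address), e.g.:
    # print(classify(probe("192.0.2.53", "windns.mycompany.se", "SOA", rd=False)))
```

Running `probe()` twice against your own server, once with `rd=True` and once with `rd=False`, shows directly whether a name under a `type forward` zone is answered only when recursion is requested, and whether a delegated or slaved zone yields a referral or an authoritative answer either way.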

