BIND & forwarding zone / proxy - HOW??? - DNS




  1. BIND & forwarding zone / proxy - HOW???

    Hi,

    I've the following problem:

    I have a machine on IP x.x.x.x with bind 9.3 which is authoritative
    master for a number of domains. There is a private network behind
    x.x.x.x using 10.1.1.0/24

    Now I want to delegate a globally visible subdomain "sub.domain.com" to
    another machine on the private network, e.g. 10.1.1.1 - more
    specifically, I want all queries for sub.domain.com to be answered by
    bind on 10.1.1.1 (and I would even like to use a port other than 53
    there, e.g. 5353).

    It is clear that I cannot do a delegation like the following in the
    global DNS for domain.com:

    "sub IN NS 10.1.1.1"

    thus I tried the following:

    global delegation in domain.com:

    "sub IN NS x.x.x.x"

    added in the config of BIND on x.x.x.x:

    zone "sub.domain.com" in {
        type forward;
        forward only;
        forwarders { 10.1.1.1 port 5353; };
    };

    But: THIS DOES NOT WORK :-(

    More precisely:

    - if I type (from any outside IP on the internet, or from local IP or
    x.x.x.x):

    "host test.sub.domain.com x.x.x.x"

    it works as intended - the bind on x.x.x.x gets the query and generates
    a query to 10.1.1.1 on port 5353!

    - but if I type (from any outside IP on the internet), that is, use the
    available local DNS server to resolve it:

    "host test.sub.domain.com"

    I see that the query (from that IP's local DNS resolver) arrives at
    x.x.x.x (tcpdump), but bind on x.x.x.x IMMEDIATELY responds with
    ServFail WITHOUT even generating a query to 10.1.1.1 !!!!!

    I really don't understand why this is. I even tried opening all ACLs
    etc. - it did not help! It really seems that it works only if bind on
    x.x.x.x is asked directly by a client, but not if the client asks
    through its local DNS server?

    Can anyone explain that - and how to do it right?

    :-(



  2. Re: BIND & forwarding zone / proxy - HOW???

    In article ,
    "kurczaq" wrote:

    > Hi,
    >
    > I've the following problem:
    >
    > I have a machine on IP x.x.x.x with bind 9.3 which is authoritative
    > master for a number of domains. There is a private network behind
    > x.x.x.x using 10.1.1.0/24
    >
    > Now I want to delegate a globally visible subdomain "sub.domain.com" to
    > another machine on the private network, e.g. 10.1.1.1 - more
    > specifically I want that all queries for sub.domain.com are being
    > answered by bind on 10.1.1.1 (and I would even like to use a port
    > different than 53 there, e.g. 5353)
    >
    > It is clear that I can not do in the global DNS for domain.com a
    > delegation like:
    >
    > "sub IN NS 10.1.1.1"
    >
    > thus I tried the following:
    >
    > global delegation in domain.com:
    >
    > "sub IN NS x.x.x.x"
    >
    > added in the config of BIND on x.x.x.x:
    >
    > zone "sub.domain.com" in {
    > type forward;
    > forward only;
    > forwarders { 10.1.1.1 port 5353 ; };
    > };
    >
    > But: THIS DOES NOT WORK :-(

    .....
    > I see that the query (from IP's local DNS resolver) arrives at x.x.x.x
    > (tcpdump) but bind on x.x.x.x IMMEDIATELY responds with ServFail
    > WITHOUT even generating a query to 10.1.1.1 !!!!!


    Did you notice that the query didn't have the "Recursion Desired" flag
    set? Caching servers perform iterative queries, not recursive queries
    (except when they're following their own "forwarders" directives, which
    is not relevant to your case).

    You can't do what you want with forwarding; configure your server as a
    slave of the internal zone.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
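A named.conf pair for the slave setup Barry recommends, added here as an example and not taken from the thread or from either poster. The zone-file paths, the internal named listening on 5353 and the `x.x.x.x` placeholder are assumptions.

```conf
// ---- On 10.1.1.1 (internal master; paths are assumed) ----
options {
    // The internal named answers on 5353, as the poster wanted.
    listen-on port 5353 { 10.1.1.1; };
    // Zone transfers only to the public server, not to anyone who can reach 5353.
    allow-transfer { x.x.x.x; };
    // Push NOTIFY to the public slave so changes propagate promptly.
    notify explicit;
    also-notify { x.x.x.x; };
};

zone "sub.domain.com" IN {
    type master;
    file "master/sub.domain.com.db";   // assumed path
};

// ---- On x.x.x.x (public server, already authoritative for domain.com) ----
// A slave zone holds a full copy of the data, so it answers the iterative
// (RD=0) queries outside resolvers send with AA set. A forward zone only
// relays queries that ask for recursion (RD=1); the rest get SERVFAIL,
// which is what the thread observed.
zone "sub.domain.com" IN {
    type slave;
    file "slaves/sub.domain.com.db";   // assumed path; must be writable by named
    masters { 10.1.1.1 port 5353; };
    allow-transfer { none; };          // outsiders query it; nobody needs AXFR
};

// Note: the delegation in domain.com and the NS record at the apex of
// sub.domain.com must name a hostname that resolves to x.x.x.x, not the
// bare address; everything in the zone becomes publicly visible.
```

Check from outside with `dig @x.x.x.x test.sub.domain.com +norecurse`: the reply should carry the `aa` flag rather than SERVFAIL, which is exactly the query shape an outside resolver sends.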


