Re: Internal vs. External DNS/Domain Separation Question - DNS
Justin Piszcz wrote:
> I have two domains:
> 1) internal (call it .int)
> 2) external (my domain)
> I use bind9 for internal forward/reverse dns and for the external, forward
> dns only.
> When my mail server does dns lookups it looks up not only the domain in
> question, in this example, RBL checks, but it also appends my
> internal domain (tries to lookup the address within the scope of my
> 14-Sep-2008 05:31:18.745 client 192.168.0.1#52380: query: 220.127.116.11.vote.drbl.balakovo.ru IN A +
> 14-Sep-2008 05:31:18.746 client 192.168.0.1#42269: query: 18.104.22.168.vote.drbl.be.net.ru IN A +
> 14-Sep-2008 05:31:18.747 client 192.168.0.1#40672: query: 22.214.171.124.openlists.orbs.org.int IN A +
> 14-Sep-2008 05:31:18.748 client 192.168.0.1#46048: query: 126.96.36.199.dnsbl.sorbs.net.int IN A +
> So there are 2 lookups for every dns lookup (one for domainA and one for
> domainA.int). I have tried utilizing views but that did not seem to fix
> the problem. I have tried commenting out the "search int" in all clients &
> servers for /etc/resolv.conf, that did not solve the issue.
> Is this normal operation with bind or is there a way to separate this out
> properly with views, such that:
> 1. External DNS lookups only query the actual IP in question and they do
> not query my local internal domain name?
> 2. Also, I should be able to keep "search int" in /etc/resolv.conf and not
> have it try to perform external DNS lookups and append the .int?
named is not appending your domain to these queries, the app itself is.
Is your MTA by any chance "sendmail"? sendmail uses its own resolver
routines, so your /etc/resolv.conf settings may have no effect on its
resolution behavior. Check out sendmail's "ResolverOptions" option;
setting "-DNSRCH" for that option should probably fix your problem (at
least, it turns off domain-searching for regular delivery lookups; I'm
not 100% sure it'll have any effect on RBL lookups).
If you're running some other MTA, hopefully it has a similar option.
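The symptom in the quoted query log (every RBL name queried twice, once bare and once with the search domain appended) is easy to confirm from the BIND query log itself. The following Python script is an added example, not code from the thread: it parses BIND 9 query-log lines and flags, per client, every name that is a fully-qualified external name plus the local search suffix where the same client also asked for the bare name. The log lines are constructed to resemble the excerpt above; the search domain defaults to "int" as in the question.

```python
import re

# One BIND 9 query-log line, in the format shown in the thread, e.g.:
#   14-Sep-2008 05:31:18.748 client 192.168.0.1#46048: query: 2.0.0.127.dnsbl.sorbs.net.int IN A +
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log modelled on the thread's excerpt (not the original output).
# 192.168.0.1 is the mail server doing RBL lookups; 192.168.0.7 is an ordinary client.
SAMPLE_LOG = """\
14-Sep-2008 05:31:18.745 client 192.168.0.1#52380: query: 2.0.0.127.dnsbl.sorbs.net IN A +
14-Sep-2008 05:31:18.746 client 192.168.0.1#42269: query: 2.0.0.127.dnsbl.sorbs.net.int IN A +
14-Sep-2008 05:31:18.747 client 192.168.0.1#40672: query: 2.0.0.127.openlists.orbs.org IN A +
14-Sep-2008 05:31:18.748 client 192.168.0.1#46048: query: 2.0.0.127.openlists.orbs.org.int IN A +
14-Sep-2008 05:31:19.001 client 192.168.0.7#51000: query: fileserver.int IN A +
14-Sep-2008 05:31:19.002 client 192.168.0.7#51001: query: mail.example.com IN MX +
"""


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every line that matches the query-log format."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def find_search_list_leaks(log_text, search_domain="int"):
    """Return {client: [qname, ...]} for queries produced by the resolver search list.

    A lookup of X.dnsbl.sorbs.net.int from a client that also looked up
    X.dnsbl.sorbs.net is the search list appending the local domain to an
    already fully-qualified external name. A single-label host such as
    fileserver.int is legitimate internal traffic and is not flagged.
    """
    suffix = "." + search_domain.strip(".").lower()
    queries = list(parse_queries(log_text))
    seen = {(client, qname) for client, qname, _ in queries}
    leaks = {}
    for client, qname, _ in queries:
        if not qname.endswith(suffix):
            continue
        base = qname[: -len(suffix)]
        # Flag only when the bare name is itself qualified (contains a dot)
        # and the same client queried it without the suffix.
        if "." in base and (client, base) in seen:
            leaks.setdefault(client, []).append(qname)
    return leaks


def leak_counts(log_text, search_domain="int"):
    """Per-client count of search-list-appended external lookups."""
    return {c: len(names) for c, names in find_search_list_leaks(log_text, search_domain).items()}
```

Run it against a real query log (enable query logging in BIND with `rndc querylog` or a `querylog yes;` option) to see which client is responsible; a mail server with a high count is the one whose resolver options need fixing.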