The domain, myDomain.org, is registered publicly on the Internet but we also
use it privately. The DNS records we publish to the Internet are entirely
different from our internal DNS and reside on separate servers. I am not
performing 'split horizon'. I don't allow the Internet to query my internal
DNS server. We have one or two records, like "www.myDomain.org", that use a
public address; the rest of the addresses are private.
I'll start with how my config files are laid out. I have three:
named.conf
named.conf.local
named.conf.options
/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders { 8.8.8.8; };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
version "not currently available";
allow-query { any; };
recursion yes;
};
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "myDomain.org" {
type forward;
forward only;
forwarders { 1.1.1.1; 2.2.2.2; };
};
Here are the commands I'm running and the corresponding output.
1. restart bind
2. flush cache
3. query localhost using the target's fqdn
4. query localhost for the NS records for the domain
5. query localhost using the target's fqdn a second time
1. restart bind
:/etc/bind# /etc/init.d/bind9 restart
* Stopping domain name service... bind9
[ OK ]
* Starting domain name service... bind9
[ OK ]
2. flush cache
root@lookup1b:/etc/bind# rndc flush
3. query localhost using the target's fqdn
root@lookup1b:/etc/bind# dig host-dc1.myDomain.org
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36091
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;host-dc1.myDomain.org. IN A
;; ANSWER SECTION:
host-dc1.myDomain.org. 2558 IN A 1.1.1.1
;; AUTHORITY SECTION:
. 511538 IN NS i.root-servers.net.
. 511538 IN NS e.root-servers.net.
. 511538 IN NS c.root-servers.net.
. 511538 IN NS k.root-servers.net.
. 511538 IN NS m.root-servers.net.
. 511538 IN NS a.root-servers.net.
. 511538 IN NS d.root-servers.net.
. 511538 IN NS f.root-servers.net.
. 511538 IN NS h.root-servers.net.
. 511538 IN NS g.root-servers.net.
. 511538 IN NS l.root-servers.net.
. 511538 IN NS b.root-servers.net.
. 511538 IN NS j.root-servers.net.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:03 2012
;; MSG SIZE rcvd: 267
4. query localhost for the NS records for the domain
root@lookup1b:/etc/bind# dig -t ns myDomain.org
; <<>> DiG 9.7.0-P1 <<>> -t ns myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32179
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8
;; QUESTION SECTION:
;myDomain.org. IN NS
;; ANSWER SECTION:
myDomain.org. 3600 IN NS host-dc4.myDomain.org.
myDomain.org. 3600 IN NS host-dc2.myDomain.org.
myDomain.org. 3600 IN NS host-dc2.subA.myDomain.org.
myDomain.org. 3600 IN NS host-dc1.subB.myDomain.org.
myDomain.org. 3600 IN NS host-dc1.myDomain.org.
myDomain.org. 3600 IN NS host-dc1.subA.myDomain.org.
myDomain.org. 3600 IN NS host-dc2.subB.myDomain.org.
myDomain.org. 3600 IN NS host-dc3.subB.myDomain.org.
;; ADDITIONAL SECTION:
host-dc1.myDomain.org. 2554 IN A 1.1.1.1
host-dc2.myDomain.org. 3594 IN A 2.2.2.2
host-dc4.myDomain.org. 3596 IN A 3.3.3.3
host-dc1.subA.myDomain.org. 3502 IN A 4.4.4.4
host-dc2.subA.myDomain.org. 3595 IN A 5.5.5.5
host-dc1.subB.myDomain.org. 3591 IN A 6.6.6.6
host-dc2.subB.myDomain.org. 2706 IN A 7.7.7.7
host-dc3.subB.myDomain.org. 327 IN A 8.8.8.8
;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:07 2012
;; MSG SIZE rcvd: 349
5. query localhost using the target's fqdn a second time
root@lookup1b:/etc/bind# dig host-dc1.myDomain.org
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 7
;; QUESTION SECTION:
;host-dc1.myDomain.org. IN A
;; ANSWER SECTION:
host-dc1.myDomain.org. 2549 IN A 1.1.1.1
;; AUTHORITY SECTION:
myDomain.org. 3595 IN NS host-dc2.subA.myDomain.org.
myDomain.org. 3595 IN NS host-dc1.myDomain.org.
myDomain.org. 3595 IN NS host-dc3.subB.myDomain.org.
myDomain.org. 3595 IN NS host-dc1.subA.myDomain.org.
myDomain.org. 3595 IN NS host-dc2.myDomain.org.
myDomain.org. 3595 IN NS host-dc1.subB.myDomain.org.
myDomain.org. 3595 IN NS host-dc4.myDomain.org.
myDomain.org. 3595 IN NS host-dc2.subB.myDomain.org.
;; ADDITIONAL SECTION:
host-dc2.myDomain.org. 3589 IN A 2.2.2.2
host-dc4.myDomain.org. 3591 IN A 3.3.3.3
host-dc1.subA.myDomain.org. 3497 IN A 4.4.4.4
host-dc2.subA.myDomain.org. 3590 IN A 5.5.5.5
host-dc1.subB.myDomain.org. 3586 IN A 6.6.6.6
host-dc2.subB.myDomain.org. 2701 IN A 7.7.7.7
host-dc3.subB.myDomain.org. 322 IN A 8.8.8.8
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 15:21:12 2012
;; MSG SIZE rcvd: 349
To answer your questions:
The Windows DNS servers should be authoritative for the Active Directory
domain. host-dc1.myDomain.org and host-dc2.myDomain.org are two of the NS
servers.
The zone "myDomain.org" is Active Directory integrated.
The Windows DNS servers' forwarding configuration is to use OpenDNS and, if that
fails, resort to the root hints.
The Forward Lookup Zones for "myDomain.org" contain 99% private addresses.
There are one or two external addresses, for www.myDomain.org, which are hosted
outside the private network.
Also, when I query host-dc1 directly, I get the following answer. I notice
there is no additional or authority section, but I don't know why.
dig host-dc1.myDomain.org @host-dc1.myDomain.org
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org @host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;host-dc1.myDomain.org. IN A
;; ANSWER SECTION:
host-dc1.myDomain.org. 3600 IN A 1.1.1.1
;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Feb 21 16:03:35 2012
;; MSG SIZE rcvd: 56
I don't understand why I get the root servers at step 3. Sometimes when I
perform these steps I will get the external DNS servers returned as the name
servers or in the authoritative section.
Thank you,
Mike
-----Original Message-----
From: Spain, Dr. Jeffry A. [mailto:[email protected]]
Sent: Tuesday, February 21, 2012 3:15 PM
To: Marseglia, Michael
Cc: [email protected]
Subject: RE: bind public/private domain question
> I'm looking for advice on an issue. I have a publicly registered domain
> which we also use internally. I have bind configured as a caching DNS
> server. Bind is configured to use four other Windows DNS servers as
> forwarders for the domain. Bind should be using the root servers for
> anything not configured to forward.
I'm having difficulty understanding your configuration. Would you please
provide relevant portions of your bind configuration files and some
configuration details for your Windows DNS servers? In particular, with regard
to the Windows DNS servers, are they authoritative for your Active Directory
domain? Are the zones for which they are authoritative Active Directory
integrated? What is their forwarding configuration? Do their Forward Lookup
Zones contain internal or external addresses?
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
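Added example (editor's note, not part of the thread and not code from either correspondent): a small Python parser for dig's text output, written here to make the difference between the answers above explicit. It contacts no server; it reads captured text and reports the header flags, the ANSWER addresses and which owner names appear as NS in the AUTHORITY section. The two samples are the step 3 output and the direct query to host-dc1 as posted in the thread, embedded as constructed strings; the first is trimmed to three root-server lines and its header count adjusted to match. Function and variable names are this example's own.

```python
import re
import sys

# Constructed sample 1: the step 3 output from the thread (recursive answer
# from the local BIND), trimmed to three root-server NS lines.
RECURSIVE_ANSWER = """\
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36091
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dc1.myDomain.org.          IN      A

;; ANSWER SECTION:
host-dc1.myDomain.org.  2558    IN      A       1.1.1.1

;; AUTHORITY SECTION:
.                       511538  IN      NS      i.root-servers.net.
.                       511538  IN      NS      e.root-servers.net.
.                       511538  IN      NS      c.root-servers.net.

;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Constructed sample 2: the direct query to host-dc1 from the thread.
DIRECT_ANSWER = """\
; <<>> DiG 9.7.0-P1 <<>> host-dc1.myDomain.org @host-dc1.myDomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host-dc1.myDomain.org.          IN      A

;; ANSWER SECTION:
host-dc1.myDomain.org.  3600    IN      A       1.1.1.1

;; SERVER: 1.1.1.1#53(1.1.1.1)
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Parse dig's text output into status, header flags and RR sections."""
    parsed = {"status": None, "flags": set(), "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            parsed["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            # ";; flags: qr aa rd ra; QUERY: 1, ..." -> {"qr", "aa", "rd", "ra"}
            flag_text = line[len(";; flags:"):].split(";", 1)[0]
            parsed["flags"] = set(flag_text.split())
        elif line.endswith("SECTION:"):
            # ";; AUTHORITY SECTION:" -> "authority"
            section = line.split()[1].lower()
            parsed["sections"][section] = []
        elif line.startswith(";"):
            # Question entries and dig's own comment lines carry no RRs.
            continue
        elif section is not None:
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                parsed["sections"][section].append((owner, int(ttl), rtype, rdata.strip()))
    return parsed


def answer_addresses(parsed):
    """A records in the ANSWER section, in order."""
    return [rd for _, _, rt, rd in parsed["sections"].get("answer", []) if rt == "A"]


def describe(parsed):
    """Summarise who answered and what the AUTHORITY section says."""
    flags = parsed["flags"]
    authority = parsed["sections"].get("authority", [])
    ns_owners = {owner for owner, _, rtype, _ in authority if rtype == "NS"}
    return {
        "status": parsed["status"],
        "authoritative": "aa" in flags,  # set only by a server that owns the zone
        "recursion_available": "ra" in flags,
        "has_authority_section": "authority" in parsed["sections"],
        "authority_from_root": bool(ns_owners) and ns_owners == {"."},
        "authority_zones": sorted(ns_owners),
    }


if __name__ == "__main__":
    # Pipe real output in: dig host-dc1.myDomain.org | python3 digcheck.py
    text = sys.stdin.read() if not sys.stdin.isatty() else RECURSIVE_ANSWER
    for key, value in describe(parse_dig(text)).items():
        print(f"{key}: {value}")
```

On the step 3 text it reports authoritative False and authority_from_root True: the local BIND answered from cache without the aa flag and attached the root NS set in AUTHORITY. On the direct query it reports authoritative True and has_authority_section False: the DC answered from its own zone and set aa, and an authoritative server is not obliged to add NS or glue records to a positive A answer, so the empty AUTHORITY and ADDITIONAL sections are normal. The step 5 output in the thread, taken after step 4 had cached the myDomain.org NS RRset, shows that RRset in AUTHORITY instead of the root servers, which is why the same script run on step 5 would give authority_zones ["myDomain.org."].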