Re: transparently forwarding a zone

Kevin Darcy Fri, 18 Jan 2013 08:12:18 -0800

What do you have against Internet clients querying the storage device?It's obvious that the storage device wants to serve that part of the DNSnamespace. If you don't want the clients to query the device "directly"you could do it through a NAT, or proxy, or whatever. Anything otherthan "direct" client/server interaction, e.g. transparent DNSredirection, is going to be a hack job. I wouldn't want to support it.


                                            - Kevin



On 1/18/2013 10:33 AM, Garsiot, Thomas wrote:

Hi,

I have an issue with domain forwarding.

I'm managing public DNS servers for, say, mydomain.com.
We're currently setting a storage system which relies on DNS for loadbalancing. The system is made of 4 nodes with IP addresses 10.0.0.1,2, 3, 4.
The vendor recommands a stub zone to be created with forwarders set tothe 4 IP addresses (i.e their storage system acts as a mini-DNS server).
However, we need this resolution to occur over the internet, soobviously the stub zone solution does not work because DNS resolverson the internet would retrieve the NS list for the subdomain and tryto query it directly.
We need to be able to resolve on the internet anything of the format :

xxxx.storage.mydomain.com or yyyy.xxxx.storage.mydomain.com
so what I need is my public DNS servers to be owners of thestorage.mydomain.com but still rely on the storage system for morespecific host resolution.
Some kind of a stealth DNS server but with a forward rather than amaster-slave scheme.
We've tried several solutions but none was fully successful.

SOLUTION  1:

============

in mydomain.com zone file :

storage IN NS ns-storage.mydomain.com.

ns-storage IN A 2.2.2.2
where 2.2.2.2 is a public VIP on the internet that load balances DNStraffic to 10.0.0.1 -> 4
SOLUTION 1 results :

====================

partially works :
when querying google's resolving DNS server for test, bothxxxx.storage.mydomain.com or yyyy.xxxx.storage.mydomain.com resolvefine to the 4 private IP addresses.
however, in certain environments, xxxx.storage.mydomain.com works butnot yyyy.xxxx.storage.mydomain.com.
My guess is that google for some reason sent a recursive query foryyyy.xxxx.storage.mydomain.com to the NS of storage.mydomain.com whilethe other environment was sending an iterative query and thus tried toquery the internal addresses of the storage box.
In the situation that fails what I think is happening is :

Resolver -> mydomain.com NS servers : query NS storage.mydomain.com
mydomain.com NS servers -> resolver : storage.mydomain.com's NS isns-storage which translates to 2.2.2.2
Resolver -> 2.2.2.2 : query NS for xxxx.storage.mydomain.com

2.2.2.2 -> resolver : returns 4 NS records corresponding to 10.0.0.1 ->4

Resolver -> 10.0.0.1,2,3 or 4 : fails because private IP is not reachable.

SOLUTION  2:

============

in named.conf :

zone "storage.mydomain.com" {

type forward;

forwarders { 2.2.2.2; };

//forward only;

};

I've tried with and without the "forward only directive" - no change.

Tried it with the internal IP addresses 10.x.x.x and external VIP 2.2.2.2.

SOLUTION 2 results :

====================

fails
a dig for xxxx.storage.mydomain.com gives no answer. Only theauthority section pointing to ns1.mydomain.com & ns2.
SOLUTION 3 :

============

in named.conf :

zone "storage.mydomain.com" {

type forward;

forwarders { 2.2.2.2; };

//forward only;

};

in zone file for mydomain.com

storage IN NS ns1.mydomain.com

storage IN NS ns2.mydomain.com

SOLUTION 3 results :

====================

Direct recursive query to mydomain.com name servers works fine

Requests through another resolver do not work.

dig xxx.storage.mydomain.com +trace gives :

mydomain.com.              172800  IN NS      ns1.mydomain.com.

mydomain.com.              172800  IN NS      ns2.mydomain.com.

;; Received 117 bytes from 192.42.93.30#53(192.42.93.30) in 102 ms
storage.mydomain.com. 300 IN NSns1.mydomain.com
storage.mydomain.com. 300 IN NSns2.mydomain.com
mydomain.com.              300     IN SOA     ns1.mydomain.com. xxxxxxxx

2013011801 3600 900 604800 10800

I sometimes get loops with the following messages :
storage.mydomain.com. 300 IN NSns1.mydomain.com
storage.mydomain.com. 300 IN NSns2.mydomain.com
;; BAD (HORIZONTAL) REFERRAL

;; Received 117 bytes from xx in 6 ms

 Any advice on how to get this done ?

 Thanks in advance !

 Thomas

___________________________________________

Thomas Garsiot

Architecture Réseau/Network Architecture, GISSC, CGI Inc.
((514) 415-3000 #1015293 (SVP ne pas laisser de messages vocaux/please do not use voice mail)
*Ê*(514) 415-3965

*P***Avant d'imprimer, pensez à l'environnement...
Avis de confidentialité : ce message peut contenir des renseignementsconfidentiels appartenant exclusivement au Groupe CGI Inc. ou à sesfiliales. Si vous n'êtes pas le destinataire indiqué ou prévu dans cemessage (ou responsable de livrer ce message à la personne indiquée ouprévue) ou si vous pensez que ce message vous a été adressé parerreur, vous ne pouvez pas utiliser ou reproduire ce message, ni lelivrer à quelqu'un d'autre. Dans ce cas, vous devez le détruire etvous êtes prié d'avertir l'expéditeur en répondant au courriel.
 ___________________________________________



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: transparently forwarding a zone

Reply via email to