Hi Chris
Below is without the "+trace" option. Also there is a firewall between the internal (dns1) and external (ns1) name servers and we have opened up TCP/UDP port 53 from dns1 to ns1.

; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.                IN      A

;; AUTHORITY SECTION:
sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84

Regards
Anup

________________________________
From: Chris Buxton <cli...@buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:

Hi

First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.

We have an internal only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients. We are running 9.6-ESV-R11-P2 for this. And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1. On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 set as the forwarder. And in the fake root zone file, I have added an entry for sharepoint like below

sharepoint.com.                 NS      ns1.org.domain.name.au.
When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com. But when I run it from an internal client it gets a Non-authoritative: No answer.

Below are snippets of my named.conf on dns1 (internal)

options {
        directory "/var/dns";
        forwarders { ip.of.ns1; };
        listen-on { ip.of.dns1; 127.0.0.1; };
        query-source address ip.of.dns1;
        notify-source ip.of.dns1;
        transfer-source ip.of.dns1;
        allow-transfer { xxx.xxx/16; };
        transfer-format one-answer; // BIND9 (deal with Windows Server 2003)
};

<.....>

zone "." in {
        type master;
        file "fake/root";
};

zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
};

zone "sharepoint.com." in {
        type forward;
        forward only;
        forwarders { ip.of.ns1; };
};

The file fake/root has entries like below (IPs and domain names changed for security)

$TTL 86400 ; NOTE: TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;
.       IN SOA  dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
                2016081608 ; serial
                10800      ; refresh
                3600       ; retry
                3600000    ; expire
                86400 )    ; minimum
.                               NS      dns1.org.domain.name.au.
;.                              NS      dns2.org.domain.name.au.
com.au.                         NS      dns1.org.domain.name.au.
sharepoint.com.                 NS      ns1.org.domain.name.au.
difforg.diffdomain.au.          NS      dns1.org.domain.name.au.
0.0.127.in-addr.arpa.           NS      dns1.org.domain.name.au.
xxx.xxx.in-addr.arpa.           NS      dns1.org.domain.name.au.
localhost.                      A       127.0.0.1
; Glue
dns1.org.domain.name.au.        A       ip.of.dns1
ns1.org.domain.name.au.         A       ip.of.ns1
;dns2.org.domain.name.au.       A       xxx.xxx.xxx.xxx

The root hints file (named.root) has below

.       3600    IN      NS      dns1.org.domain.name.au
dns1    3600            A       ip.of.dns1

nslookup on a client returns this

nslookup sharepoint.com
Server:         ip.of.dns1
Address:        ip.of.dns1#53

Non-authoritative answer:
*** Can't find sharepoint.com: No answer

And running dig on a client returns this

dig +trace sharepoint.com

; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options: printcmd
.                       86400   IN      NS      dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms

;; connection timed out; no servers could be reached

Regards
Anup
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
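Added example, not from this thread and not part of BIND or dig: a small Python parser for a dig response like the one Anup pasted at the top of the thread. It pulls the header flags and section counts out of the text and states what an operator reads from them (whether the server offered recursion, whether the response is an answer or only a referral to another name server). The embedded response is a constructed copy of the thread's output with its ip.of.* placeholders kept; the helper names (parse_dig, diagnose) are this example's own.

```python
import re

# Constructed copy of the dig response pasted in the thread (placeholders kept as in the mail).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.                IN      A

;; AUTHORITY SECTION:
sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
"""

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)
SECTION_RE = re.compile(r";; (\w+) SECTION:")


def parse_dig(output):
    """Parse dig's text output into opcode, status, id, flag set, counts and section records."""
    result = {"flags": set(), "counts": {}, "sections": {}}
    section = None
    for line in output.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result["opcode"], result["status"] = m.group(1), m.group(2)
            result["id"] = int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = set(m.group(1).split())
            result["counts"] = {"QUERY": int(m.group(2)), "ANSWER": int(m.group(3)),
                                "AUTHORITY": int(m.group(4)), "ADDITIONAL": int(m.group(5))}
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"][section] = []
            continue
        if not line.strip():
            section = None          # a blank line ends the current section
            continue
        # Resource record lines: name TTL class type rdata (question lines start with ';')
        if section and section != "QUESTION" and not line.startswith(";"):
            parts = line.split(None, 4)
            if len(parts) == 5:
                name, ttl, rclass, rtype, rdata = parts
                result["sections"][section].append((name, int(ttl), rclass, rtype, rdata))
    return result


def diagnose(parsed):
    """Turn header flags and counts into the observations an operator would make."""
    flags, counts = parsed["flags"], parsed["counts"]
    findings = []
    # 'rd' is set by the client; 'ra' is set by the server only if it will recurse for this client.
    if "rd" in flags and "ra" not in flags:
        findings.append("recursion requested (rd) but the server did not offer it (no ra)")
    if "aa" in flags:
        findings.append("authoritative answer (aa)")
    # NOERROR with an empty ANSWER section and NS records in AUTHORITY is a referral, not an answer.
    if parsed.get("status") == "NOERROR" and counts.get("ANSWER") == 0:
        ns = [r[4] for r in parsed["sections"].get("AUTHORITY", []) if r[3] == "NS"]
        if ns:
            findings.append("referral rather than an answer: delegated to " + ", ".join(ns))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_dig(SAMPLE_DIG_OUTPUT)):
        print("-", finding)
```

On the thread's output this reports that recursion was not offered to the querying client and that dns1 returned only the delegation to ns1, which is the same information a reader takes from "flags: qr rd" and "ANSWER: 0, AUTHORITY: 1" by hand; feeding it the output of a dig run from each vantage point (dns1 itself, an internal client) makes the difference between the two explicit.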