Hi

To clarify a bit. The server that runs ns1 has named listening on two addresses. One is an external-facing address providing resolution to the queries coming from the internet. Let's call this ns.org.domain.name.au. The other one is internal-facing and is what ns1 is pointing to. There are certain zones that ns.org.domain.name.au is hosting authoritatively to the internet; for example, we have ns.org.domain.name.au as authoritative for application.org.domain.name.au on the internet.

I have confirmed that ns1 has recursion enabled for all IP ranges within the organization. I have also now added the below options to the named.conf on dns1 as well:

    recursion yes;
    allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
    allow-recursion-on { any; };

After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from dns1. However it can resolve it if I run a "dig +trace sharepoint.com" or "dig +trace microsoft.com". On the internal clients talking to dns1, I get an NXDOMAIN response.

--Anup

________________________________
From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Hi Kevin

Does that mean I set up another forwarding zone called microsoft.com or sharepoint.microsoft.com or both? And then do I need to add NS record entries similar to sharepoint.com in the fake root file?

Regards
Anup

________________________________
From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Hi Chris

Below is without the "+trace" option. Also there is a firewall between the internal (dns1) and external (ns1) name servers and we have opened up TCP/UDP port 53 from dns1 to ns1.

    ; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;sharepoint.com.                IN      A

    ;; AUTHORITY SECTION:
    sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au

    ;; ADDITIONAL SECTION:
    ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1

    ;; Query time: 26 msec
    ;; SERVER: ip.of.dns1#53(ip.of.dns1)
    ;; WHEN: Thu Aug 18 09:38:09 2016
    ;; MSG SIZE  rcvd: 84

Regards
Anup

________________________________
From: Chris Buxton <cli...@buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:

Hi

First up, apologies if this is not the right list to email and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients. We are running 9.6-ESV-R11-P2 for this. And we also have an external-only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1. On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set as the forwarder. And on the fake root zone file, I have added an entry for sharepoint like below:

    sharepoint.com.    NS    ns1.org.domain.name.au.

When I run a "dig +trace sharepoint.com" from dns1 I can resolve sharepoint.com. But when I run it from an internal client it gets a "Non-authoritative: No answer".

Below are snippets of my named.conf on dns1 (internal):

    options {
        directory "/var/dns";
        forwarders { ip.of.ns1; };
        listen-on { ip.of.dns1; 127.0.0.1; };
        query-source address ip.of.dns1;
        notify-source ip.of.dns1;
        transfer-source ip.of.dns1;
        allow-transfer { xxx.xxx/16; };
        transfer-format one-answer; // BIND9 (deal with Windows Server 2003)
    };

    <.....>

    zone "." in {
        type master;
        file "fake/root";
    };

    zone "." in {
        type hint;
        file "/var/dns/fake/named.root";
    };

    zone "sharepoint.com." in {
        type forward;
        forward only;
        forwarders { ip.of.ns1; };
    };

The file fake/root has entries like below (IP and domain names changed for security):

    $TTL 86400 ; NOTE: TTL based on from Bind8 SOA record
    ;
    ; This file contains *fake* DNS Resource Records for the root domain (.)
    ;
    .    IN SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
                    2016081608 ; serial
                    10800      ; refresh
                    3600       ; retry
                    3600000    ; expire
                    86400 )    ; minimum
    .                         NS dns1.org.domain.name.au.
    ;.                        NS dns2.org.domain.name.au.
    com.au.                   NS dns1.org.domain.name.au.
    sharepoint.com.           NS ns1.org.domain.name.au.
    difforg.diffdomain.au.    NS dns1.org.domain.name.au.
    0.0.127.in-addr.arpa.     NS dns1.org.domain.name.au.
    xxx.xxx.in-addr.arpa.     NS dns1.org.domain.name.au.
    localhost.                A  127.0.0.1
    ; Glue
    dns1.org.domain.name.au.  A  ip.of.dns1
    ns1.org.domain.name.au.   A  ip.of.ns1
    ;dns2.org.domain.name.au. A  xxx.xxx.xxx.xxx

The root hints file (named.root) has below:

    .       3600 IN NS dns1.org.domain.name.au
    dns1    3600 A  ip.of.dns1

nslookup on a client returns this:

    nslookup sharepoint.com
    Server:         ip.of.dns1
    Address:        ip.of.dns1#53

    Non-authoritative answer:
    *** Can't find sharepoint.com: No answer

And running dig on a client returns this:

    dig +trace sharepoint.com

    ; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
    ;; global options: printcmd
    .                       86400   IN      NS      dns1.org.domain.name.au.
    ;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

    sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
    ;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms

    ;; connection timed out; no servers could be reached

Regards
Anup

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
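The dig output Anup posted without "+trace" has a recognisable shape: status NOERROR, an empty ANSWER section, an NS record in the AUTHORITY section, and header flags "qr rd" with no "ra". That is a referral, and the missing "ra" means the server was not offering recursion to that client; "dig +trace" still works because dig follows the referral itself, while a stub resolver (nslookup, the client libc) cannot and reports "No answer". The script below is an added example, not part of the thread or of BIND: it parses dig output into status, flags, counts and section records and labels the response. The first sample is a trimmed copy of the posted output with its placeholder names; the other two samples (an answered query and an authoritative NXDOMAIN) are constructed to show the contrast.

```python
"""Classify dig output: answer, referral, NXDOMAIN, and whether 'ra' was offered.

Added example; not code from the bind-users thread or from BIND itself.
"""
import re

# Sample 1: trimmed copy of the dig output posted in the thread (placeholders kept).
DIG_REFERRAL = """\
; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.                IN      A

;; AUTHORITY SECTION:
sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN      A       ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
"""

# Sample 2 (constructed): what a server willing to recurse for the client returns.
DIG_ANSWERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            300     IN      A       192.0.2.10
"""

# Sample 3 (constructed): authoritative NXDOMAIN served from a locally held zone.
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sharepoint.com.                IN      A

;; AUTHORITY SECTION:
.                       86400   IN      SOA     dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. 2016081608 10800 3600 3600000 86400
"""


def parse_dig(text):
    """Extract status, header flags, section counts and section records from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    counts = {name.lower(): int(n)
              for name, n in re.findall(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", text)}
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1).lower()
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            # Record lines are: owner TTL class type rdata...  (the ';' question line is skipped)
            fields = line.split()
            sections[current].append({"owner": fields[0], "ttl": int(fields[1]),
                                      "type": fields[3], "rdata": " ".join(fields[4:])})
    return {"status": status, "flags": flags, "counts": counts, "sections": sections}


def classify(parsed):
    """Label the response and explain what its flags and sections imply."""
    flags, counts, sections = parsed["flags"], parsed["counts"], parsed["sections"]
    ra = "ra" in flags
    authority_ns = [r["rdata"] for r in sections.get("authority", []) if r["type"] == "NS"]
    if parsed["status"] == "NXDOMAIN":
        verdict = "nxdomain"
    elif parsed["status"] == "NOERROR" and counts.get("answer", 0) > 0:
        verdict = "answer"
    elif parsed["status"] == "NOERROR" and authority_ns:
        verdict = "referral"
    else:
        verdict = "empty"
    notes = []
    if "rd" in flags and not ra:
        notes.append("client asked for recursion (rd) but the server did not offer it (no ra): "
                     "the client address is outside allow-recursion, or recursion is off")
    if verdict == "referral":
        notes.append("server returned a delegation to %s instead of resolving; dig +trace can "
                     "follow it, a stub resolver cannot, hence 'No answer'" % ", ".join(authority_ns))
    if verdict == "nxdomain" and "aa" in flags:
        notes.append("authoritative NXDOMAIN: answered from a zone this server holds itself, not forwarded")
    return {"verdict": verdict, "recursion_available": ra, "notes": notes}


if __name__ == "__main__":
    for label, sample in (("posted", DIG_REFERRAL), ("answered", DIG_ANSWERED), ("nxdomain", DIG_NXDOMAIN)):
        result = classify(parse_dig(sample))
        print(label, result["verdict"], "ra=%s" % result["recursion_available"])
        for note in result["notes"]:
            print("   -", note)
```

Run against a live capture, feed the text of a plain "dig name @server" (no +trace) into parse_dig; the presence or absence of "ra" in the response tells you whether that particular client source address is allowed to recurse on the server, which is the first thing to check before looking at forward zones.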