different result between normal query and zone transfer

Thu, 06 Jul 2017 04:30:54 -0700 


Dear All,

In my environment we have internal DNS servers and 6 external server all 
running BIND. 
4 of these 6 are located in our network. These are slaves for our domain and 
fetching the data from one internal server.
And the remaining 2 are maintained by our ISP and doing a zone transfer from 
our external server.
For some reason we want to have that one DNS name get resolved different 
depending if the query goes to the internal server or to the external. 
So I configured in the external DNS server a subzone which overrides the 
information coming from the internal server. 
This works really fine for our internal and external server. I get the answer I 
expect. 
But not so if the servers of our ISP are queried. There I get the data which 
was originally defined in our internal DNS server. 
The same issue if I do a zone transfer with "dig axfr" from our external 
server. 

For me this looks like a bug. Why is the answer for a normal query different 
than the answer from a zone transfer ? 
Or do I miss a special flag for this setup ? 
I am using BIND 9.11.1 <id:e3dc2e7> but I had the same issue with older 
versions too. 

BTW: I tried the same with RPZ but there I have the identical issues. 


Kind regards 
Hans 

-- 

This is the part of "named.conf" 

zone "test44.iiasa.ac.at" in {
  type master ;
  file "db.test44.iiasa.ac.at" ;
} ;

This is the db-file of our external DNS server. 

#  cat "db.test44.iiasa.ac.at"

$TTL 3600
$ORIGIN test44.iiasa.ac.at.

@       IN SOA ns2.iiasa.ac.at.  dnsmaster.localhost. (
                                2222000000       ; serial
                                21600      ; refresh (6 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                86400      ; minimum (1 day)
                                )
@       IN             NS      ns2.iiasa.ac.at.
test44.iiasa.ac.at. 600 IN A 147.125.5.5
test44.iiasa.ac.at. 600 IN AAAA 2001:628:21f0:5::5:5

Here a normal query from anywhere 

# dig +short test44.iiasa.ac.at @ns2.iiasa.ac.at
147.125.5.5

And here a zone transfer from an IP where a zone transfer is allowed 

# dig axfr iiasa.ac.at @ns2.iiasa.ac.at | grep test44
test44.iiasa.ac.at.     86400   IN      AAAA    2001:628:21f0:4::4:4
test44.iiasa.ac.at.     86400   IN      A       147.125.4.4




_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to