“forward” does not mean “proxy”. Additionally, servers out on the internet make iterative queries. They are non-recursive *AND* follow delegations. Making a proxy work is more than just relaying the request and the response.
BIND does not support proxying other servers.

> On 10 Feb 2021, at 08:44, Sebastian Neumann <sebastian-n...@gmx.de> wrote:
>
> Hey there,
>
> I am having an issue forwarding DNS queries and was hoping that one of you
> might be able to help me:
>
> I have the following setup:
>
> DNS-Server reachable from the internet, is authoritative for zone foo.com
> DNS-Server reachable only locally, should be authoritative for zone test.lab.foo.com
>
> What I try to achieve:
>
> When a DNS query from the outside world reaches the first DNS server for a
> record belonging to the zone test.lab.foo.com, I want it to make a recursive
> request to the second DNS server and then forward the records.
>
> I explicitly don't want to do zone transfers or make the second DNS server
> reachable from the internet.
>
> My configuration looks like this: (I only copied the [what I think] important
> parts to here, as all the config would be a few hundred lines because of
> split view and many zones)
>
> On the first DNS-Server
>
> options {
>     allow-recursion {
>         localnets;
>         localhost;
>         internal;
>         my-datacenter;
>         mc-office;
>     };
> };
>
> zone "test.lab.foo.com" {
>     forward only;
>     forwarders {
>         <private IP of second DNS server>;
>     };
>     type forward;
> };
>
> zone "foo.com" {
>     file "/etc/bind/zones/foo.com.zone";
>     type master;
> };
>
> My issue:
>
> When I am in a local network that is whitelisted in the allow-recursion
> block, then it works as expected. When I try the DNS lookup from the
> internet, then I get a NOERROR with an empty response back.
>
> During debugging, I adjusted the allow-recursion list and added any to it.
> Then it was working. But I don't want my DNS server to allow any kind of
> recursion. I actually only want "outside" lookups for this one specific zone
> to be recursive.
>
> How can I set something like allow-recursion for just one zone?
>
> Thanks a lot already
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
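
The header bits behind the reply above, as an added example that is not part of the original thread and is not BIND code. It builds the two kinds of query the first server sees (RD=0 from an internet resolver, RD=1 from a local stub) and decodes the "NOERROR with an empty response" case. Assumptions: the name `host.test.lab.foo.com` and all packets are constructed, and `uses_forwarders` is a simplified model of the behaviour described in the thread (forwarding is part of recursion).

```python
import struct

def build_query(name, rd, qid=0x1234, qtype=1):
    """Build a minimal DNS query (class IN) with the RD bit set or cleared."""
    flags = 0x0100 if rd else 0x0000              # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def uses_forwarders(query, client_in_allow_recursion):
    """Simplified model (assumption): a forward zone is only consulted for an
    RD=1 query from a client that matches allow-recursion."""
    return parse_header(query)["rd"] and client_in_allow_recursion

def empty_response(query):
    """Constructed reply: QR=1, RD copied, RA=0, rcode NOERROR, no answers."""
    qid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100), 1, 0, 0, 0)
    return header + query[12:]

def explain_response(resp):
    h = parse_header(resp)
    if h["rcode"] == 0 and h["ancount"] == 0 and not h["ra"]:
        return "NOERROR, no answers, RA=0: recursion was not offered to this client"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "NOERROR with answers"
    return "rcode=%d ancount=%d ra=%s" % (h["rcode"], h["ancount"], h["ra"])

if __name__ == "__main__":
    iterative = build_query("host.test.lab.foo.com", rd=False)  # internet resolver
    stub = build_query("host.test.lab.foo.com", rd=True)        # local client
    print("internet resolver, RD=0:", uses_forwarders(iterative, False))
    print("outside stub, RD=1, not in ACL:", uses_forwarders(stub, False))
    print("local stub, RD=1, in ACL:", uses_forwarders(stub, True))
    print(explain_response(empty_response(stub)))
```

Only the last combination (RD=1 and a client matched by `allow-recursion`) reaches the forwarders, which matches what the poster observed from local networks versus the internet.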