This is very similar to what I wanted to do some time ago, but I concluded
that it was not possible with bind.
But I've modified bind in order to be able to do it anyway.
The trick was to use a "static-stub" zone with a small modification to the
bind code.
In my bind-9.16.6, I modified the file query.c to look like this:
lib/ns/query.c:

	/*
	 * Non recursive query to a static-stub zone is prohibited; its
	 * zone content is not public data, but a part of local configuration
	 * and should not be disclosed.
	 */
	/*if (dns_zone_gettype(zone) == dns_zone_staticstub &&
	    !RECURSIONOK(client)) {
		return (DNS_R_REFUSED);
	}*/
	if (dns_zone_gettype(zone) == dns_zone_staticstub)
		client->query.attributes |= NS_QUERYATTR_RECURSIONOK;
One "if" was commented out to remove the check on recursion.
One "if" was added to "force" recursion.
With this modification, I turned bind into some kind of proxy for a sub-zone.
I don't really know if there are any nasty side effects, but in my case
this is not a real problem because I don't normally use static-stub
zones except for one very specific usage.
Maybe some bind expert would like to comment on this.
Frédéric Lochon.
On 09/02/2021 at 22:44, Sebastian Neumann wrote:
Hey there,
I am having an issue forwarding DNS queries and was hoping that one
of you might be able to help me:
I have the following setup:
DNS-Server reachable from the internet, is authoritative for zone foo.com
DNS-Server reachable only locally, should be authoritative for zone
test.lab.foo.com
What I try to achieve:
When a DNS query from the outside world reaches the first DNS server
for a record belonging to the zone test.lab.foo.com, I want it to make
a recursive request to the second DNS server and then forward the records.
I explicitly don't want to do zone transfers or make the second DNS
server reachable from the internet.
My configuration looks like this (I only copied the parts I think are
important, as the whole config would be a few hundred lines because of
split views and many zones):
On the first DNS server:

options {
	allow-recursion {
		localnets;
		localhost;
		internal;
		my-datacenter;
		mc-office;
	};
};

zone "test.lab.foo.com" {
	type forward;
	forward only;
	forwarders {
		<private IP of second DNS server>;
	};
};

zone "foo.com" {
	type master;
	file "/etc/bind/zones/foo.com.zone";
};
My issue:
When I am in a local network that is whitelisted in the
allow-recursion block, it works as expected. When I try the DNS
lookup from the internet, I get a NOERROR with an empty response
back.
During debugging, I adjusted the allow-recursion list and added "any" to
it. Then it was working. But I don't want my DNS server to allow any
kind of recursion. I actually only want "outside" lookups for this one
specific zone to be recursive.
How can I set something like allow-recursion for just one zone?
Thanks a lot already
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
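As an added example (not code from this thread, from BIND, or from either poster): a small Python 3 script, standard library only, that builds raw DNS queries with the RD bit set or cleared, parses the reply flags and any A records, and labels each reply the way you would read it when checking Sebastian's forward-zone setup or Frédéric's modified server from outside. A forward zone is answered through BIND's recursive path, which is why it only works for clients that allow-recursion admits; the script tells that case (RA set, answers present) apart from the empty NOERROR reply Sebastian saw. The names host.test.lab.foo.com and www.example.net and the addresses in the constructed replies are assumptions for the offline run; probe() sends a real UDP query and assumes port 53 on a server you are allowed to test. The check a practitioner wants after forcing recursion for one zone is the last two cases: a name outside the sub-zone must come back REFUSED or empty, never as a non-authoritative answer carrying records, since that would mean the server resolves arbitrary names for anyone.

```python
"""Probe and classify DNS replies as an outside client would see them.

Added example for the bind-users thread above; not BIND code and not either
poster's code. Sample replies are constructed inline so the script runs
offline; probe() is the only function that touches the network.
"""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "noerror", 1: "formerr", 2: "servfail", 3: "nxdomain", 5: "refused"}


def build_query(qname, rd=True, txid=0x1234, qtype=QTYPE_A):
    """Single-question DNS query; RD (bit 8 of the flags word) is the only flag set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header into the fields an auditor cares about."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack(">HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available for this client
        "rcode": flags & 0x000F,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def _skip_name(msg, off):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg):
    """Collect the IPv4 addresses from the answer section (other RR types are skipped)."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def classify(reply):
    """Label a reply the way an outside tester would read it."""
    hdr = parse_header(reply)
    if hdr["rcode"] != 0:
        return RCODE_NAMES.get(hdr["rcode"], "rcode%d" % hdr["rcode"])
    if hdr["ancount"] == 0:
        return "noerror-empty"
    return "authoritative-answer" if hdr["aa"] else "recursive-answer"


def is_open_resolver_reply(reply):
    """True when the server resolved a name it is not authoritative for, on our behalf."""
    return classify(reply) == "recursive-answer"


def build_response(query, aa=False, ra=False, rcode=0, addrs=()):
    """Constructed reply to `query` with the given flags and A records (offline sample data)."""
    txid, qflags = struct.unpack(">HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack(">HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = query[12:]                       # echo the single question back
    rrs = b""
    for addr in addrs:
        rrs += b"\xc0\x0c"                      # owner name: pointer to the question name
        rrs += struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        rrs += bytes(int(octet) for octet in addr.split("."))
    return header + question + rrs


def probe(server, qname, rd=True, timeout=3.0):
    """Send one UDP query and return the raw reply (network; not used by the offline run)."""
    query = build_query(qname, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return reply


if __name__ == "__main__":
    # Constructed replies (assumed names and addresses) standing in for what an outside client sees.
    q_sub = build_query("host.test.lab.foo.com")   # name in the forwarded sub-zone
    q_other = build_query("www.example.net")        # name the server must not resolve for outsiders
    for label, reply in [
        ("sub-zone, recursion granted", build_response(q_sub, ra=True, addrs=("10.0.0.5",))),
        ("sub-zone, recursion denied", build_response(q_sub)),
        ("unrelated name, resolved", build_response(q_other, ra=True, addrs=("192.0.2.10",))),
        ("unrelated name, refused", build_response(q_other, rcode=5)),
    ]:
        print("%-30s %-20s open-resolver=%s %s" % (
            label, classify(reply), is_open_resolver_reply(reply), parse_a_answers(reply)))
```

To run it against a real server, replace the constructed replies with probe("<public IP of first DNS server>", name, rd=True) for one name inside test.lab.foo.com and one unrelated name, from a host outside the allow-recursion networks; anything but "refused" or "noerror-empty" for the unrelated name means the change has opened recursion wider than one zone.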