Folks, I have a domain "example.com" and two subdomains, tied to two subnets behind an ADSL line. Let's say dmz.example.com and internal.example.com. Let's say the DMZ is 10.0.1.0/24 and, for a laugh, let's imagine it's routable via the Interwebs. Let's say the internal zone is 10.0.2.0/24 and it is not Internet routable.
Let's say that .com has NS records pointing example.com to 10.0.1.10 and 10.0.1.11. Those are BIND servers hosting zones for example.com and dmz.example.com. There are two BIND servers in the internal zone, 10.0.1.10 and 10.0.1.11, which have a root hint zone, a master/slave zone for internal.example.com and a forward zone for example.com, forwarding to 10.0.1.10 and 10.0.1.11.

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    zone "example.net" {
        type forward;
        forwarders { 10.0.1.10; 10.0.1.11; };
    };

    zone "internal.example.com" {
        type master;
        file "/etc/bind/db.internal.example.com";
    };

This works fine, except that it turns out that when looking up names in dmz.example.com or example.com from 10.0.2.0/24 via 10.0.2.10 or 10.0.2.11, it's not forwarding to 10.0.1.10/11 but instead going via the root and working down. Generally this isn't an issue, except maybe being a trifle inefficient, but it does cause the annoying side-effect that if the ADSL line goes down and the root and .com DNS servers cannot be reached, then example.com and dmz.example.com become unreachable from 10.0.2.0/24.

I've read some posts that suggest adding forward only to force the zone to only forward and not use root hints. I also understand that the default behaviour is the same as forward first, which will contact the forwarders first and then contact the root servers if the forward fails. That doesn't appear to be what is happening and I'm trying to understand why.

I think I've also seen it suggested that zone example.com should be a master zone with two NS servers defined, 10.0.1.10 and 10.0.1.11. That seems to suggest type forward serves no purpose?

In summary: I'm trying to get 10.0.2.10 and 10.0.2.11 to serve internal.example.com from their own database (which they are), example.com records from 10.0.1.10 and 10.0.1.11 (which they are not) and everything else from the interwebs (which they are).
Most significantly though, I'm not just trying to resolve the issue but actually fix my understanding of BIND and learn where I am going wrong here. Kind regards, Mike.
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
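As an added illustration (not the poster's configuration, and not a reply from the list), here is a named.conf fragment for the internal resolvers that places the "forward first" default and "forward only" side by side for the example.com forward zone; the addresses and file paths are the ones from the post, the allow-recursion ACL is an assumption, and the zone name is spelled example.com so that it matches the names being queried.

```conf
// Added example: internal resolvers 10.0.2.10 / 10.0.2.11 (assumed ACL below)

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only the internal subnet may recurse through these servers (assumption)
    allow-recursion { 10.0.2.0/24; 127.0.0.1; };
};

// Root hints: used for "everything else" and, under forward first,
// as the fallback when forwarders do not answer.
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// The forward zone name must be the name actually queried (or a parent of it);
// a query for host.dmz.example.com matches the closest enclosing forward
// zone, which is example.com here.
//
// Default behaviour is "forward first": try the forwarders, then fall back to
// iterative resolution from the root hints if they fail.
// "forward only" removes that fallback, so when the ADSL line is down the
// answer comes from 10.0.1.10/11 or not at all, and a resolver never walks
// down from the root for this zone.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 10.0.1.10; 10.0.1.11; };
};

// Authoritative data the internal servers hold themselves.
zone "internal.example.com" {
    type master;
    file "/etc/bind/db.internal.example.com";
};

// Check from an internal client: dig @10.0.2.10 host.dmz.example.com
// With "forward only" and the DMZ servers unreachable, the reply is SERVFAIL
// rather than a slow root walk.
```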