Hi Mike.
What version of BIND are you running?

Firstly, please clarify your question and example configuration.
You talk about "example.com" and subdomains of "exmaple.com", but your
config shows "example.net". It's not easy to understand exactly what you're
trying to achieve a) when your problem statement is confused and b) when
you give made up names rather than the real names you actually want to use.

Secondly, "forward first" (the default) will forward if it can (i.e. try
that first). If it works, all good, no recursion. If it tries to forward
and fails, then it will recurse. I would recommend you add "forward only"
for consistent behaviour. Then it either works, or it doesn't and you can
fix that.

Lastly, root hints haven't been necessary for a very long time as they are
now built in (unless you are running a VERY old version).

I hope that helps.
Greg

On Sun, 8 Dec 2024 at 23:31, Mike via bind-users <bind-users@lists.isc.org>
wrote:

> Folks,
>
> I have a domain "exmaple.com" and two subdomains, tied to two subnets
> behind an ADSL line.  Let's say dmz.exmaple.com and
> internal.exmaple.com.  Let's say the DMZ is 10.0.1.0/24 and for a laugh,
> let's imagine it's routable via the Interwebs.  Let's say the internal
> zone is 10.0.2.0/24 and is not Internet routable.
>
> Let's say that .com has NS records pointing example.com to 10.0.1.10 and
> 10.0.1.11.  Those are bind servers hosting zones for example.com and
> dmz.exmaple.com.
>
> There are two BIND servers in the internal zone, 10.0.1.10 and
> 10.0.1.11, which have a root hint zone, a master/slave zone for
> internal.exmaple.com and a forward zone for example.com, forwarding to
> 10.0.1.10 and 10.0.1.11.
>
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
>
> zone "example.net" {
>         type forward;
>         forwarders {
>                 10.0.1.10;
>                 10.0.1.11;
>         };
> };
>
> zone "internal.exmaple.com" {
>         type master;
>         file "/etc/bind/db.internal.exmaple.com";
> };
>
> This works fine, except that it turns out that when looking up names in
> dmz.exmaple.com or exmaple.com from 10.0.2.0/24 via 10.0.2.10 or
> 10.0.2.11, it's not forwarding to 10.0.1.10/11 but instead going via
> the root and working down.  Generally this isn't an issue, except
> maybe being a trifle inefficient but it does cause the annoying
> side-effect that if the ADSL line goes down and the root and .com DNS
> servers cannot be reached, then exmaple.com and dmz.example.com become
> unreachable from 10.0.2.0/24.
>
> I've read some posts that suggest adding forward-only to force the zone
> to only forward and not use root hints.  I also understand that the
> default behaviour is the same as forward-first, which will contact the
> forwarders first and then contact the root servers if the forward
> fails.  That doesn't appear to be what is happening and I'm trying to
> understand why.
>
> I think I've also seen it suggested that zone exmaple.com should be a
> master zone with two NS servers defined, 10.0.1.10 and 10.0.1.11.  That
> seems to suggest type forward serves no purpose?
>
> In summary: I'm trying to get 10.0.2.10 and 10.0.2.11 to serve
> internal.exmaple.com from their own database (which they are),
> example.com records from 10.0.1.10 and 10.0.1.11 (which they are not)
> and everything else from the interwebs (which they are).
>
> Most significantly though, I'm not just trying to resolve the issue but
> actually fix my understanding of BIND and learn where I am going wrong
> here.
>
> Kind regards,
> Mike.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
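
A simplified model of how named chooses a zone statement for a query name (closest enclosing zone wins), run over the zone statements quoted in this thread. This is an added example, not code from either poster or from ISC; it assumes no global forwarders in `options`, and `FIXED_CONF` (forward zone named after the queried domain, with `forward only`) is an illustrative assumption, not a configuration given in the thread.

```python
import re

# Constructed sample: the zone statements as posted in the thread, names unchanged.
NAMED_CONF = '''
zone "." { type hint; file "/etc/bind/db.root"; };
zone "example.net" {
        type forward;
        forwarders { 10.0.1.10; 10.0.1.11; };
};
zone "internal.exmaple.com" {
        type master;
        file "/etc/bind/db.internal.exmaple.com";
};
'''
# Assumption for illustration: name the forward zone after the domain actually
# queried and pin the mode, as "forward only" is recommended in the reply.
FIXED_CONF = NAMED_CONF.replace('"example.net" {', '"exmaple.com" { forward only;')

# Matches zone "name" { ... }; allowing one level of nested braces (forwarders).
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;', re.S)

def parse_zones(conf):
    """Return {zone_name: {"type": ..., "forward": "only"|"first"|None}}."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        ztype = re.search(r'\btype\s+([\w-]+)\s*;', body).group(1)
        mode = re.search(r'\bforward\s+(only|first)\s*;', body)
        # The root zone "." is stored under the empty string.
        zones[name.lower().rstrip('.')] = {
            "type": ztype, "forward": mode.group(1) if mode else None}
    return zones

def closest_zone(qname, zones):
    """Longest configured suffix of qname; "" means only the root hint matched."""
    labels = qname.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in zones:
            return candidate
    return "" if "" in zones else None

def explain(qname, zones):
    """Describe which path a query for qname takes under this model."""
    zone = closest_zone(qname, zones)
    info = zones.get(zone)
    if info is None or info["type"] == "hint":
        return "recurse from root hints"
    if info["type"] == "forward":
        return f"forward ({info['forward'] or 'first'}) via zone {zone}"
    return f"answer from local zone {zone}"
```

On a live server, `named-checkconf -p` prints the effective configuration, and a query log or packet capture shows where the query actually goes.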