Greg, Thank you.

Replacing the db.cache file seems to work for replacing the root servers; I saw traffic shift to an internal router where I had expected/previously seen traffic through the FW. Manager noticed that secondary queries to domain servers were still going through the FW.

The forwarder zones I have in place now will continue to function since they are more specific than the new forwarders setting, which serves as a forwarder of last resort (for lack of a better term and borrowing from words I use for network routing). Example: let's say I have forwarder zones for health.ny.gov and ny.gov and its.ny.gov; those will continue to work when I add a forwarders statement for the servers that serve ny.gov for all more generic queries.

Many thanks,
Brian

From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Monday, December 9, 2024 6:26 PM
To: Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: forwarding non-domain queries

Hi Brian.

If that's what you want to do; answer authoritatively from local zones you own and forward everything else to Corporate, then you have it correct. "forwarders {...etc" and "forward only;" go in the "options" block.

Since you are forwarding everything that's not local *and* disabling recursion if forwarding fails, you don't need the hint zone at all; please delete it. Actually you don't need it anyway, even if you are doing recursion, as Internet root hints have been built into BIND for many years. The only reason you would need a hint zone is to define custom roots for a private network that is *completely* isolated from the Internet. Your corporate network does not meet that criterion because your corporate DNS servers will be answering names from the Internet. Therefore, lose the hint zone.

I hope that helps.
Greg

On Mon, 9 Dec 2024 at 21:34, Cuttler, Brian R (HEALTH) via bind-users <bind-users@lists.isc.org> wrote:

Hello, looking for a sanity check.

Inside our network we are running BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu on Ubuntu 22.04.5 LTS.

Currently our server serves our own zone files - A/CNAME/PTR/TXT/etc records for our domain. We have already modified the db.cache file to reference two servers provided by our corporate IT rather than using the internet root servers. We have numerous forwarder zones for corporate zones, both forward and reverse zones.

We are looking to no longer use recursion but rely entirely on the corporate servers for anything we would normally resolve from external servers. I think all we need to do is create a forwarders stanza and set "forwarder only", similar to (but with the correct IPs):

forwarders {
    1.2.3.4; # External DNS
    1.2.3.5; # External DNS
};
forward only;

The desire is to continue to use our own zone files, and to continue to use the already established forwarder zones, but to replace recursion managed by our own internal servers with queries to ONLY the 2 servers we are already using as replacement root servers.

Seems so simple that I have to believe I've missed something.

Thanks in advance,
Brian

Brian Cuttler, System and Network Administration
Wadsworth Center, NYS Department of Health
Albany, NY 12201 POB 509
brian.cutt...@health.ny.gov
518 486-1697

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
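As an added illustration (not configuration from either poster), here is how the pieces discussed in this thread fit together in named.conf: global forwarders plus "forward only" in the options block, an authoritative local zone, an existing more-specific forward zone, and no hint zone. The addresses, zone names and file paths are placeholders; "example.internal" and the ACLs are assumptions, and the 1.2.3.x addresses are the thread's own example values.

```conf
// Added example layout, not the thread's own configuration.
// Addresses and file paths are placeholders.

options {
    directory "/var/cache/bind";

    // Global forwarders: the "forwarder of last resort". Any query that is
    // not answered from a local zone, the cache, or a more specific forward
    // zone is sent here instead of being resolved iteratively.
    forwarders {
        1.2.3.4;   // corporate DNS (placeholder)
        1.2.3.5;   // corporate DNS (placeholder)
    };
    // With "forward only", named never falls back to iterative recursion
    // if the forwarders fail to answer, so root hints are never consulted.
    forward only;

    // Forwarding only applies to recursive queries, so recursion must stay
    // enabled; limit who may use it (ACL values are placeholders).
    recursion yes;
    allow-recursion { localnets; localhost; };
};

// Zones you own are still answered authoritatively from local files.
zone "example.internal" {          // placeholder zone name
    type primary;
    file "/etc/bind/db.example.internal";
};

// Existing forward zones keep working: a "type forward" zone is more
// specific than the global forwarders, so names under ny.gov use this
// zone's forwarders (which may be different servers than the global ones).
zone "ny.gov" {
    type forward;
    forward only;
    forwarders { 1.2.3.4; 1.2.3.5; };
};

// Deliberately absent: the root hint zone, i.e.
//   zone "." { type hint; file "/etc/bind/db.root"; };
// With "forward only" the roots are never used, and BIND ships with
// built-in root hints for the case where they would be.
```

Run `named-checkconf` against the file before reloading; a missing hint zone is not an error, whereas a forwarders block containing an unreachable server only shows up as SERVFAIL answers once forwarding is in use.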