On 12/03/2024 12:48, Muhammad Yousuf Khan wrote:
Dear All,
I need your experienced advice. We have a BIND9 DNS server that operates
both privately and publicly for the domain example xyz.com. I use the
private DNS for certain secure nodes on our local network. I want all
VPN users to be able to resolve these secure nodes using our local DNS,
which is functioning correctly.
So I force-assign all VPN users the local DNS so that they can access the
secure records, and the local DNS can forward their query to a public DNS
in case the record is not found in the zone file.
Locally everything is working just fine; the issue arises when a VPN
user queries an A record that is public. For example, if
"secure.xyz.com" has a local entry in the zone file, it works as
expected. However, when the entry is not present, I expect BIND to
conditionally forward the query to a remote DNS server and resolve it
for the VPN client. Unfortunately, this is not happening. BIND only
searches for entries that are available in the local zone file and then
times out. Here are my configuration files.
Here is my bind config:
options {
    directory "/var/cache/bind";
    recursion yes; // Enable DNS recursion
    allow-recursion { localhost; };
You're only allowing recursion from localhost. I guess you need to allow
the internal VPN addresses here. Maybe that's the (commented) acl below,
so try something like
allow-recursion { "trusted"; };
(Maybe the acl needs to be defined before it's used, I'm not sure.)
//acl trusted {192.168.1.0/24; };
But remember to add localhost to the acl, so that local processes can
also use the recursive server.
    querylog yes;
    allow-transfer { none; }; // Disable zone transfers by default
    allow-query { any; }; // Allow queries from any IP address
    forwarders {
        8.8.8.8;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};
zone "xyz.com" {
    type master;
    file "/etc/bind/db.xyz.com";
    forwarders {
        8.8.8.8;
        8.8.4.4; // Additional forwarder (optional)
    };
};
Thanks,
Yousuf
--
pension:
A federally insured chain letter.
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
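A corrected named.conf along the lines of the advice above, added here as an example and not taken from the thread. It assumes the VPN clients sit in the 192.168.1.0/24 range from the commented-out acl; in BIND 9 an acl must be declared before the statement that references it, so it is placed ahead of options.

```conf
// Added example (not the poster's config). The acl is declared first
// because named rejects references to acls that are not yet defined.
acl trusted {
    localhost;          // local processes on the server itself
    192.168.1.0/24;     // assumed VPN client range (from the commented acl)
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Recursion only for localhost and the VPN/internal clients; any other
    // source still gets answers for xyz.com but no recursive lookups.
    allow-recursion { trusted; };
    allow-query { any; };
    allow-transfer { none; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
    querylog yes;
};

zone "xyz.com" {
    type master;
    file "/etc/bind/db.xyz.com";
};
```

Run `named-checkconf` before reloading to catch an undefined or misplaced acl. From a VPN client, `dig @<server-ip> <public-name>` should then show the `ra` flag in the response instead of the "recursion requested but not available" warning.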