Try it without "+trace".

Regards,
Chris

> On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:
> 
> Hi
> 
> First up, apologies if this is not the right list to email, and for a long 
> email. I am hoping you can give me a clue as to what I am doing wrong here, 
> or maybe this is not supposed to work at all.
> 
> We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake 
> file for the zone ".". This serves all internal clients.
> We are running 9.6-ESV-R11-P2 for this.
> 
> And we also have an external-only DNS server (ns1) which can talk to the 
> internet for DNS queries and serves external clients.
> 
> Now we have a requirement to have certain domains (e.g. sharepoint.com) 
> resolved on clients being served by dns1.
> 
> On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 
> set as the forwarder.
> And in the fake root zone file, I have added an entry for sharepoint like 
> below:
> sharepoint.com.          NS     ns1.org.domain.name.au.
> 
> When I run dig +trace sharepoint.com from dns1 I can resolve sharepoint.com. 
> But when I run it from an internal client it gets "Non-authoritative: No 
> answer".
> 
> Below are snippets of my named.conf on dns1 (internal).
> 
> options {
>         directory "/var/dns";
>         forwarders { ip.of.ns1; };
>         listen-on  { ip.of.dns1; 127.0.0.1; };
>         query-source address ip.of.dns1;
>         notify-source ip.of.dns1;
>         transfer-source ip.of.dns1;
>         allow-transfer { xxx.xxx/16; }; 
>         transfer-format one-answer;    // BIND9 (deal with Windows Server 2003)
> 
> };
> 
> <.....>
> zone "." in {
>         type master;
>         file "fake/root";
> };
> 
> zone "." in {
>         type hint;
>         file "/var/dns/fake/named.root";
> };
> zone "sharepoint.com." in {
>         type forward;
>         forward only;
>         forwarders {ip.of.ns1;};
> };
> 
> The file fake/root has entries like below (IP addresses and domain names 
> changed for security):
> 
> $TTL 86400
> ; NOTE:  TTL based on from Bind8 SOA record
> ;
> ; This file contains *fake* DNS Resource Records for the root domain (.)
> ;
> 
> .       IN      SOA     dns1.org.domain.name.au.        xxx.dns1.org.domain.name.au.  (
>                                      2016081608      ; serial
>                                      10800   ; refresh
>                                      3600    ; retry
>                                      3600000 ; expire
>                                      86400 ) ; minimum
> 
> .                       NS      dns1.org.domain.name.au.
> ;.                      NS      dns2.org.domain.name.au.
> 
> com.au.                 NS      dns1.org.domain.name.au.
> sharepoint.com.         NS      ns1.org.domain.name.au.
> difforg.diffdomain.au.  NS      dns1.org.domain.name.au.
> 
> 0.0.127.in-addr.arpa.   NS      dns1.org.domain.name.au.
> 
> xxx.xxx.in-addr.arpa.   NS      dns1.org.domain.name.au.
> 
> localhost.              A       127.0.0.1
> 
> ; Glue
> dns1.org.domain.name.au. A      ip.of.dns1
> ns1.org.domain.name.au.  A      ip.of.ns1
> ;dns2.org.domain.name.au. A      xxx.xxx.xxx.xxx
> 
> The root hints file (named.root) has the below:
> 
> .       3600    IN NS   dns1.org.domain.name.au
> dns1    3600        A   ip.of.dns1
> 
> 
> nslookup on a client returns this:
> nslookup sharepoint.com
> Server:         ip.of.dns1
> Address:        ip.of.dns1#53
> 
> Non-authoritative answer:
> *** Can't find sharepoint.com: No answer
> 
> And running dig on a client returns this:
>  dig +trace sharepoint.com
> 
> ; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
> ;; global options:  printcmd
> .                       86400   IN      NS      dns1.org.domain.name.au.
> ;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
> 
> sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
> ;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
> 
> ;; connection timed out; no servers could be reached
> 
> 
> Regards
> Anup
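An added illustration of why the client-side trace is misleading (example code written for this thread, not from the original posts or from ISC): `dig +trace` performs the iterative lookup from the client itself, following the NS referral straight to ns1 and never passing through dns1's forward-only zone, so the script below parses the posted transcript (embedded as constructed input) and reports which server the client was trying to reach when the trace timed out. A plain recursive query to dns1 is what actually exercises the forward zone.

```python
import re

# Client-side transcript as posted (constructed copy, link debris stripped).
TRACE = """\
; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options:  printcmd
.                       86400   IN      NS      dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

sharepoint.com.         86400   IN      NS      ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms

;; connection timed out; no servers could be reached
"""

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")
FROM_RE = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")

def parse_trace(text):
    """Return (hops, stalled_at): each hop is {zone, nameservers, answered_by},
    the referral dig received and who sent it; stalled_at lists the nameservers
    dig was contacting itself when the trace timed out ([] if it completed)."""
    hops, current, stalled_at = [], None, []
    for line in text.splitlines():
        m = NS_RE.match(line)
        if m:                                   # one NS record of a referral
            zone, ns = m.groups()
            if current is None or current["zone"] != zone:
                current = {"zone": zone, "nameservers": [], "answered_by": ""}
            current["nameservers"].append(ns)
        elif (m := FROM_RE.match(line)) and current is not None:
            current["answered_by"] = m.group(1)  # server that sent the referral
            hops.append(current)
            current = None
        elif line.startswith(";; connection timed out") and hops:
            # The timeout follows the last referral: dig was talking to that
            # referral's nameservers directly from this host, not via dns1.
            stalled_at = list(hops[-1]["nameservers"])
    return hops, stalled_at

def explain(text):
    """Summarise the referral chain and where the client itself got stuck."""
    hops, stalled_at = parse_trace(text)
    lines = [f'{h["zone"]} NS {", ".join(h["nameservers"])} (from {h["answered_by"]})'
             for h in hops]
    if stalled_at:
        lines.append("+trace iterates from this host and never uses dns1's forward "
                     "zone; it stalled contacting " + ", ".join(stalled_at) + " directly")
    return "\n".join(lines)
```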
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
