Re: Selective forwarding from an internal only name server

2016-08-19 Thread S Carr
On 19 August 2016 at 09:02, anup albal  wrote:
> Below are the options on the external name server.

Those aren't the full configs, and we need them from both DNS servers. I get
that you don't want to expose some of the information, but you're asking for
help; we can't do that if you keep things back and obfuscate details.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Selective forwarding from an internal only name server

2016-08-19 Thread anup albal
Hi


Below are the options on the external name server.

options {
    directory "/var/named";
    pid-file  "/var/named/tmp/named.pid";
    forwarders { list.external.isp.forwarders; 127.0.0.1; };

    query-source    address externalLooking.ip.of.ns;
    notify-source   externalLooking.ip.of.ns;
    transfer-source externalLooking.ip.of.ns;

    allow-query { any; };
    allow-recursion { full.range.org.ips; 127.0.0.1; localhost; };
    allow-transfer { full.range.org.ips;
                     external.isp.ip.1;
                     external.isp.ip.2;
    };
    notify yes;
    listen-on {
        127.0.0.1;
        externalLooking.ip.of.ns;
        internalLooking.ip.of.ns;  // ns1
    };

    version "unknown";
};

Below is output from dig run on dns1 (internal)

 dig sharepoint.com

; <<>> DiG 9.6-ESV-R11-P2 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached
; <<>> DiG 9.6-ESV-R11-P2 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached


And the dig output from a client being served by dns1:
dig sharepoint.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached

dig microsoft.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;microsoft.com. IN  A

;; Query time: 915 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Fri Aug 19 17:47:46 AEST 2016
;; MSG SIZE  rcvd: 31

And when run again:
dig microsoft.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached



At this stage I am at a complete loss as to why this is not working.

There is a firewall between the internal and external name servers. Other than 
ensuring that port 53 is open between the two name servers for TCP and UDP 
traffic, is there anything else I need to check?

Thanks
Anup

________
From: anup albal <anupal...@hotmail.com>
Sent: Friday, 19 August 2016 4:25 PM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi


To clarify a bit.

The server that runs ns1 has named listening on two addresses.


One is an external facing address providing resolution to the queries coming 
from the internet.

Let's call this ns.org.domain.name.au.

The other one is internal facing, and that is what ns1 points to.

There are certain zones that ns.org.domain.name.au hosts authoritatively 
to the internet.


For example, ns.org.domain.name.au is authoritative for 
application.org.domain.name.au on the internet.


I have confirmed that ns1 has recursion enabled for all ip ranges within the 
organization.

I have also now added the below options to the named.conf on dns1 as well.


 recursion yes;
 allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
 allow-recursion-on { any; };


After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from 
dns1. However, it can resolve them if I run "dig +trace sharepoint.com" or "dig 
+trace microsoft.com".


On the internal clients talking to dns1, I get an NXDOMAIN response.


--Anup



From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Kevin


Does that mean I set up another forwarding zone called microsoft.com or 
sharepoint.microsoft.com, or both?


And then do I need to add NS record entries similar to sharepoint.com in the 
fake root file?


Regards
Anup



From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Chris


Below is without the "+trace" option. Also, there is a firewall between the internal 
(dns1) and external (ns1) name servers, and

we have opened up TCP/UDP port 53 from dns1 to ns1.


; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.IN  A

;; AUTHORITY SECTION:
sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN  A   ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip
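As an added illustration (example code written for this archive page, not from anyone in the thread and not from ISC): the three dig outcomes quoted in this message, a timeout, a SERVFAIL, and a NOERROR with an empty answer plus an NS in the authority section, each point at a different failure, and the header line separates them. The script parses transcripts constructed from those outputs; the function names (parse_dig, classify, triage) are hypothetical. The check worth remembering is the RA flag: a reply with rd set but ra absent means the server did not recurse for that client, and a forward zone is only ever consulted during recursion.

```python
"""Triage of dig transcripts like the ones in this thread: tell a timeout, a
SERVFAIL, a referral answered without recursion, and a real answer apart.
Example code added to this archive page, not from any poster or from ISC;
the sample transcripts are constructed from the outputs quoted above."""
import re

# Constructed sample transcripts, trimmed to the lines the triage needs.
SAMPLE_RUNS = {
    "timeout": (
        "; <<>> DiG 9.6-ESV-R11-P2 <<>> sharepoint.com\n"
        ";; global options: +cmd\n"
        ";; connection timed out; no servers could be reached\n"
    ),
    "servfail": (
        "; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com\n"
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n"
    ),
    "referral": (
        "; <<>> DiG 9.3.4-P1 <<>> sharepoint.com\n"
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
        ";; AUTHORITY SECTION:\n"
        "sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au\n"
    ),
}

STATUS_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r"flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)"
)


def parse_dig(text):
    """Pull status, header flags and section counts out of one dig transcript."""
    info = {"timeout": False, "status": None, "flags": set(), "answer": 0, "authority": 0}
    for line in text.splitlines():
        if "connection timed out" in line:
            info["timeout"] = True
        m = STATUS_RE.search(line)
        if m:
            info["status"] = m.group(1)
        m = FLAGS_RE.search(line)
        if m:
            info["flags"] = set(m.group(1).split())
            info["answer"] = int(m.group(3))
            info["authority"] = int(m.group(4))
    return info


def classify(info):
    """Map parsed header fields to the failure class a resolver admin acts on."""
    if info["timeout"]:
        # No reply at all: wrong server address, listen-on, or a firewall in the path.
        return "timeout"
    if info["status"] == "SERVFAIL":
        # The server attempted resolution and failed, e.g. its forwarder refused or timed out.
        return "servfail"
    if info["status"] == "NOERROR" and info["answer"] == 0 and info["authority"] > 0:
        if "rd" in info["flags"] and "ra" not in info["flags"]:
            # Client asked for recursion (rd) but the server did not offer it (no ra):
            # it answered from its own zone data with a delegation instead of forwarding.
            return "referral-no-recursion"
        return "referral"
    if info["status"] == "NOERROR" and info["answer"] > 0:
        return "answer"
    return "other"


def triage(runs):
    """Classify every transcript in a {label: text} mapping."""
    return {label: classify(parse_dig(text)) for label, text in runs.items()}


if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_RUNS).items():
        print(f"{label}: {verdict}")
```

Run it as-is and the referral case is reported as "referral-no-recursion"; that is the same shape as the nslookup "No answer" the internal clients saw, and it is why S Carr's reply focuses on recursion and its ACLs rather than on the forward zone itself.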

Re: Selective forwarding from an internal only name server

2016-08-19 Thread S Carr
On 19 August 2016 at 07:25, anup albal  wrote:
> After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from
> dns1. However it can resolve it if i run a "dig +trace sharepoint.com" or
> "dig +trace microsoft.com"

Can you post your full configs and the full dig outputs? Don't use
+trace; it won't work as you think it does. You're using internal roots
and forwarding, which messes up +trace.


Re: Selective forwarding from an internal only name server

2016-08-19 Thread anup albal
Hi


To clarify a bit.

The server that runs ns1 has named listening on two addresses.


One is an external facing address providing resolution to the queries coming 
from the internet.

Let's call this ns.org.domain.name.au.

The other one is internal facing, and that is what ns1 points to.

There are certain zones that ns.org.domain.name.au hosts authoritatively 
to the internet.


For example, ns.org.domain.name.au is authoritative for 
application.org.domain.name.au on the internet.


I have confirmed that ns1 has recursion enabled for all ip ranges within the 
organization.

I have also now added the below options to the named.conf on dns1 as well.


 recursion yes;
 allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
 allow-recursion-on { any; };


After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from 
dns1. However, it can resolve them if I run "dig +trace sharepoint.com" or "dig 
+trace microsoft.com".


On the internal clients talking to dns1, I get an NXDOMAIN response.


--Anup



From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Kevin


Does that mean I set up another forwarding zone called microsoft.com or 
sharepoint.microsoft.com, or both?


And then do I need to add NS record entries similar to sharepoint.com in the 
fake root file?


Regards
Anup



From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Chris


Below is without the "+trace" option. Also, there is a firewall between the internal 
(dns1) and external (ns1) name servers, and

we have opened up TCP/UDP port 53 from dns1 to ns1.


; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.IN  A

;; AUTHORITY SECTION:
sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN  A   ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84



Regards
Anup



From: Chris Buxton <cli...@buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:


Hi

First up, apologies if this is not the right list to email, and for a long email. 
I am hoping you can give me a clue as to what I am doing wrong here, or maybe 
this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file 
for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external only DNS (ns1) which can talk to the internet for 
DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved 
on clients being served by dns1.

On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set 
as the forwarder.
And on the fake root zone file, I have added an entry for sharepoint like below:
sharepoint.com.  NS ns1.org.domain.name.au.

When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets "Non-authoritative: No answer".

Below are my snippets of my named.conf on dns1 (internal)

options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on  { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer;  // BIND9 (deal with Windows Server 2003)

};

<.>
zone "." in {
type master;
file "fake/root";
};

zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (ip and domai

RE: Selective forwarding from an internal only name server

2016-08-18 Thread Darcy Kevin (FCA)
Well, the costs/benefits/risks of separating authoritative and recursive on 
different *servers* (as opposed to different NICs, views, or whatever) are 
actually a hotly-debated topic among experts. I know some non-DNS-expert 
opinions, from the InfoSec side of the house, consider hardware-level 
separation "ideal", but frankly, I don't think they understand the concepts of 
NIC- or view-level separation, and need to be edumacated. Personally, I prefer 
a larger number of multi-role boxes, with view separation. The larger number of 
boxes means more availability and resilience against, say, Denial of Service 
attacks, which can target recursive service *or* authoritative service *or* 
both.

By the way, the original poster never said that he was hosting any zones 
authoritatively to the Internet on NS1, so why would you assume that he is? He 
said only that it served "external clients", but those could be *recursive* 
clients, for all we know.

That having been said, I concur with your technical recommendations.

- Kevin



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of S Carr
Sent: Thursday, August 18, 2016 4:31 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server

On 18 August 2016 at 01:04, anup albal <anupal...@hotmail.com> wrote:
> Does that mean I setup another forwarding zone called microsoft.com or 
> sharepoint.microsoft.com or both?

Ideally you should set up a completely separate caching/forwarding server and 
not be using the external DNS box (NS1) for this purpose.

On the box you are forwarding the queries to (NS1), you need to enable recursion 
and specify an ACL for recursion to limit it to allowing recursion only from 
the internal DNS1 box.

On the internal DNS box (DNS1), also make sure recursion is enabled and an ACL 
is in place allowing your client subnets, and configure forward zones for the 
sharepoint.com and microsoft.com zones (and any other zones needed by the 
SharePoint service) to point at the NS1 box.


RE: Selective forwarding from an internal only name server

2016-08-18 Thread Darcy Kevin (FCA)
As I read it, you have to buy the "flattening" as an extra service from 
CloudFlare. Their default is to give CNAME at the apex, intentionally violating 
RFCs.

What a concept: charging extra for RFC-compliance.


- Kevin


-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry 
Margolin
Sent: Wednesday, August 17, 2016 9:08 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Selective forwarding from an internal only name server

In article <mailman.301.1471466524.15653.bind-us...@lists.isc.org>,
 "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com> wrote:

> Barry,
>   Cloudflare has been doing this for a while, so that their customers 
> won't be "limited by the DNS specifications (RFCs)" . 
> Having done that, they were compelled to offer another service -- so-called 
> "CNAME flattening"
> -- to fix the brokenness that's caused by their base offering.
> 
> See
> https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root
> 
> I think Akamai also offers something similar.

But these don't work by sending an actual CNAME record. The server that 
implements flattening looks up the IP of the target, and returns it as an A 
record for the domain.

That's why Cloudflare's method is "RFC-compliant", but what MS is doing with 
sharepoint.com is not.

> 
>   - Kevin
> 
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf 
> Of Barry Margolin
> Sent: Wednesday, August 17, 2016 4:34 PM
> To: comp-protocols-dns-b...@isc.org
> Subject: Re: Selective forwarding from an internal only name server
> 
> In article <mailman.299.1471461214.15653.bind-us...@lists.isc.org>,
>  "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com> wrote:
> 
> > Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you 
> > might need to make arrangements for that to be resolvable as well.
> 
> That doesn't seem valid to begin with. The .COM zone has delegation NS 
> records for sharepoint.com. Having a CNAME record for the same name is wrong.
> 
> --
> Barry Margolin
> Arlington, MA

--
Barry Margolin
Arlington, MA


Re: Selective forwarding from an internal only name server

2016-08-18 Thread S Carr
On 18 August 2016 at 01:04, anup albal  wrote:
> Does that mean I setup another forwarding zone called microsoft.com or
> sharepoint.microsoft.com or both?

Ideally you should set up a completely separate caching/forwarding
server and not be using the external DNS box (NS1) for this purpose.

On the box you are forwarding the queries to (NS1), you need to enable
recursion and specify an ACL for recursion to limit it to allowing
recursion only from the internal DNS1 box.

On the internal DNS box (DNS1), also make sure recursion is enabled and
an ACL is in place allowing your client subnets, and configure forward
zones for the sharepoint.com and microsoft.com zones (and any other zones
needed by the SharePoint service) to point at the NS1 box.
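As an added example of the layout S Carr describes (written for this archive page; it is not S Carr's code, not from the thread, and not from ISC): NS1 recurses only for DNS1, DNS1 recurses for the internal client subnets and forwards the named zones to NS1. The named.conf fragments are constructed, with 192.0.2.1 standing in for NS1 and 10.0.0.53 / 10.0.0.0/8 for DNS1 and the internal clients (placeholder addresses, not the thread's real ones); the checker functions (check_recursion, check_forward_zones, audit) are hypothetical and its brace-matching parser understands only the statements shown. named-checkconf remains the tool for syntax-checking a real file; this script checks the policy, in particular that the external server's allow-recursion is not left at any.

```python
"""Policy check for the two-server forwarding layout: NS1 recurses only for
DNS1, DNS1 recurses for internal clients and forwards listed zones to NS1.
Example code added to this archive page, not from any poster or from ISC.
Configs are constructed; 192.0.2.1 stands for NS1, 10.0.0.53 for DNS1."""
import re

NS1_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { 10.0.0.53; 127.0.0.1; };   // only the internal DNS1 box
};
"""

NS1_OPEN_CONF = """
options {
    recursion yes;
    allow-recursion { any; };   // weak: NS1 becomes an open resolver
};
"""

DNS1_CONF = """
options {
    directory "/var/dns";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; localhost; };
};
zone "." in {
    type master;
    file "fake/root";
};
zone "sharepoint.com" in {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };
};
"""


def block_body(text, start):
    """Return the text between the braces of the first '{' at or after start."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    raise ValueError("unbalanced braces")


def find_block(text, header_re):
    """Body of the first block whose header matches header_re, or None."""
    m = re.search(header_re, text)
    return block_body(text, m.end()) if m else None


def check_recursion(conf, role):
    """Findings for the options block: recursion on, ACL present and not open."""
    findings = []
    opts = find_block(conf, r"(?<![-\w])options(?![-\w])") or ""
    if not re.search(r"(?<![-\w])recursion\s+yes\s*;", opts):
        findings.append(f"{role}: recursion is not enabled")
    acl = find_block(opts, r"allow-recursion(?![-\w])")   # not allow-recursion-on
    if acl is None:
        findings.append(f"{role}: no allow-recursion ACL")
    elif re.search(r"\bany\b", acl):
        findings.append(f"{role}: allow-recursion permits any")
    return findings


def check_forward_zones(conf, domains, target):
    """Findings for DNS1: each domain needs a forward-only zone pointing at target."""
    findings = []
    for d in domains:
        zone = find_block(conf, r'zone\s+"%s\.?"' % re.escape(d))
        if zone is None:
            findings.append(f"no forward zone for {d}")
            continue
        if not re.search(r"\btype\s+forward\s*;", zone):
            findings.append(f"{d}: zone is not type forward")
        if not re.search(r"\bforward\s+only\s*;", zone):
            findings.append(f"{d}: missing 'forward only'")
        if target not in (find_block(zone, r"\bforwarders\b") or ""):
            findings.append(f"{d}: forwarders do not include {target}")
    return findings


def audit(ns1_conf, dns1_conf, domains, ns1_addr):
    """Combined findings for the server pair; an empty list means the layout matches."""
    return (check_recursion(ns1_conf, "NS1")
            + check_recursion(dns1_conf, "DNS1")
            + check_forward_zones(dns1_conf, domains, ns1_addr))


if __name__ == "__main__":
    print(audit(NS1_CONF, DNS1_CONF, ["sharepoint.com", "microsoft.com"], "192.0.2.1"))
    print(check_recursion(NS1_OPEN_CONF, "NS1"))
```

Run against the constructed DNS1 fragment, the audit reports only that microsoft.com has no forward zone, which is exactly the follow-up S Carr asks for; against the open NS1 variant it reports the any ACL, which is the setting to avoid on a server that also answers the internet.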


Re: Selective forwarding from an internal only name server

2016-08-18 Thread S Carr
On 18 August 2016 at 02:07, Barry Margolin  wrote:
> That's why Cloudflare's method is "RFC-compliant", but what MS is doing
> with sharepoint.com is not.

Microsoft's DNS implementation allows CNAMEs at the zone apex. Correct,
it's not RFC compliant, but this is Microsoft...


Re: Selective forwarding from an internal only name server

2016-08-17 Thread Barry Margolin
In article <mailman.301.1471466524.15653.bind-us...@lists.isc.org>,
 "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com> wrote:

> Barry,
>   Cloudflare has been doing this for a while, so that their customers 
> won't be 
> "limited by the DNS specifications (RFCs)" . Having done that, 
> they were compelled to offer another service -- so-called "CNAME flattening" 
> -- to fix the brokenness that's caused by their base offering.
> 
> See 
> https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root
> 
> I think Akamai also offers something similar.

But these don't work by sending an actual CNAME record. The server that 
implements flattening looks up the IP of the target, and returns it as 
an A record for the domain.

That's why Cloudflare's method is "RFC-compliant", but what MS is doing 
with sharepoint.com is not.

> 
>   - Kevin
> 
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry 
> Margolin
> Sent: Wednesday, August 17, 2016 4:34 PM
> To: comp-protocols-dns-b...@isc.org
> Subject: Re: Selective forwarding from an internal only name server
> 
> In article <mailman.299.1471461214.15653.bind-us...@lists.isc.org>,
>  "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com> wrote:
> 
> > Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you 
> > might need to make arrangements for that to be resolvable as well.
> 
> That doesn't seem valid to begin with. The .COM zone has delegation NS 
> records for sharepoint.com. Having a CNAME record for the same name is wrong.
> 
> --
> Barry Margolin
> Arlington, MA

-- 
Barry Margolin
Arlington, MA


Re: Selective forwarding from an internal only name server

2016-08-17 Thread anup albal
Hi Kevin


Does that mean I set up another forwarding zone called microsoft.com or 
sharepoint.microsoft.com, or both?


And then do I need to add NS record entries similar to sharepoint.com in the 
fake root file?


Regards
Anup



From: anup albal <anupal...@hotmail.com>
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Chris


Below is without the "+trace" option. Also, there is a firewall between the internal 
(dns1) and external (ns1) name servers, and

we have opened up TCP/UDP port 53 from dns1 to ns1.


; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.IN  A

;; AUTHORITY SECTION:
sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN  A   ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84



Regards
Anup



From: Chris Buxton <cli...@buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:


Hi

First up, apologies if this is not the right list to email, and for a long email. 
I am hoping you can give me a clue as to what I am doing wrong here, or maybe 
this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file 
for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external only DNS (ns1) which can talk to the internet for 
DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved 
on clients being served by dns1.

On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set 
as the forwarder.
And on the fake root zone file, I have added an entry for sharepoint like below:
sharepoint.com.  NS ns1.org.domain.name.au.

When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets "Non-authoritative: No answer".

Below are my snippets of my named.conf on dns1 (internal)

options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on  { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer;  // BIND9 (deal with Windows Server 2003)

};

<.>
zone "." in {
type master;
file "fake/root";
};

zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (ip and domain names changed for 
security)

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;

.                       IN  SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
                            2016081608  ; serial
                            10800       ; refresh
                            3600        ; retry
                            360         ; expire
                            86400 )     ; minimum

.                       NS  dns1.org.domain.name.au.
;.                      NS  dns2.org.domain.name.au.

com.au.                 NS  dns1.org.domain.name.au.
sharepoint.com.         NS  ns1.org.domain.name.au.
difforg.diffdomain.au.  NS  dns1.org.domain.name.au.

0.0.127.in-addr.arpa.   NS  dns1.org.domain.name.au.

xxx.xx

Re: Selective forwarding from an internal only name server

2016-08-17 Thread anup albal
Hi Chris


Below is without the "+trace" option. Also, there is a firewall between the internal 
(dns1) and external (ns1) name servers, and

we have opened up TCP/UDP port 53 from dns1 to ns1.


; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.IN  A

;; AUTHORITY SECTION:
sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN  A   ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84



Regards
Anup



From: Chris Buxton <cli...@buxtonfamily.us>
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:


Hi

First up, apologies if this is not the right list to email, and for a long email. 
I am hoping you can give me a clue as to what I am doing wrong here, or maybe 
this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file 
for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external only DNS (ns1) which can talk to the internet for 
DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved 
on clients being served by dns1.

On dns1 I have set up a forward-only zone called 'sharepoint.com' with ns1 set 
as the forwarder.
And on the fake root zone file, I have added an entry for sharepoint like below:
sharepoint.com.  NS ns1.org.domain.name.au.

When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets "Non-authoritative: No answer".

Below are my snippets of my named.conf on dns1 (internal)

options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on  { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer;  // BIND9 (deal with Windows Server 2003)

};

<.>
zone "." in {
type master;
file "fake/root";
};

zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (ip and domain names changed for 
security)

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;

.                       IN  SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
                            2016081608  ; serial
                            10800       ; refresh
                            3600        ; retry
                            360         ; expire
                            86400 )     ; minimum

.                       NS  dns1.org.domain.name.au.
;.                      NS  dns2.org.domain.name.au.

com.au.                 NS  dns1.org.domain.name.au.
sharepoint.com.         NS  ns1.org.domain.name.au.
difforg.diffdomain.au.  NS  dns1.org.domain.name.au.

0.0.127.in-addr.arpa.   NS  dns1.org.domain.name.au.

xxx.xxx.in-addr.arpa.   NS  dns1.org.domain.name.au.

localhost.              A   127.0.0.1

; Glue
dns1.org.domain.name.au.    A   ip.of.dns1
ns1.org.domain.name.au.     A   ip.of.ns1
;dns2.org.domain.name.au.   A   xxx.xxx.xxx.xxx

The root hints file (named.root) has below

.   3600

RE: Selective forwarding from an internal only name server

2016-08-17 Thread Darcy Kevin (FCA)

Barry,
Cloudflare has been doing this for a while, so that their customers 
won't be "limited by the DNS specifications (RFCs)" . Having done 
that, they were compelled to offer another service -- so-called "CNAME 
flattening" -- to fix the brokenness that's caused by their base offering.

See 
https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root

I think Akamai also offers something similar.

- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry 
Margolin
Sent: Wednesday, August 17, 2016 4:34 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Selective forwarding from an internal only name server

In article <mailman.299.1471461214.15653.bind-us...@lists.isc.org>,
 "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com> wrote:

> Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you 
> might need to make arrangements for that to be resolvable as well.

That doesn't seem valid to begin with. The .COM zone has delegation NS records 
for sharepoint.com. Having a CNAME record for the same name is wrong.

--
Barry Margolin
Arlington, MA


Re: Selective forwarding from an internal only name server

2016-08-17 Thread Barry Margolin
In article ,
 "Darcy Kevin (FCA)"  wrote:

> Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you might 
> need to make arrangements for that to be resolvable as well.

That doesn't seem valid to begin with. The .COM zone has delegation NS 
records for sharepoint.com. Having a CNAME record for the same name is 
wrong.

-- 
Barry Margolin
Arlington, MA
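As an added illustration of the rule Barry applies here and in his earlier reply (example code written for this archive page, not from Barry, the thread or ISC): RFC 1034 section 3.6.2 says a name that owns a CNAME may own no other data, and a zone apex always owns SOA and NS records, so a CNAME at the apex is invalid whatever the authoritative server is willing to serve. The lint below reads master-file text and reports every owner name that carries a CNAME next to other records. The zone is constructed with placeholder names, the function names (logical_lines, parse_records, cname_conflicts) are hypothetical, and the parser assumes every record states its owner explicitly.

```python
"""Zone-data lint for CNAME coexistence: flag any owner name that has a CNAME
plus other records (RFC 1034 s.3.6.2; an apex always has SOA and NS, so a
CNAME there is always a conflict). Example code added to this archive page,
not from any poster; the zone text is constructed with placeholder names."""
from collections import defaultdict

# Constructed zone: the apex carries SOA, NS and a CNAME, the shape Barry
# objects to; www.example.test. is a legitimate CNAME with nothing else.
BROKEN_ZONE = """
$TTL 3600
example.test.        IN SOA   ns1.example.test. hostmaster.example.test. (
                              2016081701 10800 3600 604800 3600 )
example.test.        IN NS    ns1.example.test.
example.test.        IN CNAME portal.example.test.   ; invalid at the apex
www.example.test.    IN CNAME portal.example.test.
ns1.example.test.    IN A     192.0.2.1
portal.example.test. IN A     192.0.2.2
"""


def logical_lines(text):
    """Yield records with comments stripped and parenthesised continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        buf = (buf + " " + line.strip()) if buf else line
        if buf.count("(") > buf.count(")"):
            continue            # still inside a multi-line SOA
        yield buf
        buf = ""


def parse_records(text):
    """Return (owner, rrtype) pairs; the optional TTL and class fields are skipped."""
    records = []
    for line in logical_lines(text):
        if line.startswith("$"):
            continue            # $TTL / $ORIGIN directives carry no records
        tokens = line.split()
        owner = tokens.pop(0).lower()
        if tokens and tokens[0].isdigit():
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        records.append((owner, tokens[0].upper()))
    return records


def cname_conflicts(text):
    """Map each offending owner to the sorted list of non-CNAME types it also owns."""
    by_owner = defaultdict(set)
    for owner, rrtype in parse_records(text):
        by_owner[owner].add(rrtype)
    return {o: sorted(t - {"CNAME"}) for o, t in by_owner.items()
            if "CNAME" in t and len(t) > 1}


if __name__ == "__main__":
    for owner, others in cname_conflicts(BROKEN_ZONE).items():
        print(f"{owner}: CNAME coexists with {', '.join(others)}")
```

On the constructed zone the only hit is the apex, reported alongside its NS and SOA; the www name passes because its CNAME stands alone. This is the distinction between what Microsoft serves for sharepoint.com and what Cloudflare's flattening does: the flattened answer is a synthesized A record, so no CNAME ever coexists with the apex SOA and NS.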


RE: Selective forwarding from an internal only name server

2016-08-17 Thread Darcy Kevin (FCA)
Well, sharepoint.com is a CNAME to sharepoint.microsoft.com, so you might need 
to make arrangements for that to be resolvable as well.



- Kevin

P.S. I don't think it matters - and I'm too lazy to check right now - but it's 
remotely possible that the trailing period in your forwarding-zone definition 
("sharepoint.com.") might be problematic. Easy enough to confirm/deny.

--
Kevin Darcy
NAFTA Information Security Projects

FCA US LLC
1075 W Entrance Dr,
Auburn Hills, MI 48326
USA

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.da...@fcagroup.com

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of anup 
albal
Sent: Wednesday, August 17, 2016 6:00 AM
To: bind-users@lists.isc.org
Subject: Selective forwarding from an internal only name server

Hi

First up, apologies if this is not the right list to email, and for a long email. 
I am hoping you can give me a clue as to what I am doing wrong here, or maybe 
this is not supposed to work at all.

We have an internal-only DNS server (dns1) with a fake root zone, i.e. a fake file 
for the zone ".". This serves all internal clients.
We are running 9.6-ESV-R11-P2 for this.

And we also have an external only DNS (ns1) which can talk to the internet for 
DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g sharepoint.com) resolved 
on clients being served by dns1.

On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 set 
as the forwarder.
And in the fake root zone file, I have added an entry for sharepoint like the one below
sharepoint.com.  NS ns1.org.domain.name.au.

When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets a "Non-authoritative: No answer".

Below are snippets of my named.conf on dns1 (internal)

options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on  { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer;// BIND9 (deal with Windows Server 2003)

};

<.>
zone "." in {
type master;
file "fake/root";
};

zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (ip and domain names changed for 
security)

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;

.   IN  SOA dns1.org.domain.name.au.
xxx.dns1.org.domain.name.au.  (
 2016081608  ; serial
 10800   ; refresh
 3600; retry
 360 ; expire
 86400 ) ; minimum

.   NS  dns1.org.domain.name.au.
;.  NS  dns2.org.domain.name.au.

com.au. NS  dns1.org.domain.name.au.
sharepoint.com. NS  ns1.org.domain.name.au.
difforg.diffdomain.au. NS  dns1.org.domain.name.au.

0.0.127.in-addr.arpa.   NS  dns1.org.domain.name.au.

xxx.xxx.in-addr.arpa.   NS  dns1.org.domain.name.au.

localhost.  A   127.0.0.1

; Glue
dns1.org.domain.name.au. A  ip.of.dns1
ns1.org.domain.name.au.  A  ip.of.ns1
;dns2.org.domain.name.au. A  xxx.xxx.xxx.xxx

The root hints file (named.root) has below

.       3600    IN  NS   dns1.org.domain.name.au
dns1    3600        A    ip.of.dns1


nslookup on a client returns this
nslookup sharepoint.com
Server: ip.of.dns1
Address:ip.of.dns1#53

Non-authoritative answer:
*** Can't find sharepoint.com: No answer

And running dig on a client returns this
dig +trace sharepoint.com

; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
;; global options:  printcmd
.   86400   IN  NS  dns1.org.domain.name.au.
;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms

sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au.
;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms

;; connection timed out; no servers could be reached


Regards

Anup
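The two points raised in this thread, Anup's forward-only zone sitting beneath an authoritative fake root and Kevin's observation that sharepoint.com is a CNAME to sharepoint.microsoft.com, can be checked together offline with a small model. The Python below is an added example, not BIND code and not anything posted in the thread: it parses the zone statements and the fake root file (both constructed here from the snippets above, with placeholder addresses), routes each hop of the CNAME chain the way BIND picks the closest enclosing configured zone, and reports which hop lands in the fake root and gets NXDOMAIN from dns1 itself. The CNAME chain and the 203.0.113.10 address are constructed stand-ins, and treating a zone name with a trailing dot as the same name without it is an assumption the model makes, not a statement about BIND's parser.

```python
"""Offline model of where dns1 (internal, authoritative for a fake root) sends
each hop of a query. Added example, not BIND code; inputs are constructed."""
import re

# Constructed from the named.conf snippet in the thread (placeholder addresses).
NAMED_CONF = '''
zone "." in { type master; file "fake/root"; };
zone "sharepoint.com." in {
    type forward;
    forward only;
    forwarders { ip.of.ns1; };
};
'''
# Same config plus a forward zone for the CNAME target's domain (the fix Kevin hints at).
NAMED_CONF_FIXED = NAMED_CONF + '''
zone "microsoft.com" in { type forward; forward only; forwarders { ip.of.ns1; }; };
'''
# Constructed from the fake/root zone file in the thread.
FAKE_ROOT = '''
$TTL 86400
.   IN  SOA dns1.org.domain.name.au. xxx.dns1.org.domain.name.au. (
        2016081608 10800 3600 360 86400 )
.                        NS  dns1.org.domain.name.au.
com.au.                  NS  dns1.org.domain.name.au.
sharepoint.com.          NS  ns1.org.domain.name.au.
dns1.org.domain.name.au. A   ip.of.dns1
ns1.org.domain.name.au.  A   ip.of.ns1
'''
# Public data as Kevin describes it (constructed; 203.0.113.10 is a placeholder).
PUBLIC_RECORDS = {
    "sharepoint.com": ("CNAME", "sharepoint.microsoft.com"),
    "sharepoint.microsoft.com": ("A", "203.0.113.10"),
}


def normalize(name):
    """Lower-case and drop the trailing dot: 'sharepoint.com.' == 'sharepoint.com'
    (an assumption of this model, see Kevin's P.S.). The root becomes ''."""
    return name.strip().lower().rstrip(".")


def parse_zones(named_conf):
    """Return {zone_name: body} for every zone statement, matching braces so a
    nested forwarders { ... } block stays inside its zone's body."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"', named_conf):
        start, depth = named_conf.index("{", m.end()), 0
        for i in range(start, len(named_conf)):
            depth += {"{": 1, "}": -1}.get(named_conf[i], 0)
            if depth == 0:
                zones[normalize(m.group(1))] = named_conf[start + 1:i]
                break
    return zones


def forward_zones(named_conf):
    """Return {zone_name: [forwarders]} for the zones of type forward."""
    result = {}
    for name, body in parse_zones(named_conf).items():
        if re.search(r"\btype\s+forward\s*;", body):
            fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
            result[name] = [t.strip() for t in fwd.group(1).split(";") if t.strip()] if fwd else []
    return result


def delegations(zonefile):
    """Return {owner: [nameservers]} for the NS records in a zone file."""
    result = {}
    for raw in zonefile.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) >= 3 and fields[-2] == "NS":
            result.setdefault(normalize(fields[0]), []).append(normalize(fields[-1]))
    return result


def route(name, fwd, deleg):
    """Walk from the name towards the root and stop at the first configured zone:
    a forward zone or an NS delegation in the fake root. Anything else is inside
    the authoritative fake root, where dns1 answers NXDOMAIN without asking anyone."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in fwd:
            return ("forward", suffix, fwd[suffix])
        if suffix in deleg:
            return ("delegate", suffix, deleg[suffix])
    return ("fake-root", "", deleg.get("", []))


def resolve(qname, named_conf, zonefile, public, max_hops=8):
    """Route every hop of the CNAME chain with dns1's own configuration.
    Returns ([(name, where)], reached_final_target)."""
    fwd, deleg = forward_zones(named_conf), delegations(zonefile)
    hops, name = [], normalize(qname)
    for _ in range(max_hops):
        where = route(name, fwd, deleg)[0]
        hops.append((name, where))
        if where == "fake-root":
            return hops, False  # NXDOMAIN from the local fake root
        rtype, rdata = public.get(name, (None, None))
        if rtype != "CNAME":
            return hops, rtype is not None
        name = normalize(rdata)  # the CNAME target is routed the same way
    return hops, False  # chain too long or looping


if __name__ == "__main__":
    for label, conf in (("as posted", NAMED_CONF), ("with microsoft.com forwarded", NAMED_CONF_FIXED)):
        hops, ok = resolve("sharepoint.com", conf, FAKE_ROOT, PUBLIC_RECORDS)
        print(f"{label}: {'resolves' if ok else 'fails'} via {hops}")
```

With the configuration as posted, the first hop (sharepoint.com) is forwarded to ns1 but the CNAME target (sharepoint.microsoft.com) matches no forward zone or delegation and falls into the fake root; adding a forward zone for microsoft.com routes both hops to ns1.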

Re: Selective forwarding from an internal only name server

2016-08-17 Thread Chris Buxton
Try it without "+trace".

Regards,
Chris

> On Aug 17, 2016, at 2:59 AM, anup albal  wrote:
> 
> Hi
> 
> First up, apologies if this is not the right list to email and for a long 
> email. I am hoping you can give me a clue as to what I am doing wrong here? 
> Or maybe this is not supposed to work at all.
> 
> We have an internal only DNS server (dns1) with a fake root zone, i.e. a fake 
> file for the zone ".". This serves all internal clients.
> We are running 9.6-ESV-R11-P2 for this.
> 
> And we also have an external only DNS (ns1) which can talk to the internet 
> for DNS queries and serves external clients.
> 
> Now we have a requirement to have certain domains (e.g. sharepoint.com) 
> resolved on clients being served by dns1.
> 
> On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 
> set as the forwarder.
> And in the fake root zone file, I have added an entry for sharepoint like the 
> one below
> sharepoint.com.  NS ns1.org.domain.name.au.
> 
> When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
> But when I run it from an internal client it gets a "Non-authoritative: No 
> answer".
> 
> Below are snippets of my named.conf on dns1 (internal)
> 
> options {
> directory "/var/dns";
> forwarders { ip.of.ns1; };
> listen-on  { ip.of.dns1; 127.0.0.1; };
> query-source address ip.of.dns1;
> notify-source ip.of.dns1;
> transfer-source ip.of.dns1;
> allow-transfer { xxx.xxx/16; };
> transfer-format one-answer;// BIND9 (deal with Windows Server 2003)
> 
> };
> 
> <.>
> zone "." in {
> type master;
> file "fake/root";
> };
> 
> zone "." in {
> type hint;
> file "/var/dns/fake/named.root";
> };
> zone "sharepoint.com." in {
> type forward;
> forward only;
> forwarders {ip.of.ns1;};
> };
> 
> The file fake/root has entries like below (ip and domain names changed for 
> security)
> 
> $TTL 86400
> ; NOTE:  TTL based on from Bind8 SOA record
> ;
> ; This file contains *fake* DNS Resource Records for the root domain (.)
> ;
> 
> .   IN  SOA dns1.org.domain.name.au.
> xxx.dns1.org.domain.name.au.  (
>  2016081608  ; serial
>  10800   ; refresh
>  3600; retry
>  360 ; expire
>  86400 ) ; minimum
> 
> .   NS  dns1.org.domain.name.au.
> ;.  NS  dns2.org.domain.name.au.
> 
> com.au. NS  dns1.org.domain.name.au.
> sharepoint.com. NS  ns1.org.domain.name.au.
> difforg.diffdomain.au. NS  dns1.org.domain.name.au.
> 
> 0.0.127.in-addr.arpa.   NS  dns1.org.domain.name.au.
> 
> xxx.xxx.in-addr.arpa.   NS  dns1.org.domain.name.au.
> 
> localhost.  A   127.0.0.1
> 
> ; Glue
> dns1.org.domain.name.au. A  ip.of.dns1
> ns1.org.domain.name.au.  A  ip.of.ns1
> ;dns2.org.domain.name.au. A  xxx.xxx.xxx.xxx
> 
> The root hints file (named.root) has below
> 
> .       3600    IN  NS   dns1.org.domain.name.au
> dns1    3600        A    ip.of.dns1
> 
> 
> nslookup on a client returns this
> nslookup sharepoint.com
> Server: ip.of.dns1
> Address:ip.of.dns1#53
> 
> Non-authoritative answer:
> *** Can't find sharepoint.com: No answer
> 
> And running dig on a client returns this
> dig +trace sharepoint.com
> 
> ; <<>> DiG 9.3.4-P1 <<>> +trace sharepoint.com
> ;; global options:  printcmd
> .   86400   IN  NS  dns1.org.domain.name.au.
> ;; Received 69 bytes from ip.of.dns1#53(ip.of.dns1) in 1 ms
> 
> sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au.
> ;; Received 84 bytes from ip.of.dns1#53(dns1.org.domain.name.au) in 0 ms
> 
> ;; connection timed out; no servers could be reached
> 
> 
>