Re: named failed to resolve forwarding queries (with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-24 Thread Nagesh Thati
Thanks a lot for your quick response. Your answer is helpful.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: named failed to resolve forwarding queries (with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-24 Thread Tony Finch
Nagesh Thati  wrote:
>
> Can anyone tell me why I am getting TSIG errors and SERVFAIL errors for
> non-managed zones? Why is named using the "server statement" TSIG key in
> forwarding queries instead of using this TSIG only for IXFR/AXFR?

TSIG is a bit confusing to set up because there are a bunch of options
and the use-cases and pros and cons can be unclear.

The `server` clause has a grab-bag of options that you can specify about
other nameservers that your server might communicate with for whatever
reason. If you configure a TSIG key in a `server` clause, it is used for
all traffic with that server. (There will normally be a corresponding
config on the other server for traffic in the opposite direction.) It's
convenient to use for traffic between authoritative servers, because it
gives you one place to secure refresh queries, notifies, and zone
transfers. But in a more complicated configuration like yours it can have
an unwanted effect on other traffic.

Another approach is to configure TSIG for each kind of traffic separately.
More explicit, but more verbose. The way I like to do this is to have
`acl` clauses with helpful names, which can then be used in allow-notify
and allow-transfer options to require TSIG for incoming requests; and
corresponding top-level `primaries` clauses for use in per-zone
`primaries` and/or `also-notify` clauses for outgoing requests. I can put
all this access control stuff into a shared config file used on all my
servers, and the authoritative TSIG stuff will not affect recursive
queries.

(For example, at Cambridge we have a mutual secondarying arrangement with
Imperial College with TSIG and IPv6 and DNSSEC and all that good stuff;
our recursive servers don't know anything special about the Imperial
zones, and we don't need or want recursive queries between us to use TSIG.
Our recursive servers still have the same shared access control config,
but the Imperial parts are not used there, because none of the zone
clauses refer to the Imperial acl/primaries names.)

This kind of explicit TSIG configuration doesn't work in all cases: for
instance, you can't specify TSIG keys in the `forwarders` clause, so you
have to use a `server` clause to configure TSIG for forwarding.

I haven't answered your specific questions because I'm not sure I
understand the details of your setup properly, but I hope this more
general answer is helpful.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
harness technological change to human advantage

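Added example, not taken from Tony's or Nagesh's messages: the `server`-clause setup from the original post next to the explicit per-traffic arrangement Tony describes, using the addresses from the thread. The nested-negation ACL, the fragment for the downstream server 10.1.10.25 and the file path on it are my assumptions; the secrets are elided.

```conf
// Fragment 1 - as posted on the slave 10.1.10.120. The key is bound to the
// peer, so named signs everything it sends to 10.1.10.25: AXFR/IXFR, NOTIFY
// and the forwarded recursive queries alike.
key "COMMUNICATION-KEY" {
    algorithm hmac-sha512;
    secret "<base64 secret elided>";
};
server 10.1.10.25 {
    keys { "COMMUNICATION-KEY"; };
    provide-ixfr yes;
    request-ixfr yes;
};
options {
    recursion yes;
    forward only;
    forwarders { 10.1.10.25; };   // these queries now carry a TSIG; the posted log
                                  // shows "tsig indicates error" and SERVFAIL
};

// Fragment 2 - explicit alternative for 10.1.10.120. The transfers to
// 10.1.10.25 are requests *received* here, so TSIG is demanded in the
// allow-transfer ACL; no server clause is needed and forwarding stays unsigned.
key "COMMUNICATION-KEY" {
    algorithm hmac-sha512;
    secret "<base64 secret elided>";
};
// Nested-negation idiom (my assumption, not from the thread): anything not
// from 10.1.10.25 matches the inner list positively, so the outer "!" rejects
// it; 10.1.10.25 itself falls through to the key test. Net effect: the request
// must come from the peer address AND be signed with the key.
acl "transfer-core-dns" {
    !{ !10.1.10.25; any; };
    key "COMMUNICATION-KEY";
};
zone "example1.com" IN {
    type secondary;               // "type slave" / "masters" in older releases
    file "/var/named/zones/slaves/db.example1.com";
    primaries { 10.1.10.110; };   // inbound transfers from the primary, as posted
    allow-notify { 10.1.10.110; };
    allow-transfer { transfer-core-dns; };
    notify yes;
};
options {
    recursion yes;
    forward only;
    forwarders { 10.1.10.25; };   // no server clause for 10.1.10.25: unsigned
};

// Fragment 3 - assumed counterpart on 10.1.10.25. Its transfer requests to
// 10.1.10.120 are signed by naming the key in a top-level primaries list, as
// Tony describes; the recursive service it provides is untouched.
key "COMMUNICATION-KEY" {
    algorithm hmac-sha512;
    secret "<base64 secret elided>";
};
primaries "core-dns-upstream" { 10.1.10.120 key "COMMUNICATION-KEY"; };
zone "example1.com" IN {
    type secondary;
    file "/var/named/db.example1.com";        // assumed path
    primaries { core-dns-upstream; };
};
```

Check each file with named-checkconf before reloading. After the change, `dig @10.1.10.120 google.com A` should answer instead of SERVFAIL, an unsigned `dig @10.1.10.120 example1.com AXFR` should be refused, and the same AXFR with `-y hmac-sha512:COMMUNICATION-KEY:<secret>` should succeed.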


named failed to resolve forwarding queries (with global forwarders specified with "forward only") when "server section statement" has forwarder IP

2021-11-23 Thread Nagesh Thati
Hi,

I have a BIND master server (10.1.10.110) and a slave server (recursive,
10.1.10.120), and also global forwarding to another server for non-managed
domains.
The forwarding server (10.1.10.25) is also a slave for example1.com and example2.com,
which it gets by zone transfer from the BIND slave server.

Below is my named.conf configuration; in the config, for secure zone
transfers I am using a "server statement" with a TSIG communication key. With
this configuration, when named is loaded on the BIND slave server,
I can only resolve example1.com and example2.com on the BIND slave server
(10.1.10.120); for other non-managed domains I see SERVFAIL errors.

Can anyone tell me why I am getting TSIG errors and SERVFAIL errors for
non-managed zones? Why is named using the "server statement" TSIG key in
forwarding queries instead of using this TSIG only for IXFR/AXFR?




BIND AUTH Master IP: 10.1.10.110
BIND AUTH Slave IP: 10.1.10.120
Forwarder IP: 10.1.10.25

named.conf:

#-
# ACLs
#-


acl "transfer-core-dns" { 10.1.10.25; };

#-
# Key Definition
#-
key "RNDC-KEY" {
algorithm HMAC-SHA512;
secret
"ykLMNmAECOp4fcBMqIddG17Ubo4sTvm1zb5YSh7HvEjP8F2f+XU9uavOx4hoVBKANDY0tJIRlNOI8U8LaJunDg==";
};
#-
# Controls Definition
#-
acl "RNDC-USERS" {
127.0.0.1;
localhost;
};
controls {
inet 127.0.0.1 port 953 allow { RNDC-USERS; } keys { "RNDC-KEY";};
};

#-
# Logging Definition
#-
logging {
channel named {
file "/var/named/log/named.log" versions 10 size 100M;
severity  dynamic;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
named;
};
};

#-
# Global Options
#-
options {
directory "/";
allow-query {any;};
allow-transfer {none;};
blackhole {none;};
dnssec-enable yes;
dnssec-validation no;
listen-on-v6 {none;};
check-srv-cname ignore;
check-mx-cname ignore;
check-mx ignore;
check-names master ignore;
check-names response ignore;
dump-file "/var/named/log/named_dump.db";
lame-ttl 600;
max-ncache-ttl 10800;
minimal-responses yes;
pid-file "/var/run/named/named.pid";
recursion yes;
session-keyfile "/var/run/named/session.key";
statistics-file "/var/named/log/named.stats";
tcp-clients 1000;
zone-statistics yes;
empty-zones-enable no;
rrset-order {
order cyclic;
};
transfers-in 50;
transfers-out 30;
transfers-per-ns 30;
no-case-compress {any; };
allow-recursion {any;};
recursive-clients 1;

forward only;
forwarders { 10.1.10.25; };
flush-zones-on-shutdown yes;
};

#-
# Statistics Section
#-
statistics-channels {
inet 127.0.0.1 port 8080 allow { 127.0.0.1; };
};



#-
# Server Definition
#-
key "COMMUNICATION-KEY" {
algorithm HMAC-SHA512;
secret
"1HVF90bx+6ywx5Ovr1SOCcL2inTDc0gYRoG6BK/TU+g8tAr3j0ptJsZ6OjfNxEYcMGDRt5m5z/it1gPe7+jJqA==";
};




server 10.1.10.25 {
keys "COMMUNICATION-KEY";
provide-ixfr yes;
request-ixfr yes;
};

#-
# Zone Section
#-
zone "." IN { type hint; file "/var/named/zones/masters/db.cache"; };
zone "example1.com" IN {
type slave;
file "/var/named/zones/slaves/db.example1.com";
allow-transfer { transfer-core-dns; };
allow-notify {10.1.10.110;};
notify yes;
masters {
10.1.10.110;
};
check-names ignore;
zone-statistics yes;
forwarders {};
};
zone "example2.com" IN {
type slave;
file "/var/named/zones/slaves/db.example2.com";
allow-transfer {transfer-core-dns;};
allow-notify {10.1.10.110;};
notify yes;
masters {
10.1.10.110;
};
check-names ignore;
zone-statistics yes;
forwarders {};
};

named.log:
client: error: query (google.com/NS): query_find: unexpected error after
resuming: tsig indicates error
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/NS at query.c:8678
client: error: query (google.com/MX): query_find: unexpected error after
resuming: tsig indicates error
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/MX at query.c:8678
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/A at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/A at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/NS at query.c:7118
query-errors: info: (google.com): query failed (SERVFAIL) for
google.com/IN/MX at query.c:7118


Response Policy Zone on forward-only nameserver

2017-04-13 Thread Mark Elsen
Ref : bind-9.9.7-P2

Can I use the RPZ mechanism on a forward-only nameserver too, without
abandoning the forward-only setup?

M.

Re: forward only recursive server doesn't forward

2016-10-20 Thread Alex
Hi,

>> zone "96/28.104.104.66.in-addr.arpa" {
>>type slave;
>>file "slaves/db.104.104.66";
>>masters { 64.1.1.3; };
>>allow-query { any; };
>>allow-transfer { trusted; };
>> };
>
>
>> I set up the reverse zone a long time ago, and I don't think the "zone
>> 96/28.104.104.66.in-addr.arpa" is completely correct, but it appears
>> to work. I'm not sure if that's related to the problem, but would
>> appreciate advice there.
>
> The domain 96/28.104.104.66.in-addr.arpa is completely correct, however the
> DNS clients must know they have to search for this domain.
>
> Thus, you must ask your ISP to delegate part of
> 104.104.66.in-addr.arpa to your subdomain:

Yes, this I knew. I think what caused me to suspect it as somehow not
being completely correct is the result from a host command:

# host 66.104.104.100
100.104.104.66.in-addr.arpa is an alias for 100.96/28.104.104.66.in-addr.arpa.
100.96/28.104.104.66.in-addr.arpa domain name pointer email.example.com.

It just doesn't look right.

Thanks,
Alex


Re: forward only recursive server doesn't forward

2016-10-20 Thread Alex
Hi,

>> >> I have a bind-9.10.3 server on fedora22 that is authoritative for a
>> >> few domains and their corresponding IP ranges. I'd like to set up
>> >> another domain server (rbldnsd) on a host in one of those domains as a
>> >> forward-only server.
>> >>
>> >> The problem appears to be that the queries from the local box to the
>> >> subdomain being managed by the rbldnsd server are being answered by
>> >> the local bind instead of being sent to the remote machine running
>> >> rbldnsd.
>> >
>> > Add a delegation for scann.example.com in example.com.  Forward
>> > zones control *where* the queries are sent, not if queries are sent.
>>
>> I'm sorry, I don't understand. This system is already a slave for the
>> forward zone example.com. I just realized I forgot to include that in
>> my previous post:
>>
>> zone "example.com" {
>> type slave;
>> file "slaves/db.example.com";
>> masters { 64.1.1.3; };
>> allow-query { any; };
>> allow-transfer { trusted; };
>> };
>
> Add NS records for scann.example.com to example.com.  This is how
> nameservers are supposed to find out which machines serve which
> zones.
>
> scann.example.com.  3600 NS .

Thank you. I have no idea how I forgot about that part. It now appears
to be working.


Re: forward only recursive server doesn't forward

2016-10-20 Thread Reindl Harald



Am 20.10.2016 um 03:27 schrieb Alex:

I have a bind-9.10.3 server on fedora22 that is authoritative for a
few domains and their corresponding IP ranges. I'd like to set up
another domain server (rbldnsd) on a host in one of those domains as a
forward-only server


why on another host?
it just adds latency for no gain

"rbldnsd -b 127.0.0.1/1053" and it runs on the same host; the
sub-zone config below is for unbound, but I guess it's not too hard to find the
same for named


stub-zone:
 name: "scann.example.com."
 stub-addr: 127.0.0.1@1053


[root@mail-gw:~]$ netstat -l | grep 53
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      998/unbound
udp        0      0 127.0.0.1:1053          0.0.0.0:*                           989/rbldnsd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           998/unbound



Re: forward only recursive server doesn't forward

2016-10-20 Thread Matus UHLAR - fantomas

On 19.10.16 21:27, Alex wrote:

I have a bind-9.10.3 server on fedora22 that is authoritative for a
few domains and their corresponding IP ranges. I'd like to set up
another domain server (rbldnsd) on a host in one of those domains as a
forward-only server.



The problem appears to be that the queries from the local box to the
subdomain being managed by the rbldnsd server are being answered by
the local bind instead of being sent to the remote machine running
rbldnsd.



In other words, I believe the issue is that the host is already
authoritative for the reverse zone, so there would be no reason for it
to forward these queries to another system.


Mark already took care of the first part of your post.


zone "96/28.104.104.66.in-addr.arpa" {
   type slave;
   file "slaves/db.104.104.66";
   masters { 64.1.1.3; };
   allow-query { any; };
   allow-transfer { trusted; };
};




I set up the reverse zone a long time ago, and I don't think the "zone
96/28.104.104.66.in-addr.arpa" is completely correct, but it appears
to work. I'm not sure if that's related to the problem, but would
appreciate advice there.


The domain 96/28.104.104.66.in-addr.arpa is completely correct, however the
DNS clients must know they have to search for this domain.

Thus, you must ask your ISP to delegate part of 


104.104.66.in-addr.arpa to your subdomain:

96/28   IN  NS  your.server.name.
96  IN  CNAME   96/28
97  IN  CNAME   97/28
...
111 IN  CNAME   111/28


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
If Barbie is so popular, why do you have to buy her friends? 
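Added example (mine, not Matus's or Alex's): both halves of the classless (RFC 2317) reverse delegation, the ISP's parent records and the child zone your own server loads, using the names from the thread. The alias targets are written in the form Alex's host output shows (100.104.104.66.in-addr.arpa is an alias for 100.96/28.104.104.66.in-addr.arpa). The SOA values, the second PTR and the file path are assumptions.

```conf
; Fragment 1 - parent side, in 104.104.66.in-addr.arpa, run by the ISP. The /28
; is delegated to a zone whose name contains the slash, and every address in
; the block is aliased to "<last octet>.96/28" inside that zone.
$ORIGIN 104.104.66.in-addr.arpa.
96/28   IN  NS     your.server.name.
96      IN  CNAME  96.96/28
97      IN  CNAME  97.96/28
; ... one CNAME per address in the block ...
111     IN  CNAME  111.96/28

; Fragment 2 - child side: the zone data your server is authoritative for
; (Alex's server is a secondary of 64.1.1.3 for it). PTR owner names are the
; last octet, relative to the slashed origin, so they line up with the CNAMEs.
$ORIGIN 96/28.104.104.66.in-addr.arpa.
$TTL 3600
@       IN  SOA  your.server.name. hostmaster.example.com. (
                 2016102001  ; serial (assumed)
                 3600        ; refresh
                 900         ; retry
                 1209600     ; expire
                 3600 )      ; negative caching TTL
        IN  NS   your.server.name.
100     IN  PTR  email.example.com.   ; the answer in Alex's host lookup
97      IN  PTR  mail.example.com.    ; assumed

// Fragment 3 - zone statement on the primary (9.10 spelling, matching the
// thread; Alex's secondary statement is as he posted it).
zone "96/28.104.104.66.in-addr.arpa" {
    type master;
    file "masters/db.104.104.66";      // assumed path
    allow-transfer { trusted; };
};
```

`named-checkzone '96/28.104.104.66.in-addr.arpa' masters/db.104.104.66` validates the child file, and `dig -x 66.104.104.100` should show the CNAME followed by the PTR, exactly the two lines Alex's host command printed. The slash in the name is the whole point of the scheme, not a mistake; if the parent CNAMEs point at the bare zone name instead of "<octet>.96/28", lookups land on the zone apex and find no PTR.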


Re: forward only recursive server doesn't forward

2016-10-19 Thread Mark Andrews

In message 

Re: forward only recursive server doesn't forward

2016-10-19 Thread Alex
Hi Mark,

On Wed, Oct 19, 2016 at 9:48 PM, Mark Andrews <ma...@isc.org> wrote:
>
> In message 
> <CAB1R3sjkUOzWeEbyhSF-s+J=Wfu2La2kQ513uRQu9YFi=jc...@mail.gmail.com>, Alex 
> writes:
>> Hi,
>>
>> I have a bind-9.10.3 server on fedora22 that is authoritative for a
>> few domains and their corresponding IP ranges. I'd like to set up
>> another domain server (rbldnsd) on a host in one of those domains as a
>> forward-only server.
>>
>> The problem appears to be that the queries from the local box to the
>> subdomain being managed by the rbldnsd server are being answered by
>> the local bind instead of being sent to the remote machine running
>> rbldnsd.
>
> Add a delegation for scann.example.com in example.com.  Forward
> zones control *where* the queries are sent, not if queries are sent.

I'm sorry, I don't understand. This system is already a slave for the
forward zone example.com. I just realized I forgot to include that in
my previous post:

zone "example.com" {
type slave;
file "slaves/db.example.com";
masters { 64.1.1.3; };
allow-query { any; };
allow-transfer { trusted; };
};

Thanks,
Alex


Re: forward only recursive server doesn't forward

2016-10-19 Thread Mark Andrews

In message 
<CAB1R3sjkUOzWeEbyhSF-s+J=Wfu2La2kQ513uRQu9YFi=jc...@mail.gmail.com>, Alex 
writes:
> Hi,
> 
> I have a bind-9.10.3 server on fedora22 that is authoritative for a
> few domains and their corresponding IP ranges. I'd like to set up
> another domain server (rbldnsd) on a host in one of those domains as a
> forward-only server.
> 
> The problem appears to be that the queries from the local box to the
> subdomain being managed by the rbldnsd server are being answered by
> the local bind instead of being sent to the remote machine running
> rbldnsd.

Add a delegation for scann.example.com in example.com.  Forward
zones control *where* the queries are sent, not if queries are sent.

> In other words, I believe the issue is that the host is already
> authoritative for the reverse zone, so there would be no reason for it
> to forward these queries to another system.
> 
> Here are the relevant sections of my named.conf:
> 
> // spam IP entries
> zone "scann.example.com" {
> type forward;
> forwarders { 66.104.104.66; };
> };
> 
> // zone info for 66.104.104.96/28
> zone "96/28.104.104.66.in-addr.arpa" {
> type slave;
> file "slaves/db.104.104.66";
> masters { 64.1.1.3; };
> allow-query { any; };
> allow-transfer { trusted; };
> };
> 
> Queries for abc.com.scann.example.com fail with NXDOMAIN. Log entries
> are similar to this:
> 
> 19-Oct-2016 21:22:39.846 queries: client 127.0.0.1#41809
> (abc.com.scann.example.com): query: abc.com.scann.example.com IN A +
> (127.0.0.1)
> 
> I set up the reverse zone a long time ago, and I don't think the "zone
> 96/28.104.104.66.in-addr.arpa" is completely correct, but it appears
> to work. I'm not sure if that's related to the problem, but would
> appreciate advice there.
> 
> Thanks,
> Alex
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
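Added example (mine, not Mark's or Alex's) of the delegation Mark asks for, alongside the forward zone from Alex's named.conf. The nameserver name ns.scann.example.com is assumed; 66.104.104.66 and 64.1.1.3 are the addresses from the thread.

```conf
; Fragment 1 - example.com zone data (maintained on the primary 64.1.1.3, from
; which this server transfers it). The delegation turns a lookup below
; scann.example.com from an authoritative NXDOMAIN into a referral, i.e. into
; something the server has to recurse for.
$ORIGIN example.com.
scann      3600  IN  NS  ns.scann.example.com.   ; delegation (assumed NS name)
ns.scann   3600  IN  A   66.104.104.66           ; glue: the rbldnsd host from the post

// Fragment 2 - named.conf on the BIND server (9.10 spelling, as posted). Once a
// query needs recursion, the forward zone decides *where* it goes; "forward
// only" stops named from following the NS record itself if the forwarder
// does not answer.
zone "example.com" {
    type slave;
    file "slaves/db.example.com";
    masters { 64.1.1.3; };
    allow-query { any; };
    allow-transfer { trusted; };
};

zone "scann.example.com" {
    type forward;
    forward only;
    forwarders { 66.104.104.66; };
};
```

`dig @127.0.0.1 scann.example.com NS +norecurse` should now return the delegation, and `dig @127.0.0.1 abc.com.scann.example.com A` an answer from rbldnsd; an NXDOMAIN at that point means the listing is absent, not that example.com swallowed the query.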


forward only recursive server doesn't forward

2016-10-19 Thread Alex
Hi,

I have a bind-9.10.3 server on fedora22 that is authoritative for a
few domains and their corresponding IP ranges. I'd like to set up
another domain server (rbldnsd) on a host in one of those domains as a
forward-only server.

The problem appears to be that the queries from the local box to the
subdomain being managed by the rbldnsd server are being answered by
the local bind instead of being sent to the remote machine running
rbldnsd.

In other words, I believe the issue is that the host is already
authoritative for the reverse zone, so there would be no reason for it
to forward these queries to another system.

Here are the relevant sections of my named.conf:

// spam IP entries
zone "scann.example.com" {
type forward;
forwarders { 66.104.104.66; };
};

// zone info for 66.104.104.96/28
zone "96/28.104.104.66.in-addr.arpa" {
type slave;
file "slaves/db.104.104.66";
masters { 64.1.1.3; };
allow-query { any; };
allow-transfer { trusted; };
};

Queries for abc.com.scann.example.com fail with NXDOMAIN. Log entries
are similar to this:

19-Oct-2016 21:22:39.846 queries: client 127.0.0.1#41809
(abc.com.scann.example.com): query: abc.com.scann.example.com IN A +
(127.0.0.1)

I set up the reverse zone a long time ago, and I don't think the "zone
96/28.104.104.66.in-addr.arpa" is completely correct, but it appears
to work. I'm not sure if that's related to the problem, but would
appreciate advice there.

Thanks,
Alex


Re: forward only single zone

2016-03-08 Thread Oto BREZINA




On 2016-03-07 18:05, Tony Finch wrote:

Oto BREZINA <o...@e-posta.sk> wrote:

I need to create one subzone of public zone which is served by another server.
This can not be transfered. Server is located on LAN.

Tricky. I don't think it is possible to do what you want with BIND.
You probably can do it with dnsdist - see http://dnsdist.org/
(I have not tried to use dnsdist myself.)

Explanation of why it doesn't work below...

Thank you for the answer and explanation; not the answer I was hoping
for, but somehow expected, based on web research. At least I'm not
going to invest time in a dead end. I'll check if I can get a separate IP
for my calc zone and NAT it.





Re: forward only single zone

2016-03-08 Thread Oto BREZINA



On 2016-03-07 22:17, Darcy Kevin (FCA) wrote:

Don't turn your DNS and/or network infrastructures into pretzels trying to get this "forwarding" or 
"(reverse) proxying" to work. Ultimately, I expect you'll end up maintaining the records of 
interest in both an internal and an external version of the subzone. Then the only question becomes to what 
extent you can automate the "sync".

I'm not sure you answered my question. This was just a snapshot on the way to a
solution for my problem. I have a DNS server serving as master and slave
for some zones and as a forwarder for the internal network. I need to forward a single
zone from outside to the LAN as transparently as possible; taking into account
my research and the other answer, it seems there is no way, even if I moved the
cache function onto a separate machine. The idea was to create a single-zone
view, but the matching rules won't allow this.

I'll get back to the simple configuration, reverting the "pretzel" model, and
investigate the possibility of getting a separate IP for calc.example.com so it
will be NATed in.

Anyway thanks for your answer.






RE: forward only single zone

2016-03-07 Thread Darcy Kevin (FCA)
Don't turn your DNS and/or network infrastructures into pretzels trying to get 
this "forwarding" or "(reverse) proxying" to work. Ultimately, I expect you'll 
end up maintaining the records of interest in both an internal and an external 
version of the subzone. Then the only question becomes to what extent you can 
automate the "sync".


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Oto BREZINA
Sent: Friday, March 04, 2016 6:09 PM
To: bind-users@lists.isc.org
Subject: forward only single zone

I successfully set up a schizophrenic BIND-based DNS. It is version 9.9.5 running 
on Ubuntu.

I got local zones :
 serving internal side.
 public zones master and slaves (server in same way for internal and 
externals clients)

I need to create one subzone of a public zone which is served by another server. 
This cannot be transferred. The server is located on the LAN.
Is there way to set this? I tried to set views, but with no luck.

my setting right now is like:

view "local" {
 allow-query { internals; };
 match-clients { internals; };
 recursion yes;

 include "local zones";
 include "public zones";
 include "slave zones";
};

view "public" {
 allow-query { any; };
 match-clients { any; };
 recursion no;

 include "public zones"; // contains example.com with clue to same 
server
 include "slave zones";
};

I need to add

zone "calc.example.com" {
 type forward;
 forward only;
 forwarders { local_machine; };
 };

adding it to local won't let external clients get access, but works from 
internals; adding it to public does not help, it returns only clues; forward 
only won't work as recursion is no; adding another view public2 seems to have no 
effect.

I'm aware it is not a recommended setup, but even if I ran separate local and 
public servers, I still have no idea how to not have an open DNS but forward a single 
zone.

Please advise.

Oto


Re: forward only single zone

2016-03-07 Thread Tony Finch
Oto BREZINA <o...@e-posta.sk> wrote:
>
> I need to create one subzone of a public zone which is served by another server.
> This cannot be transferred. The server is located on the LAN.

Tricky. I don't think it is possible to do what you want with BIND.
You probably can do it with dnsdist - see http://dnsdist.org/
(I have not tried to use dnsdist myself.)

Explanation of why it doesn't work below...

> my setting right now is like:
>
> view "local" {
> allow-query { internals; };
> match-clients { internals; };
> recursion yes;
>
> include "local zones";
> include "public zones";
> include "slave zones";
> };
>
> view "public" {
> allow-query { any; };
> match-clients { any; };
> recursion no;
>
> include "public zones"; // contains example.com with clue to same
> server
>     include "slave zones";
> };
>
> I need to add
>
> zone "calc.example.com" {
> type forward;
> forward only;
> forwarders { local_machine; };
> };
>
> adding it to local won't let external clients get access, but works from
> internals
> adding it to public does not help, it returns only clues; forward only won't
> work as recursion is no; adding another view public2 seems to have no effect.

The reason this doesn't work is that forwarding in BIND is only for
recursive queries.

So when you add this "type forward" zone to your public view, it doesn't
work for two reasons: firstly, you have disabled recursion on the view,
which is normally exactly the right thing, but it also disables
forwarding; and secondly, most queries that your server will receive on
its public view will be from resolvers with the "recursion desired" bit
off, RD=0, which also disables forwarding.

And because recursion is disabled, clients that query for calc.example.com
will get a referral rather than the answer you expected.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Lundy, Fastnet, Irish Sea: Northerly or northwesterly, backing southwesterly
for a time, 4 or 5, increasing 6 at times. Slight or moderate, occasionally
rough in Fastnet. Rain or showers. Moderate or good, occasionally poor.
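The rule Tony states (forwarding in BIND only happens for recursive queries, so a "type forward" zone inside a "recursion no" view never forwards) is easy to get wrong in a multi-view config. As an added example, not part of the thread and not BIND's own code, here is a small Python lint that parses a named.conf fragment and reports every forward zone whose view (or the global scope) has recursion switched off; the config text is constructed here to mirror Oto's two-view layout, with 10.0.0.5 standing in for "local_machine", and include files are not followed.

```python
import re

# Tokenizer for the named.conf subset used in this thread: quoted strings,
# comments (dropped), braces/semicolons, and bare words such as IPs or names.
_TOKEN_RE = re.compile(r'"[^"]*"|//[^\n]*|#[^\n]*|/\*.*?\*/|[{};]|[^\s{};]+', re.S)


def tokenize(text):
    """Split named.conf text into tokens, dropping comments and quote marks."""
    tokens = []
    for tok in _TOKEN_RE.findall(text):
        if tok.startswith(("//", "#", "/*")):
            continue
        tokens.append(tok.strip('"'))
    return tokens


def parse_block(tokens, pos=0):
    """Parse statements up to the matching '}' (or end of input).

    Returns (statements, next_pos); each statement is (words, body) where body
    is the list of nested statements for a '{ ... }' block, or None."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return stmts, pos + 1
        if tok == "{":
            body, pos = parse_block(tokens, pos + 1)
            stmts.append((words, body))
            words = []
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
            pos += 1
        else:
            words.append(tok)
            pos += 1
    return stmts, pos


def option_value(stmts, key, default):
    """Value of a simple 'key value;' statement in a block, or the default."""
    for words, body in stmts:
        if body is None and len(words) >= 2 and words[0] == key:
            return words[1]
    return default


def lint_forward_zones(conf_text):
    """Return [(context, zone_name)] for every 'type forward' zone that sits in
    a context (a view, or the global scope) where recursion is 'no'.

    Caveat: 'include' statements are not followed, so zones living in included
    files are invisible to this check."""
    top, _ = parse_block(tokenize(conf_text))
    options = next((b for w, b in top if w and w[0] == "options" and b is not None), [])
    # BIND's default is recursion yes; a view inherits the global setting.
    global_recursion = option_value(options, "recursion", "yes")
    contexts = [("(global)", top, global_recursion)]
    for words, body in top:
        if words and words[0] == "view" and body is not None:
            contexts.append((words[1], body, option_value(body, "recursion", global_recursion)))
    findings = []
    for name, stmts, recursion in contexts:
        for words, body in stmts:
            if words and words[0] == "zone" and body is not None:
                if option_value(body, "type", "") == "forward" and recursion == "no":
                    findings.append((name, words[1]))
    return findings


# Constructed config mirroring the thread's two-view layout; 10.0.0.5 stands in
# for "local_machine" and the include files are replaced by inline zones.
SAMPLE_CONF = """
options { recursion yes; };

view "local" {
    match-clients { internals; };
    recursion yes;
    zone "calc.example.com" { type forward; forward only; forwarders { 10.0.0.5; }; };
};

view "public" {
    match-clients { any; };
    recursion no;   // right for an authoritative-only view, but it disables forwarding
    zone "example.com" { type master; file "db.example.com"; };
    zone "calc.example.com" { type forward; forward only; forwarders { 10.0.0.5; }; };
};
"""

if __name__ == "__main__":
    for view, zone in lint_forward_zones(SAMPLE_CONF):
        print(f"view {view}: forward zone {zone} will never forward (recursion no)")
```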


forward only single zone

2016-03-04 Thread Oto BREZINA
I successfully set up a schizophrenic BIND-based DNS. It is version 9.9.5 
running on Ubuntu.


I have local zones:
serving the internal side.
Public zones, master and slaves (served in the same way for internal and 
external clients).


I need to create one subzone of a public zone which is served by another 
server. This can not be transferred. The server is located on the LAN.

Is there way to set this? I tried to set views, but with no luck.

my setting right now is like:

view "local" {
allow-query { internals; };
match-clients { internals; };
recursion yes;

include "local zones";
include "public zones";
include "slave zones";
};

view "public" {
allow-query { any; };
match-clients { any; };
recursion no;

include "public zones"; // contains example.com with glue to same server

include "slave zones";
};

I need to add

zone "calc.example.com" {
type forward;
forward only;
forwarders { local_machine; };
};

Adding it to local won't let external clients get access, but it works 
from internals.
Adding it to public does not help; it returns only glue. Forward only 
won't work as recursion is no, and adding another view public2 seems to have no 
effect.


I'm aware it is not a recommended setup, but even if I ran separate 
local and public servers, I still have no idea how to have a non-open DNS but 
forward a single zone.


Please advise.

Oto


Re: Forward only zones.

2011-07-27 Thread Matus UHLAR - fantomas

On 26.07.2011 00:48, Kevin Darcy wrote:
Correct. That's the distinction which is typically made between a 
DNS *forwarder* (which caches) and a DNS *proxy* (which doesn't). 
As far as I know, BIND cannot be configured to be a DNS proxy.


On 26.07.11 11:11, Vbvbrj wrote:

But I don't want BIND as a proxy. )


If you want BIND not to cache, you want a proxy. However BIND can't do 
this now.



Answers from its cache, that may be out of date.


This is tunable via the TTL values on the relevant RRsets. Consult 
the manual of your authoritative DNS server software, for details.

TTL or expires must be lowered at microsoft DNS?


Yes. TTL for records; expires only matters if you fetch zones. Note that 
Microsoft's DNS servers are very bad at maintaining zones (especially 
those dynamically updated by clients).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 


Re: Forward only zones.

2011-07-26 Thread Vbvbrj

On 25.07.2011 10:15, Matus UHLAR - fantomas wrote:
This is how BIND is supposed to work. If you _need_ such setup, why 
don't you setup your AD servers as recursive point clients directly 
to them?
You can theoretically configure maximum cache time in BIND but that 
would be a useless server.


I can configure AD servers to Microsoft DNS. But how about 
workstations? They are all configured to use BIND DNS. If I change 
them to Microsoft DNS, then there is no use of BIND DNS.


There's already no use for BIND if you really want what you described. 
So better deinstall BIND and configure stations to use microsoft's DNS.


Not that I prefer or advise using Microsoft's DNS, it sucks pretty 
much. But as you described it, there's no point in using BIND for you.
I have this point. I want to use BIND, because the server on which 
BIND resides is also a gateway to the internet and every client is 
configured to use it. And I am preparing to switch this server to a *unix 
system, and I am moving every necessary service from Windows-integrated 
to opensource multisystem support.


I just can't for now move active directory's dns database to BIND.


Re: Forward only zones.

2011-07-26 Thread Mark Andrews

In message 4e2de4bb.6050...@chrysler.com, Kevin Darcy writes:
 On 7/24/2011 2:15 AM, Vbvbrj wrote:
  options {
  allow-transfer { none; };
  recursion yes;
  forward first;
  forwarders { a.b.c.d; };  // Forward to providers dns.
  };
  zone my_domain.com IN {
  type forward;
  forward only;
  forwarders { a.b.c.d; }; // Forward to Windows DNS.
  };
 
  I would like BIND to respond to local LAN like this: All queries for 
  local domain my_domain.com to be forwarded to local Microsoft DNS to 
  serve Active Directory. Other queries to sites to forward to external 
  dns servers.
 
  But BIND does not forward everything to microsoft dns. I want that 
  BIND forward every query and return answer, without any caching so 
  that record updating, adding or deleting will be always up-to-date. 
  When I try this configuration, BIND not forwarding every query. 
 Correct. That's the distinction which is typically made between a DNS 
 *forwarder* (which caches) and a DNS *proxy* (which doesn't). As far as 
 I know, BIND cannot be configured to be a DNS proxy.
  Answers from its cache, that may be out of date.
 
 This is tunable via the TTL values on the relevant RRsets. Consult the 
 manual of your authoritative DNS server software, for details.
  Also, records not always are update when adding or removing computers 
  from domain.
 Either a) you're just restating the previous problem (answers might be 
 from cached data) or b) this is a data-consistency or lag problem 
 between various components in Microsoft-land -- BIND cannot fix that.

If one needs a server to be always current then the server needs to
serve the zone.  It should then receive NOTIFY messages about changes
and it can update itself.
 
  - Kevin
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Forward only zones.

2011-07-26 Thread Matus UHLAR - fantomas

On 24.07.2011 18:40, Matus UHLAR - fantomas wrote:
This is how BIND is supposed to work. If you _need_ such setup, 
why don't you set up your AD servers as recursive and point clients 
directly to them?  You can theoretically configure maximum cache 
time in BIND but that would be a useless server.



On 25.07.11 09:24, Vbvbrj wrote:
I can configure AD servers to Microsoft DNS. But how about 
workstations?  They are all configured to use BIND DNS.  If I change 
them to Microsoft DNS, then there is no use of BIND DNS.



On Jul 25, 2011, at 3:15 AM, Matus UHLAR - fantomas wrote:

There's already no use for BIND if you really want what you described.


On 25.07.11 12:50, Warren Kumari wrote:
From original post: Other queries to sites to forward to external 
dns servers. -- this would be handled by BIND…


The OP also says that forwarded queries should not be cached.
using BIND in the middle is in such case purely useless.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

Re: Forward only zones.

2011-07-26 Thread Vbvbrj

On 26.07.2011 00:48, Kevin Darcy wrote:
Correct. That's the distinction which is typically made between a DNS 
*forwarder* (which caches) and a DNS *proxy* (which doesn't). As far 
as I know, BIND cannot be configured to be a DNS proxy.

But I don't want BIND as a proxy. )

Answers from its cache, that may be out of date.


This is tunable via the TTL values on the relevant RRsets. Consult the 
manual of your authoritative DNS server software, for details.

TTL or expires must be lowered at microsoft DNS?
Also, records are not always updated when adding or removing computers 
from the domain.
Either a) you're just restating the previous problem (answers might be 
from cached data) or b) this is a data-consistency or lag problem 
between various components in Microsoft-land -- BIND cannot fix that.

Answers are from cache.

On 26.07.2011 10:22, harish badrinath wrote:

On Mon, Jul 25, 2011 at 7:53 PM, Vbvbrj vbv...@gmail.com wrote:

I just can't for now move active directory's dns database to BIND.


You could use something much simpler like dnsmasq
(http://thekelleys.org.uk/dnsmasq/doc.html). Setting it up as a DNS
forwarder is a breeze, while you migrate DNS data away from microsoft
DNS to BIND ??
Interesting solution, but this software is not for windows. For now I 
replace software for needed services from Microsoft to opensource on the 
same microsoft server. When I'll move every service (samba, AD, file 
server extended security) I'll move to *unix system.


On 26.07.2011 10:57, Peter Andreev wrote:
Maybe you should look at the problem from the other point and configure 
Microsoft's DNS server to forward queries to BIND? Of course you will 
need to reconfigure clients to use Microsoft's DNS only, but in this 
case Microsoft's DNS will serve queries to your domain and BIND will 
serve queries to other domains. I think it will be a better solution. 
For now I just use Microsoft DNS on the same server. Until I will find a 
way for my BIND problem, or learn to use AD with BIND.




Re: Forward only zones.

2011-07-26 Thread harish badrinath
On Mon, Jul 25, 2011 at 7:53 PM, Vbvbrj vbv...@gmail.com wrote:

 I just can't for now move active directory's dns database to BIND.


You could use something much simpler like dnsmasq
(http://thekelleys.org.uk/dnsmasq/doc.html). Setting it up as a DNS
forwarder is a breeze, while you migrate DNS data away from microsoft
DNS to BIND ??


Re: Forward only zones.

2011-07-26 Thread Peter Andreev
2011/7/25 Vbvbrj vbv...@gmail.com:
 On 25.07.2011 10:15, Matus UHLAR - fantomas wrote:

 This is how BIND is supposed to work. If you _need_ such setup, why
 don't you set up your AD servers as recursive and point clients directly to 
 them?
 You can theoretically configure maximum cache time in BIND but that would
 be a useless server.

 I can configure AD servers to Microsoft DNS. But how about workstations?
 They are all configured to use BIND DNS. If I change them to Microsoft DNS,
 then there is no use of BIND DNS.

 There's already no use for BIND if you really want what you described. So
 better deinstall BIND and configure stations to use microsoft's DNS.

 Not that I prefer or advise using Microsoft's DNS, it sucks pretty much.
 But as you described it, there's no point in using BIND for you.

 I have this point. I want to use BIND, because the server on which BIND
 resides is also a gateway to the internet and every client is configured to use it.
 And I am preparing to switch this server to a *unix system, and I am moving every
 necessary service from Windows-integrated to opensource multisystem support.

 I just can't for now move active directory's dns database to BIND.
Maybe you should look at the problem from the other point and configure
Microsoft's DNS server to forward queries to BIND? Of course you will
need to reconfigure clients to use Microsoft's DNS only, but in this
case Microsoft's DNS will serve queries to your domain and BIND will
serve queries to other domains. I think it will be a better solution.




-- 
--
AP


Re: Forward only zones.

2011-07-25 Thread Vbvbrj

On 24.07.2011 18:40, Matus UHLAR - fantomas wrote:

On 24.07.11 09:15, Vbvbrj wrote:

forwarders { a.b.c.d; };  // Forward to providers dns.
};
zone my_domain.com IN {


I would prefer not to use underscores in domain names. While they 
are allowed, they may cause some stuff not to work.

Why do you have underscore here?

It's an example of name. I don't use underscore. )


This is how BIND is supposed to work. If you _need_ such setup, why 
don't you set up your AD servers as recursive and point clients directly to 
them?
You can theoretically configure maximum cache time in BIND but that 
would be a useless server.
I can configure AD servers to Microsoft DNS. But how about workstations? 
They are all configured to use BIND DNS. If I change them to Microsoft 
DNS, then there is no use of BIND DNS.



Re: Forward only zones.

2011-07-25 Thread Matus UHLAR - fantomas

On 24.07.11 09:15, Vbvbrj wrote:

zone my_domain.com IN {



On 24.07.2011 18:40, Matus UHLAR - fantomas wrote:
I would prefer not to use underscores in domain names. While they 
are allowed, they may cause some stuff not to work.

Why do you have underscore here?


On 25.07.11 09:24, Vbvbrj wrote:

It's an example of name. I don't use underscore. )


This is how BIND is supposed to work. If you _need_ such setup, why 
don't you set up your AD servers as recursive and point clients directly 
to them?
You can theoretically configure maximum cache time in BIND but that 
would be a useless server.


I can configure AD servers to Microsoft DNS. But how about 
workstations? They are all configured to use BIND DNS. If I change 
them to Microsoft DNS, then there is no use of BIND DNS.


There's already no use for BIND if you really want what you described. 
So better deinstall BIND and configure stations to use microsoft's DNS.


Not that I prefer or advise using Microsoft's DNS, it sucks pretty 
much. But as you described it, there's no point in using BIND for you.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: Forward only zones.

2011-07-25 Thread Warren Kumari

On Jul 25, 2011, at 3:15 AM, Matus UHLAR - fantomas wrote:

 On 24.07.11 09:15, Vbvbrj wrote:
 zone my_domain.com IN {
 
 On 24.07.2011 18:40, Matus UHLAR - fantomas wrote:
 I would prefer not to use underscores in domain names. While they are 
 allowed, they may cause some stuff not to work.
 Why do you have underscore here?
 
 On 25.07.11 09:24, Vbvbrj wrote:
 It's an example of name. I don't use underscore. )
 
 This is how BIND is supposed to work. If you _need_ such setup, why don't 
 you set up your AD servers as recursive and point clients directly to them?
 You can theoretically configure maximum cache time in BIND but that would be 
 a useless server.
 
 I can configure AD servers to Microsoft DNS. But how about workstations? They 
 are all configured to use BIND DNS. If I change them to Microsoft DNS, then 
 there is no use of BIND DNS.
 
 There's already no use for BIND if you really want what you described.

From original post: Other queries to sites to forward to external dns 
servers. -- this would be handled by BIND…




 So better deinstall BIND and configure stations to use microsoft's DNS.
 
 Not that I prefer or advise using Microsoft's DNS, it sucks pretty much. But 
 as you described it, there's no point in using BIND for you.
 -- 
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
 Fighting for peace is like fucking for virginity...



Re: Forward only zones.

2011-07-25 Thread Kevin Darcy

On 7/24/2011 2:15 AM, Vbvbrj wrote:

options {
allow-transfer { none; };
recursion yes;
forward first;
forwarders { a.b.c.d; };  // Forward to providers dns.
};
zone my_domain.com IN {
type forward;
forward only;
forwarders { a.b.c.d; }; // Forward to Windows DNS.
};

I would like BIND to respond to the local LAN like this: All queries for 
local domain my_domain.com to be forwarded to local Microsoft DNS to 
serve Active Directory. Other queries to sites to forward to external 
DNS servers.


But BIND does not forward everything to microsoft dns. I want that 
BIND forward every query and return answer, without any caching so 
that record updating, adding or deleting will be always up-to-date. 
When I try this configuration, BIND not forwarding every query. 
Correct. That's the distinction which is typically made between a DNS 
*forwarder* (which caches) and a DNS *proxy* (which doesn't). As far as 
I know, BIND cannot be configured to be a DNS proxy.

Answers from its cache, that may be out of date.


This is tunable via the TTL values on the relevant RRsets. Consult the 
manual of your authoritative DNS server software, for details.
Also, records are not always updated when adding or removing computers 
from the domain.
Either a) you're just restating the previous problem (answers might be 
from cached data) or b) this is a data-consistency or lag problem 
between various components in Microsoft-land -- BIND cannot fix that.




- Kevin





Re: Forward only zones.

2011-07-24 Thread Matus UHLAR - fantomas

On 24.07.11 09:15, Vbvbrj wrote:

forwarders { a.b.c.d; };  // Forward to providers dns.
};
zone my_domain.com IN {


I would prefer not to use underscores in domain names. While they are 
allowed, they may cause some stuff not to work.

Why do you have underscore here?


   forwarders { a.b.c.d; }; // Forward to Windows DNS.
};


I would like BIND to respond to the local LAN like this: All queries for 
local domain my_domain.com to be forwarded to local Microsoft DNS to 
serve Active Directory. Other queries to sites to forward to 
external DNS servers.


But BIND does not forward everything to microsoft dns. I want that 
BIND forward every query and return answer, without any caching so 
that record updating, adding or deleting will be always up-to-date. 
When I try this configuration, BIND not forwarding every query. 
Answers from its cache, that may be out of date. Also, records are not 
always updated when adding or removing computers from the domain.


This is how BIND is supposed to work. If you _need_ such setup, why 
don't you set up your AD servers as recursive and point clients directly to 
them?
You can theoretically configure maximum cache time in BIND but that 
would be a useless server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.


forward only not

2010-09-29 Thread Len Conrad
FreeBSD 7.2-RELEASE

BIND 9.6.0-P1

resolv.conf: 
nameserver 127.0.0.1


machine is postfix MX relay-only gateway

on separate machines, zen.dnsbld.domain.net on IPs 10.1.60.1 and 10.1.60.2, 
rbldnsd is running a local copy of zen.spamhaus

nmap shows 10.1.60.1 and 10.1.60.2 with port 53 UDP open.

dig @10.1.60.1 or .2  d.c.b.a.zen.dnsbld.domain.net  works.

named.conf:

zone zen.dnsbld.domain.net { type forward; forwarders { 10.1.60.1 ; 10.1.60.2 
; }; forward only; };

and no other forwarding statements.

named query logging shows client 127.0.0.1 (postfix/postscreen) sending queries 
to 127.0.0.1

tshark capture shows the BIND machine sending queries to the NSs authoritative 
for domain.net, rather than forwarding to the above forwarders.

The above situation on 3 different MXs.  The weirdest is that when we fired up 
private zen and forwarding on the 3 MXs, they all worked immediately, 
perfectly, for about 24 hours, millions of queries, then within a few minutes, 
they all stopped working with the zen servers, and haven't worked since.  
stop/start of postfix and named has no effect.

What is overriding the zone forwarding?

Len



Re: forward only not

2010-09-29 Thread Len Conrad
-- Original Message --
From: Len Conrad lcon...@go2france.com
Reply-To: lcon...@go2france.com
Date:  Wed, 29 Sep 2010 15:58:13 +0200

FreeBSD 7.2-RELEASE

BIND 9.6.0-P1

resolv.conf: 
nameserver 127.0.0.1


machine is postfix MX relay-only gateway

on separate machines, zen.dnsbld.domain.net on IPs 10.1.60.1 and 10.1.60.2, 
rbldnsd is running a local copy of zen.spamhaus

nmap shows 10.1.60.1 and 10.1.60.2 with port 53 UDP open.

dig @10.1.60.1 or .2  d.c.b.a.zen.dnsbld.domain.net  works.

named.conf:

zone zen.dnsbld.domain.net { type forward; forwarders { 10.1.60.1 ; 
10.1.60.2 ; }; forward only; };

and no other forwarding statements.

named query logging shows client 127.0.0.1 (postfix/postscreen) sending 
queries to 127.0.0.1

tshark capture shows the BIND machine sending queries to the NSs authoritative 
for domain.net, rather than forwarding to the above forwarders.

The above situation on 3 different MXs.  The weirdest is that when we fired up 
private zen and forwarding on the 3 MXs, they all worked immediately, 
perfectly, for about 24 hours, millions of queries, then within a few minutes, 
they all stopped working with the zen servers, and haven't worked since.  
stop/start of postfix and named has no effect.

What is overriding the zone forwarding?



Fixed, it was a typo in the forward zone name. The typo was inconsequential and 
worked for one day, until someone removed the NS delegation records for the zen 
zone from the domain.net auth servers.

Len



weird bind cache server behaviour - unexpected root hint delegation on forward only zone

2009-06-15 Thread Paul Sherratt
I have 4 bind cache servers running with config close to what is listed at
the bottom of this post.

All 4 servers have identical bind configuration, running same bind version
(9.5.1-P1), almost identical system layouts.

The issue is that on two of the four servers, requests for records in the
'dnsbl' zone return root hints if the forwarded request comes back
positive!  If the forwarded request returns NXDOMAIN there are no root hints
returned, expected as it is configured 'forward only'.


Am I missing something obvious or anyone have an idea what might be going
on?  Again, the configs _are_ the same, I don't have any other options like
minimal-responses etc set on the two servers that are working as expected!


Regards,

Paul



*$ dig 2.0.0.127.sbl.dnsbl @dns[12]*

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; QUESTION SECTION:
;2.0.0.127.sbl.dnsbl.   IN  A

;; ANSWER SECTION:
2.0.0.127.sbl.dnsbl.300 IN  A   127.0.0.2

;; AUTHORITY SECTION:
.   516796  IN  NS  J.ROOT-SERVERS.NET.
.   516796  IN  NS  K.ROOT-SERVERS.NET.
...

;; ADDITIONAL SECTION:
J.ROOT-SERVERS.NET. 603196  IN  A   192.58.128.30
J.ROOT-SERVERS.NET. 603196  IN  2001:503:c27::2:30

;; Query time: 8 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Mon Jun 15 20:05:44 2009
;; MSG SIZE  rcvd: 308



*$ dig 2.0.0.127.sbl.dnsbl @dns[34]*

; <<>> DiG 9.4.2 <<>> 2.0.0.127.sbl.dnsbl @tch-cache1.dns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41117
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.sbl.dnsbl.   IN  A

;; ANSWER SECTION:
2.0.0.127.sbl.dnsbl.300 IN  A   127.0.0.2

;; Query time: 8 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Mon Jun 15 20:06:56 2009
;; MSG SIZE  rcvd: 53



--8<--

acl good-mx-nets { 1.1.2.16/29;  ... };
acl good-nets { 1.1.1.0/19;  ... };

view good-mx-view {
match-clients { good-mail-servers; };
zone dnsbl { type forward; forward only; forwarders { 1.1.1.10; }; };
};

view good {
  match-clients { good-nets; };
  allow-recursion { good-nets; };

  zone . { type hint; file /etc/bind/db.root; };
  zone com { type delegation-only; };
  zone net { type delegation-only; };

  // RFC 1912 zones
  zone localhost { type master; file /etc/bind/db.local; };
  zone 127.in-addr.arpa { type master; file /etc/bind/db.127; };
  zone 0.in-addr.arpa { type master; file /etc/bind/db.0; };
  zone 255.in-addr.arpa { type master; file /etc/bind/db.255; };
};