Re: Forwarding zone, setup

2022-03-03 Thread Greg Choules via bind-users
Sending from the correct email alias this time!

On Thu, 3 Mar 2022 at 09:53, Greg Choules wrote:

> Hi Greg.
> Basically, you can't forward out of authority. If server A is
> authoritative for "example.com" it is authoritative for that and
> everything below that, ad infinitum, unless you tell it otherwise.
> There is an implicit hierarchy as to how queries are dealt with. It arises
> because BIND can be both recursive AND authoritative simultaneously, so
> there has to be some way to choose how to go about responding to incoming
> queries. Using dynamic routeing as an analogy, it's a bit like BGP needing
> to choose which is the best prefix by running through its decision
> algorithm.
> In BIND, authority trumps all; there is nothing higher. Next comes
> forwarding.
>
> BIND isn't the only DNS server software that does this, by the way.
> Microsoft's AD DNS role does too because it can be both recursive and
> authoritative simultaneously.
>
> As already mentioned, the trick (if this is really what you need to do in
> the first place) is to 'give away' the slice of your namespace that you
> want to forward. i.e. to convince the server it is not authoritative for it
> anymore. Hence you need to delegate (say) "notmine.example.com" by adding
> some (or even one) NS records for it in "example.com". The slight
> headspin is, it doesn't matter what those NS records are because they will
> never be used. It is the act of delegation that is the important thing, not
> where it is delegated to.
>
> What I used to do was add (e.g.) "notmine   NS   x." and then create the
> forward zone (or in MS speak, Conditional Forwarder). As long as, having
> created the delegation, the only choice the server now has is to forward
> that name, life is good. Therefore you MUST also have "forward only". The
> server must not be allowed to try and recurse, or it would then need to
> resolve "x.", which will fail.
>
> However, having said all this, if you know the names and addresses of
> the MS DNS server hosting "ab.somedomain.local" (I'll keep it zipped on
> the use of .local - Microsoft!), why not just delegate to them directly?
> Then you don't need a forward zone at all. I have found from bitter
> experience that forwarding, although (usually) easy to get working, can
> lead you into a warren of problems down the line. So I tended to avoid
> it wherever possible.
>
> I hope that helps.
> Greg
>
> On Tue, 1 Mar 2022 at 18:53, Gregory Sloop  wrote:
>
>> >Are you loading the parent domain and trying to zone forward a child
>> domain on the same DNS server? I.e. loading somedomain.local and trying to
>> forward ab.somedomain.local
>>
>> Yup, exactly.
>>
>> That solution was suggested by Jeff Sumner yesterday, but it seemed a
>> little nuts to me (BIND behaving that way) - though your explanation makes
>> that behavior seem less crazy.
>>
>> If I get a chance, I'll perhaps try that, just to see if it fixes it -
>> though someone at ISC might save me the work, confirming the behavior.
>> (please do!)
>>
>> And, if that's the case, then static-stub is the far superior option -
>> since it's much more simple and straight-forward.
>>
>> Consider it solved.
>>
>> If ISC can confirm that behavior for forwarding a child domain when the
>> server is also auth for the parent zone, that would be very nice!
>>
>> Thanks to everyone, again, for the help!
>>
>> Are you loading the parent domain and trying to zone forward a child
>> domain on the same DNS server? I.e. loading somedomain.local and trying to
>> forward ab.somedomain.local
>>
>> If so an NS delegation is required in every instance I have done in my
>> environment. The NS doesn't need to be "right" but it needs to exist. I
>> don't know the internal BIND logic for that but I have always taken it as
>> "I load the parent and I know the child doesn't exist because there isn't a
>> delegation to make it exist so why would I forward something that doesn't
>> exist".
>>
>>
>> On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:
>>
>>> Static-stub fixes the issue.
>>>
>>> Any idea why static-stub works when forwarder doesn't?
>>>
>>> (Again, the server is using recursion. Dig queries return the RA flag,
>>> so I know it's actually offering recursion in reality.)
>>>
>>> I can live with static-stub just fine, since it works - but I'd really
>>> love to understand why forwarder didn't - just so I can avoid getting
>>> bitten by it in some other situation.
>>>
>>> Thanks Ondrej!
>>>
>>> -Greg
>>>
>>> Is static-stub something you are looking for?
>>>
>>> Reference documentation:
>>> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
>>>
>>> And in human terms:
>>> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
>>>
>>> Ondrej
>>> --
>>> Ondřej Surý (He/Him)
>>> ond...@isc.org
>>>
>>> My working hours and your working hours may be 

Re: Forwarding zone, setup

2022-03-01 Thread Gregory Sloop
>Are you loading the parent domain and trying to zone forward a child domain on 
>the same DNS server? I.e. loading somedomain.local and trying to forward 
>ab.somedomain.local
 
Yup, exactly.
 
That solution was suggested by Jeff Sumner yesterday, but it seemed a little 
nuts to me (BIND behaving that way) - though your explanation makes that 
behavior seem less crazy.
If I get a chance, I'll perhaps try that, just to see if it fixes it - though 
someone at ISC might save me the work, confirming the behavior. (please do!)
 
And, if that's the case, then static-stub is the far superior option - since 
it's much more simple and straight-forward.
 
Consider it solved. 
If ISC can confirm that behavior for forwarding a child domain when the server 
is also auth for the parent zone, that would be very nice!
 
Thanks to everyone, again, for the help!
 
    

> Are you loading the parent domain and trying to zone forward a child domain 
> on the same DNS server? I.e. loading somedomain.local and trying to forward 
> ab.somedomain.local

> If so an NS delegation is required in every instance I have done in my 
> environment. The NS doesn't need to be "right" but it needs to exist. I don't 
> know the internal BIND logic for that but I have always taken it as "I load 
> the parent and I know the child doesn't exist because there isn't a 
> delegation to make it exist so why would I forward something that doesn't 
> exist".


> On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

>> Static-stub fixes the issue.
>>  
>> Any idea why static-stub works when forwarder doesn't?
>>  
>> (Again, the server is using recursion. Dig queries return the RA flag, so I 
>> know it's actually offering recursion in reality.)
>>  
>> I can live with static-stub just fine, since it works - but I'd really love 
>> to understand why forwarder didn't - just so I can avoid getting bitten by 
>> it in some other situation.
>>  
>> Thanks Ondrej!
>> -Greg
>>   

>>> Is static-stub something you are looking for?

>>> Reference documentation:
>>> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types

>>> And in human terms:
>>> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

>>> Ondrej
>>> --
>>> Ondřej Surý (He/Him)
>>> ond...@isc.org

>>> My working hours and your working hours may be different. Please do not 
>>> feel obligated to reply outside your normal working hours.

 On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:

 So, I want to forward all queries for 
 *.ab.somedomain.local to some other internal DNS servers.
 (Records in *.ab.somedomain.local actually are our active domain servers)
  
 (Yes, I know .local is reserved now, but we've been using it a long time 
 and changing would be rather painful. Unless there's some horrible 
 consequences, I think we'll just continue for now. We won't ever use mDNS.)
  
 zone "ab.somedomain.local" {
 type forward;
 forward only;
 forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
 };

 But this doesn't appear to do what I want.
  
 If I add the above to my regular BIND servers configuration, it doesn't 
 return results like it's forwarding them. (I get NXDOMAIN for 
 abc.ab.somedomain.local.)
  
 If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I 
 get a proper result. (force dig to use the AD name servers directly, 
 instead of relying on the forward.)
  
 (And yes the resolv.conf file has the ip addresses of the main internal 
 BIND servers in it, and those only.)
 I've looked and while I think I'm doing it right, I'm not entirely sure.
 I figured before I beat my head against the wall for too long, I'd ask the 
 real experts! :)
  

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gr...@sloop.net
http://www.sloop.net
- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Forwarding zone, setup

2022-03-01 Thread Ben Croswell
Are you loading the parent domain and trying to zone forward a child domain
on the same DNS server? I.e. loading somedomain.local and trying to forward
ab.somedomain.local

If so an NS delegation is required in every instance I have done in my
environment. The NS doesn't need to be "right" but it needs to exist. I
don't know the internal BIND logic for that but I have always taken it as
"I load the parent and I know the child doesn't exist because there isn't a
delegation to make it exist so why would I forward something that doesn't
exist".


On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

> Static-stub fixes the issue.
>
> Any idea why static-stub works when forwarder doesn't?
>
> (Again, the server is using recursion. Dig queries return the RA flag, so
> I know it's actually offering recursion in reality.)
>
> I can live with static-stub just fine, since it works - but I'd really love
> to understand why forwarder didn't - just so I can avoid getting bitten by
> it in some other situation.
>
> Thanks Ondrej!
>
> -Greg
>
> Is static-stub something you are looking for?
>
> Reference documentation:
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
>
> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)


Re: Forwarding zone, setup

2022-03-01 Thread Gregory Sloop
Static-stub fixes the issue.
 
Any idea why static-stub works when forwarder doesn't?
 
(Again, the server is using recursion. Dig queries return the RA flag, so I 
know it's actually offering recursion in reality.)
 
I can live with static-stub just fine, since it works - but I'd really love to 
understand why forwarder didn't - just so I can avoid getting bitten by it in 
some other situation.
 
Thanks Ondrej!
-Greg
  

> Is static-stub something you are looking for?

> Reference documentation:
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types

> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org

> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.

>> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:

>> So, I want to forward all queries for 
>> *.ab.somedomain.local to some other internal DNS servers.
>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>  
>> (Yes, I know .local is reserved now, but we've been using it a long time and 
>> changing would be rather painful. Unless there's some horrible consequences, 
>> I think we'll just continue for now. We won't ever use mDNS.)
>>  
>> zone "ab.somedomain.local" {
>> type forward;
>> forward only;
>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>> };

>> But this doesn't appear to do what I want.
>>  
>> If I add the above to my regular BIND servers configuration, it doesn't 
>> return results like it's forwarding them. (I get NXDOMAIN for 
>> abc.ab.somedomain.local.)
>>  
>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get 
>> a proper result. (force dig to use the AD name servers directly, instead of 
>> relying on the forward.)
>>  
>> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
>> servers in it, and those only.)
>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>> I figured before I beat my head against the wall for too long, I'd ask the 
>> real experts! :)
>>  


Re: Forwarding zone, setup

2022-03-01 Thread Gregory Sloop
This got held up in moderation. Let me repost it, from my regular mail client...
 
 
> You didn’t share much of your configuration except the one forwarded zone, 
> not a lot to go on.
 
Fair enough. (I guess I thought you could just infer all the needed 
information!  Oops!)

Let me try Ondrej's static-stub and see if that makes a difference.

As for more detail.
Yeah, it's a recursive resolver, used internally only.
It's also authoritative for the somedomain.local zone.
I simply want(ed) to pass queries for *.ad.somedomain.local to another 
server(s), so thought the forwarder setup was the right way to do that.

Sorry for being so lame in not providing enough detail - I think I just figured 
I must be doing something terribly wrong and the forwarder setup must be wrong 
in some obvious detail I wasn't seeing. 
That doesn't appear to be the case, so we'll look again, try static-stub and 
then re-group if it doesn't work.

Thanks all!
 
> But one thing to check, you do have recursion enabled on the server?
> On Mon, Feb 28, 2022 at 6:34 PM Gregory Sloop  wrote:

>> Wow. I hate to be the guy who looks the gift horse in the mouth - but that 
>> just seems "wrong." :) 
>> (Not the answer, but that that would be the way BIND wants it done.)
>>  
>> So, now I've got two sets of NS and glue records? 
>> Please tell me that's not the way BIND insists you do this!
>>  
>> I guess I should try it, but dang.
>> Does anyone know for sure?
>>  
>>   

>>> Add Delegating NS records:

>>> ab.somedomain.local 3600 NS server1.ab.somedomain.local
>>> .
>>> .
>>> .


>>> And glue records

>>> server1.ab.somedomain.local 3600 A 10.0.0.1
>>> .
>>> .


>>> And see if it works. It’s got something to do with the way the record is 
>>> matched (or not) before the forward statement is hit.

>>> J
 On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:

 So, I want to forward all queries for 
 *.ab.somedomain.local to some other internal DNS servers.
 (Records in *.ab.somedomain.local actually are our active domain servers)
  
 (Yes, I know .local is reserved now, but we've been using it a long time 
 and changing would be rather painful. Unless there's some horrible 
 consequences, I think we'll just continue for now. We won't ever use mDNS.)
  
 zone "ab.somedomain.local" {
 type forward;
 forward only;
 forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
 };

 But this doesn't appear to do what I want.
  
 If I add the above to my regular BIND servers configuration, it doesn't 
 return results like it's forwarding them. (I get NXDOMAIN for 
 abc.ab.somedomain.local.)
  
 If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I 
 get a proper result. (force dig to use the AD name servers directly, 
 instead of relying on the forward.)
  
 (And yes the resolv.conf file has the ip addresses of the main internal 
 BIND servers in it, and those only.)
 I've looked and while I think I'm doing it right, I'm not entirely sure.
 I figured before I beat my head against the wall for too long, I'd ask the 
 real experts! :)

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gr...@sloop.net
http://www.sloop.net


Re: Forwarding zone, setup

2022-03-01 Thread Ondřej Surý
Is static-stub something you are looking for?

Reference documentation:
https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types

And in human terms:
https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
> 
> So, I want to forward all queries for 
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>  
> (Yes, I know .local is reserved now, but we've been using it a long time and 
> changing would be rather painful. Unless there's some horrible consequences, 
> I think we'll just continue for now. We won't ever use mDNS.)
>  
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
> 
> But this doesn't appear to do what I want.
>  
> If I add the above to my regular BIND servers configuration, it doesn't 
> return results like it's forwarding them. (I get NXDOMAIN for 
> abc.ab.somedomain.local.)
>  
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get a 
> proper result. (force dig to use the AD name servers directly, instead of 
> relying on the forward.)
>  
> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
> servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the 
> real experts! :)
>  
> 
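Putting Greg Choules' delegate-then-forward explanation (top of the thread) and the static-stub zone type Ondřej points to here side by side, as an added configuration example; it is mine, not any poster's config and not lifted from the BIND documentation. Zone names, the 10.0.0.x forwarders and the server names follow the thread; the client range 10.0.0.0/8, the file paths and the BIND 9.16+ "primary" keyword are assumptions.

```conf
// named.conf excerpt (added example, not a poster's configuration).
// Assumes BIND 9.16+ ("primary" keyword) and an internal client range of
// 10.0.0.0/8; neither is stated in the thread.
options {
    recursion yes;                  // forwarding only happens on the recursive path
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};

// The parent zone. Because the server is authoritative here, a name under
// somedomain.local that the zone file does not know is answered NXDOMAIN
// (with AA set) before any forward zone is consulted. That is the failure
// the original post describes.
zone "somedomain.local" {
    type primary;                   // "type master;" on older BIND
    file "/etc/bind/somedomain.local.zone";
};

// --- Option A: delegate the child away in the parent, then forward it ---
// Needs the NS records shown in the zone file below. "forward only" is
// mandatory: with "forward first" a failing forwarder makes BIND fall back
// to iterating via the delegation, which cannot work for a dummy target.
zone "ab.somedomain.local" {
    type forward;
    forward only;
    forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
};

// --- Option B: static-stub, no delegation in the parent required --------
// A static-stub is a real zone in the zone table, so it is the closest
// match for names under ab.somedomain.local and takes precedence over the
// parent for them. Use this block instead of Option A, not alongside it.
zone "ab.somedomain.local" {
    type static-stub;
    server-addresses { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
};

; /etc/bind/somedomain.local.zone excerpt, needed for Option A.
; The act of delegating is what stops the parent from answering NXDOMAIN.
; Under "forward only" the NS targets are never contacted, so a dummy such
; as "ab NS x." also works; delegating to the real AD servers with glue is
; tidier and additionally enables Option C: drop the forward zone and let
; ordinary recursion follow this delegation (Greg Choules' preferred layout).
$ORIGIN somedomain.local.
ab           3600  IN  NS  server1.ab.somedomain.local.
ab           3600  IN  NS  server2.ab.somedomain.local.
server1.ab   3600  IN  A   10.0.0.1      ; glue
server2.ab   3600  IN  A   10.0.0.2      ; glue
```

To confirm which path answered, query the BIND server from inside the allowed range with `dig abc.ab.somedomain.local @<bind-server>`: a forwarded or static-stub answer carries RA but not AA, whereas an AA-flagged NXDOMAIN means the parent zone is still claiming the name and the delegation or static-stub zone is not loaded.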


Re: Forwarding zone, setup

2022-03-01 Thread Grant Taylor via bind-users

On 3/1/22 5:35 AM, Matus UHLAR - fantomas wrote:

you are right, forwarding queries requires recursion.


Thank you for the confirmation Matus.  :-)



--
Grant. . . .
unix || die





Re: Forwarding zone, setup

2022-03-01 Thread Matus UHLAR - fantomas

On 2/28/22 1:47 PM, Gregory Sloop wrote:
I figured before I beat my head against the wall for too long, I'd 
ask the real experts! :)


On 28.02.22 22:27, Grant Taylor via bind-users wrote:

I'm definitely not an expert.  I don't even pretend to be one on T.V.

But I do wonder what, if any, sort of restrictions you are placing on 
recursion on your system.


It's my (mis)understanding that recursion has some effect on 
forwarding queries.  My limited understanding is recursion is another 
way of saying if the server should chase the answer for you or not.  
If it doesn't have it in its own data (authoritative and / or cache), 
then its recursion setting comes into play.


If I'm mistaken, please correct me.


you are right, forwarding queries requires recursion. 



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.


Re: Forwarding zone, setup

2022-02-28 Thread Grant Taylor via bind-users

On 2/28/22 1:47 PM, Gregory Sloop wrote:
I figured before I beat my head against the wall for too long, I'd ask 
the real experts! :)


I'm definitely not an expert.  I don't even pretend to be one on T.V.

But I do wonder what, if any, sort of restrictions you are placing on 
recursion on your system.


It's my (mis)understanding that recursion has some effect on forwarding 
queries.  My limited understanding is recursion is another way of saying 
if the server should chase the answer for you or not.  If it doesn't 
have it in its own data (authoritative and / or cache), then its 
recursion setting comes into play.


If I'm mistaken, please correct me.



--
Grant. . . .
unix || die





Re: Forwarding zone, setup

2022-02-28 Thread Crist Clark
You didn’t share much of your configuration except the one forwarded zone,
not a lot to go on.

But one thing to check, you do have recursion enabled on the server?

On Mon, Feb 28, 2022 at 6:34 PM Gregory Sloop  wrote:

> Wow. I hate to be the guy who looks the gift horse in the mouth - but that
> just seems "wrong." :)
> (Not the answer, but that that would be the way BIND wants it done.)
>
> So, now I've got two sets of NS and glue records?
> Please tell me that's not the way BIND insists you do this!
>
> I guess I should try it, but dang.
> Does anyone know for sure?
>
> Add Delegating NS records:
>
> ab.somedomain.local 3600 NS server1.ab.somedomain.local
> .
> .
> .
>
> And glue records
>
> server1.ab.somedomain.local 3600 A 10.0.0.1
> .
> .
>
> And see if it works. It’s got something to do with the way the record is
> matched (or not) before the forward statement is hit.
>
> J
>
> On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)


Re: Forwarding zone, setup

2022-02-28 Thread Gregory Sloop
Wow. I hate to be the guy who looks the gift horse in the mouth - but that just 
seems "wrong." :) 
(Not the answer, but that that would be the way BIND wants it done.)
 
So, now I've got two sets of NS and glue records? 
Please tell me that's not the way BIND insists you do this!
 
I guess I should try it, but dang.
Does anyone know for sure?
 
  

> Add Delegating NS records:

> ab.somedomain.local 3600 NS server1.ab.somedomain.local
> .
> .
> .


> And glue records

> server1.ab.somedomain.local 3600 A 10.0.0.1
> .
> .


> And see if it works. It’s got something to do with the way the record is 
> matched (or not) before the forward statement is hit.

> J
>> On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:

>> So, I want to forward all queries for 
>> *.ab.somedomain.local to some other internal DNS servers.
>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>  
>> (Yes, I know .local is reserved now, but we've been using it a long time and 
>> changing would be rather painful. Unless there's some horrible consequences, 
>> I think we'll just continue for now. We won't ever use mDNS.)
>>  
>> zone "ab.somedomain.local" {
>> type forward;
>> forward only;
>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>> };

>> But this doesn't appear to do what I want.
>>  
>> If I add the above to my regular BIND servers configuration, it doesn't 
>> return results like it's forwarding them. (I get NXDOMAIN for 
>> abc.ab.somedomain.local.)
>>  
>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get 
>> a proper result. (force dig to use the AD name servers directly, instead of 
>> relying on the forward.)
>>  
>> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
>> servers in it, and those only.)
>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>> I figured before I beat my head against the wall for too long, I'd ask the 
>> real experts! :)


Re: Forwarding zone, setup

2022-02-28 Thread Jeff Sumner
Add Delegating NS records:

ab.somedomain.local 3600 NS server1.ab.somedomain.local
.
.
.


And glue records

server1.ab.somedomain.local 3600 A 10.0.0.1
.
.


And see if it works. It’s got something to do with the way the record is 
matched (or not) before the forward statement is hit.

J

> On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:
> 
> So, I want to forward all queries for 
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>  
> (Yes, I know .local is reserved now, but we've been using it a long time and 
> changing would be rather painful. Unless there's some horrible consequences, 
> I think we'll just continue for now. We won't ever use mDNS.)
>  
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
> 
> But this doesn't appear to do what I want.
>  
> If I add the above to my regular BIND servers configuration, it doesn't 
> return results like it's forwarding them. (I get NXDOMAIN for 
> abc.ab.somedomain.local.)
>  
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get a 
> proper result. (force dig to use the AD name servers directly, instead of 
> relying on the forward.)
>  
> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
> servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the 
> real experts! :)
>  
> 


Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-18 Thread Crist Clark
So why doesn’t it work to make your limited server authoritative for the
root and only forward the zones you want? Anything that isn’t in a
forwarded zone does not exist (except the root itself).

On Sat, Apr 17, 2021 at 11:07 PM Marki  wrote:

>
> On 4/14/2021 12:44 AM, Sebby, Brian A. via bind-users wrote:
>
>
> My situation is due to a security requirement.  We have DNS servers at our
> site running BIND that allow recursion, but I’ve been requested to set up
> some additional DNS servers for another project that is expected to
> *only* access the data that we’re authoritative for.  And of course ….
> there’s a chance that it might need to look up one or two external zones.
> Essentially, what I really need is a recursive whitelist that doesn’t tell
> BIND what clients are allowed to do recursive lookups, but to limit BIND to
> only allow recursive lookups on a very small list of allowed domains.
>
>
>
> I was trying to set up a forwarding zone to forward queries to our DNS
> servers that do allow recursion, but as I discovered (and as was discussed
> earlier in the thread), if recursion is not allowed, then forwarding is
> also not allowed.  I had tried setting the “allow-recursion” field to
> “localhost” and setting up a forward zone to forward to 127.0.0.1, but that
> didn’t work either.
>
> Hello,
>
> So they do _not_ only look up internal/authoritative zones, but external
> ones as well. (It's always the exceptions that kill you.)
>
> I think we have previously established that there is not a good way to do
> whitelisting using Bind, see the thread "Authority and forwarding, but not
> recursion/iteration".
>
> If you can live with non-allowed zones returning SERVFAIL (instead of
> NXDOMAIN for example), then using a recursive service with a bogus global
> forwarder and static stubs pointing to the authoritative/non-recursive
> service might do the trick.
>
> You might also be able to leverage RPZ if there are no complex conditions
> associated to your rules (everyone will have the same white/blacklists).
> You configure passthrough for the allowed zones and deny the rest.
>
> Alternatively, there is dnsdist which, while being a load-balancer, could
> be considered the swiss army knife of DNS filtering.
>
> Finally, some firewalls like Fortigates provide a "DNS filter" that lets
> you define custom white and blacklists. Palo Altos currently are not able
> to whitelist AFAIK.
>
> Best regards,
>
> Marki
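Crist Clark's suggestion above (be authoritative for the root and forward only the zones you want), combined with the delegation trick Jeff Sumner and Greg Choules describe earlier on this page, as an added example that is not from any post in the thread: a script that writes the named.conf and the root zone file for such a whitelisting resolver. The 10.0.0.0/8 client range, the 10.0.0.1 primary, the 192.0.2.53 upstream resolver, the ns.invalid./192.0.2.1 dummy glue and the file paths are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the thread: generate named.conf and the root
# zone for a resolver that is authoritative for "." and forwards only a short
# list of allowed zones. Every forwarded name must be delegated out of the root
# authority (the NS trick from the thread), and "forward only" keeps named from
# ever chasing that dummy delegation. Addresses, names and paths are placeholders.
set -eu

write_restricted_resolver_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/named.conf" <<'EOF'
acl internal { 10.0.0.0/8; };        // assumed client range

options {
    directory "/var/named";
    // Forward zones are only consulted while recursing, so recursion must be
    // on; limit who may use it instead of switching it off.
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };
};

// Authoritative for the root: any name that is neither loaded locally nor
// delegated in root.empty.db gets NXDOMAIN here and never leaves the server.
zone "." {
    type master;                     // "primary" on newer releases
    file "root.empty.db";
};

// The site's own data, as a secondary of the internal primaries. Zones loaded
// here are found before the root zone, so they need no delegation entry.
zone "somedomain.local" {
    type slave;                      // "secondary" on newer releases
    masters { 10.0.0.1; };
    file "somedomain.local.db";
};

// The one external zone this server may look up. "forward only" is required:
// with "forward first" named would fall back to the dummy NS on any failure.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };      // assumed full-recursive resolver
};
EOF

    cat > "$dir/root.empty.db" <<'EOF'
$TTL 3600
.            IN SOA ns.invalid. hostmaster.invalid. ( 1 3600 900 604800 3600 )
.            IN NS  ns.invalid.
ns.invalid.  IN A   192.0.2.1       ; placeholder glue, never contacted
; Delegate each forwarded zone out of the root authority. The target does not
; matter: "forward only" stops named from ever resolving it.
example.com. IN NS  ns.invalid.
EOF

    # Syntax-check with BIND's own tool when it is installed.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf"
    fi
}

# Lists the zones of type forward in the generated named.conf, so the allowed
# list can be reviewed (or diffed against change control) at a glance.
list_forward_zones() {
    awk '/^zone /{z=$2} /^[[:space:]]*type forward;/{print z}' "$1/named.conf"
}

outdir="${1:-$(mktemp -d)}"
write_restricted_resolver_config "$outdir"
echo "forward zones in $outdir/named.conf: $(list_forward_zones "$outdir")"
```

Because forwarding is only applied to recursive (RD=1) queries, as Darcy Kevin notes further down, dig +norecurse against this server returns the dummy delegation rather than a forwarded answer, which is a quick way to confirm the delegation is in place.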


Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-13 Thread Marki


On 4/14/2021 12:44 AM, Sebby, Brian A. via bind-users wrote:
> My situation is due to a security requirement.  We have DNS servers at
> our site running BIND that allow recursion, but I’ve been requested to
> set up some additional DNS servers for another project that is
> expected to *only* access the data that we’re authoritative for.
> And of course …. there’s a chance that it might need to look up one or
> two external zones.  Essentially, what I really need is a recursive
> whitelist that doesn’t tell BIND what clients are allowed to do
> recursive lookups, but to limit BIND to only allow recursive lookups
> on a very small list of allowed domains.
>
> I was trying to set up a forwarding zone to forward queries to our DNS
> servers that do allow recursion, but as I discovered (and as was
> discussed earlier in the thread), if recursion is not allowed, then
> forwarding is also not allowed. I had tried setting the
> “allow-recursion” field to “localhost” and setting up a forward zone
> to forward to 127.0.0.1, but that didn’t work either.




Hello,

So they do _not_ only look up internal/authoritative zones, but external 
ones as well. (It's always the exceptions that kill you.)


I think we have previously established that there is not a good way to 
do whitelisting using Bind, see the thread "Authority and forwarding, 
but not recursion/iteration".


If you can live with non-allowed zones returning SERVFAIL (instead of 
NXDOMAIN for example), then using a recursive service with a bogus 
global forwarder and static stubs pointing to the 
authoritative/non-recursive service might do the trick.


You might also be able to leverage RPZ if there are no complex 
conditions associated to your rules (everyone will have the same 
white/blacklists). You configure passthrough for the allowed zones and 
deny the rest.


Alternatively, there is dnsdist which, while being a load-balancer, 
could be considered the swiss army knife of DNS filtering.


Finally, some firewalls like Fortigates provide a "DNS filter" that lets 
you define custom white and blacklists. Palo Altos currently are not 
able to whitelist AFAIK.


Best regards,

Marki



Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-13 Thread Sebby, Brian A. via bind-users
I have been banging my head against the wall regarding this very topic and then 
found this thread from last week.  I’m also looking for a solution to this 
problem, and wondered if anyone may have some suggestions (including potential 
alternatives).

My situation is due to a security requirement.  We have DNS servers at our site 
running BIND that allow recursion, but I’ve been requested to set up some 
additional DNS servers for another project that is expected to *only* access 
the data that we’re authoritative for.  And of course …. there’s a chance that 
it might need to look up one or two external zones.  Essentially, what I really 
need is a recursive whitelist that doesn’t tell BIND what clients are allowed 
to do recursive lookups, but to limit BIND to only allow recursive lookups on a 
very small list of allowed domains.

I was trying to set up a forwarding zone to forward queries to our DNS servers 
that do allow recursion, but as I discovered (and as was discussed earlier in 
the thread), if recursion is not allowed, then forwarding is also not allowed.  
I had tried setting the “allow-recursion” field to “localhost” and setting up a 
forward zone to forward to 127.0.0.1, but that didn’t work either.

Is there any potential workaround for this, or do I just need to tell the 
person who requested this that they can only get all or nothing for recursive 
queries?  We’re still running BIND 9.11, but I was wondering if there may be 
new features in BIND 9.16 or 17 that I’m not aware of.


Thanks,

Brian

--
Brian Sebby (he/him/his)  |  Lead Systems Engineer
Email: se...@anl.gov  |  Information Technology Infrastructure
Phone: +1 630.252.9935  |  Business Information Services
Cell:  +1 630.921.4305  |  Argonne National Laboratory


Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Mark Andrews  wrote:
> > On 8 Apr 2021, at 00:37, Tony Finch  wrote:
> >
> > Forward zones require the upstream server to be recursive too.
>
> More correctly, the upstream server has to serve the entire namespace being
> forwarded if it does not offer recursion to the client for forwarding to
> work.

I thought forwarding expected the target server to resolve CNAMEs? If so,
any out-of-zone CNAMEs in the target namespace would cause problems.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Cape Wrath to Rattray Head including Orkney: Southwesterly 6 to gale
8, occasionally 5 at first in east, then veering westerly or
northwesterly 7 to severe gale 9 later. Moderate or rough, becoming
very rough or high in north. Rain at times, squally snow showers
later. Moderate or good, occasionally very poor later.



Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread RK K
Chuck, Tony,

Thank you all for sharing the ideas.. very much appreciated.

Thank you
Kind Regards,
Ravi Kota


Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread RK K
Hello Marki, Matus,

Thank you for the insights on this topic.

Answering Marki's question about why the secondary-authoritative (slaves)
are used for lookups is somewhat history and there was no need to be
recursive (until now) as all the queries are authoritatively answered or
refused. Maybe security is another reason.

Much appreciated your ideas

Thank you
Kind Regards
RK

On Wed, Apr 7, 2021 at 8:01 AM  wrote:

> Message: 1
> Date: Tue, 6 Apr 2021 22:47:23 -0400
> From: RK K 
> To: bind-users@lists.isc.org
> Subject: forwarding zone setup from a BIND slave (without recursion?)
> All,
>
> We have a set of BIND primary servers (MASTERs) and a set of secondary
> servers (slaves to the MASTERs).
> The secondary BIND DNS servers disabled recursion (with "recursion no;")
> in the global options.
> All the applications/systems do use secondary DNS servers for name
> resolution.
>
> Now there is a need to configure a forwarding zone in the "secondary DNS
> servers" to an external DNS server.
>
> In this scenario, in order for the secondary server to forward the DNS
> query to an external DNS server, is it required to enable the recursion in
> the global options on the secondary servers?
> Based on reference material, I did not see such a requirement. But my
> observation is the query is not getting forwarded (tried to check using
> the packet trace)
> When recursion is enabled, the query is getting forwarded.
>
> The BIND version I am using is 9.11.2.x.
>
> Appreciate your ideas and help.
>
> Thank you
> Kind Regards,
> Ravi Kota

Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Mark Andrews



> On 8 Apr 2021, at 00:37, Tony Finch  wrote:
> 
> Chuck Aurora  wrote:
>> 
>> A stub or static-stub zone would not require recursion.  In that case
>> named is asking for authoritative data from upstream.  But type
>> forward zones indeed cannot work if recursion is disabled.
> 
> Be careful in this kind of situation to be very clear about which client
> or server is doing what: in this case, it isn't clear what doesn't require
> recursion for stub or static stub.
> 
> All three types of zone configuration (stub, static stub, and forward)
> are only useful on a server that is providing recursive service.
> 
> Forward zones require the upstream server to be recursive too.

More correctly, the upstream server has to serve the entire namespace being
forwarded if it does not offer recursion to the client for forwarding to
work.

> Stub and static-stub expect the upstream server to be authoritative;
> the stub server list is a hint that gets replaced by the authoritative
> server list from the zone (a bit like the root hints) whereas static-stub
> only uses the configured upstream servers.
> 
>>> What I've learned from this list is that you should split
>>> authoritative and recursive service.
>> 
>> I would suggest that as a general best practice, but not an absolute
>> one.  There's nothing wrong with having internal-only authoritative
>> zones on your recursive resolver.  The potential problem comes when
>> you're a globally-published NS for your zones; having recursion
>> enabled can make you vulnerable to more possible attacks.
> 
> Right: the rule is that authoritative servers listed as targets of NS
> records should be authoritative-only; it's OK if recursive servers have
> authoritative copies of zones: it can make them more resilient to outages,
> though it does slightly weird things to DNSSEC validation.
> 
> Tony.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Tony Finch
Chuck Aurora  wrote:
>
> A stub or static-stub zone would not require recursion.  In that case
> named is asking for authoritative data from upstream.  But type
> forward zones indeed cannot work if recursion is disabled.

Be careful in this kind of situation to be very clear about which client
or server is doing what: in this case, it isn't clear what doesn't require
recursion for stub or static stub.

All three types of zone configuration (stub, static stub, and forward)
are only useful on a server that is providing recursive service.

Forward zones require the upstream server to be recursive too.

Stub and static-stub expect the upstream server to be authoritative;
the stub server list is a hint that gets replaced by the authoritative
server list from the zone (a bit like the root hints) whereas static-stub
only uses the configured upstream servers.

> > What I've learned from this list is that you should split
> > authoritative and recursive service.
>
> I would suggest that as a general best practice, but not an absolute
> one.  There's nothing wrong with having internal-only authoritative
> zones on your recursive resolver.  The potential problem comes when
> you're a globally-published NS for your zones; having recursion
> enabled can make you vulnerable to more possible attacks.

Right: the rule is that authoritative servers listed as targets of NS
records should be authoritative-only; it's OK if recursive servers have
authoritative copies of zones: it can make them more resilient to outages,
though it does slightly weird things to DNSSEC validation.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Whitby to Gibraltar Point: Northwest 4 to 6 becoming variable 2 to 4,
then southwest 4 to 6 later. Very rough at first in north, otherwise
moderate or rough. Snow showers, then rain for a time later. Good,
occasionally very poor at first.



Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Chuck Aurora

On 2021-04-07 03:59, Marki wrote:
> To elaborate a little bit on that... Indeed that is how it works,
> unfortunately. When you start using forwarders or stubs, recursion
> needs to be enabled because you're no longer looking for your own
> authoritative data only.

A stub or static-stub zone would not require recursion.  In that case
named is asking for authoritative data from upstream.  But type
forward zones indeed cannot work if recursion is disabled.

> What I've learned from this list is that you should split
> authoritative and recursive service.

I would suggest that as a general best practice, but not an absolute
one.  There's nothing wrong with having internal-only authoritative
zones on your recursive resolver.  The potential problem comes when
you're a globally-published NS for your zones; having recursion
enabled can make you vulnerable to more possible attacks.

I'd say it depends more who/what you are.  Small-timers are not at as
much risk for this as large sites and ISPs.  But there too, the
paranoid would go for two instances of named, authoritative and
recursive, on a small hosted server even where it's only offering
recursion to itself.

> May I ask what is the reasoning behind your current setup (pointing
> your users to the non-recursive service)? What would you like to
> achieve? What would you like to prevent?

Agreed, that is strange.  It does not seem that an authoritative-only
named can be very useful for end users.


Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Marki

Hello,

On 4/7/2021 10:35 AM, Matus UHLAR - fantomas wrote:
> On 06.04.21 22:47, RK K wrote:
>> In this scenario, in order for the secondary server to forward the DNS
>> query to an external DNS server, is it required to enable the recursion in
>> the global options on the secondary servers?
>
> yes.

To elaborate a little bit on that... Indeed that is how it works, 
unfortunately. When you start using forwarders or stubs, recursion needs 
to be enabled because you're no longer looking for your own 
authoritative data only.

What I've learned from this list is that you should split authoritative 
and recursive service.

In other words, you need two types of servers:

1) A non-recursive one in the backend containing your authoritative 
zones only. This can be a hidden master setup, somewhat like what you 
are using now.

2) The one your users access has recursion enabled, and contains stubs 
to the authoritative service. Obviously, it can also contain stubs (or 
forwarders) to anywhere else. At the same time it is performing full 
recursive service unless you take authority for the root zone.

May I ask what is the reasoning behind your current setup (pointing your 
users to the non-recursive service)? What would you like to achieve? 
What would you like to prevent?


Bye,

Marki



Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Matus UHLAR - fantomas

On 06.04.21 22:47, RK K wrote:
> We have a set of BIND primary servers (MASTERs) and a set of secondary
> servers (slaves to the MASTERs).
> The secondary BIND DNS servers disabled recursion (with "recursion no;")
> in the global options.
> All the applications/systems do use secondary DNS servers for name
> resolution.
>
> Now there is a need to configure a forwarding zone in the "secondary DNS
> servers" to an external DNS server.
>
> In this scenario, in order for the secondary server to forward the DNS
> query to an external DNS server, is it required to enable the recursion in
> the global options on the secondary servers?

yes.

> Based on reference material, I did not see such a requirement. But my
> observation is the query is not getting forwarded (tried to check using
> the packet trace)
> When recursion is enabled, the query is getting forwarded.
>
> The BIND version I am using is 9.11.2.x.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


RE: Forwarding from delegated zone not working

2017-10-11 Thread Darcy Kevin (FCA)
You can certainly configure the subdomains that way, but the same resolver 
which followed the subdomain.example.com delegation in the first place, to your 
BIND instance, will presumably follow the delegation of 
sub.subdomain.example.com (as it is published via NS records in the parent 
zone) to find the nameservers for that subzone, query them, and expect 
authoritative responses. Your forwarding config won't be used, by such a 
resolver, since it'll be sending you non-recursive (RD=0) queries, which are 
incompatible with forwarding.

Ultimately, the bottom line is that if the "leaf-node" data is not available in 
an authoritative form, then you can't use delegation alone to facilitate its 
resolution. You'd need to set up some sort of forwarding, possibly multi-hop 
forwarding, which is notorious for being fragile, inefficient and lacking in 
scalability.

You mentioned in another post that the DNS data in question is for a cloud 
environment. My experience so far (primarily with AWS) is that these cloud 
providers don't understand how robust DNS enterprise architectures work. If 
they did, they would have offered authoritative, replicate-able DNS zone data 
as a basic service, straight out of the gate. Supposedly this "feature" is "on 
the roadmap" for AWS, but it seems to be a distant goal, with no particular 
priority. In the meantime, they are requiring their enterprise customers to 
sacrifice some of the reliability and performance we've built up in our DNS 
infrastructures over years (and, in some cases, decades), instead stringing 
together forwarding hierarchies and other nonsense like that.

(Editorial note: I originally got carried away at this point, explaining my 
model of how DNS is, conceptually, constructed -- authoritative core, inner 
iterative-resolution layer, outer recursive-resolution layer -- along with a 
diatribe about how poor/junior enterprise DNS architects try, with sub-optimal 
results, to build on recursive resolution as a foundation, because that's the 
only layer they really understand. But I don't want to put anyone to sleep, or 
fill up their mailboxes with walls of text, so I'll forego that for now, saving 
the text for some other day). 

May I ask: why would you put anything non-AD-related, of actual importance, in 
a *subdomain* of an Active Directory zone? Maybe it's just a matter of
perspective, but I see Active Directory as just one service we run in our 
enterprise, among many. So, while it gets its own namespace, it doesn't get to 
control the *main* namespace -- certainly, we would never put anything 
non-AD-related *underneath* an AD zone. Granted, I don't know your 
organization's structure, internal politics, history, etc. But it just seems 
rather odd to me that you're delegating stuff from an AD zone. I view such 
namespaces as "leaves", not "branches".


- Kevin


-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
seanliam73
Sent: Wednesday, October 11, 2017 3:45 AM
To: bind-users@lists.isc.org
Subject: RE: Forwarding from delegated zone not working

Thanks Kevin

That is what I suspected. If I make the delegated server the master/slave for 
the sub-domain that has been delegated, could I then set up forward zones for 
further sub-domains? i.e.

subdomain.example.com (delegated domain set as master zone) 
sub.subdomain.example.com (forward zone)

Sean



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


RE: Forwarding from delegated zone not working

2017-10-11 Thread seanliam73
Thanks Kevin

That is what I suspected. If I make the delegated server the master/slave
for the sub-domain that has been delegated, could I then set up forward
zones for further sub-domains? i.e.

subdomain.example.com (delegated domain set as master zone)
sub.subdomain.example.com (forward zone)

Sean



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


Re: Forwarding from delegated zone not working

2017-10-11 Thread seanliam73
Unfortunately we don't manage the AD server; that has been outsourced.

The team that manage AD have delegated the subdomain to our bind 9 instance
which in turn has a number of forwarding zones configured. This is to manage
DNS over a number of cloud based environments.



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


Re: Forwarding from delegated zone not working

2017-10-10 Thread Bob Harold
On Tue, Oct 10, 2017 at 11:21 AM, seanliam73  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running
> so that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.
>
> Am I trying to do something that is not possible or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;
> recursion yes;
> allow-query { ip addresses; };
>

- You might also need to add:
   allow-recursion { ip addresses; };

-- 
Bob Harold


> listen-on-v6 { any; };
> dnssec-enable no;
> dnssec-validation no;
> dnssec-lookaside auto;
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity debug 3;
> };
>
> channel querylog {
> file "data/query.log";
> severity debug 5;
> };
>
> category default { default_debug; };
> category queries { querylog; };
> };
>
> zone "example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
>
>

RE: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
I guess I made the assumption that zone was properly forwarded at the MS
end.

However as you mentioned if it was only delegated then it would SERVFAIL
at the BIND server when receiving an iterative query from MS if BIND isn't
authoritative.

On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com>
wrote:

But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.



The assumption I made in my post was that the delegation was pointed to the
forwarding BIND instance, which is a non-starter.



-  Kevin





*From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Ben
Croswell
*Sent:* Tuesday, October 10, 2017 11:38 AM
*To:* seanliam73 <sean.orei...@landg.com>
*Cc:* bind-users@lists.isc.org
*Subject:* Re: Forwarding from delegated zone not working



If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.



On Oct 10, 2017 11:22 AM, "seanliam73" <sean.orei...@landg.com> wrote:

Hi

I have a subdomain delegated from AD to a bind9 instance I have running
so that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However if I query from the AD server that
is doing the delegation I get a SERVFAIL error.

Am I trying to do something that is not possible or am I just missing some
configuration?

*main instance config*

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Forwarding from delegated zone not working

2017-10-10 Thread Tony Finch
seanliam73  wrote:
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.

I guess one possible cause for this problem might be if the AD server is
making iterative queries (RD=0) rather than recursive queries (RD=1). In
this case the BIND forwarding setup will not work because forwarding only
applies to recursive queries.

It's probably more reliable to set up the subdomain and sub-sub-domains
with proper delegations, so that normal iterative resolution works.

A few unrelated notes...

> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;

Don't use this option, it has been useless since 2001.

> recursion yes;
> allow-query { ip addresses; };
> listen-on-v6 { any; };
> dnssec-enable no;

There should not be any reason to turn off DNSSEC support.

> dnssec-validation no;
> dnssec-lookaside auto;

dnssec-lookaside is now obsolete, but even before it was decommissioned
these two lines contradicted each other!

> };

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet, Irish Sea, Southeast Shannon: Southwesterly 5 to 7,
occasionally gale 8 later. Slight or moderate, becoming moderate or rough.
Occasional rain. Moderate or good, occasionally poor.
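The options block from the thread next to a version with Tony's three notes applied and Bob Harold's `allow-recursion` suggestion added. This is an added example, not configuration from the thread; the `listen addr` and `ip addresses` placeholders are replaced by the assumed values 192.0.2.1 and 10.0.0.0/8, and the syntax is the BIND 9.11-era syntax the poster was using.

```conf
# Before: the options block as posted, with the flagged lines annotated.
options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.1; };   # assumed address for "listen addr"
    auth-nxdomain yes;                  # Tony: useless since 2001, drop it
    recursion yes;                      # on, but nothing limits who may recurse...
    allow-query { 10.0.0.0/8; };        # ...beyond allow-query (assumed range)
    listen-on-v6 { any; };
    dnssec-enable no;                   # Tony: no reason to turn DNSSEC support off
    dnssec-validation no;               # contradicts the next line
    dnssec-lookaside auto;              # obsolete (DLV was decommissioned); drop it
};

# After: the same block with those lines fixed.
options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.1; };
    listen-on-v6 { any; };
    recursion yes;
    allow-query { 10.0.0.0/8; };
    allow-recursion { 10.0.0.0/8; };    # Bob: limit recursion to your own clients
    dnssec-validation auto;             # validate using the built-in root trust anchor
};
```

`dnssec-enable` is simply omitted in the corrected block because its default is `yes`; `allow-recursion` matters on a server that is reachable from more than its own clients, since `allow-query` alone lets every permitted querier recurse through it.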


RE: Forwarding from delegated zone not working

2017-10-10 Thread Darcy Kevin (FCA)
But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.

The assumption I made in my post was that the delegation was pointed to the 
forwarding BIND instance, which is a non-starter.


-  Kevin


From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben 
Croswell
Sent: Tuesday, October 10, 2017 11:38 AM
To: seanliam73 <sean.orei...@landg.com>
Cc: bind-users@lists.isc.org
Subject: Re: Forwarding from delegated zone not working

If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73" <sean.orei...@landg.com> wrote:
Hi

I have a subdomain delegated from AD to a bind9 instance I have running
so that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However if I query from the AD server that
is doing the delegation I get a SERVFAIL error.

Am I trying to do something that is not possible or am I just missing some
configuration?

*main instance config*

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

RE: Forwarding from delegated zone not working

2017-10-10 Thread Darcy Kevin (FCA)
It doesn't work to delegate to a forwarder; you have to delegate to something 
that's authoritative for the zone (master or slave). Delegated nameservers are 
expected to have a full copy of the zone, either as the source (master) or 
through replication (slave).

Now, if you have restrictions/limitations that prevent you both from a) 
delegating directly from AD to the authoritative nameservers, and b) 
replicating from the authoritative nameservers to the BIND instance in 
question, then you'd need to look into some sort of "DNS proxy", but that's not 
BIND, and really beyond the scope of this list.


- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
seanliam73
Sent: Tuesday, October 10, 2017 11:22 AM
To: bind-users@lists.isc.org
Subject: Forwarding from delegated zone not working

Hi

I have a subdomain delegated from AD to a bind9 instance I have running so
that all requests for that subdomain are sent to the bind 9 instance. I would
then like to set up zone forwarding so that further subdomains can be managed
by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However if I query from the AD server that is
doing the delegation I get a SERVFAIL error.

Am I trying to do something that is not possible or am I just missing some
configuration?

*main instance config* 

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
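Kevin's point (delegate to something authoritative, never to a forwarder) and Tony's (set up proper delegations so iterative resolution works) written out for the names used in this thread. This is an added example, not the poster's configuration; the 192.0.2.0/24 addresses, file names and SOA values are assumptions, and the parent's delegation is shown in BIND zone-file syntax although in AD DNS it would be entered as NS and A records through the console. `slave`/`masters`/`master` are the 9.11-era keywords; BIND 9.16+ also accepts `secondary`/`primaries`/`primary`.

```conf
# ---- 1. In the parent zone example.com (AD DNS): the delegation ----
# Equivalent zone-file lines; in AD these are the NS and glue A records.
#
#   subdomain       IN NS  ns1.subdomain.example.com.
#   ns1.subdomain   IN A   192.0.2.1          ; glue for the in-zone NS name

# ---- 2. named.conf on the delegated BIND instance, 192.0.2.1 ----
# It must carry the zone itself (as master, or as slave of wherever the
# data really lives). A forward zone here only serves RD=1 clients; the
# parent's resolvers send RD=0 queries, to which forwarding does not
# apply, so a non-authoritative server has nothing to answer with (the
# SERVFAIL seen in the thread).
zone "subdomain.example.com" IN {
    type slave;                          # "secondary" on BIND 9.16+
    masters { 192.0.2.10; };             # "primaries" on 9.16+; the hidden source
    file "slave/subdomain.example.com.db";
};

# ---- 3. Zone data for subdomain.example.com (on the master, 192.0.2.10) ----
# The next level down is delegated the same way, not forwarded.
#
#   $ORIGIN subdomain.example.com.
#   $TTL 3600
#   @        IN SOA ns1 hostmaster ( 2017101001 3600 900 1209600 300 )
#            IN NS  ns1
#   ns1      IN A   192.0.2.1
#   sub      IN NS  ns1.sub                  ; delegation of sub.subdomain
#   ns1.sub  IN A   192.0.2.2                ; glue

# ---- 4. named.conf on the instance authoritative for the sub-sub-domain ----
zone "sub.subdomain.example.com" IN {
    type master;                         # "primary" on BIND 9.16+
    file "master/sub.subdomain.example.com.db";
};

# Check: an iterative query must get an answer or a referral, never
# SERVFAIL, at every step of the chain.
#   dig +norecurse @192.0.2.1 host.sub.subdomain.example.com A   # referral to ns1.sub
#   dig +norecurse @192.0.2.2 host.sub.subdomain.example.com A   # authoritative answer
```

With this chain in place no forwarding is needed on the delegated instance at all; the parent's resolvers follow the referrals themselves, and each server answers only from data it is authoritative for.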


Re: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73"  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running
> so that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.
>
> Am I trying to do something that is not possible or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;
> recursion yes;
> allow-query { ip addresses; };
> listen-on-v6 { any; };
> dnssec-enable no;
> dnssec-validation no;
> dnssec-lookaside auto;
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity debug 3;
> };
>
> channel querylog {
> file "data/query.log";
> severity debug 5;
> };
>
> category default { default_debug; };
> category queries { querylog; };
> };
>
> zone "example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
>
>
> --
> Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Forwarding via different external networks

2016-08-29 Thread Dave Warren
On Sun, Aug 28, 2016, at 19:22, Paul Kosinski wrote:
> "... whatever else you use to failover from the primary to the
> secondary would automatically ensure BIND resolves too."
> 
> That's the root of the problem: there is no automatic failover, and
> providing one is a lot of work. I was hoping there was a simple BIND
> config option so that BIND itself could fail-over the DNS lookups and
> solve the immediate problem.

What is the point of having reliable DNS if your other connectivity
doesn't failover? And/or, can't you just switch your DNS over when you
do the other failover manually?

I run exactly the same configuration here and have been through the ups
and downs of the various methods. They're all terrible. :)







Re: Forwarding via different external networks

2016-08-28 Thread Paul Kosinski
"... whatever else you use to failover from the primary to the
secondary would automatically ensure BIND resolves too."

That's the root of the problem: there is no automatic failover, and
providing one is a lot of work. I was hoping there was a simple BIND
config option so that BIND itself could fail-over the DNS lookups and
solve the immediate problem.


On Sat, 27 Aug 2016 23:29:08 -0700
Dave Warren  wrote:

> On Sat, Aug 27, 2016, at 11:32, Paul Kosinski wrote:
> > So my question is, is it possible to configure my forwarding BIND to
> > have a primary and *secondary* path for sending out DNS queries? As
> > far as I can tell, the "query-source address" option in named.conf
> > only allows one outbound interface to be (implicitly) specified,
> > and I don't want to leave the outbound interface unspecified as
> > that would defeat monitoring and logging on the specific interface.
> > The "forwarders" option *does* allow multiple DNS servers to be
> > specified, but that doesn't help if the network path is down.
> > 
> > P.S. I suppose I might try something with policy routing, but that
> > was already a nightmare to set up, since I use DSL vs cable based
> > on the source and type (e.g. HTTP, SSH) of the traffic rather than
> > the more common destination.
> 
> Since you're forwarding anyway, why not forward to a pair of public
> servers, 8.8.8.8 and 8.8.4.4, or 4.2.2.1 and 4.2.2.2, and then use
> your routing table or other technique to route traffic for each
> destination IP?
> 
> However, since you run BIND, why bother with forwarding queries at
> all, I would recommend just resolving without forwarders, in which
> case BIND doesn't need any particular connection and whatever else
> you use to failover from the primary to the secondary would
> automatically ensure BIND resolves too.



Re: Forwarding via different external networks

2016-08-28 Thread Paul Kosinski
"Your better bet is surely to dump the forwarders and to do your own 
recursion."

It doesn't solve the connectivity issue, but it sounds reasonable in
its own right: I'll have to try it.


On Sat, 27 Aug 2016 14:32:09 -0500
/dev/rob0  wrote:

> On Sat, Aug 27, 2016 at 02:32:42PM -0400, Paul Kosinski wrote:
> > Currently, I forward all outbound DNS via the DSL to the ISP's
> > DNS servers. (I have more confidence in the DSL provider not 
> > interfering with DNS than in Comcast.)
> 
> FWIW, it has been many years since I have dealt with Comcast as a 
> customer, but I can tell you for sure that Comcast employs some very 
> clueful DNS experts.
> 
> > However, there have been a couple of cases recently when the DSL 
> > was not getting beyond their gateway router, which meant that DNS 
> > would fail, causing much HTTP(S) to fail even though the cable 
> > network was working quite nicely.
> > 
> > So my question is, is it possible to configure my forwarding BIND 
> > to have a primary and *secondary* path for sending out DNS queries?
> 
> Your better bet is surely to dump the forwarders and to do your own 
> recursion.


Re: Forwarding via different external networks

2016-08-28 Thread Dave Warren
On Sat, Aug 27, 2016, at 11:32, Paul Kosinski wrote:
> So my question is, is it possible to configure my forwarding BIND to
> have a primary and *secondary* path for sending out DNS queries? As far
> as I can tell, the "query-source address" option in named.conf only
> allows one outbound interface to be (implicitly) specified, and I don't
> want to leave the outbound interface unspecified as that would defeat
> monitoring and logging on the specific interface. The "forwarders"
> option *does* allow multiple DNS servers to be specified, but that
> doesn't help if the network path is down.
> 
> P.S. I suppose I might try something with policy routing, but that was
> already a nightmare to set up, since I use DSL vs cable based on the
> source and type (e.g. HTTP, SSH) of the traffic rather than the more
> common destination.

Since you're forwarding anyway, why not forward to a pair of public
servers, 8.8.8.8 and 8.8.4.4, or 4.2.2.1 and 4.2.2.2, and then use your
routing table or other technique to route traffic for each destination
IP?

However, since you run BIND, why bother with forwarding queries at all,
I would recommend just resolving without forwarders, in which case BIND
doesn't need any particular connection and whatever else you use to
failover from the primary to the secondary would automatically ensure
BIND resolves too.





Re: Forwarding via different external networks

2016-08-27 Thread /dev/rob0
On Sat, Aug 27, 2016 at 02:32:42PM -0400, Paul Kosinski wrote:
> Currently, I forward all outbound DNS via the DSL to the ISP's
> DNS servers. (I have more confidence in the DSL provider not 
> interfering with DNS than in Comcast.)

FWIW, it has been many years since I have dealt with Comcast as a 
customer, but I can tell you for sure that Comcast employs some very 
clueful DNS experts.

> However, there have been a couple of cases recently when the DSL 
> was not getting beyond their gateway router, which meant that DNS 
> would fail, causing much HTTP(S) to fail even though the cable 
> network was working quite nicely.
> 
> So my question is, is it possible to configure my forwarding BIND 
> to have a primary and *secondary* path for sending out DNS queries?

Your better bet is surely to dump the forwarders and to do your own 
recursion.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


RE: forwarding zone to another DNS server problem

2014-11-05 Thread Darcy Kevin (FCA)
My attempt to explain stub...

It's like conditional forwarding, without the recursion. You tell named where 
the top of the namespace tree is hosted, and it issues *iterative* (= 
non-recursive) queries for names in that part of the tree. (Unless, of course, 
you have a definition further down in that namespace that overrides the 
behavior).

As someone else pointed out, this raises the requirement that you have *direct* 
connectivity to the published authoritative nameservers for the top level of 
the zone, and any other descendant zones (unless, again, you override those 
parts of the namespace tree with some other definition). In a DMZ environment, 
you may not have open and clear communication to *everything* that you need, 
and therefore stub might not be a good fit in that case. You might be forced, 
as a last resort, to use forwarding, in such a scenario.

Beyond that understanding, there are differences in how named *gets* the 
apex-NS information for a stub zone. The classic stub model is to use a 
similar replication method as slaving, i.e. driven by the REFRESH/RETRY/EXPIRE 
settings in the SOA of the zone. This will generate periodic refresh traffic in 
the form of SOA and/or NS queries. With the newer static-stub model (which, 
full disclosure, I've never actually *used*), apparently you just plug the 
addresses of the auth servers directly into the config, and no refreshing is 
necessary. There are pros and cons, that come to mind, for each of those 
flavors of stub.


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
Sent: Tuesday, November 04, 2014 5:10 AM
To: houguanghua
Cc: bind-users@lists.isc.org
Subject: RE: forwarding zone to another DNS server problem

houguanghua houguang...@hotmail.com wrote:

> I'm not familiar with 'stub'. The description of 'stub' is hard to
> understand.

Yes it's a bit weird. Think of it like the root hints but for other zones:
i.e. a hint zone configuration in a recursive server tells named that instead 
of using a referral from the parent zone to find the name servers for this 
zone, use these configured name servers. However the name servers at the zone's 
apex can override your configuration.

If you use static-stub instead, your configured name servers override all name 
servers for the zone that your name server might receive.

The difference with forwarding zones occurs if there is a delegation point 
below the zone you have configured. With a forwarding zone, named expects the 
target name server to do recursion, so the target server will deal with 
following the referral and resolving the final answer. With a stub zone, named 
expects to get authoritative answers and referrals to child zones, and it will 
do its own recursion to resolve the final answer.

Tony.
--
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North North Utsire: Cyclonic, becoming northeasterly 6 to gale 8,
occasionally severe gale 9. Moderate or rough, becoming rough or very rough.
Rain or showers. Good, occasionally poor.
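The three zone types Kevin and Tony compare, side by side in named.conf. This is an added example, not configuration from the thread; the zone name `corp.example` and the 192.0.2.0/24 addresses are assumptions, and only one of the three definitions can be present for a given name at a time.

```conf
# (a) Conditional forwarding: named sends RD=1 queries to the forwarder and
#     expects it to do the whole resolution, including following any
#     delegations below corp.example. Works from a DMZ where only the
#     forwarder is reachable. "forward only" stops named from recursing on
#     its own when the forwarders do not answer.
zone "corp.example" IN {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

# (b) Stub: named learns the apex NS RRset from the listed server, keeps it
#     refreshed according to the zone's SOA REFRESH/RETRY/EXPIRE timers
#     (periodic SOA/NS queries), then sends iterative (RD=0) queries itself.
#     NS records at the zone's apex override the listed server, so named
#     needs direct reachability to every authoritative server it gets
#     referred to, child zones included.
zone "corp.example" IN {
    type stub;
    masters { 192.0.2.10; };            # "primaries" on BIND 9.16+
    file "stub/corp.example.db";
};

# (c) Static-stub: like stub, but the server addresses are fixed in the
#     config: no refresh traffic, and NS records received for the zone do
#     not override them.
zone "corp.example" IN {
    type static-stub;
    server-addresses { 192.0.2.10; 192.0.2.11; };
};
```

The security-relevant difference is where trust ends up: with (a) the forwarder's answers are taken as final, so it must be a resolver you trust (and, if it validates DNSSEC, one whose answers your server can still check); with (b) and (c) named talks to the authoritative servers directly and keeps doing its own validation and referral-following.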


Re: forwarding zone to another DNS server problem

2014-11-05 Thread Joshua Smith
Kevin,
Thanks for this post.  It's the most succinct description of stub zones
I've ever read.  I've often tried to wrap my head around when to use a
stub and when to use a conditional forwarder and I *think* your
description has cleared that up for me.


On Wed, Nov 05, 2014 at 03:21:00PM +, Darcy Kevin (FCA) wrote:
 My attempt to explain stub...
 
 It's like conditional forwarding, without the recursion. You tell named where 
 the top of the namespace tree is hosted, and it issues *iterative* (= 
 non-recursive) queries for names in that part of the tree. (Unless, of 
 course, you have a definition further down in that namespace that overrides 
 the behavior).
 
 As someone else pointed out, this raises the requirement that you have 
 *direct* connectivity to the published authoritative nameservers for the top 
 level of the zone, and any other descendant zones (unless, again, you 
 override those parts of the namespace tree with some other definition). In a 
 DMZ environment, you may not have open and clear communication to 
 *everything* that you need, and therefore stub might not be a good fit in 
 that case. You might be forced, as a last resort, to use forwarding, in such 
 a scenario.
 
 Beyond that understanding, there are differences in how named *gets* the 
 apex-NS information for a stub zone. The classic stub model is to use a 
 similar replication method as slaving, i.e. driven by the 
 REFRESH/RETRY/EXPIRE settings in the SOA of the zone. This will generate 
 periodic refresh traffic in the form of SOA and/or NS queries. With the newer 
 static-stub model (which, full disclosure, I've never actually *used*), 
 apparently you just plug the addresses of the auth servers directly into the 
 config, and no refreshing is necessary. There are pros and cons, that come 
 to mind, for each of those flavors of stub.
 
   
 - Kevin
 
 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
 Sent: Tuesday, November 04, 2014 5:10 AM
 To: houguanghua
 Cc: bind-users@lists.isc.org
 Subject: RE: forwarding zone to another DNS server problem
 
 houguanghua houguang...@hotmail.com wrote:
 
   I'm not familiar with 'stub'.  The description of 'stub' is hard to 
  understand.
 
 Yes it's a bit weird. Think of it like the root hints but for other zones:
 i.e. a hint zone configuration in a recursive server tells named that instead 
 of using a referral from the parent zone to find the name servers for this 
 zone, use these configured name servers. However the name servers at the 
 zone's apex can override your configuration.
 
 If you use static-stub instead, your configured name servers override all 
 name servers for the zone that your name server might receive.
 
 The difference with forwarding zones occurs if there is a delegation point 
 below the zone you have configured. With a forwarding zone, named expects the 
 target name server to do recursion, so the target server will deal with 
 following the referral and resolving the final answer. With a stub zone, 
 named expects to get authoritative answers and referrals to child zones, and 
 it will do its own recursion to resolve the final answer.
 
 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/ Viking, North North 
 Utsire: Cyclonic, becoming northeasterly 6 to gale 8, occasionally severe 
 gale 9. Moderate or rough, becoming rough or very rough.
 Rain or showers. Good, occasionally poor.

-- 
Joshua Smith
Lead Systems Administrator WVNET
(304)293-5192 x247

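
Kevin's and Tony's descriptions above amount to an order of precedence, and
it is easier to see as a small model than as prose. The Python below is an
added example written for this page; it is not BIND source code and does not
claim to reproduce named's internals. It models four rules the thread states:
authoritative zone data answers first (including NXDOMAIN and NODATA, which
is why there is no "forward on NXDOMAIN" for a master zone); a delegation
hands that subtree away, so the server refers or recurses for it instead of
answering from zone data; forwarding is consulted only for recursive queries
the server is willing to recurse for, using the most specific forward zone
(an empty forwarders list switches forwarding off for that subtree); and a
stub or static-stub zone only changes where iteration starts. The names and
addresses in the demo are the ones quoted in the threads on this page
(company.com, 172.16.1.1, 172.22.2.150, test.com, 83.248.21.12); the
delegated child lab.company.com and its name server are made up for the
example.

```python
"""Model of the order in which a BIND-style server decides how to handle a query.

Added illustration for the bind-users thread; not BIND source code.
"""
from dataclasses import dataclass, field


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def closest(name, zone_names):
    """Longest-suffix match: the most specific configured name wins."""
    hits = [z for z in zone_names if in_zone(name, z)]
    return max(hits, key=lambda z: z.count(".")) if hits else None


@dataclass
class AuthZone:                       # type master / slave
    records: dict                     # owner name -> {rrtype: [rdata, ...]}
    delegations: dict = field(default_factory=dict)   # child name -> [NS names]


@dataclass
class ForwardZone:                    # type forward
    forwarders: list                  # [] means "do not forward this subtree"
    only: bool = True                 # "forward only" (True) vs "forward first"


@dataclass
class StubZone:                       # type stub / static-stub
    servers: list                     # iteration starts here, not at a parent referral


class Server:
    def __init__(self, recursion=True):
        self.recursion = recursion    # allow-recursion verdict for this client
        self.auth, self.fwd, self.stub = {}, {}, {}

    def resolve(self, qname, qtype, rd=True):
        """Return (action, detail) for a query; rd is the RD bit the client set."""
        qname = qname.rstrip(".").lower()
        recursing = rd and self.recursion

        # 1. Authority trumps everything else.
        zname = closest(qname, self.auth)
        if zname is not None:
            zone = self.auth[zname]
            child = closest(qname, zone.delegations)
            if child is None:
                rrset = zone.records.get(qname, {})
                if qtype in rrset:
                    return ("authoritative", rrset[qtype])
                return ("authoritative", "NODATA" if rrset else "NXDOMAIN")
            # 2. Below a delegation point the name has been given away.
            if not recursing:
                return ("referral", zone.delegations[child])
        elif not recursing:
            return ("refused", None)  # not ours, and we will not recurse for you

        # 3. Forwarding table, most specific entry first.
        fname = closest(qname, self.fwd)
        if fname is not None and self.fwd[fname].forwarders:
            fz = self.fwd[fname]
            return ("forward" if fz.only else "forward-first", fz.forwarders)

        # 4. Iterate; a stub zone only changes the starting point.
        sname = closest(qname, self.stub)
        return ("iterate", self.stub[sname].servers if sname else ["root hints"])


if __name__ == "__main__":
    # Master zone with "forward first; forwarders { 172.16.1.1; }" beside it.
    s = Server()
    s.auth["company.com"] = AuthZone(records={
        "company.com": {"NS": ["ns1.company.com"]},
        "www.company.com": {"A": ["172.22.2.150"]},
    })
    s.fwd["company.com"] = ForwardZone(["172.16.1.1"], only=False)
    print(s.resolve("www.company.com", "A"))       # authoritative answer
    print(s.resolve("printer.company.com", "A"))   # NXDOMAIN, never forwarded
    # Give a subtree away with a delegation; only then does forwarding apply to it.
    s.auth["company.com"].delegations["lab.company.com"] = ["ns.lab.company.com"]
    print(s.resolve("host.lab.company.com", "A"))  # forward-first to 172.16.1.1
    # Forward zone on a server configured with allow-recursion { none; }.
    t = Server(recursion=False)
    t.fwd["test.com"] = ForwardZone(["83.248.21.12"])
    print(t.resolve("www.test.com", "A"))          # refused
```

The last case is the one Matus points at below: a forward zone is useless to a
client the server will not recurse for, whatever the forwarders list says.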


RE: forwarding zone to another DNS server problem

2014-11-04 Thread houguanghua
hi tony,
 
I'm not familiar with 'stub'.  The description of 'stub' is hard to understand. 
Do you mean to configure 'stub' on the registered authoritative server and to 
configure the zone file with A records on the other, unregistered authoritative 
servers? Is that right?
 
Thanks,
Guanghua
 
 Date: Sun, 2 Nov 2014 21:23:14 +
 From: d...@dotat.at
 To: houguang...@hotmail.com
 CC: bind-users@lists.isc.org
 Subject: Re: forwarding zone to another DNS server problem
 
 houguanghua houguang...@hotmail.com wrote:
 
  Can bind support forwarding zone to another DNS server? In my testing,
  for local name servers, it can. But for authority name servers, it
  can't.
 
 Use stub or static-stub to forward to an authoritative server.
 
 Tony.
 -- 
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
 5 or 6. Slight or moderate. Showers in northwest. Good.

RE: forwarding zone to another DNS server problem

2014-11-04 Thread Tony Finch
houguanghua houguang...@hotmail.com wrote:

  I'm not familiar with 'stub'.  The description of 'stub' is hard to
 understand.

Yes it's a bit weird. Think of it like the root hints but for other zones:
i.e. a hint zone configuration in a recursive server tells named that
instead of using a referral from the parent zone to find the name servers
for this zone, use these configured name servers. However the name servers
at the zone's apex can override your configuration.

If you use static-stub instead, your configured name servers override all
name servers for the zone that your name server might receive.

The difference with forwarding zones occurs if there is a delegation point
below the zone you have configured. With a forwarding zone, named expects
the target name server to do recursion, so the target server will deal
with following the referral and resolving the final answer. With a stub
zone, named expects to get authoritative answers and referrals to child
zones, and it will do its own recursion to resolve the final answer.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Viking, North North Utsire: Cyclonic, becoming northeasterly 6 to gale 8,
occasionally severe gale 9. Moderate or rough, becoming rough or very rough.
Rain or showers. Good, occasionally poor.


Re: forwarding zone to another DNS server problem

2014-11-04 Thread Barry Margolin
In article mailman.1168.1415095867.26362.bind-us...@lists.isc.org,
 Tony Finch d...@dotat.at wrote:

 houguanghua houguang...@hotmail.com wrote:
 
   I'm not familiar with 'stub'.  The description of 'stub' is hard to
  understand.
 
 Yes it's a bit weird. Think of it like the root hints but for other zones:
 i.e. a hint zone configuration in a recursive server tells named that
 instead of using a referral from the parent zone to find the name servers
 for this zone, use these configured name servers. However the name servers
 at the zone's apex can override your configuration.
 
 If you use static-stub instead, your configured name servers override all
 name servers for the zone that your name server might receive.
 
 The difference with forwarding zones occurs if there is a delegation point
 below the zone you have configured. With a forwarding zone, named expects
 the target name server to do recursion, so the target server will deal
 with following the referral and resolving the final answer. With a stub
 zone, named expects to get authoritative answers and referrals to child
 zones, and it will do its own recursion to resolve the final answer.

If he wants to do forwarding rather than normal delegation, the 
likelihood is that the servers for the subdomain are not accessible from 
the public Internet. So stub won't help.

-- 
Barry Margolin
Arlington, MA


Re: forwarding zone to another DNS server problem

2014-11-03 Thread Matus UHLAR - fantomas

houguanghua houguang...@hotmail.com wrote:

Can bind support forwarding zone to another DNS server? In my testing,
for local name servers, it can. But for authority name servers, it
can't.


forwarding requires recursion allowed for the zone.

On 02.11.14 21:23, Tony Finch wrote:

Use stub or static-stub to forward to an authoritative server.


the same applies here.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: forwarding zone to another DNS server problem

2014-11-03 Thread Matus UHLAR - fantomas

On 02.11.14 23:09, Frank Pikelner wrote:

What is the advantage of using a stub or static-stub over a slave?


you should use them when it's not possible or viable to use a slave, e.g.
windows AD domain, RBL domain, domain that can't be transferred etc...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


Re: forwarding zone to another DNS server problem

2014-11-03 Thread Tony Finch
Matus UHLAR - fantomas uh...@fantomas.sk wrote:

 On 02.11.14 23:09, Frank Pikelner wrote:
  What is the advantage of using a stub or static-stub over a slave?

 you should use them when it's not possible or viable to use slave, e.g.
 windows AD domain, RBL domain, domain that can't be transferred etc...

Also if you want to do DNSSEC validation.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.


Re: forwarding zone to another DNS server problem

2014-11-02 Thread Barry Margolin
In article mailman.1155.1414921350.26362.bind-us...@lists.isc.org,
 houguanghua houguang...@hotmail.com wrote:

 Dear all,
  
 Can bind support forwarding zone to another DNS server? In my testing, for 
 local name servers, it can. But for authority name servers, it can't.  
  
 I have an authoritative DNS server which is authoritative for the domain 
 test.com.  I would now want the machine to just forward all incoming queries 
 for test.com to the 83.248.21.12 server. The named.conf is as follows:

By definition an authoritative server knows the answers itself, it 
doesn't need to forward.

 The named.conf is as follows:
 options {
     directory "/var/cache/bind";
     version "none";
     allow-recursion { none; };   // no client may recurse, so nothing is ever forwarded
 };
 zone "test.com" in {
     type forward;
     forwarders { 83.248.21.12; };
 };

That's not the configuration of an authoritative server. You're only 
authoritative if it's type master or type slave.

 The name server (83.248.21.12) isn't registered, but is configured as a 
 normal authority name server.
 The named.conf is as follows:
 options {
     directory "/var/cache/bind";
     version "none";
     allow-recursion { none; };
 };
 zone "test.com" in {
     type master;
     file "zone/test.com.db";
 };
 This is the test.com.db file content:
 $ORIGIN test.com.
 $TTL 1W
 @       IN  SOA ns1.test.com. postmaster.test.com. (
             6       ; serial number
             3600    ; refresh   [1h]
             600     ; retry     [10m]
             86400   ; expire    [1d]
             3600 )  ; min TTL   [1h]
 ;
         IN  NS  ns1.test.com.
 ; note: the file as posted has no A record for ns1.test.com, so named
 ; will warn that the NS has no address records
 www     IN  A   172.22.2.150
 
  
 But the problem is that no DNS record can be resolved when querying it, 
 for example the www.test.com A record. What's wrong?
  

Are you sending recursive queries to the first server? Forwarding will 
only be done if the client requests recursion. Recursive servers don't 
request recursion when they query the registered servers for a zone.

-- 
Barry Margolin
Arlington, MA
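
Barry's question (are you sending recursive queries?) is the first thing to
check, and the evidence is in the header of the reply, which is what dig
prints on its "flags:" line. The Python below is an added example for this
page, not code from BIND or from anyone in the thread. It builds a query
with the RD bit set or clear (what dig sends by default and with
+norecurse), and classifies a reply from its QR, AA and RA bits, its
section counts and its RCODE: AA set means the answer came from local zone
data, an answer without AA means somebody recursed or forwarded to get it,
an empty answer section with NS records in the authority section is a
referral that nobody followed for you, and REFUSED is what a client that
is not allowed to recurse gets for a name the server is not authoritative
for. The replies it classifies are constructed inside the script; the
addresses 83.248.21.12 and 172.22.2.150 and the name www.test.com are taken
from the thread, everything else about those messages is made up for the
demo.

```python
"""Build DNS queries with or without the RD bit and classify a reply by its
header flags: the check behind `dig +norecurse` and dig's "flags:" line.
Added example for the bind-users thread; not code from BIND."""
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, rd=True, txid=0x1234):
    """Header plus one question.  rd=False is what `dig +norecurse` sends, and
    what a resolver sends when it iterates to the registered servers."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, aa=False, ra=False, rcode=0, answers=(), authority=()):
    """Constructed reply for the demo: echoes the question and appends RRs whose
    owner is a compression pointer (0xc00c) back to the question name."""
    txid, qflags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = QR | (qflags & RD) | (AA if aa else 0) | (RA if ra else 0) | rcode

    def rr(rtype, rdata, ttl=3600):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(answers), len(authority), 0)
    return (header + query[12:]
            + b"".join(rr(t, d) for t, d in answers)
            + b"".join(rr(t, d) for t, d in authority))


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x0F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(msg):
    """What kind of reply is this, judged only from the header?"""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"            # e.g. recursion wanted but not allowed for us
    if h["aa"]:
        return "authoritative"      # served from local zone data (answer or NXDOMAIN)
    if h["ancount"]:
        return "non-authoritative"  # the server recursed or forwarded to get it
    if h["nscount"] and h["rcode"] == 0:
        return "referral"           # delegation handed back; nobody recursed for us
    return "empty"


if __name__ == "__main__":
    www = bytes([172, 22, 2, 150])
    q_rd = build_query("www.test.com")
    q_norec = build_query("www.test.com", rd=False)
    samples = {
        "authoritative master": build_response(q_norec, aa=True, answers=[(TYPE_A, www)]),
        "forwarder's answer":   build_response(q_rd, ra=True, answers=[(TYPE_A, www)]),
        "parent referral":      build_response(q_norec, authority=[(TYPE_NS, encode_name("ns1.test.com"))]),
        "recursion refused":    build_response(q_rd, rcode=RCODE_REFUSED),
    }
    for label, msg in samples.items():
        h = parse_header(msg)
        print("%-22s aa=%d ra=%d rd=%d rcode=%d -> %s"
              % (label, h["aa"], h["ra"], h["rd"], h["rcode"], classify(msg)))
```

Against a live server the same check is `dig @server www.test.com +norecurse`
versus plain `dig @server www.test.com`: if the forward zone only ever answers
the second form, the first server is doing exactly what Barry describes.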


Re: forwarding zone to another DNS server problem

2014-11-02 Thread Tony Finch
houguanghua houguang...@hotmail.com wrote:

 Can bind support forwarding zone to another DNS server? In my testing,
 for local name servers, it can. But for authority name servers, it
 can't.

Use stub or static-stub to forward to an authoritative server.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.


Re: forwarding zone to another DNS server problem

2014-11-02 Thread Frank Pikelner
houguanghua houguang...@hotmail.com wrote:

 Can bind support forwarding zone to another DNS server? In my testing,
 for local name servers, it can. But for authority name servers, it
 can't.

Use stub or static-stub to forward to an authoritative server.

What is the advantage of using a stub or static-stub over a slave?

Thanks,

Frank


Re: Forwarding request to another DNS server but the same domain

2014-05-01 Thread Matus UHLAR - fantomas

Hello,

On 30.04.14 17:32, Jeronimo L. Cabral wrote:

1) Office 1: people work with some machines and fill up a local master zone
company.com with records in DNS1
2) Office 2: people work with some other machines and fill up a local
master zone company.com with other records in DNS2

So both offices have a different master zone.


what happens if the same record with different content is added to the zone?
Which one is the correct one and which is not?

This scenario is invalid just from the beginning.

You CAN NOT have two different zone files and expect them both to be
correct

you already got your recommendations how to fix the issue...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: Let God Debug It!.


Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy

Being authoritative means that you know everything about the zone.

If you know everything about a zone, why ask anyone else?

Split DNS does not follow the DNS paradigm, so there is no standard 
way to implement it, and despite many people asking over the years, 
there is no NXDOMAIN failover forwarding mechanism in BIND, nor is 
there any clear consensus that there *should* be (insert standard 
diatribe against forwarding in general).


Bite the bullet: do parallel updates to both zones, for records that 
need to be present in both versions.


- Kevin

On 4/30/2014 3:55 PM, Jeronimo L. Cabral wrote:
Dear, I would like to ask for solution related with DNS (bind) 
configuration to allow forward requests to another DNS but related 
with the same domain.


I'm asking about two authoritative name servers serving the same 
domain but with different zone file info on each and have one of them 
forward recursive queries to another one if first one cannot find some 
particular subdomain record that is missing in his version of zone file.


My named.conf.local is as follow, but it doesn't work:

zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";
    allow-transfer { key company; };
    check-names ignore;
    forward first;
    forwarders { 172.16.1.1; };
};

Thanks a lot,

JeLo




Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread John Miller
Hi Jeronimo,

First of all, please just tell us the real domain.  Yes, we could try and
talk about a fictitious example.com or company.com, but having the real
domain name lets us actually query your nameservers.

Let me be sure I understand: you have two DNS servers.  Each of them is
authoritative for the same domain.  Are both set as master?

The two servers have different copies of the zone--what's your reason for
that?

If both servers think they are authoritative for a zone, then they will
answer recursive queries for those zones themselves.  From the manual:

Forwarding occurs only on those queries for which the server is not
authoritative and does not have the answer in its cache.

What exactly are you trying to achieve?

John



On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:

 Dear, I would like to ask for solution related with DNS (bind)
 configuration to allow forward requests to another DNS but related with
 the same domain.

 I'm asking about two authoritative name servers serving the same domain
 but with different zone file info on each and have one of them forward
 recursive queries to another one if first one cannot find some particular
 subdomain record that is missing in his version of zone file.

 My named.conf.local is as follow, but it doesn't work:

 zone "company.com" {
     type master;
     file "/etc/bind/zones/company.com.db";
     allow-transfer { key company; };
     check-names ignore;
     forward first;
     forwarders { 172.16.1.1; };
 };

 Thanks a lot,

 JeLo






-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local master zone
company.com with records in DNS1
2) Office 2: people work with some other machines and fill up a local
master zone company.com with other records in DNS2

So both offices have a different master zone.

Both offices belong to the same company, so I need any client PC to be able
to resolve a hostname from the company.com domain, regardless of whether the
record is in DNS1 or DNS2.

Thanks again, regards.

JeLo



On Wed, Apr 30, 2014 at 5:21 PM, John Miller johnm...@brandeis.edu wrote:

 Hi Jeronimo,

 First of all, please just tell us the real domain.  Yes, we could try and
 talk about a fictitious example.com or company.com, but having the
 real domain name lets us actually query your nameservers.

 Let me be sure I understand: you have two DNS servers.  Each of them is
 authoritative for the same domain.  Are both set as master?

 The two servers have different copies of the zone--what's your reason for
 that?

 If both servers think they are authoritative for a zone, then they will
 answer recursive queries for those zones themselves.  From the manual:

 Forwarding occurs only on those queries for which the server is not
 authoritative and does not have the answer in its cache.

 What exactly are you trying to achieve?

 John



 On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral 
 jelocab...@gmail.comwrote:

 Dear, I would like to ask for solution related with DNS (bind)
 configuration to allow forward requests to another DNS but related with
 the same domain.

 I'm asking about two authoritative name servers serving the same domain
 but with different zone file info on each and have one of them forward
 recursive queries to another one if first one cannot find some particular
 subdomain record that is missing in his version of zone file.

 My named.conf.local is as follow, but it doesn't work:

 zone "company.com" {
     type master;
     file "/etc/bind/zones/company.com.db";
     allow-transfer { key company; };
     check-names ignore;
     forward first;
     forwarders { 172.16.1.1; };
 };

 Thanks a lot,

 JeLo






 --
 John Miller
 Systems Engineer
 Brandeis University
 johnm...@brandeis.edu
 (781) 736-4619


Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
Oh, I thought this was an external-versus-internal scenario. But, this 
is even easier.


A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the 
stealth variety, if you want) of the other

B) People use nsupdate to maintain the zone

For security, TSIG-sign the updates. For fast change propagation, set up 
NOTIFY if and as necessary.


- Kevin

On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:

Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local master 
zone company.com with records in DNS1
2) Office 2: people work with some other machines and fill up a 
local master zone company.com with other 
records in DNS2


So both offices have a different master zone.

Both offices belong to the same company, so I need any client PC 
to be able to resolve a hostname from the company.com 
domain, regardless of whether the record is in DNS1 or DNS2.


Thanks again, regards.

JeLo



On Wed, Apr 30, 2014 at 5:21 PM, John Miller johnm...@brandeis.edu wrote:


Hi Jeronimo,

First of all, please just tell us the real domain. Yes, we could
try and talk about a fictitious example.com
or company.com, but having the real domain
name lets us actually query your nameservers.

Let me be sure I understand: you have two DNS servers.  Each of
them is authoritative for the same domain.  Are both set as master?

The two servers have different copies of the zone--what's your
reason for that?

If both servers think they are authoritative for a zone, then they
will answer recursive queries for those zones themselves.  From
the manual:

Forwarding occurs only on those queries for which the server is
not authoritative and does not have the answer in its cache.

What exactly are you trying to achieve?

John



On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral
jelocab...@gmail.com wrote:

Dear, I would like to ask for solution related with DNS (bind)
configuration to allow forward requests to another DNS but
related with the same domain.

I'm asking about two authoritative name servers serving the
same domain but with different zone file info on each and have
one of them forward recursive queries to another one if first
one cannot find some particular subdomain record that is
missing in his version of zone file.

My named.conf.local is as follow, but it doesn't work:

zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";
    allow-transfer { key company; };
    check-names ignore;
    forward first;
    forwarders { 172.16.1.1; };
};

Thanks a lot,

JeLo






-- 
John Miller

Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619






Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread John Miller
First of all, unless you need separate views for each office, don't go down
that path.  Why are you attempting this as opposed to standard master-slave
replication?

There's something else I'm not understanding here: why would recursive
queries from one office go to the other office's nameservers?  What's
preventing you from setting up a second recursive nameserver in each office?

John



On Wed, Apr 30, 2014 at 4:32 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:

 Dear John, this is my scenario:

 1) Office 1: people work with some machines and fill up a local master
 zone company.com with records in DNS1
 2) Office 2: people work with some other machines and fill up a local
 master zone company.com with other records in DNS2

 So both offices have a different master zone.

 Both offices belong to the same company, so I need that any client PC can
 resolve a hostname from company.com domain, independently if this
 record is in DNS1 or DNS2.

 Thanks again, regards.

 JeLo



 On Wed, Apr 30, 2014 at 5:21 PM, John Miller johnm...@brandeis.edu wrote:

 Hi Jeronimo,

 First of all, please just tell us the real domain.  Yes, we could try and
 talk about a fictitious example.com or company.com, but having the
 real domain name lets us actually query your nameservers.

 Let me be sure I understand: you have two DNS servers.  Each of them is
 authoritative for the same domain.  Are both set as master?

 The two servers have different copies of the zone--what's your reason for
 that?

 If both servers think they are authoritative for a zone, then they will
 answer recursive queries for those zones themselves.  From the manual:

 Forwarding occurs only on those queries for which the server is not
 authoritative and does not have the answer in its cache.

 What exactly are you trying to achieve?

 John



 On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral jelocab...@gmail.com
  wrote:

 Dear, I would like to ask for solution related with DNS (bind)
 configuration to allow forward requests to another DNS but related with
 the same domain.

 I'm asking about two authoritative name servers serving the same domain
 but with different zone file info on each and have one of them forward
 recursive queries to another one if first one cannot find some particular
 subdomain record that is missing in his version of zone file.

 My named.conf.local is as follow, but it doesn't work:

 zone "company.com" {
     type master;
     file "/etc/bind/zones/company.com.db";
     allow-transfer { key company; };
     check-names ignore;
     forward first;
     forwarders { 172.16.1.1; };
 };

 Thanks a lot,

 JeLo






 --
 John Miller
 Systems Engineer
 Brandeis University
 johnm...@brandeis.edu
 (781) 736-4619






-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
In office #1, the company.com master zone is updated automatically from
some Windows machines in DNS1, and in office #2 the same zone is updated
manually in DNS2 by the administrator, who shouldn't update (using freeze
and unfreeze) the master zone from office #1. This is the scenario, and we
need a simple query to DNS1 to be answered with any record from both
zones.

Thanks again


On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy k...@chrysler.com wrote:

  Oh, I thought this was an external-versus-internal scenario. But, this
 is even easier.

 A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the
 stealth variety, if you want) of the other
 B) People use nsupdate to maintain the zone

 For security, TSIG-sign the updates. For fast change propagation, set up
 NOTIFY if and as necessary.


 - Kevin


 On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:

 Dear John, this is my scenario:

  1) Office 1: people work with some machines and fill up a local master
 zone company.com with records in DNS1
 2) Office 2: people work with some other machines and fill up a local
 master zone company.com with other records in DNS2

  So both offices have a different master zone.

  Both offices belong to the same company, so I need that any client PC
 can resolve a hostname from company.com domain, independently if this
 record is in DNS1 or DNS2.

  Thanks again, regards.

  JeLo



 On Wed, Apr 30, 2014 at 5:21 PM, John Miller johnm...@brandeis.edu wrote:

  Hi Jeronimo,

  First of all, please just tell us the real domain.  Yes, we could try
 and talk about a fictitious example.com or company.com, but having
 the real domain name lets us actually query your nameservers.

  Let me be sure I understand: you have two DNS servers.  Each of them is
 authoritative for the same domain.  Are both set as master?

  The two servers have different copies of the zone--what's your reason
 for that?

  If both servers think they are authoritative for a zone, then they will
 answer recursive queries for those zones themselves.  From the manual:

 Forwarding occurs only on those queries for which the server is not
 authoritative and does not have the answer in its cache.

  What exactly are you trying to achieve?

  John



  On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral 
 jelocab...@gmail.com wrote:

  Dear, I would like to ask for solution related with DNS (bind)
 configuration to allow forward requests to another DNS but related with
 the same domain.

 I'm asking about two authoritative name servers serving the same domain
 but with different zone file info on each and have one of them forward
 recursive queries to another one if first one cannot find some particular
 subdomain record that is missing in his version of zone file.

  My named.conf.local is as follow, but it doesn't work:

  zone "company.com" {
      type master;
      file "/etc/bind/zones/company.com.db";
      allow-transfer { key company; };
      check-names ignore;
      forward first;
      forwarders { 172.16.1.1; };
  };

  Thanks a lot,

  JeLo


  ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to
 unsubscribe from this list

 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users




 --
 John Miller
 Systems Engineer
 Brandeis University
 johnm...@brandeis.edu
 (781) 736-4619


Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Kevin Darcy
I'm still not understanding your constraints. If *all* updates come in 
through Dynamic Update, then you don't need freeze/unfreeze.


- Kevin

On 4/30/2014 6:47 PM, Jeronimo L. Cabral wrote:
In office #1, the company.com master zone is
updated automatically from some Windows machines in DNS1 and in
office #2 the same zone is updated manually in DNS2 by the
administrator who shouldn't update (using freeze and unfreeze) the
master zone from office #1. This is the scenario, and we need a
simple query to DNS1 to be answered with any record from both zones.


Thanks again


On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy k...@chrysler.com wrote:


Oh, I thought this was an external-versus-internal scenario. But,
this is even easier.

A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of
the stealth variety, if you want) of the other
B) People use nsupdate to maintain the zone

For security, TSIG-sign the updates. For fast change propagation,
set up NOTIFY if and as necessary.

- Kevin



Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
DNS1 with dynamic update and DNS2 with manual update


On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy k...@chrysler.com wrote:

  I'm still not understanding your constraints. If *all* updates come in
 through Dynamic Update, then you don't need freeze/unfreeze.

 -
 Kevin



Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Chris Buxton
Either do as Kevin Darcy said or else use separate names:

company.com
office1.company.com
office2.company.com

The admin in office 2 updates the office2 zone. The dynamic updates in office 1 
go to the office1 zone. The company.com zone delegates both. Everyone can find 
everything via that delegation, but each office has its own zone. Everyone is 
happy.

Chris

On Apr 30, 2014, at 4:36 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:

 DNS1 with dynamic update and DNS2 with manual update
 
 
 On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy k...@chrysler.com wrote:
 I'm still not understanding your constraints. If *all* updates come in 
 through Dynamic Update, then you don't need freeze/unfreeze.
 
 - 
 Kevin
 
 

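To make the layout Chris describes concrete, here is an added example configuration of the two servers. It is mine, not anything posted in this thread, and every specific in it is an assumption: DNS1 at 192.0.2.1 on the office 1 LAN 192.0.2.0/24, DNS2 at 198.51.100.1 on the office 2 LAN 198.51.100.0/24, the file paths, and the TSIG key name; the key secret is a placeholder. The parent zone carries only the two delegations, each office is primary for its own child zone, and, following Kevin's advice, DNS1 accepts only TSIG-signed dynamic updates for office1.

```conf
// ===== DNS1 (192.0.2.1) - named.conf.local =====
// Added example, not this thread's configuration; addresses, names and
// the key name are assumptions, the secret is a placeholder.

key "office1-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder value
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // only the two office LANs may use DNS1 as a resolver (assumed ranges)
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
};

// Parent zone: holds the two delegations and company-wide names only.
zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";
    allow-transfer { 198.51.100.1; };        // DNS2 keeps a secondary copy
};

// Office 1 data: written by the Windows machines through signed updates.
zone "office1.company.com" {
    type master;
    file "/etc/bind/zones/office1.company.com.db";
    allow-update { key "office1-update"; };  // unsigned updates are refused
};

// ===== DNS2 (198.51.100.1) - named.conf.local =====
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
};

// Secondary copy of the parent, so DNS2 also knows both delegations.
zone "company.com" {
    type slave;
    masters { 192.0.2.1; };
    file "/var/cache/bind/company.com.db";
};

// Office 2 data: edited by hand in the file and reloaded with rndc.
zone "office2.company.com" {
    type master;
    file "/etc/bind/zones/office2.company.com.db";
};

; ===== /etc/bind/zones/company.com.db on DNS1 (zone-file syntax) =====
$TTL 3600
@        IN SOA  dns1.company.com. hostmaster.company.com. (
                 2014050101 3600 900 1209600 300 )
@        IN NS   dns1.company.com.
@        IN NS   dns2.company.com.
dns1     IN A    192.0.2.1
dns2     IN A    198.51.100.1
; delegations: the parent only states who holds each office's records
office1  IN NS   dns1.company.com.
office2  IN NS   dns2.company.com.
```

With this split DNS1 never returns NXDOMAIN for an office2 name out of its own data: it is authoritative only for the delegation, not for office2.company.com, so as a recursive server it follows the NS record to DNS2 (DNS2 does the reverse through its secondary copy of the parent). The office 2 administrator edits office2.company.com.db and runs `rndc reload office2.company.com`; no freeze/unfreeze is needed because the only dynamically updated zone lives on DNS1.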
Re: Forwarding requests when DNS name doesn't exist?

2013-10-10 Thread Marc Lampo
An unwise decision, from a security point of view!

You are about to open the DNS channel: public DNS resolving becomes available for
internal clients.
Consequently data leakage and file transfer in/out over DNS become possible ...

As far as the question about internal fake zones is concerned:
if the name server has knowledge, because it is authoritative, it will use
that knowledge and will not try to query name servers on the Internet.
It becomes bogus for that zone: no delegation, but having knowledge.

Kind regards,

Marc


On Thu, Oct 10, 2013 at 10:28 AM, Peter Olsson p...@leissner.se wrote:

 (This is probably a silly question, but I
 want to explore every possibility.)

 We have a proxy firewall, with no contact
 between inside and outside. We have a fake
 internal DNS root for zones that we use
 internally. This works fine, since lookup
 of external names are only made from the
 outside of the proxy servers.

 We are about to change to a transparent
 firewall, which means that we remove the
 proxy servers. Then we have to let the
 inside get access to real outside DNS.

 Is there any way with bind, or any other
 DNS product, to keep our internal fake zones
 and have them selectively forwarded to external
 DNS for all names that don't exist in the
 internal fake zones?
 Clients would first ask internal DNS, and if
 the name exists there they will use that, but
 if the name doesn't exist internally they won't
 get a negative response. Instead their request
 would be forwarded to external DNS.

 Thanks!

 Peter Olsson

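As an added example of what Marc describes (my configuration, not anything posted in this thread): the internal zones stay authoritative and are answered from local data, everything else is forwarded to the outside resolvers, and a query log is kept so the newly opened DNS channel can be reviewed. The zone name corp.internal, the LAN range 10.0.0.0/8, the secondary at 10.0.0.2 and the resolver addresses 192.0.2.53 and 192.0.2.54 are all assumptions.

```conf
// Added example, not from this thread. Zone name, LAN range and resolver
// addresses are assumptions.

options {
    directory "/var/cache/bind";
    recursion yes;
    // only inside clients may recurse through this server
    allow-recursion { 10.0.0.0/8; localhost; };
    allow-query { 10.0.0.0/8; localhost; };

    // Every name this server is NOT authoritative for goes outside.
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

// The internal zones stay ordinary authoritative zones. A name that is
// missing from corp.internal gets NXDOMAIN from this data; it is not
// forwarded, because forwarding only applies where the server is not
// authoritative.
zone "corp.internal" {
    type master;
    file "/etc/bind/zones/corp.internal.db";
    allow-transfer { 10.0.0.2; };   // the internal secondary (assumed)
};

// The DNS channel to the outside is now open, so log what goes through it.
// Very long labels or a high volume of lookups for one external domain are
// the pattern to review when data is being moved out over DNS.
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 10 size 50m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};
```

The one thing that must go is the fake root: a local "." zone makes the server authoritative for every name, so by the rule Marc states nothing would ever be forwarded. Each internal zone is listed individually instead, and names outside them fall through to the forwarders.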
Re: forwarding query-source (was Re: name caching and forwarding)

2013-03-05 Thread Matus UHLAR - fantomas

On 04.03.13 17:35, Shawn Bakhtiar wrote:
> A better solution may be (if feasible) to register and get an internet AS
> number and enable BGP on both links.  If one fails the upstream routers
> (even if from disparate providers) will detect a failure and re-route via the
> active link.

you don't need an AS number for this; provider-independent IP addresses are
quite enough (at least here in Europe)

I just did not want to explain this more deeply - that is a question for the
OP and their ISP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.


RE: forwarding query-source (was Re: name caching and forwarding)

2013-03-04 Thread Shawn Bakhtiar


A better solution may be (if feasible) to register and get an internet AS 
number and enable BGP on both links. If one fails, the upstream routers (even if 
from disparate providers) will detect the failure and re-route via the active link.

http://en.wikipedia.org/wiki/Border_Gateway_Protocol

This is NOT a load balancing solution; you will still have one active route at 
any given time, but you can set up your servers on the same IP segment if you 
choose, and let the routers deal with where the traffic is coming from or going 
to. You can use egress ACLs to pseudo-balance the outgoing traffic too, but that's very 
hackish.


 Date: Sat, 2 Mar 2013 16:16:28 +0100
 From: uh...@fantomas.sk
 To: bind-users@lists.isc.org
 Subject: Re: forwarding  query-source (was Re: name caching and forwarding)
 

Re: forwarding query-source (was Re: name caching and forwarding)

2013-03-02 Thread Matus UHLAR - fantomas

On 01.03.13 17:23, Lawrence K. Chen, P.Eng. wrote:
> I thought I had read somewhere the query-source default is to try making
> queries from all the IPs on my system.

No, the default is to use the special IP 0.0.0.0, which causes the system (not
BIND) to select the source IP address.

> And, my DNS servers have two IPs on them... using policy based routing,
> the first IP routes out on my fast though less reliable internet
> connection and the second IP routes out on my slower but reliable (though
> the router is acting up on this link now) internet connection.

You are apparently aware that the source IP address has nothing to do with the
link the packets go out by default - this is why you've had to configure
policy routing.

> Problem I found was that when my fast internet connection goes
> down... queries stop working.  Had to explicitly set query-source to use
> the second IP.

When your link is down, the packets sent through the link will not be
delivered.

The whole solution of using multiple links requires provider-independent
IP addresses, both ISPs' cooperation, or a lot of playing with routing, NAT
and other servers' configuration - not only DNS, if you want e.g. your mail
to get delivered.

> So, I thought I could trick my caching servers to handle the dual routing
> that I wanted, by setting the two prod servers to 'forward first' to my
> dev server, which sends its queries out on fast connection and assume that
> they would query out over the slow connection if the 'forward first'
> doesn't yield an answer.

You can do this by using the server {} BIND statement for the forwarders, with
a different IP in query-source and possibly other *-source options.

> And, then I was surprised by a flood of email.  My mailservers weren't
> able to resolve addresses because the forwarder wasn't responding... I
> suppose it's because it's UDP it isn't quick about deciding that there's no
> service to answer.

This has nothing to do with UDP. BIND tries to forward and has its own
timeouts (3 to 12 seconds iirc) when a forwarder is unreachable.

> Does this timeout problem also impact forward only
> and a list of forwarders?  I have a set of servers with 10.x.x.x IPs with
> local caching DNS servers configured to forward only to a pair of caching
> DNS servers with public IPs.

Yes, with the difference that forward only will only try forwarders, and
when they fail, it will fail too. forward first will do the resolution by
itself when all forwarders fail, thus it should be more reliable.

> So, how would I make forwarding not prevent resolution?  Or can I get bind
> to try both IPs in trying to do queries?

BIND always wants to be responsive, so it will repeatedly try all forwarders
(it will prefer servers that respond, but from time to time it re-tries the
unresponsive ones too).

I'm not sure whether you are solving the problem with multiple links at the
right level.  Your router(s) could possibly detect the link outage sooner
and switch to another link, maybe with NATting to another IP.  However, your
DNS problem could be solved by BIND configuration.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

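An added example of the server {} / query-source arrangement Matus mentions, written by me rather than taken from this thread. It assumes the caching server has two addresses, 203.0.113.10 (policy-routed out the fast link) and 198.51.100.10 (the slow, reliable link), and that the dev forwarder is 203.0.113.53; the LAN range 10.0.0.0/8 is also an assumption.

```conf
// Added example, not from this thread. Addresses are assumptions.

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };

    // Source address for queries this server makes on its own. Left unset,
    // it is 0.0.0.0 and the OS chooses (Matus's point); pinned here so that
    // ordinary resolution leaves via the reliable link's address.
    query-source address 198.51.100.10;

    // forward first: ask the forwarder, and resolve ourselves when it fails.
    // forward only would make this server fail whenever the forwarder does.
    forward first;
    forwarders { 203.0.113.53; };
};

// Queries to this particular forwarder use the fast link's address, so the
// policy routing sends them out that link. Everything else keeps the
// options-level query-source above.
server 203.0.113.53 {
    query-source address 203.0.113.10;
};
```

The caveat from Matus's reply still applies: while the forwarder is unreachable each query waits out BIND's own forwarding timeout before falling back to the server's own resolution, so this reduces the outage rather than hiding it, and a link-level failover in the routers is the cleaner fix.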

Re: Forwarding based on Client IPs

2012-04-04 Thread Mark Andrews

In message
CAKdykDsixDysXM1005+gwKuqsb81rYP8xNuJpUnZVP+b9-9=h...@mail.gmail.com,
Siju George writes:
> Hi,
>
> Currently I am using Bind9 for DNS.
> I wish to do the following forward.
>
> 1. Forward to domain Name Servers based on client IPs.
>
> a. Forward one set of LAN users to OpenDNS DNS servers so that I
> can restrict them
> b. Forward a second set of LAN users to google DNS server
> c. Forward a third set of LAN users by default through OpenDNS
> but for some domains through google DNS.
>
> Could you please let me know if this is possible with Bind9 or any
> other DNS server?

You can do this with 3 views and forwarder declarations.  For the last
view use forward zones to send the queries to the other server.

> Thanks
>
> Siju
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

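An added example (mine, not configuration from this thread) of the "3 views and forwarder declarations" Mark describes. The three LAN groups 10.1.0.0/24, 10.2.0.0/24 and 10.3.0.0/24 and the forward-zone name example.net are assumptions; the resolver addresses are the public OpenDNS (208.67.222.222, 208.67.220.220) and Google Public DNS (8.8.8.8, 8.8.4.4) addresses.

```conf
// Added example, not from this thread. LAN ranges and example.net are assumptions.

acl "group-a" { 10.1.0.0/24; };
acl "group-b" { 10.2.0.0/24; };
acl "group-c" { 10.3.0.0/24; };

options {
    directory "/var/cache/bind";
    recursion yes;
    // nobody outside the three groups may use this server at all
    allow-query     { group-a; group-b; group-c; };
    allow-recursion { group-a; group-b; group-c; };
};

// Group A: every query goes to OpenDNS. Views are matched in order and the
// first match-clients hit wins, so keep the most specific view first.
view "filtered" {
    match-clients { group-a; };
    recursion yes;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };
};

// Group B: every query goes to Google Public DNS.
view "google" {
    match-clients { group-b; };
    recursion yes;
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
};

// Group C: OpenDNS by default, but the listed domains go to Google through a
// forward zone, which overrides the view-level forwarders for that name and
// everything below it.
view "mixed" {
    match-clients { group-c; };
    recursion yes;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };

    zone "example.net" {
        type forward;
        forward only;
        forwarders { 8.8.8.8; 8.8.4.4; };
    };
};
```

One limit worth keeping in mind, raised later in this thread by Matus: OpenDNS applies its filtering per source address, and all three views leave this server from the same address, so the views choose which resolver answers but cannot give each group a different OpenDNS policy.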

Re: Forwarding based on Client IPs

2012-04-04 Thread Siju George
On Wed, Apr 4, 2012 at 12:14 PM, Matus UHLAR - fantomas
uh...@fantomas.sk wrote:
> On 04.04.12 11:54, Siju George wrote:
>> Currently I am using Bind9 for DNS.
>> I wish to do the following forward.
>>
>> 1. Forward to domain Name Servers based on client IPs.
>>
>>   a. Forward one set of LAN users to OpenDNS DNS servers so that I
>> can restrict them
>>   b. Forward a second set of LAN users to google DNS server
>>   c. Forward a third set of LAN users by default through OpenDNS
>> but for some domains through google DNS.
>
> why forward those queries? Is there any reason why you can't resolve them
> with your bind?

The only reason I need to forward them to OpenDNS (
http://www.opendns.com/ ) is because I use their filtering.
I guess I can avoid forwarding to google dns and resolve them with bind itself?

Thanks

Siju


Re: Forwarding based on Client IPs

2012-04-04 Thread Matus UHLAR - fantomas

On 04.04.12 11:54, Siju George wrote:
> Currently I am using Bind9 for DNS.
> I wish to do the following forward.
>
> 1. Forward to domain Name Servers based on client IPs.
>
>   a. Forward one set of LAN users to OpenDNS DNS servers so that I
> can restrict them
>   b. Forward a second set of LAN users to google DNS server
>   c. Forward a third set of LAN users by default through OpenDNS
> but for some domains through google DNS.

On 04.04.12 12:33, Siju George wrote:
> The only reason I need to forward them to OpenDNS (
> http://www.opendns.com/ ) is because I use their filtering.
> I guess I can avoid forwarding to google dns and resolve them with bind itself?

I guess you could even do the OpenDNS filtering yourself, if OpenDNS will 
provide you the required data (and if it is available for BIND as RPZ 
zones). I don't know if OpenDNS provides such a feature. However, whoever 
needs to use such filtering should access the OpenDNS services directly, 
not through another server - I guess OpenDNS filters depending on source 
IP, which will be the same for all clients using your DNS server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.


RE: forwarding @ to a different domain?

2012-01-09 Thread Lightner, Jeff
Just as a follow-on to that prior thread.

I was able to set up the CNAME for www and * at the Registrar without A records 
as indicated.  Unfortunately the * at the registrar equated to *. Meaning for 
example ftp.mydomain.com would work with that CNAME but the domain itself, 
mydomain.com, would not.   Despite the ecommerce vendor (Amazon ultimately) 
saying one should NOT set up A records, their response to us was to leave the two 
CNAMEs (www and *) in place and set up 3 A records for the domain itself.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
/dev/rob0
Sent: Sunday, January 08, 2012 6:33 PM
To: bind-users@lists.isc.org
Subject: Re: forwarding @ to a different domain?

On Sunday 08 January 2012 09:48:42 enigmedia wrote:
> Hi All: I have a situation where I need to forward requests for
> mydomain.com and www.mydomain.com to a third party:

mydomain.com is a real domain, and probably not yours. If for some
reason you do not want to mention your real domain name, use
example.com (or example.TLD for most top-level domains), which is
reserved for examples.

> mydomain.myshopify.com (while still pointing other things like
> MX records elsewhere).
>
> I realize I can point a CNAME for WWW to
> mydomain.myshopify.com, but how do I point mydomain.com to
> this third party if there is no A record to point to?

This is beginning to be a FAQ here, perhaps due to the popularity of
such hosting services (which seem to have been designed by people who
have a poor understanding of DNS.)

This was my reply in a thread last month; refer to the entire thread
for more:

https://lists.isc.org/pipermail/bind-users/2011-December/085918.html
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:






Re: forwarding @ to a different domain?

2012-01-08 Thread Jukka Pakkanen


www in cname mydomain.myshopify.com.
mydomain.com. in cname mydomain.myshopify.com.

Is this what you are looking for?


8.1.2012 17:48, enigmedia kirjoitti:

Hi All: I have a situation where I need to forward requests for mydomain.com
and www.mydomain.com to a third party: mydomain.myshopify.com (while still
pointing other things like MX records elsewhere).

I realize I can point a CNAME for WWW to mydomain.myshopify.com, but how do
I point mydomain.com to this third party if there is no A record to point to?

TIA




Re: forwarding @ to a different domain?

2012-01-08 Thread Ben Croswell
You can't CNAME mydomain.com to anything because it has, at the minimum, NS
and SOA records.

-Ben Croswell
On Jan 8, 2012 1:11 PM, Jukka Pakkanen jukka.pakka...@qnet.fi wrote:

 www in cname mydomain.myshopify.com.
 mydomain.com. in cname mydomain.myshopify.com.

 Is this what you are looking for?

 8.1.2012 17:48, enigmedia kirjoitti:
  Hi All: I have a situation where I need to forward requests for
  mydomain.com and www.mydomain.com to a third party: mydomain.myshopify.com (while
  still pointing other things like MX records elsewhere).

  I realize I can point a CNAME for WWW to mydomain.myshopify.com, but how do
  I point mydomain.com to this third party if there is no A record to point to?

  TIA


Re: forwarding @ to a different domain?

2012-01-08 Thread enigmedia (onl)
On Sun, 08 Jan 2012 20:00:07 +0200 Jukka Pakkanen jukka.pakka...@qnet.fi 
wrote

 www in cname mydomain.myshopify.com.
 mydomain.com. in cname mydomain.myshopify.com.

 Is this what you are looking for?

Yes, but I thought you couldn't use a cname for the root record of the 
domain?

 8.1.2012 17:48, enigmedia kirjoitti:
  Hi All: I have a situation where I need to forward requests for
  mydomain.com and www.mydomain.com to a third party: mydomain.myshopify.com (while
  still pointing other things like MX records elsewhere).

  I realize I can point a CNAME for WWW to mydomain.myshopify.com, but how do
  I point mydomain.com to this third party if there is no A record to point to?

  TIA


 



Re: forwarding @ to a different domain?

2012-01-08 Thread enigmedia (onl)

On Sun, 8 Jan 2012 13:20:56 -0500 Ben Croswell ben.crosw...@gmail.com wrote

 You can't CNAME mydomain.com to anything because it has, at the minimum, NS
 and SOA records.

 -Ben Croswell

Thanks Ben...that's what I thought. So just to ask the question another way:

How do I point requests for http://mydomain.com and http://www.mydomain.com
to http://mydomain.myshopify.com?

Or is there no way to do this in DNS, and I need to instead point the domain
to my webserver and set up a permanent redirect there?

 On Jan 8, 2012 1:11 PM, Jukka Pakkanen jukka.pakka...@qnet.fi wrote:

  www in cname mydomain.myshopify.com.
  mydomain.com. in cname mydomain.myshopify.com.

  Is this what you are looking for?

  8.1.2012 17:48, enigmedia kirjoitti:
   Hi All: I have a situation where I need to forward requests for
   mydomain.com and www.mydomain.com to a third party: mydomain.myshopify.com (while
   still pointing other things like MX records elsewhere).

   I realize I can point a CNAME for WWW to mydomain.myshopify.com, but how do
   I point mydomain.com to this third party if there is no A record to point to?

   TIA







Re: forwarding @ to a different domain?

2012-01-08 Thread Jukka Pakkanen

8.1.2012 19:02, enigmedia (onl) kirjoitti:
 On Sun, 08 Jan 2012 20:00:07 +0200 Jukka Pakkanen jukka.pakka...@qnet.fi wrote

  www in cname mydomain.myshopify.com.
  mydomain.com. in cname mydomain.myshopify.com.

  Is this what you are looking for?

 Yes, but I thought you couldn't use a cname for the root record of the domain?

Oh yes... I confused this with pointing the domain to an IP address / A 
record.


Is an A record pointing to the server and a dedicated IP address there 
an option?





Re: forwarding @ to a different domain?

2012-01-08 Thread Jukka Pakkanen

8.1.2012 20:46, Jukka Pakkanen kirjoitti:
 8.1.2012 19:02, enigmedia (onl) kirjoitti:
  On Sun, 08 Jan 2012 20:00:07 +0200 Jukka Pakkanen jukka.pakka...@qnet.fi wrote

   www in cname mydomain.myshopify.com.
   mydomain.com. in cname mydomain.myshopify.com.

   Is this what you are looking for?

  Yes, but I thought you couldn't use a cname for the root record of the domain?

 Oh yes... I confused this with pointing the domain to an IP address / A record.

 Is an A record pointing to the server and a dedicated IP address there an option?

Of course it doesn't need to be a dedicated address either, but that's the way 
we usually do it. Helps with the PTR records.





Re: forwarding @ to a different domain?

2012-01-08 Thread Matthew Seaman
On 08/01/2012 17:09, enigmedia (onl) wrote:
 How do I point requests for http://mydomain.com and
 http://www.mydomain.com to http://mydomain.myshopify.com?

Look up an A record (or AAAA) for mydomain.myshopify.com, then
create a similar A (or AAAA) record pointing to the same address in your
zone file.

If mydomain.myshopify.com is likely to change address (some HA/LB setups
can result in this) then you're out of luck, and you'll have to
use your webserver to redirect the traffic.

 Or is there no way to do this in DNS, and I need to instead point the
 domain to my webserver and set up a permanent redirect there?

Yes.  That would work, but it means that the people using your site will
see the URL change to http://mydomain.myshopify.com/

You might find it better to put the CNAME in for www.mydomain.com
pointing at mydomain.myshopify.com and then use a 301 redirect from
mydomain.com to www.mydomain.com -- so your users see the site as
www.mydomain.com.

Wouldn't it be nice if HTTP clients and servers understood
_http._tcp.mydomain.com SRV records?  That's becoming the standard
solution to this sort of problem nowadays, but unfortunately, the HTTP
specifications predate that idea and there is no client side support for
it generally available.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




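The three DNS facts this thread turns on (Jeff Lightner's observation that a registrar wildcard covers ftp.mydomain.com but not the domain itself, Ben Croswell's point that the apex can never be a CNAME because it always carries SOA and NS, and Matthew Seaman's fallback of putting A records at the apex) can be checked mechanically before a zone goes live. The following is an added example written for this page, not code from the list or from BIND; the zone text, the example.com names and the 192.0.2.x addresses are constructed, and only the mydomain.myshopify.com target is the one named in the thread.

```python
"""Checks for the DNS rules behind the replies above.

Added example written for this page, not code from the list or from BIND.
The zone text, names and addresses below are constructed; the myshopify
target is the one named in the thread.

1. A CNAME must be the only record at its owner name, and the apex of a zone
   always carries SOA and NS records, so the apex can never be a CNAME.
2. A wildcard such as *.example.com matches only names below example.com
   that do not exist; it never matches example.com itself, and an existing
   name at or above the queried name blocks it.
"""


def _absolute(name, origin):
    """Expand '@' and relative owner names against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Tiny parser for the zone-file subset used here: one record per line,
    'owner [ttl] [IN] type rdata'; comments and $-directives are skipped."""
    origin = origin.rstrip(".").lower()
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields.pop(0)
        if fields and fields[0].isdigit():
            fields.pop(0)  # TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        records.append((_absolute(owner, origin), fields[0].upper(), " ".join(fields[1:])))
    return records


def lint_cnames(records, origin):
    """Report a CNAME at the apex, or a CNAME sharing its owner name with other data."""
    origin = origin.rstrip(".").lower()
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        if "CNAME" not in types:
            continue
        if owner == origin:
            problems.append(f"{owner}: CNAME at the zone apex (the apex must carry SOA and NS)")
        elif len(types) > 1:
            problems.append(f"{owner}: CNAME coexists with {', '.join(sorted(types - {'CNAME'}))}")
    return problems


def wildcard_covers(wildcard, qname, existing_names):
    """RFC 4592 in brief: '*.base' answers for a name under base only if neither
    the name nor any name between it and base exists, and never for base itself."""
    base = wildcard.lower()[2:].rstrip(".")          # strip the leading '*.'
    q = qname.rstrip(".").lower()
    if q == base or not q.endswith("." + base):
        return False
    labels = q[: -len(base) - 1].split(".")
    return not any(".".join(labels[i:]) + "." + base in existing_names
                   for i in range(len(labels)))


ZONE = """\
; constructed zone mirroring the registrar setup described in the thread
@ 3600 IN SOA ns1.example.com. hostmaster.example.com. 2012010901 7200 900 1209600 3600
@ 3600 IN NS ns1.example.com.
@ 3600 IN MX 10 mail.example.com.
@ 3600 IN CNAME mydomain.myshopify.com.
www 3600 IN CNAME mydomain.myshopify.com.
* 3600 IN CNAME mydomain.myshopify.com.
mail 3600 IN A 192.0.2.25
ns1 3600 IN A 192.0.2.53
"""

# the fix the vendor ended up recommending: A records at the apex, CNAMEs below it
FIXED_ZONE = ZONE.replace("@ 3600 IN CNAME mydomain.myshopify.com.", "@ 3600 IN A 192.0.2.10")


def report(origin="example.com"):
    """Lint both zones and show which names the wildcard CNAME actually covers."""
    records = parse_zone(ZONE, origin)
    names = {owner for owner, _, _ in records}
    queries = ("example.com", "ftp.example.com", "www.example.com",
               "a.b.example.com", "x.mail.example.com")
    return {
        "problems": lint_cnames(records, origin),
        "problems_after_fix": lint_cnames(parse_zone(FIXED_ZONE, origin), origin),
        "wildcard": {q: wildcard_covers(f"*.{origin}", q, names) for q in queries},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The wildcard result is the part that surprises people: x.mail.example.com is not covered because mail.example.com exists and becomes the closest encloser, exactly as the apex is never covered because the apex itself exists. Copying the provider's A record into the apex, as Matthew suggests, passes the lint but inherits his caveat that the address can change underneath you.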
Re: forwarding @ to a different domain?

2012-01-08 Thread /dev/rob0
On Sunday 08 January 2012 09:48:42 enigmedia wrote:
 Hi All: I have a situation where I need to forward requests for
 mydomain.com and www.mydomain.com to a third party:

mydomain.com is a real domain, and probably not yours. If for some 
reason you do not want to mention your real domain name, use 
example.com (or example.TLD for most top-level domains), which is 
reserved for examples.

 mydomain.myshopify.com (while still pointing other things like
 MX records elsewhere).
 
 I realize I can point a CNAME for WWW to
 mydomain.myshopify.com, but how do I point mydomain.com to
 this third party if there is no A record to point to?

This is beginning to be a FAQ here, perhaps due to the popularity of 
such hosting services (which seem to have been designed by people who 
have a poor understanding of DNS.)

This was my reply in a thread last month; refer to the entire thread 
for more:

https://lists.isc.org/pipermail/bind-users/2011-December/085918.html
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: Forwarding a subzone of a master zone

2011-04-20 Thread Olivier Cherrier
On Tue, Apr 19, 2011 at 01:37:23AM -0700, chris.p.bux...@gmail.com wrote:
 You're getting a bit confused, because your configuration is complex. Some of 
 your observations are in contradiction with your disabling of recursion, so I 
 believe you are partially mistaken.
 
 - You're mixing authoritative and recursive service in one config. This often 
 leads to confusion.
 - Your recursion algorithm must be able to track down a particular domain 
 while not being able to resolve from the Internet root.
 
 Rather than turning off recursion, why not just set up your own root zone 
 (type master)? That way, your server can recurse to sub.example.com based on 
 the delegation, while returning immediate negative answers for anything 
 unknown. Just make sure you delegate example.com (and all other zones) from 
 your private root zone.
 
 A forwarders list in example.com or a zone of type forward named 
 sub.example.com will not have any effect so long as recursion is disabled. 
 Forwarding is a configuration aspect of the recursion algorithm.
 

Hi Chris,

Thank you very much for the clarification.

With your help and this message
http://fixunix.com/dns/549124-re-disable-root-hints.html
(from you too ;-), I get it working now!

Thanks,
Have a nice day.

-- 
Olivier Cherrier - Symacx.com
mailto:o...@symacx.com


Re: Forwarding a subzone of a master zone

2011-04-20 Thread Kevin Darcy
I'd like to reinforce what Chris said, and recommend the use of an 
internal root zone for networks/enterprises which have no public 
Internet connectivity, or whose connectivity to the Internet is 
exclusively through application-level proxies. Don't make Internet names 
resolvable on your internal network if that resolution isn't necessary 
-- this provides a level of security in addition to your other levels 
(see Defense in Depth), since many worms and malware can't recover 
from DNS resolution failure of whatever Internet name they're trying to 
resolve. It also allows you to better control your own DNS destiny, 
including blackholing of various domains, if that should become 
necessary in an emergency. Another optional benefit is it allows you to 
centrally control your mail routing, if you have MTAs that use the 
standard MX-record method of routing SMTP mail.


A lot of people seem to be scared by the prospect of setting up their 
own root zone. It's really not much different than any other zone, 
except that

-- there is no delegation from any parent zone (obviously), and
-- all of your other nameservers need to slave, stub, forward or have 
hints files referring to your own internal root-zone infrastructure, 
rather than the Internet root-zone infrastructure. This means you can't 
use the compiled-in defaults for the root zone, but those are useless to 
you anyway if you don't have direct connectivity to those nameservers.



- Kevin

On 4/19/2011 4:37 AM, Chris Buxton wrote:

You're getting a bit confused, because your configuration is complex. Some of 
your observations are in contradiction with your disabling of recursion, so I 
believe you are partially mistaken.

- You're mixing authoritative and recursive service in one config. This often 
leads to confusion.
- Your recursion algorithm must be able to track down a particular domain while 
not being able to resolve from the Internet root.

Rather than turning off recursion, why not just set up your own root zone (type 
master)? That way, your server can recurse to sub.example.com based on the 
delegation, while returning immediate negative answers for anything unknown. 
Just make sure you delegate example.com (and all other zones) from your private 
root zone.

A forwarders list in example.com or a zone of type forward named 
sub.example.com will not have any effect so long as recursion is disabled. 
Forwarding is a configuration aspect of the recursion algorithm.

Regards,
Chris Buxton
BlueCat Networks

On Apr 18, 2011, at 11:57 PM, Olivier Cherrier wrote:


Hi,

I am experiencing problems to get a working forwarding configuration.


I am using BIND 9.3.6-P1 and the server has the global recursion parameter
on. The server is not on a public network (not on Internet -- no access
to root servers).


I have a zone called example.com for which the server is master.
A delegation called sub.example.com is in place and is working well.

I want to change the recursion parameter from 'yes' to 'no' in order to
get rid of the timeouts we get when we query something that is not
defined in our DNS server (like www.google.com).
Doing this breaks the delegation sub.example.com, meaning the server
doesn't do the research anymore for the subzone.
So I deleted the delegation and configured a forward zone to the right
IP addresses.  The problem is named doesn't even try to query those
forwarders and directly reply: No answer

While it works for some other forwarded zones (reverse and non-reverse),
I fail to understand why it doesn't work for that particular zone.
The only difference I see is that this forwarded zone is a subzone of
example.com for which the server is master.

So my question: Is there any limitation to forward a subzone while we
are master for the parent zone?


Thanks a lot!
Best regards.

--
Olivier Cherrier - Symacx.com
mailto:o...@symacx.com


Re: Forwarding a subzone of a master zone

2011-04-20 Thread Jan-Piet Mens
 I'd like to reinforce what Chris said, and recommend the use of an
 internal root zone for networks/enterprises which have no public
 Internet connectivity

+1

 A lot of people seem to be scared by the prospect of setting up
 their own root zone. 

It really isn't difficult, and I discuss this topic, with examples, in
section 18.3 of Alternative DNS Servers, which is available as a
freely downloadable PDF. [*]

-JP

[*] No desire to advertise, and apologies if it sounds that way. Intention
is to help original poster.


Re: Forwarding a subzone of a master zone

2011-04-19 Thread Chris Buxton
You're getting a bit confused, because your configuration is complex. Some of 
your observations are in contradiction with your disabling of recursion, so I 
believe you are partially mistaken.

- You're mixing authoritative and recursive service in one config. This often 
leads to confusion.
- Your recursion algorithm must be able to track down a particular domain while 
not being able to resolve from the Internet root.

Rather than turning off recursion, why not just set up your own root zone (type 
master)? That way, your server can recurse to sub.example.com based on the 
delegation, while returning immediate negative answers for anything unknown. 
Just make sure you delegate example.com (and all other zones) from your private 
root zone.

A forwarders list in example.com or a zone of type forward named 
sub.example.com will not have any effect so long as recursion is disabled. 
Forwarding is a configuration aspect of the recursion algorithm.

Regards,
Chris Buxton
BlueCat Networks

On Apr 18, 2011, at 11:57 PM, Olivier Cherrier wrote:

   Hi,
 
 I am experiencing problems to get a working forwarding configuration.
 
 
 I am using BIND 9.3.6-P1 and the server has the global recursion parameter
 on. The server is not on a public network (not on Internet -- no access
 to root servers).
 
 
 I have a zone called example.com for which the server is master.
 A delegation called sub.example.com is in place and is working well.
 
 I want to change the recursion parameter from 'yes' to 'no' in order to
 get rid of the timeouts we get when we query something that is not
 defined in our DNS server (like www.google.com).
 Doing this breaks the delegation sub.example.com, meaning the server
 doesn't do the research anymore for the subzone.
 So I deleted the delegation and configured a forward zone to the right
 IP addresses.  The problem is named doesn't even try to query those
 forwarders and directly reply: No answer
 
 While it works for some other forwarded zones (reverse and non-reverse),
 I fail to understand why it doesn't work for that particular zone.
 The only difference I see is that this forwarded zone is a subzone of
 example.com for which the server is master.
 
 So my question: Is there any limitation to forward a subzone while we
 are master for the parent zone?
 
 
 Thanks a lot!
 Best regards.
 
 -- 
 Olivier Cherrier - Symacx.com
 mailto:o...@symacx.com


Re: forwarding

2010-12-12 Thread Kevin Oberman
 Date: Sun, 12 Dec 2010 22:15:41 -0800 (PST)
 From: Ed Arizona colinedwardhar...@yahoo.com
 Sender: bind-users-bounces+oberman=es@lists.isc.org
 
 
 
 We're seeing an issue with regarding to a bind9 server setup as a 'forward 
 only' 
 system.  
 
 
 The server is multihomed on five unique subnets.  Any host local to any of 
 those 
 subnets can use this server to properly resolve the zone served.  Any host 
 outside of the local subnets, cannot.
 
 Routing is properly set up and hosts on various remote subnets can
 reach the dns server on port 53.
 
 When we downrev to bind8 using the same named.conf configuration file,
 the issue disappears.  Is this is a known issue?  Is there a
 configuration item I'm not aware of that I need to set or unset?

I'm sorry, but I can't find the issue. I see a description of the
set-up and a statement that BIND 8 works, but nothing about what is
failing on BIND 9.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

Re: forwarding

2010-12-12 Thread Mark Andrews


Firstly please get a sane email client.  Quoted-printable is supposed to
be readable by old mail clients.  Your client is turning the line breaks
you entered into =A0 rather than preserving them.

Secondly the default for allow-recursion is {localhost; localnets;}.
The clients that you are having problems with do not match this acl.

Mark

In message 437749.18198...@web55604.mail.re4.yahoo.com, Ed Arizona writes:
 We're seeing an issue with regarding to a bind9 server setup as a 'forward only'
 system.

 The server is multihomed on five unique subnets. Any host local to any of those
 subnets can use this server to properly resolve the zone served. Any host
 outside of the local subnets, cannot.

 Routing is properly set up and hosts on various remote subnets can reach the dns
 server on port 53.

 When we downrev to bind8 using the same named.conf configuration file, the issue
 disappears. Is this a known issue? Is there a configuration item I'm not
 aware of that I need to set or unset?

 Thanks, Colin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

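The two threads above describe the same decision order from different sides: Chris Buxton's point that a forward zone for sub.example.com does nothing while the server is master for example.com and recursion is off (Olivier's "No answer"), his internal-root fix, and Mark Andrews's reminder that the default allow-recursion of {localhost; localnets;} is what shuts out clients on other subnets. The model below replays those cases. It is an added illustration written for this page, not BIND's own code; every zone name, forwarder address and ACL in it is constructed, and the rules it encodes are only the ones the replies state: an authoritative zone answers for everything beneath it unless NS records in it delegate the subtree away, and forwarding belongs to recursion, so forward zones are consulted only for clients allowed to recurse.

```python
"""Model of the order in which a BIND server that is both authoritative and
recursive decides how to answer.  Added illustration for this page, not BIND
code; all names, addresses and ACLs are constructed.
"""
import ipaddress


def _norm(name):
    return name.rstrip(".").lower()


def _is_under(name, zone):
    """True if name equals zone or lies below it ('' is the root)."""
    return zone == "" or name == zone or name.endswith("." + zone)


def _closest(name, candidates):
    """Deepest candidate that encloses name, or None."""
    hits = [z for z in map(_norm, candidates) if _is_under(name, z)]
    return max(hits, key=len) if hits else None


def _acl_allows(client_ip, acl):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def decide(qname, client_ip, cfg):
    """Return (action, detail) for one query.

    cfg keys: auth (zones served from a zone file), delegations (names handed
    away by NS records inside one of those zones), forward (forward-zone name
    -> forwarders), recursion (global 'recursion yes/no'), allow_recursion
    (CIDRs standing in for the allow-recursion ACL).
    """
    qname = _norm(qname)
    auth = _closest(qname, cfg["auth"])
    cut = _closest(qname, cfg["delegations"])
    delegated = cut is not None and (auth is None or len(cut) > len(auth))

    # 1. Authority trumps everything: inside a zone we serve, with no
    #    delegation below it covering the name, the zone file answers (if
    #    necessary with NXDOMAIN) and no forwarder is ever contacted.
    if auth is not None and not delegated:
        return ("authoritative", auth or ".")

    # 2. Anything else needs recursion.  With recursion off, or a client
    #    outside the ACL, all we can return is the referral we hold, if any.
    if not cfg["recursion"] or not _acl_allows(client_ip, cfg["allow_recursion"]):
        return ("referral", cut) if delegated else ("refused", None)

    # 3. Recursing: a matching forward zone wins; otherwise iterate from the
    #    delegation's NS set (or the root hints, which need Internet access).
    forward = {_norm(z): fwds for z, fwds in cfg["forward"].items()}
    fwd = _closest(qname, forward)
    if fwd is not None:
        return ("forward", forward[fwd])
    return ("iterate", cut or "root hints")


LOCAL = ["127.0.0.0/8", "192.168.1.0/24"]   # constructed {localhost; localnets;}
SUB_SERVERS = ["192.0.2.53"]                # constructed servers for sub.example.com


def scenarios():
    """Replay the situations from the threads; returns name -> decision."""
    lan, remote = "192.168.1.20", "10.9.8.7"
    start = {"auth": {"example.com"}, "delegations": {"sub.example.com"},
             "forward": {}, "recursion": True, "allow_recursion": LOCAL}
    # recursion turned off to stop root-hint timeouts: the delegation 'breaks'
    rec_off = dict(start, recursion=False)
    # delegation removed and a forward zone added, recursion still off
    shadowed = dict(rec_off, delegations=set(), forward={"sub.example.com": SUB_SERVERS})
    # the fix: internal root delegating example.com, which delegates sub, recursion on
    fixed = {"auth": {".", "example.com"},
             "delegations": {"example.com", "sub.example.com"},
             "forward": {"sub.example.com": SUB_SERVERS},
             "recursion": True, "allow_recursion": LOCAL}
    # a pure forward-only server with the default ACL, as in the 2010 thread
    fwd_only = {"auth": set(), "delegations": set(), "forward": {".": ["198.51.100.1"]},
                "recursion": True, "allow_recursion": LOCAL}
    return {
        "delegation works": decide("host.sub.example.com", lan, start),
        "recursion off": decide("host.sub.example.com", lan, rec_off),
        "forward zone shadowed": decide("host.sub.example.com", lan, shadowed),
        "fixed, subzone": decide("host.sub.example.com", lan, fixed),
        "fixed, own zone": decide("www.example.com", lan, fixed),
        "fixed, unknown name": decide("www.google.com", lan, fixed),
        "forward-only, lan client": decide("www.example.net", lan, fwd_only),
        "forward-only, remote client": decide("www.example.net", remote, fwd_only),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:30} -> {outcome}")
```

The "forward zone shadowed" case is Olivier's report: with the delegation gone, example.com is the closest enclosing zone, so named answers from its own data and the forwarders are never asked. In the fixed layout the internal root gives an immediate authoritative negative answer for www.google.com instead of a root-hint timeout, while host.sub.example.com falls through the two delegations to the forward zone.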

Re: forwarding + validating name server : protocol error or simply unexplored fields ?

2010-11-09 Thread Mark Andrews

In message 006001cb7ffe$7a6f5b10$6f4e11...@eurid.eu, Marc Lampo writes:
 Hello,

 Much attention has been given to DNSSEC - how it brings security - the
 chain-of-trust - the root zone signed - activities of tld's to get
 signed - ...
 but we - I belong to an organisation in charge of a tld - should also pay
 attention to the validating, client, side of DNSSEC.

 What I see in practice, but which might simply be implementation of a
 name service, is that a forwarding + validating name server, that forwards
 to a caching name server which is not aware of DNSSEC, cannot resolve
 anything : all responses for either signed or unsigned domains return SERVFAIL !

This is expected.  The forwarder MUST be dnssec aware otherwise it
will not return the correct answers to queries with DO set and
SHOULD be validating itself so that bogus results are not cached.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

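What "the forwarder MUST be dnssec aware" means on the wire: a validating resolver sends its queries with an EDNS0 OPT record whose DO bit is set, and it needs the upstream to echo OPT with DO and to pass the RRSIGs through untouched. A cache that strips EDNS or signatures leaves the validator with nothing to verify, which is why Marc sees SERVFAIL for signed and unsigned names alike. The following is an added example written for this page, not BIND code: it builds such a query and inspects two constructed responses, one from an EDNS/DNSSEC-aware upstream and one from a cache that is not (the RRSIG rdata is filler, not a real signature, and the addresses and names are made up).

```python
"""Building a DO-flagged query and checking what an upstream sends back.
Added example for this page, not BIND code; responses below are constructed.
"""
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
DO_BIT = 0x8000            # top bit of the OPT record's 32-bit TTL field
FLAG_AD, FLAG_RD = 0x0020, 0x0100


def encode_name(name):
    """Uncompressed wire-format name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def opt_record(do=True, udp_size=1232):
    """EDNS0 OPT pseudo-RR: root owner, type 41, UDP size in the class field,
    extended rcode/version/DO/Z in the TTL field, empty rdata."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)


def build_query(qname, qtype=TYPE_SOA, qid=0x1234, do=True):
    """Recursive query carrying OPT with DO, as a validating forwarder sends it."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + opt_record(do)


def _skip_name(msg, off):
    """Advance past a wire-format name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Pull out the bits a validator cares about from an upstream response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    seen = {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "opt": False, "do": False, "rrsig": 0}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            seen["rrsig"] += 1
        elif rtype == TYPE_OPT:
            seen["opt"], seen["do"] = True, bool(ttl & DO_BIT)
    return seen


def upstream_is_dnssec_aware(seen):
    """The validator can only do its job if OPT came back with DO and, for a
    signed name, the RRSIGs survived.  The AD bit is deliberately ignored: it
    is only trustworthy from a validator you control."""
    return seen["opt"] and seen["do"] and seen["rrsig"] > 0


def _rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_responses():
    """Constructed SOA answers for example.com from two kinds of upstream."""
    question = encode_name("example.com") + struct.pack("!HH", TYPE_SOA, 1)
    soa = _rr("example.com", TYPE_SOA, 3600,
              encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
              + struct.pack("!IIIII", 2012010901, 7200, 900, 1209600, 3600))
    rrsig = _rr("example.com", TYPE_RRSIG, 3600, b"\x00" * 24)   # filler, not a signature
    qr_rd_ra = 0x8180
    aware = struct.pack("!HHHHHH", 0x1234, qr_rd_ra, 1, 2, 0, 1) + question + soa + rrsig + opt_record()
    unaware = struct.pack("!HHHHHH", 0x1234, qr_rd_ra, 1, 1, 0, 0) + question + soa
    return {"aware": inspect_response(aware), "unaware": inspect_response(unaware)}


if __name__ == "__main__":
    for kind, seen in sample_responses().items():
        print(kind, seen, "usable:", upstream_is_dnssec_aware(seen))
```

Against a live forwarder the same check is `dig +dnssec @forwarder example.com SOA`: the response must carry an OPT pseudosection with `do` in its flags and RRSIG records in the answer. Mark's second point, that the forwarder SHOULD validate as well, is about its own cache, not about what it sends you: an upstream that merely passes signatures through can still cache bogus data for its other clients.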

Re: Forwarding to two servers

2010-08-10 Thread Niobos
On 2010-08-10 02:39, CLOSE Dave (DAE) wrote:
 Based on suggestions here, I now have a named.conf file like this:
 
options { ... };
logging { ... };
zone "." IN { type forward; forwarders { PUB; }; forward only; };
zone "HOST1" { type forward; forwarders { PRIV; }; };
zone "HOST2" { type forward; forwarders { PRIV; }; };
# PUB and PRIV are actually IP addresses, both on the LAN (not WAN)
 
 Does anyone see a hidden gotcha that will bite me later?
Someone naming their host com, org, net or some other existing TLD.

greets,
Niobos



Re: Forwarding to two servers

2010-08-10 Thread Tony Finch
On Mon, 9 Aug 2010, CLOSE Dave (DAE) wrote:

 Based on suggestions here, I now have a named.conf file like this:

options { ... };
logging { ... };
zone "." IN { type forward; forwarders { PUB; }; forward only; };
zone "HOST1" { type forward; forwarders { PRIV; }; };
zone "HOST2" { type forward; forwarders { PRIV; }; };
# PUB and PRIV are actually IP addresses, both on the LAN (not WAN)

 I think this means that simple queries for HOST1 or HOST2 (without a
 domain) will be forwarded to PRIV while all other queries will be
 forwarded to PUB. Queries forwarded to PUB will be tried with and
 without the domain search arguments from resolv.conf. Queries to PRIV
 either won't try the search domains or, since they will fail, will
 eventually try without them. If so, that is exactly what I want.

If the number of local HOST names is greater than the number of TLDs or
changes more frequently, you might want to invert this configuration, and
set each TLD to forward to your PUB server and everything else to PRIV.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND PLYMOUTH: SOUTHWEST 5 TO 7, VEERING WEST 4
OR 5. SLIGHT OR MODERATE. RAIN THEN SHOWERS. MODERATE OR POOR, BECOMING GOOD.


Re: Forwarding to two servers

2010-08-10 Thread Kevin Darcy

On 8/10/2010 9:16 AM, Tony Finch wrote:

 On Mon, 9 Aug 2010, CLOSE Dave (DAE) wrote:

  Based on suggestions here, I now have a named.conf file like this:

  options { ... };
  logging { ... };
  zone "." IN { type forward; forwarders { PUB; }; forward only; };
  zone "HOST1" { type forward; forwarders { PRIV; }; };
  zone "HOST2" { type forward; forwarders { PRIV; }; };
  # PUB and PRIV are actually IP addresses, both on the LAN (not WAN)

  I think this means that simple queries for HOST1 or HOST2 (without a
  domain) will be forwarded to PRIV while all other queries will be
  forwarded to PUB. Queries forwarded to PUB will be tried with and
  without the domain search arguments from resolv.conf. Queries to PRIV
  either won't try the search domains or, since they will fail, will
  eventually try without them. If so, that is exactly what I want.

 If the number of local HOST names is greater than the number of TLDs or
 changes more frequently, you might want to invert this configuration, and
 set each TLD to forward to your PUB server and everything else to PRIV.

The canonical list of TLDs changes from time to time, and thus would 
need to be updated. How dynamic is the PRIV set of names?




- Kevin





Re: Forwarding to two servers

2010-08-10 Thread CLOSE Dave (DAE)
Sten Carlsen wrote:

 I believe you could use forwarding to the internal server for each individual 
 name:
 
 zone "HOST1" {
type forward;
forwarders { private.domain.server.IP; };
 };
 
 This should do the trick but not elegant, not easy. I would start hinting to 
 management that changes are needed as this is not manageable in the long 
 term. 
 Think also about adding search domains to the hosts that need these lookups.

Well, of course, I've already complained about the lack of domains on 
the PRIV server. But it's a production system already installed at a 
large number of customer sites. Changing it will be a long and difficult 
process. I know what needs to be fixed there but I can't do it myself.

Your suggestion of separate forwarding zones for each PRIV host, while 
not elegant as you say, may be fairly practical. I can script an update 
to named.conf based on the actual hosts present on the PRIV system. I've 
tried that and it works! Thanks for the idea.
-- 
Dave Close



Re: Forwarding to two servers

2010-08-10 Thread Kevin Darcy

On 8/6/2010 7:28 PM, CLOSE Dave (DAE) wrote:

 Sten Carlsen wrote:

  I believe you could use forwarding to the internal server for each individual
  name:

  zone "HOST1" {
  type forward;
  forwarders { private.domain.server.IP; };
  };

  This should do the trick but not elegant, not easy. I would start hinting to
  management that changes are needed as this is not manageable in the long term.
  Think also about adding search domains to the hosts that need these lookups.

 Well, of course, I've already complained about the lack of domains on
 the PRIV server. But it's a production system already installed at a
 large number of customer sites. Changing it will be a long and difficult
 process. I know what needs to be fixed there but I can't do it myself.

 Your suggestion of separate forwarding zones for each PRIV host, while
 not elegant as you say, may be fairly practical. I can script an update
 to named.conf based on the actual hosts present on the PRIV system. I've
 tried that and it works! Thanks for the idea.
If you're going to script this _anyway_, why not create separate master 
zones for all of the PRIV names, as previously suggested?


That way you can still resolve the names even if access/connectivity to 
the PRIV server(s) is temporarily interrupted.


The only downside I can see to that is that if the *values* of the PRIV 
names are very dynamic, you might have to run the script quite 
frequently, which can lead to concurrency/locking issues. Using nsupdate 
to make the actual changes to the zones should alleviate most of those 
issues.



- Kevin




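Dave says he scripts the per-host forward zones from the host list on the PRIV system; Niobos's gotcha is that a bare host named com, org or net would quietly redirect that whole TLD to PRIV, and Tony Finch's inversion trades that risk for the chore of keeping a TLD list current. The generator below is an added example written for this page, not the poster's script or BIND code: it emits both layouts and refuses a host name that collides with a TLD, is not a bare label, or repeats. PUB, PRIV, the host list and the short TLD list are constructed stand-ins.

```python
"""Generator for per-host forward zones with the TLD-collision check built in.
Added example for this page, not the poster's script or BIND code; PUB, PRIV,
the host list and the TLD list are constructed stand-ins.
"""

PUB, PRIV = "192.0.2.1", "192.0.2.2"

# stand-in for the registry list; in use, load IANA's tlds-alpha-by-domain.txt
# and refresh it, since the canonical list changes from time to time
TLDS = {"com", "net", "org", "info", "biz", "uk", "de", "arpa"}


def forward_zone(name, forwarders, only=True):
    """One named.conf stanza.  'forward only' keeps named from falling back to
    its own recursion when the forwarder fails; 'forward first' allows it."""
    fwd = " ".join(f"{ip};" for ip in forwarders)
    mode = "forward only;" if only else "forward first;"
    return f'zone "{name}" {{ type forward; {mode} forwarders {{ {fwd} }}; }};'


def per_host_config(priv_hosts, pub=PUB, priv=PRIV, tlds=TLDS):
    """Everything to PUB, each private bare name to PRIV.
    Returns (named.conf text, rejected [(host, reason), ...])."""
    stanzas, rejected, seen = [forward_zone(".", [pub])], [], set()
    for host in priv_hosts:
        name = host.strip().lower().rstrip(".")
        if not name or "." in name or not name.replace("-", "").isalnum():
            rejected.append((host, "not a bare host name"))
        elif name in tlds:
            rejected.append((host, f"collides with the TLD .{name}"))
        elif name in seen:
            rejected.append((host, "duplicate"))
        else:
            seen.add(name)
            stanzas.append(forward_zone(name, [priv]))
    return "\n".join(stanzas) + "\n", rejected


def inverted_config(pub=PUB, priv=PRIV, tlds=TLDS):
    """Each TLD to PUB, everything else (the bare private names) to PRIV.
    Cheaper when the private list churns faster than the TLD list, but now
    a stale TLD list sends real Internet names to PRIV."""
    stanzas = [forward_zone(".", [priv])] + [forward_zone(t, [pub]) for t in sorted(tlds)]
    return "\n".join(stanzas) + "\n"


if __name__ == "__main__":
    conf, bad = per_host_config(["host1", "HOST2", "com", "host1", "db.internal"])
    print(conf)
    for host, why in bad:
        print(f"rejected {host!r}: {why}")
```

Whichever layout you generate, write it to an included file and run `named-checkconf` before `rndc reconfig`, and treat a rejected host as an alert rather than a silent skip: the collision case is exactly the one Niobos warned would "bite later".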

Re: Forwarding to two servers

2010-08-10 Thread CLOSE Dave (DAE)
I asked:
 My company has two internal name servers accessible to me. One (PUB) is
 the usual Internet-facing server than can resolve most internal and all
 public names. The other (PRIV) is a special purpose server that only
 resolves names in a special private domain. If I list both servers in
 resolv.conf, some names cannot be resolved. If PUB is listed first,
 names in the special domain fail; if PRIV is listed first, all other
 names fail.

 It has been suggested that running a forwarding name server of my own
 might provide a solution. I have tried that, but without success. The
 BIND 9 Administrator Reference doesn't seem to address forwarding with
 any relevant examples, so perhaps I'm not doing something right. Here's
 what I have tried.

 I took the named.conf provided by Fedora 13 (bind-9.7.1-2.P2.fc13.i686),
 commented all the IPv6 lines, and added two options:
forwarders { PRIV; PUB; };
forward only;
 (Using the correct IP addresses for PRIV and PUB, of course.)

 After starting the service, only names in the private domain are
 resolved. dig @localhost for any other name returns an Authority
 section that shows the private domain's authority, but no Answer section.

 What is the right way to accomplish my purpose? If I'm on the right
 track, what did I do wrong?

Lyle Giese responded:
 Assuming your private domain is mydomain.com, in the named.conf for
 the public server put:
 
  zone mydomain.com{
  type forward;
  forward only;
  forwarders { ip address of priv server;}; };
 
  The priv server needs to be authoritative (and probably master) for
  mydomain.com.
 
  In resolv.conf on the clients, you only need the pub server.

Nope, that won't help me. I have no ability to modify the PUB server 
(which is probably not BIND anyway). Further, there are actually 
multiple PRIV servers, depending on the physical location, and from most 
physical locations none of them are accessible. (When a PRIV server is 
accessible, only one is visible at a time.) If this problem is to be 
resolved at all, it must be done locally.
-- 
Dave Close



Re: Forwarding to two servers

2010-08-10 Thread Joseph S D Yao
On Fri, Aug 06, 2010 at 10:05:01AM -0700, CLOSE Dave (DAE) wrote:
 Joseph S D Yao wrote:
 
  If you have two forwarders, as you listed, your server will try to
  forward first to one and then to the other.  If it gets any answer at
  all from one - even an error answer - it will not try the other.
 
 So forwarding works exactly the same as listing both servers in 
 resolv.conf? That behavior is exactly what I'm trying to avoid.


This is GOOD behavior.


  There are many ways to try to cascade name servers and try them one at a
  time.  By the good design of BIND, none of them work.
 
 If BIND won't do the job, can you suggest another server that will? I 
 can't be the only one wanting to do something like this.


BIND does it correctly.  It is incorrect to ignore what one server says
and shop around for one that will tell you differently.  That would be
the one run by the identity thief trying to get all your money and leave
you penniless and unclothed under the bridge.


 
  On your new server:
  
  zone . { type hint; file root.hints; };
  zone private.example.com { type forward; forward only;
 forwarders { private.domain.server.IP; }; };
  
  and put the IP address for this name server and no other in your
  /etc/resolv.conf.
 
 Ah, that might work -- in other circumstances. I understand the basic 
 idea to be using separate zones to force forwarding to different servers 
 for different domains. Did I understand correctly?
 
 But an unfortunate characteristic of my PRIV server is that it doesn't 
 use /any/ domain. It only resolves simple, unqualified names like HOST1. 
 This was clearly a mistake in design (from before my time), but I have 
 no ability to change it (in the next five years, anyway).


Then either it's not serving DNS or you haven't found the right buttons.
What is it?  Can you explain a bit more?


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Forwarding to two servers

2010-08-10 Thread Joseph S D Yao
On Fri, Aug 06, 2010 at 10:43:01PM +0100, Tony Finch wrote:
...
 As I understand it, BIND makes recursive queries to forwarding servers. If
 the target is authoritative, you configure the zone as a stub. This is not
 documented.


I believe this is incorrect on both counts.  In this form, BIND forwards
all queries, recursive or not, for the specific given domain to the
specific named servers.  If the forwarding is in the options, again all
queries (recursive or not) will be forwarded, but only if the query is
not resolvable by any domain on the server itself.  (forward first
modifies this by trying recursive resolving if the forward fails.)

And this is documented.


 Neither stub nor forward zones work if you are doing DNSSEC validation and
 the parent zone is secure and there is no delegation from the parent zone.
 In this case you have to make the server authoritative for the child zone
 (i.e. you must be the master or a slave) because BIND does not validate
 authoritative zones so it does not trip over the lack of delegation.


I have not tried this yet, but what you have said does not feel
correct.  It is possible that you meant something different from what
you said.  It is also possible that, not having thought it through, I
am wrong.  [I am having problems figuring out what specifically you mean
by generic phrases like "the server" and "don't work".]


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Forwarding to two servers

2010-08-10 Thread Joseph S D Yao
On Tue, Aug 10, 2010 at 02:37:54PM -0400, Joseph S D Yao wrote:
...
 Then either it's not serving DNS or you haven't found the right buttons.
 What is it?  Can you explain a bit more?
...


Sorry, in my hurry I didn't fast-forward through the thread.  Glad that
it's working for you now.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Forwarding to two servers

2010-08-10 Thread Tony Finch
On Tue, 10 Aug 2010, Joseph S D Yao wrote:
 On Fri, Aug 06, 2010 at 10:43:01PM +0100, Tony Finch wrote:
 ...
  As I understand it, BIND makes recursive queries to forwarding servers. If
  the target is authoritative, you configure the zone as a stub. This is not
  documented.

 I believe this is incorrect on both counts.  In this form, BIND forwards
 all queries, recursive or not, for the specific given domain to the
 specific named servers.

I'm not talking about the queries made to bind, I'm talking about what
bind expects of the target servers you are pointing it at and how it makes
queries to those servers.

  Neither stub nor forward zones work if you are doing DNSSEC validation and
  the parent zone is secure and there is no delegation from the parent zone.
  In this case you have to make the server authoritative for the child zone
  (i.e. you must be the master or a slave) because BIND does not validate
  authoritative zones so it does not trip over the lack of delegation.

 I have not tried this yet,

I have.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND PLYMOUTH: WEST OR SOUTHWEST 5 OR 6,
OCCASIONALLY 7 AT FIRST, DECREASING 3 OR 4. SLIGHT OR MODERATE. RAIN THEN
SHOWERS. MODERATE OR POOR, BECOMING GOOD.


Re: Forwarding to two servers

2010-08-09 Thread CLOSE Dave (DAE)
Based on suggestions here, I now have a named.conf file like this:

   options { ... };
   logging { ... };
   zone . IN { type forward; forwarders { PUB; }; forward only; };
   zone HOST1 { type forward; forwarders { PRIV; }; };
   zone HOST2 { type forward; forwarders { PRIV; }; };
   # PUB and PRIV are actually IP addresses, both on the LAN (not WAN)

I think this means that simple queries for HOST1 or HOST2 (without a 
domain) will be forwarded to PRIV while all other queries will be 
forwarded to PUB. Queries forwarded to PUB will be tried with and 
without the domain search arguments from resolv.conf. Queries to PRIV 
either won't try the search domains or, since they will fail, will 
eventually try without them. If so, that is exactly what I want.

And it seems to work correctly on Fedora 13 with BIND 9.7. Does anyone 
see a hidden gotcha that will bite me later (other than the need to 
maintain the list of HOST*)?
-- 
Dave Close
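A simplified model of how a forward-only configuration like the one above routes queries, added here and not part of the original thread: the query is handled by the most specific configured zone that encloses the query name, and a glibc-style stub resolver with a search list tries the suffixed forms before the bare name. PUB and PRIV stay as placeholders; the search domain corp.example.net and the ndots value are assumptions.

```python
"""Model of query routing for a forward-only named.conf with per-host zones.

Added example, not code from the thread, and a model rather than BIND itself:
a query is routed by the closest enclosing configured zone, and the stub
resolver's search list decides the order in which candidate names are sent.
Forwarder names 'PUB' and 'PRIV' are placeholders, as in the thread.
"""

# Zone name -> forwarder, mirroring: zone "." -> PUB, zone HOST1/HOST2 -> PRIV.
ZONES = {".": "PUB", "host1.": "PRIV", "host2.": "PRIV"}


def canonical(name):
    """Lower-case, absolute form ('host1' -> 'host1.'); the root stays '.'."""
    name = name.lower().rstrip(".")
    return "." if name == "" else name + "."


def closest_enclosing_zone(qname, zone_names):
    """Return the longest zone name that is qname itself or an ancestor of it."""
    q = canonical(qname)
    best = None
    for zone in zone_names:
        z = canonical(zone)
        # Match label-wise: 'host10.' must not match zone 'host1.'.
        if z == "." or q == z or q.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def forwarder_for(qname, zones=ZONES):
    """Which forwarder a forward-only server would send this query name to."""
    table = {canonical(z): fwd for z, fwd in zones.items()}
    zone = closest_enclosing_zone(qname, table)
    return None if zone is None else table[zone]


def search_candidates(name, search=("corp.example.net",), ndots=1):
    """Names a glibc-style stub resolver tries, in order, for a typed name.

    With fewer than ndots dots the search suffixes go first, then the bare
    name; a trailing dot means absolute and disables the search list."""
    if name.endswith("."):
        return [canonical(name)]
    suffixed = [canonical(f"{name}.{s}") for s in search]
    if name.count(".") >= ndots:
        return [canonical(name)] + suffixed
    return suffixed + [canonical(name)]


def trace(name):
    """(candidate name, forwarder) pairs in the order the client causes them."""
    return [(c, forwarder_for(c)) for c in search_candidates(name)]


if __name__ == "__main__":
    for typed in ("HOST1", "www.example.com"):
        print(typed, "->", trace(typed))
```

Only the bare `host1.` lookup reaches PRIV; the search-suffixed attempt `host1.corp.example.net.` is routed to PUB because zone matching is done on the full query name.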



Re: Forwarding to two servers

2010-08-06 Thread CLOSE Dave (DAE)
Joseph S D Yao wrote:

 If you have two forwarders, as you listed, your server will try to
 forward first to one and then to the other.  If it gets any answer at
 all from one - even an error answer - it will not try the other.

So forwarding works exactly the same as listing both servers in 
resolv.conf? That behavior is exactly what I'm trying to avoid.

 There are many ways to try to cascade name servers and try them one at a
 time.  By the good design of BIND, none of them work.

If BIND won't do the job, can you suggest another server that will? I 
can't be the only one wanting to do something like this.

 On your new server:
 
 zone . { type hint; file root.hints; };
 zone private.example.com { type forward; forward only;
forwarders { private.domain.server.IP; }; };
 
 and put the IP address for this name server and no other in your
 /etc/resolv.conf.

Ah, that might work -- in other circumstances. I understand the basic 
idea to be using separate zones to force forwarding to different servers 
for different domains. Did I understand correctly?

But an unfortunate characteristic of my PRIV server is that it doesn't 
use /any/ domain. It only resolves simple, unqualified names like HOST1. 
This was clearly a mistake in design (from before my time), but I have 
no ability to change it (in the next five years, anyway).
-- 
Dave Close



Re: Forwarding to two servers

2010-08-06 Thread Kevin Darcy

On 8/6/2010 1:05 PM, CLOSE Dave (DAE) wrote:

Joseph S D Yao wrote:

   

If you have two forwarders, as you listed, your server will try to
forward first to one and then to the other.  If it gets any answer at
all from one - even an error answer - it will not try the other.
 

So forwarding works exactly the same as listing both servers in
resolv.conf? That behavior is exactly what I'm trying to avoid.

   

There are many ways to try to cascade name servers and try them one at a
time.  By the good design of BIND, none of them work.
 

If BIND won't do the job, can you suggest another server that will? I
can't be the only one wanting to do something like this.

   

On your new server:

zone . { type hint; file root.hints; };
zone private.example.com { type forward; forward only;
 

  forwarders { private.domain.server.IP; }; };
   

and put the IP address for this name server and no other in your
/etc/resolv.conf.
 

Ah, that might work -- in other circumstances. I understand the basic
idea to be using separate zones to force forwarding to different servers
for different domains. Did I understand correctly?

But an unfortunate characteristic of my PRIV server is that it doesn't
use /any/ domain. It only resolves simple, unqualified names like HOST1.
This was clearly a mistake in design (from before my time), but I have
no ability to change it (in the next five years, anyway).
   
Ah, so you want to implement something new, but not willing to fix the 
old broken design which is incompatible with what you're trying to 
implement. Gotcha.


The only halfway-reasonable way I see for you to work around this 
broken design is to define each of those unqualified names 
individually in your nameserver config, e.g.


zone HOST1 {
type master;
file HOST1;
};

and hope they don't change too often.


- Kevin




Re: Forwarding to two servers

2010-08-06 Thread Sten Carlsen


On 06/08/10 19:59, Kevin Darcy wrote:
 On 8/6/2010 1:05 PM, CLOSE Dave (DAE) wrote:
 Joseph S D Yao wrote:

   
 If you have two forwarders, as you listed, your server will try to
 forward first to one and then to the other.  If it gets any answer at
 all from one - even an error answer - it will not try the other.
  
 So forwarding works exactly the same as listing both servers in
 resolv.conf? That behavior is exactly what I'm trying to avoid.

   
 There are many ways to try to cascade name servers and try them one
 at a
 time.  By the good design of BIND, none of them work.
  
 If BIND won't do the job, can you suggest another server that will? I
 can't be the only one wanting to do something like this.

   
 On your new server:

 zone . { type hint; file root.hints; };
 zone private.example.com { type forward; forward only;
  
   forwarders { private.domain.server.IP; }; };
   
 and put the IP address for this name server and no other in your
 /etc/resolv.conf.
  
 Ah, that might work -- in other circumstances. I understand the basic
 idea to be using separate zones to force forwarding to different servers
 for different domains. Did I understand correctly?

 But an unfortunate characteristic of my PRIV server is that it doesn't
 use /any/ domain. It only resolves simple, unqualified names like HOST1.
 This was clearly a mistake in design (from before my time), but I have
 no ability to change it (in the next five years, anyway).

 Ah, so you want to implement something new, but not willing to fix the
 old broken design which is incompatible with what you're trying to
 implement. Gotcha.

 The only halfway-reasonable way I see for you to work around this
 broken design is to define each of those unqualified names
 individually in your nameserver config, e.g.

 zone HOST1 {
 type master;
 file HOST1;
 };

 and hope they don't change too often.

I believe you could use forwarding to the internal server for each
individual name:

zone HOST1 {
   type forward;
   forwarders { private.domain.server.IP; };
};

This should do the trick but not elegant, not easy. I would start
hinting to management that changes are needed as this is not manageable
in the long term. Think also about adding search domains to the hosts
that need these lookups.

   
  
 - Kevin



-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 


Re: Forwarding to two servers

2010-08-06 Thread Tony Finch
On Thu, 5 Aug 2010, Lyle Giese wrote:

 zone mydomain.com{
 type forward;
 forward only;
 forwarders { ip address of priv server;}; };

 The priv server needs to be authoritative (and probably master) for
 mydomain.com.

As I understand it, BIND makes recursive queries to forwarding servers. If
the target is authoritative, you configure the zone as a stub. This is not
documented.

Neither stub nor forward zones work if you are doing DNSSEC validation and
the parent zone is secure and there is no delegation from the parent zone.
In this case you have to make the server authoritative for the child zone
(i.e. you must be the master or a slave) because BIND does not validate
authoritative zones so it does not trip over the lack of delegation.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
WIGHT PORTLAND PLYMOUTH NORTH BISCAY: SOUTHWESTERLY VEERING WESTERLY OR
NORTHWESTERLY, 4 OR 5, OCCASIONALLY 6 AT FIRST. MODERATE, OCCASIONALLY ROUGH
IN PLYMOUTH AND NORTH BISCAY. RAIN OR SHOWERS, FAIR LATER. MODERATE OR GOOD,
OCCASIONALLY POOR.


Re: Forwarding to two servers

2010-08-05 Thread Joseph S D Yao
On Thu, Aug 05, 2010 at 06:03:34PM -0700, CLOSE Dave (DAE) wrote:
 My company has two internal name servers accessible to me. One (PUB) is 
 the usual Internet-facing server that can resolve most internal and all 
 public names. The other (PRIV) is a special purpose server that only 
 resolves names in a special private domain. If I list both servers in 
 resolv.conf, some names cannot be resolved. If PUB is listed first, 
 names in the special domain fail; if PRIV is listed first, all other 
 names fail.
 
 It has been suggested that running a forwarding name server of my own 
 might provide a solution. I have tried that, but without success. The 
 BIND 9 Administrator Reference doesn't seem to address forwarding with 
 any relevant examples, so perhaps I'm not doing something right. Here's 
 what I have tried.
...


If you have two forwarders, as you listed, your server will try to
forward first to one and then to the other.  If it gets any answer at
all from one - even an error answer - it will not try the other.

There are many ways to try to cascade name servers and try them one at a
time.  By the good design of BIND, none of them work.


On your new server:

options {
...
};

logging {
...
};

zone . {
type hint;
file root.hints;
};

zone private.example.com {
type forward;
forward only;
forwarders { private.domain.server.IP; };
};

and put the IP address for this name server and no other in your
/etc/resolv.conf.

For reliability, you might want to run two identical ones and put both
in /etc/resolv.conf.  If you have multiple locations, run at least one
at each enclave, possibly two.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Forwarding DNS Server can not resolved alias records(CNAME)?

2010-06-25 Thread Kevin Darcy
Note that the name 218.246.85.101 -- which is the target of the 
www.01cool.com alias -- does not exist in the Internet DNS.


I don't know what kind of DNS implementation/configuration is running on 
211.99.204.77, but it seems to be returning SERVFAIL for *any* recursive 
query outside of its authoritative zones:


dig cnn.com @211.99.204.77

; <<>> DiG 9.3.0 <<>> cnn.com @211.99.204.77
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 800
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com.                       IN      A

which would, of course, include the aforementioned name 218.246.85.101.

For non-recursive queries outside of its authoritative zones, it gives a 
root referral, which is reasonable.


I guess that crippling one's nameserver in this way is marginally better 
than being an open recursor, but not by much...




- Kevin


On 6/25/2010 7:02 AM, ShanyiWan wrote:

Forwarding DNS Server can not resolved alias records(CNAME)?

here:

211.99.204.77   Forwarding DNS

Master Zone (another ip address)

[r...@flyinweb data]# vi 01cool.com.dom

$TTL 7200   ; 2 hours
@       IN  SOA  ns1.mymaster.com. root.mymaster.com. (
            5       ; serial
            10800   ; refresh
            3600    ; retry
            604800  ; expire
            86400   ; minimum
            )
        NS  ns1.mymaster.com.
        NS  ns2.mymaster.com.
        MX  10 mail.01cool.com.
@       A   218.246.85.101
mail    A   218.246.85.199
www     CNAME   218.246.85.101.
www1    CNAME   517sou.net.

A record is correct, but CNAME record is incorrect!

[r...@flyinweb data]# dig @211.99.204.77 01cool.com

; <<>> DiG 9.7.0-P2 <<>> @211.99.204.77 01cool.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;01cool.com.                    IN      A

;; ANSWER SECTION:
01cool.com.             7200    IN      A       218.246.85.101

;; AUTHORITY SECTION:
01cool.com.             7200    IN      NS      ns1.cnolnic.com.
01cool.com.             7200    IN      NS      ns2.cnolnic.com.

;; ADDITIONAL SECTION:
ns2.cnolnic.com.        6523    IN      A       59.151.23.112

;; Query time: 108 msec
;; SERVER: 211.99.204.77#53(211.99.204.77)
;; WHEN: Fri Jun 25 19:00:35 2010
;; MSG SIZE  rcvd: 104

[r...@flyinweb ~]# dig @211.99.204.77 www.01cool.com

; <<>> DiG 9.7.0-P2 <<>> @211.99.204.77 www.01cool.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25575
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.01cool.com.                IN      A

;; Query time: 108 msec
;; SERVER: 211.99.204.77#53(211.99.204.77)
;; WHEN: Fri Jun 25 18:57:27 2010
;; MSG SIZE  rcvd: 32
--
ShanyiWan
2010-06-25







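A zone-file check for the mistake Kevin points out, added as an example (not code from the thread): CNAME, NS, MX and PTR RDATA is a domain name, so a target written as an IP address, like `218.246.85.101.`, is looked up as a name and never resolves. The embedded zone is a constructed copy of the one posted, and the parser covers only its simple layout (one record per line plus the parenthesised SOA).

```python
"""Flag IP-literal targets in name-valued records of a zone file.

Added example, not code from the thread.  Handles the simple line-per-record
layout of the posted zone (a parenthesised SOA, optional class/TTL tokens,
';' comments); $ORIGIN handling and other multi-line records are out of scope.
"""
import ipaddress

# Constructed copy of the zone posted in the thread.
SAMPLE_ZONE = """\
$TTL 7200   ; 2 hours
@       IN  SOA  ns1.mymaster.com. root.mymaster.com. (
            5       ; serial
            10800   ; refresh
            3600    ; retry
            604800  ; expire
            86400   ; minimum
            )
        NS  ns1.mymaster.com.
        NS  ns2.mymaster.com.
        MX  10 mail.01cool.com.
@       A   218.246.85.101
mail    A   218.246.85.199
www     CNAME   218.246.85.101.
www1    CNAME   517sou.net.
"""

# Record types whose last RDATA field must be a domain name, not an address.
NAME_TARGET_TYPES = {"CNAME", "NS", "MX", "PTR"}


def strip_comment(line):
    return line.split(";", 1)[0].rstrip()


def records(zone_text):
    """Yield (owner, rtype, rdata_fields) for single-line records; skips the SOA."""
    in_soa = False
    owner = "@"
    for raw in zone_text.splitlines():
        line = strip_comment(raw)
        if not line.strip() or line.startswith("$"):
            continue
        if in_soa:                          # inside the SOA parentheses
            in_soa = ")" not in line
            continue
        fields = line.split()
        if not raw[0].isspace():            # owner name present at column 0
            owner = fields.pop(0)
        # Drop optional class and TTL tokens that may precede the type.
        while fields and (fields[0].upper() in ("IN", "CH", "HS") or fields[0].isdigit()):
            fields.pop(0)
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            in_soa = "(" in line and ")" not in line
            continue
        yield owner, rtype, rdata


def looks_like_ip(target):
    """True when the 'name' is really an IPv4/IPv6 literal (trailing dot allowed)."""
    try:
        ipaddress.ip_address(target.rstrip("."))
        return True
    except ValueError:
        return False


def lint(zone_text):
    """Return [(owner, rtype, target)] for name-valued RDATA that is an IP literal."""
    findings = []
    for owner, rtype, rdata in records(zone_text):
        if rtype in NAME_TARGET_TYPES and rdata and looks_like_ip(rdata[-1]):
            findings.append((owner, rtype, rdata[-1]))
    return findings


if __name__ == "__main__":
    for owner, rtype, target in lint(SAMPLE_ZONE):
        print(f"{owner} {rtype} -> {target}: target is an IP address, not a name")
```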


Re: Forwarding updates between views

2009-11-23 Thread Chris Buxton
On Nov 22, 2009, at 7:23 PM, Chris Hills wrote:
On 22/11/09 21:01, Chris Buxton wrote:
 Change the zone from type forward to type slave, and add 
 allow-update-forwarding.
 
 zone dyn.example.com. {
  type slave;
  masters { ::1; };
  allow-update-forwarding { local-networks; };
 };
 
 Then in the external-in view, change allow-update to:
 
  allow-update { ::1; };
 
 Great, works like a charm... but... the update log only records ::1 as the 
 source and not the original address. Is it possible to keep that?

The internal-in view should have some log entry of the forwarded update. I'm 
not sure what category or severity level that would be, though.

Of course, if you were to start using signed updates (either TSIG or GSS-TSIG), 
you would know what key was used.

Chris Buxton
Professional Services
Men & Mice



Re: Forwarding updates between views

2009-11-23 Thread Chris Hills
On 23/11/09 18:05, Chris Buxton wrote:
 The internal-in view should have some log entry of the forwarded update. I'm 
 not sure what category or severity level that would be, though.

I could not find it in either the query log or the update log. Bug?

 Of course, if you were to start using signed updates (either TSIG or 
 GSS-TSIG), you would know what key was used.

The purpose is to provide a free ipv6-only playground that anyone may
use. Normal updates from external clients are logged as intended. Feel
free to add, modify or remove records under dyn.ipv6.chaz6.com. When
security is required I do of course use keys!


