Forwarding from delegated zone not working


Forwarding from delegated zone not working

seanliam73
Hi

I have a subdomain delegated from AD to a bind9 instance I have running, so
that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However if I query from the AD server that
is doing the delegation I get a SERVFAIL error.

Am I trying to do something that is not possible, or am I just missing some
configuration?

*main instance config*

options {
        directory "/var/named";
        listen-on port 53 { listen addr; };
        auth-nxdomain yes;
        recursion yes;
        allow-query { ip addresses; };
        listen-on-v6 { any; };
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity debug 3;
        };

        channel querylog {
                file "data/query.log";
                severity debug 5;
        };

        category default { default_debug; };
        category queries { querylog; };
};

zone "example.company.com" IN {
        type forward;
        forward only;
        forwarders { ip address; };
};

zone "development.example.company.com" IN {
        type forward;
        forward only;
        forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Forwarding from delegated zone not working

Ben Croswell
If the AD environment loads company.com you need to make sure it has NS delegations. The nameserver will ignore the zone forwarded if it knows the child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73" <[hidden email]> wrote:

RE: Forwarding from delegated zone not working

Darcy Kevin (FCA)
In reply to this post by seanliam73
It doesn't work to delegate to a forwarder; you have to delegate to something that's authoritative for the zone (master or slave). Delegated nameservers are expected to have a full copy of the zone, either as the source (master) or through replication (slave).

Now, if you have restrictions/limitations that prevent you both from a) delegating directly from AD to the authoritative nameservers, and b) replicating from the authoritative nameservers to the BIND instance in question, then you'd need to look into some sort of "DNS proxy", but that's not BIND, and really beyond the scope of this list.

- Kevin

-----Original Message-----
From: bind-users [mailto:[hidden email]] On Behalf Of seanliam73
Sent: Tuesday, October 10, 2017 11:22 AM
To: [hidden email]
Subject: Forwarding from delegated zone not working


RE: Forwarding from delegated zone not working

Darcy Kevin (FCA)
In reply to this post by Ben Croswell

But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.

The assumption I made in my post was that the delegation was pointed to the forwarding BIND instance, which is a non-starter.

- Kevin

From: bind-users [mailto:[hidden email]] On Behalf Of Ben Croswell
Sent: Tuesday, October 10, 2017 11:38 AM
To: seanliam73 <[hidden email]>
Cc: [hidden email]
Subject: Re: Forwarding from delegated zone not working


Re: Forwarding from delegated zone not working

Tony Finch
In reply to this post by seanliam73
seanliam73 <[hidden email]> wrote:
>
> I know the forwarding is working because I can query the main bind9
> instance at receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.

I guess one possible cause for this problem might be if the AD server is
making iterative queries (RD=0) rather than recursive queries (RD=1). In
this case the BIND forwarding setup will not work because forwarding only
applies to recursive queries.

It's probably more reliable to set up the subdomain and sub-sub-domains
with proper delegations, so that normal iterative resolution works.

A few unrelated notes...

> options {
>         directory "/var/named";
>         listen-on port 53 { listen addr; };
>         auth-nxdomain yes;

Don't use this option, it has been useless since 2001.

>         recursion yes;
>         allow-query { ip addresses; };
>         listen-on-v6 { any; };
>         dnssec-enable no;

There should not be any reason to turn off DNSSEC support.

>         dnssec-validation no;
>         dnssec-lookaside auto;

dnssec-lookaside is now obsolete, but even before it was decommissioned
these two lines contradicted each other!

> };

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet, Irish Sea, Southeast Shannon: Southwesterly 5 to 7,
occasionally gale 8 later. Slight or moderate, becoming moderate or rough.
Occasional rain. Moderate or good, occasionally poor.
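Tony's RD=0 versus RD=1 distinction can be checked directly rather than inferred. The following is an added example, not code from the thread or from ISC: it builds a DNS query with the RD bit set or cleared, decodes the flags in the reply, and classifies what came back. The server address 192.0.2.53 and the query name test.development.example.company.com are placeholders; run it against the forwarding BIND instance and compare the two results, or capture the AD server's traffic to see which form it actually sends. The classification in diagnose() is a heuristic for the forward-only setup discussed here, not a general DNS analyser.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or from ISC): send the same query with
RD=1 (what a stub resolver sends) and RD=0 (what a resolver following an NS
delegation sends) and decode the response flags. BIND applies "type forward"
zones only to RD=1 queries. Server address and query name are placeholders."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Return a wire-format query (default type A). rd=False clears the RD
    bit, producing the iterative query a delegation-following resolver sends."""
    flags = 0x0100 if rd else 0x0000            # RD is bit 0x0100 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    """Decode the 12-byte DNS header into the flags a diagnosis needs."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),             # authoritative answer
        "rd": bool(flags & 0x0100),             # RD echoed from the query
        "ra": bool(flags & 0x0080),             # server offers recursion
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
        "nscount": ns,
    }


def diagnose(rd_sent, hdr):
    """Heuristic reading of (RD sent, flags returned) for a forward-only server."""
    if hdr["rcode"] == "SERVFAIL" and not rd_sent:
        return ("RD=0 query failed: the server is not authoritative for the name "
                "and forwarding does not apply to iterative queries")
    if hdr["rcode"] == "NOERROR" and hdr["aa"]:
        return "authoritative answer: delegating to this server is sound"
    if hdr["rcode"] == "NOERROR" and rd_sent and hdr["ra"] and not hdr["aa"]:
        return "non-authoritative answer obtained via recursion/forwarding"
    if hdr["rcode"] == "REFUSED":
        return "REFUSED: check the allow-query / allow-recursion ACLs"
    return "rcode %s (aa=%s ra=%s)" % (hdr["rcode"], hdr["aa"], hdr["ra"])


def probe(server, name, rd, timeout=3.0):
    """Send one UDP query and return the parsed response header (needs network)."""
    q = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(q)["id"]:
        raise ValueError("transaction id mismatch")
    return hdr


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"   # placeholder
    name = "test.development.example.company.com"                 # placeholder
    for rd in (True, False):
        print("RD=%d -> %s" % (rd, diagnose(rd, probe(server, name, rd))))
```

The same two probes can be issued with `dig @server name +recurse` and `dig @server name +norecurse`. Against a server that only has `type forward` zones for the name, the RD=1 probe should come back as a non-authoritative answer via the forwarders while the RD=0 probe fails, which is the asymmetry between querying the BIND instance directly and querying through the AD server.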

RE: Forwarding from delegated zone not working

Ben Croswell
In reply to this post by Darcy Kevin (FCA)
I guess I made the assumption that zone was properly forwarded at the MS end.

However, as you mentioned, if it was only delegated then it would SERVFAIL at the BIND server when receiving an iterative query from MS if BIND isn't authoritative.

On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" <[hidden email]> wrote:


Re: Forwarding from delegated zone not working

Bob Harold
In reply to this post by seanliam73

On Tue, Oct 10, 2017 at 11:21 AM, seanliam73 <[hidden email]> wrote:

options {
        directory "/var/named";
        listen-on port 53 { listen addr; };
        auth-nxdomain yes;
        recursion yes;
        allow-query { ip addresses; };

--------- You might also need to add:
           allow-recursion { ip addresses; };

-- 
Bob Harold

Re: Forwarding from delegated zone not working

seanliam73
In reply to this post by Ben Croswell
Unfortunately we don't manage the AD server, that has been outsourced.

The team that manage AD have delegated the subdomain to our bind 9 instance
which in turn has a number of forwarding zones configured. This is to manage
DNS over a number of cloud based environments.




RE: Forwarding from delegated zone not working

seanliam73
In reply to this post by Darcy Kevin (FCA)
Thanks Kevin

That is what I suspected. If I make the delegated server the master/slave
for the sub-domain that has been delegated, could I then set up forward
zones for further sub-domains? i.e.

subdomain.example.com (delegated domain set as master zone)
sub.subdomain.example.com (forward zone)

Sean




RE: Forwarding from delegated zone not working

Darcy Kevin (FCA)
You can certainly configure the subdomains that way, but the same resolver which followed the subdomain.example.com delegation in the first place, to your BIND instance, will presumably follow the delegation of sub.subdomain.example.com (as it is published via NS records in the parent zone) to find the nameservers for that subzone, query them, and expect authoritative responses. Your forwarding config won't be used, by such a resolver, since it'll be sending you non-recursive (RD=0) queries, which are incompatible with forwarding.

Ultimately, the bottom line is that if the "leaf-node" data is not available in an authoritative form, then you can't use delegation alone to facilitate its resolution. You'd need to set up some sort of forwarding, possibly multi-hop forwarding, which is notorious for being fragile, inefficient and lacking in scalability.

You mentioned in another post that the DNS data in question is for a cloud environment. My experience so far (primarily with AWS) is that these cloud providers don't understand how robust DNS enterprise architectures work. If they did, they would have offered authoritative, replicate-able DNS zone data as a basic service, straight out of the gate. Supposedly this "feature" is "on the roadmap" for AWS, but it seems to be a distant goal, with no particular priority. In the meantime, they are requiring their enterprise customers to sacrifice some of the reliability and performance we've built up in our DNS infrastructures over years (and, in some cases, decades), instead stringing together forwarding hierarchies and other nonsense like that.

(Editorial note: I originally got carried away at this point, explaining my model of how DNS is, conceptually, constructed -- authoritative core, inner iterative-resolution layer, outer recursive-resolution layer -- along with a diatribe about how poor/junior enterprise DNS architects try, with sub-optimal results, to build on recursive resolution as a foundation, because that's the only layer they really understand. But I don't want to put anyone to sleep, or fill up their mailboxes with walls of text, so I'll forego that for now, saving the text for some other day).

May I ask: why would you put anything non-AD-related, of actual importance, in a *subdomain* of an Active Directory zone ? Maybe it's just a matter of perspective, but I see Active Directory as just one service we run in our enterprise, among many. So, while it gets its own namespace, it doesn't get to control the *main* namespace -- certainly, we would never put anything non-AD-related *underneath* an AD zone. Granted, I don't know your organization's structure, internal politics, history, etc. But it just seems rather odd to me that you're delegating stuff from an AD zone. I view such namespaces as "leaves", not "branches".

- Kevin


-----Original Message-----
From: bind-users [mailto:[hidden email]] On Behalf Of seanliam73
Sent: Wednesday, October 11, 2017 3:45 AM
To: [hidden email]
Subject: RE: Forwarding from delegated zone not working

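Ben's point that the parent must carry NS delegations, and Kevin's that a delegation has to land on a server that is authoritative for the child, can be turned into a check run against the zone this BIND instance would be master for. The following is an added example, not from the thread or from ISC: it parses a small constructed parent zone (subdomain.example.com, with placeholder host names and 192.0.2.0/24 addresses), lists every child delegation, and flags an in-bailiwick nameserver with no glue and a delegation that points back at this server for a child it only has a `type forward` zone for, which is the arrangement the thread concludes cannot work. The zone text, the LOCAL_ZONES dictionary and the addresses are all assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or from ISC): find the NS delegations
in a zone this BIND server is authoritative for, and flag the two ways a
delegation fails to reach authoritative data: an in-bailiwick nameserver
with no glue, and a delegation that lands on this server for a child it
merely forwards. Zone contents, host names and addresses are constructed
placeholders."""

# Constructed parent zone in BIND zone-file syntax (one record per line; the
# parser below does not handle multi-line records or blank-owner continuations).
PARENT_ZONE = """\
$ORIGIN subdomain.example.com.
$TTL 3600
@        IN SOA ns1 hostmaster ( 2017101001 3600 900 1209600 300 )
@        IN NS  ns1
ns1      IN A   192.0.2.10
; child run by another BIND instance, delegated with glue: fine
sub      IN NS  ns1.sub
ns1.sub  IN A   192.0.2.20
; child delegated back to this server, which only forwards it: lame
dev      IN NS  ns1
; in-bailiwick nameserver with no glue: unreachable from the parent
test     IN NS  ns1.test
"""

# Zones this server loads and the addresses it answers on (constructed;
# mirrors the thread's named.conf, where the child is a "type forward" zone).
LOCAL_ZONES = {
    "subdomain.example.com.": "master",
    "dev.subdomain.example.com.": "forward",
}
LOCAL_ADDRESSES = {"192.0.2.10"}
AUTHORITATIVE_TYPES = ("master", "slave", "primary", "secondary")


def qualify(name, origin):
    """Turn a relative owner or target into an absolute name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return [(owner, type, rdata_fields)] with all names made absolute."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0] == "$TTL":
            continue
        owner, fields = qualify(parts[0], origin), parts[1:]
        if fields and fields[0].isdigit():              # optional TTL
            fields = fields[1:]
        if fields and fields[0] == "IN":                # optional class
            fields = fields[1:]
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records


def check_delegations(records, local_zones, local_addresses):
    """Map each delegated child to a list of problems (empty means the
    delegation looks sound from this server's point of view)."""
    apex = next(o for o, t, _ in records if t == "SOA")
    glue = {o: r[0] for o, t, r in records if t == "A"}
    result = {}
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == apex:
            continue
        problems = result.setdefault(owner, [])
        ns = rdata[0]
        if ns.endswith("." + owner) and ns not in glue:
            problems.append("%s is in-bailiwick but has no glue A record" % ns)
        elif glue.get(ns) in local_addresses:
            ztype = local_zones.get(owner, "none")
            if ztype not in AUTHORITATIVE_TYPES:
                problems.append(
                    "%s is this server, whose zone type for %s is '%s'; a "
                    "resolver following the delegation sends RD=0 queries, "
                    "which a forward zone never answers" % (ns, owner, ztype))
    return result


if __name__ == "__main__":
    report = check_delegations(parse_zone(PARENT_ZONE), LOCAL_ZONES, LOCAL_ADDRESSES)
    for child, problems in sorted(report.items()):
        print(child, "OK" if not problems else "; ".join(problems))
```

The fix for the flagged `dev` delegation is the one Kevin describes: either point its NS records at the BIND instance that really holds the zone (with glue if that name sits under the child), or make this server a master or slave for `dev` so that RD=0 queries from the parent get authoritative answers; a `type forward` zone at the delegation target satisfies neither.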