"forward first" set on a master zone not working as expected

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

"forward first" set on a master zone not working as expected

Bind-Users forum mailing list
Hello,

I am attempting to set up an internal DNS server that is authoritative for internal resources, but also will respond for external resources on the same domain that it does not have records for.

For example, I have a domain sub.example.com, and I want to have internal entries in the BIND zone file for host1.sub.example.com and host2.sub.example.com. That part is working fine. However, there is a publicly available DNS entry for sub.example.com that I want my internal clients to be able to resolve, but I don’t want to have the IP in the BIND zone file, because the IP is dynamic. There are also some hosts (host3.sub.example.com) and (host4.sub.example.com) that are externally resolvable that I don’t want to put in my internal BIND file because they are not controlled by me. (Think CNAME to a SaaS application)

I’ve attempted to do this as follows, and it seems to make sense that it would work, but it does not. 


named.conf:

zone “sub.example.com" IN {
        type master;
        file "/etc/bind/sub.example.com.zone";
        forward first;
        forwarders { 1.1.1.1; 1.0.0.1; };
};


$ttl 600
@                      300 SOA   dns.sub.example.com. (
                              taylor.viertaxa.com.      ; address of responsible party
                              2020090101                ; serial number
                              300                       ; refresh period
                              300                       ; retry period
                              604800                    ; expire time
                              300                     ) ; minimum ttl
                      300 NS    elinore.ns.cloudflare.com.
                      300 NS    hal.ns.cloudflare.com.
host1                   60  A     10.x.x.x
host2                   60  A     10.x.x.x

What I would expect to happen, is that BIND sees “forward first” and attempts to look up the hostname host3.sub.example.com on the listed forwarders, and succeeds (there’s an entry publicly available for that one. 

What actually happens, is if I query for sub.example.com I get the following from nslookup:
*** Can't find sub.example.com: No answer

And if I query for host3.example.com, I get the following from nslookup:
** server can't find host3.sub.example.com: NXDOMAIN


BIND version:

Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u2


Thank you in advance for any help you might be able to provide. 

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

signature.asc (858 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: "forward first" set on a master zone not working as expected

Matus UHLAR - fantomas
On 02.09.20 15:00, Taylor Vierrether via bind-users wrote:

> I am attempting to set up an internal DNS server that is authoritative for
> internal resources, but also will respond for external resources on the
> same domain that it does not have records for.
>
> For example, I have a domain sub.example.com , and I want to have internal
> entries in the BIND zone file for host1.sub.example.com and
> host2.sub.example.com.  That part is working fine.  However, there is a
> publicly available DNS entry for sub.example.com that I want my internal
> clients to be able to resolve, but I don’t want to have the IP in the BIND
> zone file, because the IP is dynamic.

you can delegate that entry elsewhere.

>  There are also some hosts (host3.sub.example.com ) and
> (host4.sub.example.com) that are externally resolvable that I don’t want
> to put in my internal BIND file because they are not controlled by me.
> (Think CNAME to a SaaS application)

you can delegate those records somewhere.

>I’ve attempted to do this as follows, and it seems to make sense that it
> would work, but it does not.
>
>
>named.conf:
>
>zone “sub.example.com" IN {
>        type master;
>        file "/etc/bind/sub.example.com.zone";
>        forward first;
>        forwarders { 1.1.1.1; 1.0.0.1; };
>};

forwarding is not used for zone other than "type forward".

>What actually happens, is if I query for sub.example.com I get the following from nslookup:
>*** Can't find sub.example.com: No answer

if you search for "sub.example.com" record, you can not delegate that one,
of course.

you apparently should use redesign your DNS. Easiest way would be using
different domain internally.

>And if I query for host3.example.com , I get the following from nslookup:
>** server can't find host3.sub.example.com: NXDOMAIN

note that nslookup is very bad program for tracking DNS errors.
use "host" or "dig" for that case.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: "forward first" set on a master zone not working as expected

Kevin Darcy
[ Classification Level: GENERAL BUSINESS ]

Or, if you absolutely *must* use the same namespace internally and externally (oftentimes you can't talk the business out of that), your internal version should be a more-or-less a superset of your external version.

How you keep those in sync is up to you. For us, we have a centralized management system that makes the relevant updates in parallel. The big caveat with that is, those few situations where the DNS needs to be "schizophrenic", i.e. resolve differently in the internal versus external versions of the zones. We try to keep that nonsense to a minimum, but when we can't talk people out of it, we handle it on an exception basis.

I suppose another approach is to have a backend database which tags each record as being "internal", "external" or "both", and then the respective versions of the zones get generated accordingly. You'd need something to ensure referential integrity, though, otherwise you might end up with dangling references (e.g. CNAME/MX/SRV targets), bad delegations, etc.

                                                                                            - Kevin

P.S. No offense to schizophrenics. I guess a more accurate term would be "multiple personality".


On Thu, Sep 3, 2020 at 3:52 AM Matus UHLAR - fantomas <[hidden email]> wrote:
On 02.09.20 15:00, Taylor Vierrether via bind-users wrote:
> I am attempting to set up an internal DNS server that is authoritative for
> internal resources, but also will respond for external resources on the
> same domain that it does not have records for.
>
> For example, I have a domain sub.example.com , and I want to have internal
> entries in the BIND zone file for host1.sub.example.com and
> host2.sub.example.com.  That part is working fine.  However, there is a
> publicly available DNS entry for sub.example.com that I want my internal
> clients to be able to resolve, but I don’t want to have the IP in the BIND
> zone file, because the IP is dynamic.

you can delegate that entry elsewhere.

>  There are also some hosts (host3.sub.example.com ) and
> (host4.sub.example.com) that are externally resolvable that I don’t want
> to put in my internal BIND file because they are not controlled by me.
> (Think CNAME to a SaaS application)

you can delegate those records somewhere.

>I’ve attempted to do this as follows, and it seems to make sense that it
> would work, but it does not.
>
>
>named.conf:
>
>zone “sub.example.com" IN {
>        type master;
>        file "/etc/bind/sub.example.com.zone";
>        forward first;
>        forwarders { 1.1.1.1; 1.0.0.1; };
>};

forwarding is not used for zone other than "type forward".

>What actually happens, is if I query for sub.example.com I get the following from nslookup:
>*** Can't find sub.example.com: No answer

if you search for "sub.example.com" record, you can not delegate that one,
of course.

you apparently should use redesign your DNS. Easiest way would be using
different domain internally.

>And if I query for host3.example.com , I get the following from nslookup:
>** server can't find host3.sub.example.com: NXDOMAIN

note that nslookup is very bad program for tracking DNS errors.
use "host" or "dig" for that case.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users