As 10.in-addr.arpa is private namespace *all* of you recursive servers should be configured to serve it. This is similar to how all of your recursive nameservers know where the root servers are except you are using a slave zone instead of a hint zone.
i.e. 10.in-addr.arpa { type slave; masters { <address of AD server>; }; file “slave/10.in-addr.arpa”;// adjust to match your local conventions. request-ixfr no; // only use AXFR for 10.in-addr.arpa as it is coming from AD as IXFR does not work well. forwarders { /* empty */ }; // use iterative resolution for the children of 10.in-addr.arpa. }; Forwarding should NEVER be needed if servers are reachable at the IP level. If the solution says “configure a forward zone” it is almost always wrong. Do the similar for the top of all other private namespaces you are using. Mark > On 4 Apr 2020, at 03:06, bind-li...@iano.org wrote: > > Hi, > > In summary, my question is whether there is a way to configure a bind caching > server to provide recursion in response to iterative queries for records in a > forward type zone. > > The background is that we have: > > - AD domain controllers that are authoritative for all of 10.in-addr.arpa. in > our data centers - most clients point to these for DNS resolution. > - Linux bind caching resolvers in our data centers - domain controllers > forward to these for anything they don’t own. > - Some AWS VPCs which have been allocated subdomains of 10.in-addr.arpa. and > are routable from our data centers. These have Route53 inbound endpoints > which answer queries for those subdomains. > - The bind caching resolvers have forwarding rules for those subdomains to > the AWS inbound endpoints. > > The subdomains in our AWS VPCs have NS records, but the servers those point > to refuse queries for records in the subdomains. The zone resolution is taken > care of by the Route53 resolver service. The Route53 inbound endpoints > successfully resolve queries from our data centers for those subdomains as > long as the recursion desired flag is set to 1 in the query. If recursion > desired is set to 0 they do not send any reply at all. > > We want to be able to resolve PTR records in the subdomains in the AWS VPCs > from our data centers where, as I said above, the clients point to the domain > controllers for DNS resolution. > > Because the AD domain controllers already own 10.in-addr.arpa, they refuse to > allow us to configure conditional forwarding for its subdomains. So we > delegated the subdomains to the inbound endpoints. Because they are > delegations, the domain controllers set the recursion desired flag to 0 on > the queries they send to the endpoints, and we are not getting replies from > the endpoints. > > As a workaround we tried delegating to our linux bind caching resolvers but > we ran into the same issue, that the domain controllers set recursion desired > to 0. As a result, when our linux caching servers have the result in cache, > the lookup is successful, but when it would require a fresh lookup it gets a > reply with no answers. Hence my question, is there a way to tell our bind > caching resolvers to ignore the recursion desired flag and provide recursion > anyway? > > Thanks, > Maria > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users