forwarder is ignored when authoritative zone is added
I've recently had an issue that I'm having some issues finding information on solving. I have internal DNS resolvers...they act as recursive name servers for general internet queries, but we have forwarders explicitly defined for specific internal zones being served by other name servers. My configuration has one particular zone configured as such:

    zone internal.organization.com IN {
        type forward;
        forward only;
        forwarders { 172.x.x.x; 172.x.x.x; };
    };

I have our main zone, organization.com, hosted in an external area outside of a firewall with a wildcard record contained in it for anything that is not explicitly defined. I have some services that I need to reach using names that are in this external zone internally. What I'm trying to do is to slave the organization.com zone to my internal recursive resolver to mitigate any possible network issues.

So I set up the internal resolver as a slave for the organization.com zone and found that queries against internal.organization.com were getting answered with the wildcard for the external organization.com zone. I can't seem to figure out why the forwarders are getting ignored. Is it an order of precedence, say authoritative zones are respected over forwarders...or something else??

Thanks for any assistance anyone can provide, or point me to some documentation I'm missing,
Frank

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: forwarder is ignored when authoritative zone is added
The one thing I can think of off the top of my head is to ensure the child subdomain is properly delegated in the parent. If you try to zone-level forward a child domain on a server that loads the parent, it will ignore the forward if it can see the child doesn't exist as a true delegation. I assume the logic is, why would I forward a subdomain I know doesn't exist.

-Ben Croswell

On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:
> [...] So I set up the internal resolver as a slave for the organization.com zone and found that queries against internal.organization.com were getting answered with the wildcard for the external organization.com zone. I can't seem to figure out why the forwarders are getting ignored. Is it an order of precedence, say authoritative zones are respected over forwarders...or something else??
Re: forwarder is ignored when authoritative zone is added
On 26/10/12 12:56, Ben Croswell wrote:
> The one thing I can think of off the top of my head is to ensure the child subdomain is properly delegated in the parent. If you try to zone-level forward a child domain on a server that loads the parent, it will ignore the forward if it can see the child doesn't exist as a true delegation. I assume the logic is, why would I forward a subdomain I know doesn't exist.

I should think that internal.org... is properly delegated, so the forward will not be concerned about a subdomain, only about the domain that is actually forwarded. internal.org... will then be looked up in the normal recursive way, so another forward statement might solve this issue.

> -Ben Croswell
>
> On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:
>> [...] So I set up the internal resolver as a slave for the organization.com zone and found that queries against internal.organization.com were getting answered with the wildcard for the external organization.com zone. I can't seem to figure out why the forwarders are getting ignored.

--
Best regards
Sten Carlsen
No improvements come from shouting: MALE BOVINE MANURE!!!
Re: forwarder is ignored when authoritative zone is added
The thing that brings me back to a delegation issue is the statement of slaving an external version of the second-level domain to the internal DNS server. I know if I was splitting a domain I would not put internal-only delegations external.

-Ben Croswell

On Oct 26, 2012 7:23 AM, Sten Carlsen st...@s-carlsen.dk wrote:
> On 26/10/12 12:56, Ben Croswell wrote:
>> The one thing I can think of off the top of my head is to ensure the child subdomain is properly delegated in the parent. [...]
>
> I should think that internal.org... is properly delegated, so the forward will not be concerned about a subdomain, only about the domain that is actually forwarded. internal.org... will then be looked up in the normal recursive way, so another forward statement might solve this issue.
Re: forwarder is ignored when authoritative zone is added
In article mailman.521.1351232171.11945.bind-us...@lists.isc.org, Frank Even lists+isc@elitists.org wrote:
> My configuration has one particular zone configured as such:
>
>     zone internal.organization.com IN { type forward; forward only; forwarders { 172.x.x.x; 172.x.x.x; }; };
>
> [...] So I set up the internal resolver as a slave for the organization.com zone and found that queries against internal.organization.com were getting answered with the wildcard for the external organization.com zone. I can't seem to figure out why the forwarders are getting ignored. Is it an order of precedence, say authoritative zones are respected over forwarders...or something else??

Forwarders are only used when the server needs to recurse in the first place. They tell it "Instead of following the NS records, ask the forwarder(s)." If the server is authoritative for the zone, and there are no NS records delegating the subdomain away, it doesn't need to recurse and just returns what it has (in this case the record synthesized from the wildcard).

Why not configure your resolvers as slaves or stubs for the internal subdomain?

--
Barry Margolin
Arlington, MA
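A named.conf fragment for the internal resolver, added here as an illustration and not taken from the thread, showing the slave copy of the parent that swallows the query alongside the two fixes named in the replies: Barry's stub (or slave) zone for the child, and Ben's delegation in the parent. The addresses 192.0.2.10 and 172.16.0.53 and the file paths are constructed placeholders.

```conf
// Internal recursive resolver (added example, not from the thread).
// Placeholders: 192.0.2.10 = external master for organization.com,
//               172.16.0.53 = internal authoritative server for
//                             internal.organization.com.

options {
    recursion yes;
};

// Loading the parent locally means every name under organization.com,
// including anything under internal.organization.com, is answered
// from this zone. With no NS delegation for "internal" in the zone
// data, the wildcard matches, named never needs to recurse, and a
// "type forward" zone for the child is never consulted.
zone "organization.com" IN {
    type slave;
    masters { 192.0.2.10; };
    file "slave/organization.com.db";
};

// Fix A (Barry's suggestion): hold the child zone on the resolver
// itself, in place of the forward zone from the original post (a
// forward zone and a stub zone with the same name cannot coexist).
// named answers from the most specific zone it has loaded, so this
// wins over the parent's wildcard and the external zone data is
// untouched. A stub zone pulls only SOA/NS/glue and then iterates to
// the internal servers; use "type slave" for a full copy, in which
// case 172.16.0.53 must allow zone transfers from this resolver.
zone "internal.organization.com" IN {
    type stub;
    masters { 172.16.0.53; };
    file "stub/internal.organization.com.db";
};

// Fix B (Ben's suggestion): keep the forward zone from the original
// post, but make the child a real delegation in the parent's zone
// data, so a lookup under it yields a referral, named has to recurse,
// and the forward table is consulted. Records needed in the
// organization.com zone file, shown here as a comment:
//
//   internal      IN  NS  ns1.internal.organization.com.
//   ns1.internal  IN  A   172.16.0.53
//
// This publishes the delegation and its glue address in the external
// zone, which is the trade-off Frank raises in his reply.
```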
Re: forwarder is ignored when authoritative zone is added
On Fri, Oct 26, 2012 at 7:27 AM, Barry Margolin bar...@alum.mit.edu wrote:
> Forwarders are only used when the server needs to recurse in the first place. They tell it "Instead of following the NS records, ask the forwarder(s)." If the server is authoritative for the zone, and there are no NS records delegating the subdomain away, it doesn't need to recurse and just returns what it has (in this case the record synthesized from the wildcard).
>
> Why not configure your resolvers as slaves or stubs for the internal subdomain?

Now that you put it that way the behavior makes perfect sense. Thanks!

I'd rather not do that to avoid having any internal records in external DNS. I'm thinking of maybe running views on the internal box instead, putting the authoritative zone in an external view and the rest of the current config in the internal view, and forwarding lookups to organization.com to the external view. Seems like the only real way around it without a delegation of some sort from the master zone.