Re: Bind9 local DNS not forwarding query to public DNS

2024-03-12 Thread Dan Ritter
Muhammad Yousuf Khan wrote: 
> Need your experienced advice. We have a BIND9 DNS server that operates both
> privately and publicly for the domain example xyz.com. I use the private
> DNS for certain secure nodes on our local network. I want all VPN users to
> be able to resolve these secure nodes using our local DNS, which is
> functioning correctly.
> 
> So I force-assign all VPN users our local DNS so that they can access the
> secure records, and the local DNS can forward their query to public DNS in
> case the record is not found in the zone file.
> 
> Locally everything is working just fine; the issue arises when a VPN user
> queries an A record that is only on the public side. For example, if
> "secure.xyz.com" has a local entry in the zone file, it works as expected.
> However, when the entry is not present, I expect BIND to conditionally
> forward the query to a remote DNS server and resolve it for the VPN client.
> Unfortunately, this is not happening. BIND only searches for entries that
> are available in the local zone file and then times out. Here are my
> configuration files.
> 
> Here is my bind config:
> 
> options {
>     directory "/var/cache/bind";
>     recursion yes;                  // Enable DNS recursion
>     allow-recursion { localhost; };

^ only localhost is allowed to do recursive queries. But you
want all your internal users to be allowed to do that.

>     allow-query { any; };           // Allow queries from any IP address
>     forwarders {
>         8.8.8.8;
>     };
>     dnssec-validation auto;
>     listen-on-v6 { any; };
> };
> 
> zone "xyz.com" {
>     type master;
>     file "/etc/bind/db.xyz.com";
>     forwarders {
>         8.8.8.8;
>         8.8.4.4;                    // Additional forwarder (optional)

^ you do not want forwarders here.

-dsr-
Re: Bind9 local DNS not forwarding query to public DNS

2024-03-12 Thread Eduardo M KALINOWSKI

On 12/03/2024 12:48, Muhammad Yousuf Khan wrote:

> Dear All,
> Need your experienced advice. We have a BIND9 DNS server that operates
> both privately and publicly for the domain example xyz.com. I use the
> private DNS for certain secure nodes on our local network. I want all VPN
> users to be able to resolve these secure nodes using our local DNS, which
> is functioning correctly.
> 
> So I force-assign all VPN users our local DNS so that they can access the
> secure records, and the local DNS can forward their query to public DNS
> in case the record is not found in the zone file.
> 
> Locally everything is working just fine; the issue arises when a VPN
> user queries an A record that is only on the public side. For example, if
> "secure.xyz.com" has a local entry in the zone file, it works as expected.
> However, when the entry is not present, I expect BIND to conditionally
> forward the query to a remote DNS server and resolve it for the VPN
> client. Unfortunately, this is not happening. BIND only searches for
> entries that are available in the local zone file and then times out.
> Here are my configuration files.
> 
> Here is my bind config:
> 
> options {
>     directory "/var/cache/bind";
>     recursion yes;                   // Enable DNS recursion
>     allow-recursion { localhost; };


You're only allowing recursion from localhost. I guess you need to allow 
the internal VPN addresses here. Maybe that's the (commented) acl below, 
so try something like


allow-recursion { "trusted"; };

(Maybe the acl needs to be defined before it's used, I'm not sure.)


>     //acl trusted {192.168.1.0/24; };


But remember to add localhost to the acl, so that local processes can 
also use the recursive server.



>     querylog yes;
>     allow-transfer { none; };        // Disable zone transfers by default
>     allow-query { any; };            // Allow queries from any IP address
>     forwarders {
>         8.8.8.8;
>     };
>     dnssec-validation auto;
>     listen-on-v6 { any; };
> };
> 
> zone "xyz.com" {
>     type master;
>     file "/etc/bind/db.xyz.com";
>     forwarders {
>         8.8.8.8;
>         8.8.4.4;                     // Additional forwarder (optional)
>     };
> };
> 
> Thanks,
> 
> Yousuf

--
pension:
A federally insured chain letter.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
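A corrected named.conf fragment that applies both points raised in the replies above (Dan's: drop the zone-level forwarders; Eduardo's: open recursion to an acl that also contains localhost). This is an added example, not configuration posted by anyone in the thread; the 10.8.0.0/24 VPN client pool is an assumed placeholder for whatever tunnel subnet the VPN clients actually source their queries from.

```conf
// Added example, not the poster's config. The acl is a top-level statement
// (it cannot live inside options) and must be defined before it is referenced.
acl "trusted" {
    localhost;          // local processes on the server itself
    192.168.1.0/24;     // LAN, taken from the commented-out acl in the post
    10.8.0.0/24;        // VPN client pool (assumed placeholder value)
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Recursion only for trusted clients. Everyone else still gets answers
    // for xyz.com (the authoritative data) but cannot use this host as an
    // open resolver.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-query { any; };            // public side keeps answering xyz.com
    allow-transfer { none; };
    querylog yes;
    // Global forwarders handle every name this server is not authoritative for.
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};

zone "xyz.com" {
    type master;
    file "/etc/bind/db.xyz.com";
    // No forwarders here: this server is authoritative for xyz.com, so the
    // zone file is the final word on names under it.
};
```

Check it with named-checkconf before reloading. Because the server is authoritative for xyz.com, a name under xyz.com that is absent from db.xyz.com gets NXDOMAIN rather than being forwarded; only names outside xyz.com reach the forwarders.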
Bind9 local DNS not forwarding query to public DNS

2024-03-12 Thread Muhammad Yousuf Khan
Dear All,
Need your experienced advice. We have a BIND9 DNS server that operates both
privately and publicly for the domain example xyz.com. I use the private
DNS for certain secure nodes on our local network. I want all VPN users to
be able to resolve these secure nodes using our local DNS, which is
functioning correctly.

So I force-assign all VPN users our local DNS so that they can access the
secure records, and the local DNS can forward their query to public DNS in
case the record is not found in the zone file.

Locally everything is working just fine; the issue arises when a VPN user
queries an A record that is only on the public side. For example, if
"secure.xyz.com" has a local entry in the zone file, it works as expected.
However, when the entry is not present, I expect BIND to conditionally
forward the query to a remote DNS server and resolve it for the VPN client.
Unfortunately, this is not happening. BIND only searches for entries that
are available in the local zone file and then times out. Here are my
configuration files.

Here is my bind config:


options {
    directory "/var/cache/bind";
    recursion yes;                   // Enable DNS recursion
    allow-recursion { localhost; };
    //acl trusted { 192.168.1.0/24; };
    querylog yes;
    allow-transfer { none; };        // Disable zone transfers by default
    allow-query { any; };            // Allow queries from any IP address
    forwarders {
        8.8.8.8;
    };
    dnssec-validation auto;
    listen-on-v6 { any; };
};

zone "xyz.com" {
    type master;
    file "/etc/bind/db.xyz.com";
    forwarders {
        8.8.8.8;
        8.8.4.4;                     // Additional forwarder (optional)
    };
};

Thanks,

Yousuf