Sunday, September 25, 2016

domain name system - How to properly configure BIND forward zone for an internal DNS server?

I have:

  1. An internal DNS server ns1.internal with IP 192.168.0.4.

  2. An external DNS server with an external TLD mydns.example.com and internal IP 192.168.0.5. It's accessible both from the Internet (via a static NAT rule) and from the local network.



I'm trying to set up my external DNS server to forward the zone subzone.mydns.example.com to the internal DNS server. The internal DNS server is authoritative for this zone.




Important: I can't modify the internal DNS server configuration. I can read it, however, if that's needed to diagnose the issue.



File /etc/named.conf on the external DNS server:



options {
    directory "/var/named";
    version "get lost";

    recursion yes;
    allow-transfer {"none";};

    allow-query { any; };
    allow-recursion { any; };
};

logging {
    channel example_log {
        file "/var/log/named/named.log" versions 3 size 2m;
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    category default {
        example_log;
    };
};

// Zones:

zone "mydns.example.com" {
    type master;
    file "mydns.example.com.zone";
    allow-update { none; };
};

zone "subzone.mydns.example.com" {
    type forward;
    forwarders { 192.168.0.4; };
};



File /var/named/mydns.example.com.zone on the external DNS server:



$TTL 1
$ORIGIN mydns.example.com.
@ IN SOA mydns.example.com. root.mydns.example.com. (
        2003080800 ; se = serial number
        60         ; ref = refresh
        60         ; ret = update retry
        60         ; ex = expiry
        60         ; min = minimum
        )

@ IN NS mydns.example.com.


So, now I try to resolve some DNS records.
The external server zone seems to work.



workstation$ dig mydns.example.com NS +tcp +short

mydns.example.com.


But the forwarded zone does not work:



workstation$ dig subzone.mydns.example.com NS +tcp

; <<>> DiG 9.8.1-P1 <<>> subzone.mydns.example.com NS +tcp
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36887
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;subzone.mydns.example.com. IN NS

;; AUTHORITY SECTION:
mydns.example.com. 1 IN SOA mydns.example.com. root.mydns.example.com. 2003080800 60 60 60 60

;; Query time: 3 msec

;; SERVER: 91.144.182.3#53(91.144.182.3)
;; WHEN: Thu Jul 19 17:27:54 2012
;; MSG SIZE rcvd: 108


The results are identical when these commands are executed on a remote Internet host and on an internal host.



If I try to resolve subzone.mydns.example.com. from the external name server AND specify the internal server explicitly, I get:



mydns$ dig @192.168.0.4 subzone.mydns.example.com NS


; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @192.168.0.4 subzone.mydns.example.com NS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 87
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;subzone.mydns.example.com. IN NS


;; ANSWER SECTION:
subzone.mydns.example.com. 3600 IN NS ns1.internal.

;; ADDITIONAL SECTION:
ns1.internal. 3600 IN A 192.168.0.4

;; Query time: 613 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Thu Jul 19 18:20:55 2012

;; MSG SIZE rcvd: 163


What's wrong? How do I configure the forwarding DNS zone to work as I expect?
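The following is an added example and not part of the original post. It checks the configuration above for the condition that usually produces exactly this symptom: BIND keeps "type forward" stanzas in the view's forwarding table, not in the zone table, so a query for a name under a zone the server is master for is answered from that zone's data first, and the forwarder is only consulted once recursion starts, which requires a referral (an NS delegation in the parent zone) rather than the NXDOMAIN the parent currently returns. Whether that is the cause here is an assumption; the script, whose names (`parse_named_conf`, `zone_ns_owners`, `undelegated_forward_zones`) and constructed inputs are my own, parses a named.conf and the parent zone file and flags every forward zone that lies under a locally authoritative zone with no NS delegation for it, then shows the same zone file with the delegation added.

```python
"""Lint for the "forward zone under a locally authoritative zone" trap.

Added example, not code from the original post. Assumptions: named.conf zone
stanzas of the simple form shown on the page; RFC 1035 zone files using $TTL,
$ORIGIN, @, parentheses and ';' comments (no $INCLUDE / $GENERATE).
"""
import re

# Constructed sample input, reduced from the named.conf in the post.
NAMED_CONF = '''
options { directory "/var/named"; recursion yes; allow-query { any; }; };
zone "mydns.example.com" {
    type master;
    file "mydns.example.com.zone";
    allow-update{none;};
};
zone "subzone.mydns.example.com" {
    type forward;
    forwarders { 192.168.0.4; };
};
'''

# Parent zone as posted: no delegation for "subzone".
ZONE_AS_POSTED = '''
$TTL 1
$ORIGIN mydns.example.com.
@ IN SOA mydns.example.com. root.mydns.example.com. (
        2003080800 ; serial
        60 60 60 60 )
@ IN NS mydns.example.com.
'''

# Same zone with the delegation added (serial bumped). ns1.internal. is
# out-of-bailiwick, so no glue A record belongs here; the address the
# forwarder is reached at comes from the "forwarders" list in named.conf.
ZONE_DELEGATED = ZONE_AS_POSTED.replace("2003080800", "2003080801") + '''
subzone IN NS ns1.internal.
'''

ZONE_STANZA = re.compile(r'\bzone\s+"([^"]+)"\s*\{')
AUTHORITATIVE = ("master", "primary", "slave", "secondary")


def absolute(name, origin):
    """Turn a zone-file owner name into a lower-case absolute name."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else (name + "." + origin).lower()


def parse_named_conf(text):
    """Return {zone name: {type, file, forwarders}} for every zone stanza."""
    zones = {}
    for m in ZONE_STANZA.finditer(text):
        depth, i = 1, m.end()
        while depth:                                  # find the matching '}'
            depth += (text[i] == "{") - (text[i] == "}")
            i += 1
        body = text[m.end():i - 1]
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        zfile = re.search(r'\bfile\s+"([^"]+)"', body)
        fwd = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
        zones[m.group(1).rstrip(".").lower()] = {
            "type": ztype.group(1) if ztype else None,
            "file": zfile.group(1) if zfile else None,
            "forwarders": [f.strip() for f in fwd.group(1).split(";") if f.strip()] if fwd else [],
        }
    return zones


def zone_ns_owners(text, zone_name):
    """Return the absolute owner names that carry NS records in a zone file."""
    origin = zone_name.rstrip(".") + "."
    owners, last_owner, buf, depth, continued = set(), None, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                   # strip comments
        if not buf:                                   # first line of a record:
            continued = raw[:1] in (" ", "\t")        # owner omitted => previous owner
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                                 # record continues on next line
            continue
        rec, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
        if not rec:
            continue
        if rec[0] == "$ORIGIN":
            origin = absolute(rec[1], origin)
            continue
        if rec[0].startswith("$"):                    # $TTL and friends
            continue
        owner = last_owner if continued else rec[0]
        rec = rec if continued else rec[1:]
        last_owner = owner
        while rec and (rec[0].isdigit() or rec[0].upper() in ("IN", "CH", "HS")):
            rec = rec[1:]                             # optional TTL / class
        if rec and rec[0].upper() == "NS" and owner is not None:
            owners.add(absolute(owner, origin))
    return owners


def undelegated_forward_zones(zones, zone_files):
    """List forward zones sitting under a local authoritative zone that has no
    NS delegation for them. zone_files maps zone file name -> file text."""
    findings = []
    for name, z in zones.items():
        if z["type"] != "forward":
            continue
        labels = name.split(".")
        parent = next((".".join(labels[i:]) for i in range(1, len(labels))
                       if zones.get(".".join(labels[i:]), {}).get("type") in AUTHORITATIVE), None)
        if parent is None:
            continue      # nothing authoritative above it: forwarding applies as-is
        pfile = zones[parent]["file"]
        if pfile in zone_files and name + "." in zone_ns_owners(zone_files[pfile], parent):
            continue      # delegated: the lookup refers, recursion reaches the forwarder
        findings.append(f'forward zone "{name}" is under authoritative zone "{parent}", '
                        f'which has no NS delegation for it: queries get NXDOMAIN from '
                        f'"{parent}" and forwarders {z["forwarders"]} are never asked')
    return findings


if __name__ == "__main__":
    conf = parse_named_conf(NAMED_CONF)
    for label, zf in (("as posted", ZONE_AS_POSTED), ("delegated", ZONE_DELEGATED)):
        print(label, undelegated_forward_zones(conf, {"mydns.example.com.zone": zf}) or "OK")
```

Run against the zone file as posted, the check reports the forward zone as undelegated; with the `subzone IN NS ns1.internal.` line added it passes. After such a change, bump the SOA serial, run `named-checkzone mydns.example.com /var/named/mydns.example.com.zone`, reload, and confirm with `dig @192.168.0.5 subzone.mydns.example.com NS` that the answer now comes from the forwarder rather than the parent's SOA.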
