Question

I'm using Bind9 as the DNS server for my office.

We have a zone: example.com. which has to be resolved from our DNS server as authoritative.

On the other hand, we have a sub.example.com. zone, which has to be forwarded to other DNS server.

Bind answers properly when we query for any record at the example.com. zone. But it fails for queries about sub.example.com. as it doesn't do the forwarding. It keeps on looking for the answer locally.

This is the named.conf file

zone "sub.example.com" IN {
        type forward;
        forwarders { 172.21.238.229; 172.21.238.230; };
        forward only;
};

zone "example.com" {
        type master;
        forwarders {};
        file "/etc/named/example.com.db";
};

This is the example.com.db file content:

$ORIGIN example.com.
$TTL 1W
@   IN  SOA     dnsldes.example.com. postmaster.example.com. (
                               6            ; serial number
                               3600         ; refresh   [1h]
                               600          ; retry     [10m]
                               86400        ; expire    [1d]
                               3600 )       ; min TTL   [1h]
;


      IN     NS      dnsldes.example.com.

bdred           IN      A       172.22.2.150
dnsldes IN      A       172.21.229.159

This is the output for the bdred.example.com query using the dig client (which is ok):

; <<>> DiG 9.8.1-P1 <<>> bdred.sub.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9764
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bdred.sub.example.com.         IN      A

;; AUTHORITY SECTION:
example.com.            3600    IN      SOA     dnsldes.example.com. postmaster.example.com. 6 3600 600 86400 3600

;; Query time: 4 msec
;; SERVER: 172.21.229.159#53(172.21.229.159)
;; WHEN: Mon Mar 11 12:55:02 2013
;; MSG SIZE  rcvd: 94

And this is the answer for the dig query, which is not working properly:

; <<>> DiG 9.8.1-P1 <<>> bdred.sub.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26555
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bdred.sub.example.com.         IN      A

;; AUTHORITY SECTION:
example.com.            3600    IN      SOA     dnsldes.example.com. postmaster.example.com. 6 3600 600 86400 3600

;; Query time: 4 msec
;; SERVER: 172.21.229.159#53(172.21.229.159)
;; WHEN: Mon Mar 11 13:09:07 2013
;; MSG SIZE  rcvd: 94

Please, what are we doing wrong?


Solution

The solution is not to create a zone in named.conf. The solution is to use zone delegation as follows:

$ORIGIN example.com.
$TTL 1W
@   IN  SOA     dnsldes.example.com.  postmaster.example.com. (
                               6            ; serial number
                               3600         ; refresh   [1h]
                               600          ; retry     [10m]
                               86400        ; expire    [1d]
                               3600 )       ; min TTL   [1h]
;


      IN     NS      dnsldes.example.com.


dnsldes IN  A   XXX.XXX.XXX.XXX
bahamas IN  CNAME   bdred



; Delegations and Glue
$ORIGIN sub.example.com.
@       IN      NS      lmzdns1.sub.example.com.
        IN      NS      lmzdns2.sub.example.com.

lmzdns1 IN      A       XXX.XXX.XXX.XXX
lmzdns2 IN      A       XXX.XXX.XXX.XXX

OTHER TIPS

This is a subdomain delegation problem:

Add NS records to your zone’s data file delegating the subdomain to the name server.

Example:

Domain: one.domain Subdomain: sub.one.domain

I need to resolve sub.one.domain only with the google public dns.

To delegate the sub.one.domain to the name server externalns.one.domain, you can add this NS record to the one.domain zone data file:

sub.one.domain.    IN    NS    externalns.one.domain.

You’ll also need to add an A record for externalns.one.domain:

externalns.one.domain.    IN    A    8.8.8.8
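Both the accepted solution (delegation plus glue in the parent zone) and the tip above hinge on two details that are easy to get wrong by hand: every in-bailiwick NS target needs an address record in the parent zone, and an owner name without a trailing dot is relative to $ORIGIN. The following is an added example, not code from the question or from any answer: a minimal hand-rolled zone-file reader (it handles $ORIGIN, $TTL, comments, parenthesised SOA continuation and inherited owner names, but not $INCLUDE, $GENERATE or quoted TXT strings; it is not BIND's parser) and a delegation check run over two constructed zones, one modelled on the solution's example.com zone with RFC 5737 documentation addresses, the other reproducing the missing trailing dot.

```python
"""Check a parent zone's delegation of a subzone (added example, minimal parser)."""


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified, dot-terminated name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError(f"relative name {name!r} before any $ORIGIN")
    return f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return a list of (owner, rtype, rdata_tokens) with qualified owner names."""
    records, last_owner, buf, depth = [], None, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if depth == 0:
            if not line.strip():
                continue
            buf = line  # keep leading whitespace: it signals an inherited owner
        else:
            buf += " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside a ( ... ) continuation
        stmt = buf.replace("(", " ").replace(")", " ")
        if stmt.startswith("$ORIGIN"):
            origin = qualify(stmt.split()[1], origin)
            continue
        if stmt.startswith("$"):
            continue  # $TTL and other directives do not matter for this check
        toks = stmt.split()
        owner = last_owner if stmt[0].isspace() else qualify(toks.pop(0), origin)
        last_owner = owner
        while toks and (toks[0].upper() == "IN" or toks[0][0].isdigit()):
            toks.pop(0)  # optional TTL and class fields precede the type
        if toks:
            records.append((owner, toks[0].upper(), toks[1:]))
    return records


def check_delegation(records, parent, subzone):
    """Return a list of problems with the delegation of subzone inside parent."""
    problems = []
    ns_targets = [rd[0] for own, rt, rd in records if own == subzone and rt == "NS"]
    if not ns_targets:
        problems.append(f"no NS records delegating {subzone}")
    addr_owners = {own for own, rt, _ in records if rt in ("A", "AAAA")}
    for target in ns_targets:
        # A name server inside the parent's namespace needs an address record
        # in this zone; a name server elsewhere is resolved through its own zone.
        if target.endswith("." + parent) and target not in addr_owners:
            problems.append(f"missing glue A/AAAA record for {target}")
    for own, _, _ in records:
        # "host.example.com" without a trailing dot becomes host.example.com.example.com.
        if own[:-len(parent)].endswith(parent):
            problems.append(f"suspicious owner {own}: trailing dot probably missing")
    return problems


# Constructed sample modelled on the accepted answer's zone (documentation addresses).
GOOD_ZONE = """\
$ORIGIN example.com.
$TTL 1W
@       IN  SOA dnsldes.example.com. postmaster.example.com. (
            6 3600 600 86400 3600 )
        IN  NS  dnsldes.example.com.
dnsldes IN  A   192.0.2.10
; Delegations and Glue
$ORIGIN sub.example.com.
@       IN  NS  lmzdns1.sub.example.com.
        IN  NS  lmzdns2.sub.example.com.
lmzdns1 IN  A   192.0.2.21
lmzdns2 IN  A   192.0.2.22
"""

# Constructed sample reproducing the trailing-dot slip: the A owner is relative.
BAD_ZONE = """\
$ORIGIN one.domain.
$TTL 1D
@   IN SOA ns1.one.domain. hostmaster.one.domain. ( 1 3600 600 86400 3600 )
    IN NS  ns1.one.domain.
ns1 IN A   192.0.2.1
sub.one.domain.        IN NS externalns.one.domain.
externalns.one.domain  IN A  8.8.8.8
"""

if __name__ == "__main__":
    for zone, parent, sub in ((GOOD_ZONE, "example.com.", "sub.example.com."),
                              (BAD_ZONE, "one.domain.", "sub.one.domain.")):
        print(sub, check_delegation(parse_zone(zone), parent, sub) or ["ok"])
```

Run against a real zone file, the check complements `named-checkzone`, which validates syntax but will not tell you that a delegation is missing its glue or that an owner name silently landed under the wrong origin.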

Regarding my experience and tests, when you want to forward a subzone while your server is authoritative for the parent zone, you must:

  • Declare the subzone you want to forward in your named.conf as a forward zone type
  • Add to the parent zone the NS records for the name server you will forward that subzone to

With that configuration, your server will send a recursive request to the forwarders list you set in the subzone declaration in named.conf.

If you only add the NS records without declaring the zone as a forward zone in named.conf, you delegate the zone and your DNS server will send an iterative request.

If you only declare the subzone as a forward zone type in named.conf (and the parent zone is authoritative on your server), forwarding will not work.

Note: you can check whether the query is iterative or recursive by performing a traffic capture; it is visible in the flags section (DNS->Flags->Recursion Desired).

Choosing delegation or forwarding can change the DNS request flow / DNS architecture a lot (recursive or iterative DNS requests).
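The capture check in the note above comes down to one bit in the DNS header. As an added example (not code from the question or any answer), the following Python builds two constructed wire-format queries for the name from the question, one with the RD bit set and one without, decodes the header the way a capture tool would, and also decodes a constructed response header carrying the same flags the question's dig output shows (qr aa rd ra, status NXDOMAIN). The encoder and decoder are hand-rolled and minimal; nothing is sent on the network.

```python
"""Decode DNS header flags to tell a recursive query from an iterative one."""
import struct

# Bit positions in the 16-bit flags word (RFC 1035, section 4.1.1).
FLAG_QR = 1 << 15
FLAG_AA = 1 << 10
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035, section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = decode_name(msg, pointer)
            return ".".join(labels + [suffix.rstrip(".")]) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, txid=0x1234, rd=True, qtype=1):
    """Build a minimal A query; rd=True is what a stub resolver or dig sends by default."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def sample_nxdomain_response():
    """Constructed response header mirroring the question's dig output: id 9764,
    flags qr aa rd ra, rcode 3 (NXDOMAIN), one question, one authority record.
    The SOA record body is omitted; classify() only reads header and question."""
    header = struct.pack("!HHHHHH", 9764, 0x8583, 1, 0, 1, 0)
    return header + encode_name("bdred.sub.example.com") + struct.pack("!HH", 1, 1)


def classify(msg):
    """Return the header fields of interest plus 'recursive' (RD set) or 'iterative'."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, _ = decode_name(msg, 12) if qdcount else (None, 12)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x0F,
        "nscount": nscount,
        "qname": qname,
        "kind": "recursive" if flags & FLAG_RD else "iterative",
    }


if __name__ == "__main__":
    for rd in (True, False):
        query = build_query("bdred.sub.example.com", rd=rd)
        print(query.hex(), classify(query))
    print(classify(sample_nxdomain_response()))
```

With a forward zone in named.conf, the query your server emits towards the forwarders carries RD; with a plain delegation it walks the referral itself and the query towards the delegated name servers has RD clear. Feeding the raw UDP payload from a capture to classify() shows which of the two you are looking at.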

Licensed under: CC-BY-SA with attribution