I have a Windows AD domain: contoso.local.
I want to forward all requests to some.contoso.local to another DNS server through a forwarding DNS server:
contoso.Local.DNS => Proxy.DNS => some.contoso.local.DNS
I cannot allow direct forwarding from contoso.Local.DNS => some.contoso.local.DNS for some reason. Proxy.DNS is required.
The Proxy.DNS is a simple Bind9 machine with this config (partial):
zone "some.contoso.local" {
    type forward;
    forward only;
    forwarders { 1.2.3.4; };
};
On contoso.Local.DNS there is an NS record saying some.contoso.local NS ip.of.Proxy.DNS
Problem:
- When I query a.some.contoso.local directly through Proxy.DNS, all is OK.
- When I query a.some.contoso.local through contoso.Local.DNS, the query fails.
The reason, I think, is that contoso.Local.DNS sends the query to Proxy.DNS with flags = 0x0000, and the nslookup client sets flags = 0x0100. This bit means "Allow recursive request".
Can I somehow override this problem either to
- tell Windows DNS to set the "Allow recursive request" bit, or to
- make Bind9 ignore that this bit is not set,
- or any other way?
Following the NS record is part of recursive resolution -- so at this point it has already been decided that contoso.local.DNS is going to be the recursive resolver responsible for the entire query. So the query being sent out is not the final query, but rather the next step, and the proxy would not be able to know what the client wants. At the same time, forward-only servers do not expect queries with "recursion desired" clear, since all they can do is forward to another (recursive) server, which may or may not be authoritative for the current query -- but queries as part of a recursive lookup always need to be directed at a server that is authoritative.
Since a forward-only server is never authoritative, it needs to reject non-recursive queries; that is what you are seeing -- but altering the flag isn't sufficient.
[Answering myself] You should create both: an NS record and a conditional forwarder.
First you create an NS record for some.contoso.local on contoso.local.DNS (on Windows Server: right-click on the zone name -> New Delegation ...) and specify the name of the some.contoso.local.DNS server (the real master of this zone). This will guarantee that in case of zone transfers of the contoso.local zone, the secondary server will receive the information that some.contoso.local is hosted by some.contoso.local.DNS and will avoid answers like "no such host". To avoid validation (if the some.contoso.local.DNS server is not accessible from contoso.local.DNS) you should create this record through PowerShell. At this step, if you're not using a proxy, it's finished. Windows DNS will automatically forward to the NS specified, but those queries will be non-forwardable.
If you need to forward queries not directly to the NS server but through a proxy, see the next step.
Second: only if the first step is done, the Windows Server DNS MMC Snap-In will allow you to create a conditional forwarder for zone some.contoso.local to ANY server you want. You write here the forwarder Proxy.DNS. This will solve the problem of the some.contoso.local.DNS server being inaccessible from the contoso.local.DNS server: all queries will be forwarded unmodified this way: Client => contoso.Local.DNS => Proxy.DNS => some.contoso.local.DNS
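The two steps of this answer (delegation created from PowerShell so the wizard's reachability check is skipped, then a conditional forwarder to the proxy) written out as a script; this is an added example, not part of the original answer, and the server name ns1.some.contoso.local and the 10.0.0.x addresses are assumed placeholders.

```powershell
# Added example (not from the original answer). Assumed placeholders:
#   contoso.local           - the parent AD zone hosted on this Windows DNS server
#   ns1.some.contoso.local  - the real master of some.contoso.local, at 10.0.0.20
#   10.0.0.10               - Proxy.DNS, the forward-only Bind9 box
Import-Module DnsServer

$parentZone   = 'contoso.local'
$child        = 'some'
$childZone    = "$child.$parentZone"
$realMaster   = "ns1.$childZone"
$realMasterIP = '10.0.0.20'
$proxyIP      = '10.0.0.10'

# Step 1: delegation (NS record plus glue A record) for some.contoso.local.
# Creating it here instead of the MMC "New Delegation" wizard avoids the
# wizard's validation, so it works even when $realMaster is unreachable
# from this server. Secondaries receiving contoso.local by zone transfer
# then learn who hosts the child zone instead of answering "no such host".
$existingNS = Get-DnsServerResourceRecord -ZoneName $parentZone -Name $child `
    -RRType NS -ErrorAction SilentlyContinue
if (-not $existingNS) {
    Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $child `
        -NameServer $realMaster -IPAddress $realMasterIP
}

# Step 2: conditional forwarder for the same name, pointing at Proxy.DNS.
# Lookups for some.contoso.local on this server now go to the proxy, and
# forwarded queries are sent with "recursion desired" set, which is what
# a forward-only Bind9 zone needs (unlike the RD=0 delegation lookups).
$existingZone = Get-DnsServerZone -Name $childZone -ErrorAction SilentlyContinue
if (-not $existingZone) {
    Add-DnsServerConditionalForwarderZone -Name $childZone `
        -MasterServers $proxyIP -ReplicationScope 'Forest'
}

# Check the resulting path: Client => this server => Proxy.DNS => real master
Get-DnsServerZone -Name $childZone | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "a.$childZone" -Server 'localhost' -Type A
```

Run on the Windows DNS server (or with RSAT against it via -ComputerName on each cmdlet); use -ReplicationScope 'Domain' or omit it for a non-AD-integrated forwarder.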