I have:
- an internal DNS server ns1.internal with IP 192.168.0.4.
- an external DNS server with an external TLD mydns.example.com and internal IP 192.168.0.5. It's accessible both from the Internet (via a static NAT rule) and from the local network.
I'm trying to set up my external DNS server to forward the zone subzone.mydns.example.com to the internal DNS server. The internal DNS server is authoritative for this zone.
Important: I can't modify the internal DNS server configuration. I can read it, however, if that's needed to diagnose the issue.
File /etc/named.conf on the external DNS server:

    options {
        directory "/var/named";
        version "get lost";
        recursion yes;
        allow-transfer {"none";};
        allow-query { any; };
        allow-recursion { any; };
    };
    logging{
        channel example_log{
            file "/var/log/named/named.log" versions 3 size 2m;
            severity info;
            print-severity yes;
            print-time yes;
            print-category yes;
        };
        category default{
            example_log;
        };
    };
    // Zones:
    zone "mydns.example.com" {
        type master;
        file "mydns.example.com.zone";
        allow-update{none;};
    };
    zone "subzone.mydns.example.com" {
        type forward;
        forwarders { 192.168.0.4; };
    };
File /var/named/mydns.example.com.zone on the external DNS server:

    $TTL 1
    $ORIGIN mydns.example.com.
    @ IN SOA mydns.example.com. root.mydns.example.com. (
        2003080800 ; se = serial number
        60         ; ref = refresh
        60         ; ret = update retry
        60         ; ex = expiry
        60         ; min = minimum
    )
    @ IN NS mydns.example.com.
So, now I try to resolve some DNS records. The external server zone seems to work.
workstation$ dig mydns.example.com NS +tcp +short
mydns.example.com.
But the forwarded zone does not work:
workstation$ dig subzone.mydns.example.com NS +tcp
; <<>> DiG 9.8.1-P1 <<>> subzone.mydns.example.com NS +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36887
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;subzone.mydns.example.com. IN NS
;; AUTHORITY SECTION:
mydns.example.com. 1 IN SOA mydns.example.com. root.mydns.example.com. 2003080800 60 60 60 60
;; Query time: 3 msec
;; SERVER: 91.144.182.3#53(91.144.182.3)
;; WHEN: Thu Jul 19 17:27:54 2012
;; MSG SIZE rcvd: 108
The results are identical when these commands are executed on a remote Internet host and on an internal host.
If I try to resolve subzone.mydns.example.com. from the external name server AND specify the internal server explicitly, I get:
mydns$ dig @192.168.0.4 subzone.mydns.example.com NS
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @192.168.0.4 subzone.mydns.example.com NS
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 87
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; QUESTION SECTION:
;subzone.mydns.example.com. IN NS
;; ANSWER SECTION:
subzone.mydns.example.com. 3600 IN NS ns1.internal.
;; ADDITIONAL SECTION:
ns1.internal. 3600 IN A 192.168.0.4
;; Query time: 613 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Thu Jul 19 18:20:55 2012
;; MSG SIZE rcvd: 163
What's wrong? How do I configure the forwarding DNS zone to work as I expect?
Add a 'forward only;' statement to the forwarded zone:
I did that, and one step more: the first one mentioned by @brandon-xavier:
and the new one:
But I don't know why it is necessary...
You have to configure the A RR for the NS "subzone.mydns.example.com." on your external DNS. It's called a "glue record" and will correspond to the IP of your internal DNS. Currently, your external DNS is not capable of knowing the IP of the internal DNS. Regards
If the zone being forwarded to is an Active Directory domain, then you may also need to configure dnssec-validation to no. The default is auto.
/etc/bind/named.conf.options
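Putting the answers together, this is what the external server's two files look like once the forward zone is told to use only the forwarder and the parent zone carries a delegation with glue. It is an added example, not the asker's or the answerers' configuration; names and the address 192.168.0.4 come from the question, while the delegation host name ns1.subzone and the bumped serial are assumptions. The reason the delegation is needed: the external server is authoritative for mydns.example.com, so without an NS record for subzone it answers NXDOMAIN from its own zone data and never recurses, and the forward zone is only consulted when recursion happens.

```conf
// ---- /etc/named.conf (added example, not the poster's file) ----
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    // Internet clients need recursion here to get forwarded answers for the
    // subzone; this is also what makes the host an open resolver, so keep
    // "allow-query" / rate limiting in mind on a public address.
    allow-recursion { any; };
    // Only if the internal zone is an Active Directory domain that fails
    // validation (see the last answer); the default "auto" is otherwise fine.
    // dnssec-validation no;
};

zone "mydns.example.com" {
    type master;
    file "mydns.example.com.zone";
    allow-update { none; };
};

zone "subzone.mydns.example.com" {
    type forward;
    // "only": if 192.168.0.4 does not answer, return SERVFAIL instead of
    // iterating via the delegation, whose NS (ns1.internal) is a private host
    // that Internet clients cannot reach anyway.
    forward only;
    forwarders { 192.168.0.4; };
};

; ---- /var/named/mydns.example.com.zone (zone-file syntax, ';' comments) ----
$TTL 1
$ORIGIN mydns.example.com.
@            IN SOA mydns.example.com. root.mydns.example.com. (
                 2012071901 ; serial: must increase or the reload keeps old data
                 60 60 60 60 )
@            IN NS  mydns.example.com.

; Delegation of the subzone plus glue: the NS name lives inside the subzone,
; so its A record (the "glue record" from the answer) belongs in this file.
; ns1.subzone is an assumed name; 192.168.0.4 is the internal server.
subzone      IN NS  ns1.subzone
ns1.subzone  IN A   192.168.0.4
```

Check both files with `named-checkconf /etc/named.conf` and `named-checkzone mydns.example.com /var/named/mydns.example.com.zone` before `rndc reload`, then repeat the `dig subzone.mydns.example.com NS` query from the question against the external server.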