  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 518

DNS local + forwarding

I have a DNS server which must be a master for its local domain and should forward to another given host all the DNS queries that are not related to its domain.

I wrote this named.conf file:

options {
    directory "/var/named";
    forward first;
    forwarders {
        10.10.10.254;
    };
};
zone "mydom" {
    type master;
    file "named.mydom";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
zone "30.10.10.in-addr.arpa" {
    type master;
    file "named.rev.30.10.10";
};

10.10.10.254 is the higher-level DNS to which requests should be sent.

Local domain (10.10.30.0) works fine.

Thank you in advance.
Livio
0
1 Solution
 
jlevie commented:
If you want the local DNS server to always forward requests for data that it doesn't already have in cache or isn't authoritative for you need the configuration to include a "forward only" directive, like so:

options {
...
  forwarders { 10.10.10.254; };
  forward only;
...
};

In what you show in the question you have the "forward first" and "forwarders" directives in opposite order to what I know to work. If forwarding of DNS requests isn't working at present, try swapping the order of those lines. Also, per the question, I don't see where you've told bind to issue queries on port 53. Any time there is a firewall between your nameserver and the Internet you need that enabled on late versions of bind (8.x & later) in order to query Internet nameservers. Since you reference private address ranges there is likely a firewall in your path and the options should look like:

options {
  ...
  forwarders { 10.10.10.254; };
  forward only;
  query-source address * port 53;
  ...
};

There are two things to keep in mind with respect to the use of forwarders. One is that the local copy of bind will only forward requests for things it isn't authoritative for. That means that you could not have the local bind be authoritative for some-domain.tld and expect it to forward requests to an upstream DNS that is also authoritative for some-domain.tld, even if the local bind doesn't have all of the data for some-domain.tld. You can, however, have the local DNS be authoritative for sub.some-domain.tld and have it forward requests to the nameserver for some-domain.tld for things that aren't in sub.some-domain.tld.

The other thing to keep in mind is that bind will only wait for a short time for a response from the upstream DNS if you aren't using "forward only". If the response isn't received within that time period the local copy of bind will attempt to access the Internet for the data. Using "forward only" will force the local bind to wait for the response from the upstream DNS and it will never attempt to contact an Internet nameserver.
0
 
livio (Author) commented:
There is no firewall. If I set it up to connect to the root servers it works.

I got this message in the log/messages when I start it:
 No root nameservers for class IN  

Thank you, Jlevie.
0
 
jlevie commented:
I don't see a root nameservers zone definition in your question. Regardless of whether the server is to forward or not, you need that zone for bind to operate properly, and it should look something like:

zone "." {
        type hint;
        file "named.root";
};

Where "named.root" contains the list of all of the root servers.
0
 
livio (Author) commented:
Jlevie, after adding the root nameserver zone it works, but with this configuration is it using the root nameservers or the forward nameserver?

Why do I have to add the root nameservers if it does not use them?

Thank you very much.

Livio
0
 
jlevie commented:
Using the "forward first" directive, Bind must have the list of root servers, as it will contact the root servers if it doesn't promptly get a reply from the forwarder. Also, I'm reasonably certain that you have to have a hints file even if you use "forward only". If you want to be sure that this copy of bind doesn't attempt to contact Internet nameservers, change "forward first" to "forward only".
0
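The three points raised across jlevie's answers (forwarders need "forward only" to stop fallback to the root servers, the root hint zone is required regardless, and the fixed query-source port) can be checked mechanically before restarting named. The following is an added example written for this page; it is not part of the thread and not BIND's own code. It uses a minimal hand-written reader for the named.conf subset seen here (not BIND's parser), and the three configurations are constructed from the question and the answers. One caveat a practitioner would want on jlevie's `query-source address * port 53` line: on current BIND versions it pins every outgoing query to one source port, which removes source-port randomisation, a standard defence against cache poisoning, so the port should be left unspecified unless the firewall genuinely requires a fixed one.

```python
import re

# Constructed sample (not from BIND): the named.conf posted in the question,
# with each block flattened to one line.
ORIGINAL_CONF = """
options {
    directory "/var/named";
    forward first;
    forwarders { 10.10.10.254; };
};
zone "mydom" { type master; file "named.mydom"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "30.10.10.in-addr.arpa" { type master; file "named.rev.30.10.10"; };
"""

# Constructed sample: the same server with the thread's advice applied
# ("forward only" plus a root hint zone).
FIXED_CONF = """
options {
    directory "/var/named";
    forwarders { 10.10.10.254; };
    forward only;
};
zone "." { type hint; file "named.root"; };
zone "mydom" { type master; file "named.mydom"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "30.10.10.in-addr.arpa" { type master; file "named.rev.30.10.10"; };
"""

# Constructed sample: the fixed configuration plus the fixed outgoing port
# that was suggested for hosts behind a firewall.
FIXED_PORT_CONF = FIXED_CONF.replace(
    "    forward only;\n", "    forward only;\n    query-source address * port 53;\n"
)


def strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_after(text, start):
    """Return (body, end) for the brace block opening at or after `start`,
    honouring nested braces such as forwarders { ... } inside options."""
    open_idx = text.index("{", start)
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i], i + 1
    raise ValueError("unbalanced braces in named.conf")


def parse_named_conf(text):
    """Minimal hand-written reader (assumption: only options and zone blocks
    matter). Returns the options body and a dict of zone name -> zone body."""
    text = strip_comments(text)
    options, zones, pos = "", {}, 0
    head = re.compile(r'\b(options|zone)\b\s*(?:"([^"]*)")?')
    while True:
        m = head.search(text, pos)
        if not m:
            return options, zones
        body, pos = block_after(text, m.end())
        if m.group(1) == "options":
            options = body
        else:
            zones[m.group(2)] = body


def forwarding_findings(conf_text):
    """Check the three points from the thread; return a list of findings."""
    options, zones = parse_named_conf(conf_text)
    findings = []
    uses_forwarders = re.search(r"\bforwarders\s*\{", options) is not None
    mode = re.search(r"\bforward\s+(first|only)\s*;", options)
    mode = mode.group(1) if mode else None
    hints = [name for name, body in zones.items()
             if re.search(r"\btype\s+hint\s*;", body)]
    if "." not in hints:
        findings.append('missing root hint zone: add zone "." { type hint; ... }')
    if uses_forwarders and mode != "only":
        findings.append('forwarders without "forward only": unanswered forwarder '
                        "queries fall back to direct resolution via the root servers")
    port = re.search(r"\bquery-source\b[^;]*\bport\s+(\d+)", options)
    if port:
        findings.append("query-source port %s is fixed: the outgoing source port is "
                        "predictable, so source-port randomisation is lost" % port.group(1))
    return findings


if __name__ == "__main__":
    for label, conf in (("question", ORIGINAL_CONF), ("fixed", FIXED_CONF),
                        ("fixed + port 53", FIXED_PORT_CONF)):
        print(label, forwarding_findings(conf) or ["ok"])
```

Run as a script it reports two findings for the question's configuration (no hint zone, "forward first"), none for the corrected one, and one for the variant with the pinned port. The brace-matching reader is the piece worth keeping: a regex over the whole file would be fooled by the forwarders block nested inside options.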
