Solved

CNAME setup to point to External Domain - BIND9

Posted on 2014-09-11
Last Modified: 2014-09-12
I need help with the syntax to set up a CNAME that points to an external domain that we are not authoritative for, if that makes a difference.

I'm using the explicit $ORIGIN statement.

If I put a period at the end of the name in the left-hand column, the zone won't load.

But if I leave it off, it loads, but I'm thinking I end up with mydomain.org.mydomain.org and www.mydomain.org.mydomain.org.

And should I comment out the lines for the A records?

Err Msg:

root@nameserver:/etc/bind# named-checkzone mydomain.org zone-mydomain.org

dns_master_load: zone-mydomain.org:36: mydomain.org: CNAME and other data
dns_master_load: zone-mydomain.org:36: mydomain.org: CNAME and other data
dns_master_load: zone-mydomain.org:36: mydomain.org: CNAME and other data
dns_master_load: zone-mydomain.org:36: mydomain.org: CNAME and other data
zone mydomain.org/IN: loading from master file zone-mydomain.org failed: CNAME and other data
zone mydomain.org/IN: not loaded due to errors.

; NAMED Configuration for www_mydomain_com Domain
;
$TTL 6h
$ORIGIN domain_com_
@      IN      SOA      dns_server_domain_org_ postmaster_domain_org_ (
                        2014090902      ; serial
                        3h            ; refresh
                        1h            ; retry
                        1w            ; expire
                        1d )           ; minimum
;
;name servers
;
            IN      NS      dns_server_domain_org_
            IN      NS      ns1_secondarynameservers_net_
            IN      NS      ns2_secondarynameservers_net_
            IN      NS      ns3_secondarynameservers_net_
;
;should I comment out this line?
            IN      A      192_168_1_55
;

            IN      MX 5      mailserver_mydomain_org_
;
;

www            IN      A      192_168_1_55
            

*_www_domain_org_ IN      A      192_168_1_55

;      Aliases

mydomain_org       IN CNAME   vendor_domain_xxx_com_
www_mydomain_org   IN CNAME   vendor_domain_xxx_com_
*_mydomain_org     IN CNAME *_vendor_domain_xxx_com_
*_www_mydomain_org IN CNAME *_vendor_domain_xxx_com_
Question by:mobot
Expert Comment

by:Kent W
The period needs to go at the end of the host you are directing the CNAME to.

Let's say I wanted to redirect my www.domain.com to www.google.com.

www     IN CNAME    www.google.com.    <PERIOD GOES HERE.

If you are pointing a host via CNAME, you shouldn't have an A record for it.

Author Comment

by:mobot
The underscores represent a period. My apologies for not pointing that out. I had posted up on another site that didn't accept URLs. And I do understand where the periods go. What puzzles me is when I put the period at the end of the left-hand column the zone doesn't load. I have other zones that work just fine that way.

The difference between them and this zone file is we're authoritative for all the other domains. In this instance I'm trying to create a CNAME record that redirects www.mydomain.org to www.vendordomain.com. And we're not authoritative for www.vendordomain.com.

So let me ask you, does not being authoritative for the vendor domain matter?  Should I still be able to create that CNAME record anyway and have it work?  Also note I tried it with and without the A record and it didn't make a difference.  When I had the period after .org it always threw that err msg.

My line in the zone file: www.mydomain.org.  IN  CNAME  www.vendordomain.com.

Err msg:
user@nameserver:/etc/bind# named-checkzone mydomain.org zone-mydomain.org

dns_master_load: zone-mydomain.org:36: mydomain.org: CNAME and other data
zone mydomain.org/IN: loading from master file zone-mydomain.org failed: CNAME and other data
zone mydomain.org/IN: not loaded due to errors.

Accepted Solution

by:Kent W (earned 500 total points)
In your zone file, if you do NOT place a period after a resource, it WILL append @origin.
A period means DON'T append my origin.  Within your record, you should refrain from explicitly naming your @origin.
So instead of
www.mydomain.org. IN CNAME www.vendorname.com.

Your entries to make this work are -

@origin (assumed to be "mydomain.org".)

www IN CNAME www.vendordomain.com.
 
The ending period is very important here, or it will become www.vendordomain.com.mydomain.org.

I suspect what may be happening is you have an A record for www, elsewhere, or are cname-ing www to your @origin already.  Any other resource record entries for "www" would make the www CNAME fail.

So, if you already have a
www IN A ip.add.ress
or
www IN CNAME @origin

Then you will have to ditch the www for your new CNAME and use something like
www2 IN CNAME www.vendordomain.com.
unless you are good with ditching your other A/CNAME for www.

If you are still getting errors, grab some entries from your /var/log/messages or wherever you have bind dumping logs to.

Probably the most important thing -
You would want the left column to be www, not "www.mydomain.org."... While it technically may work, you are bypassing what your @origin is there for.
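As an added example (not code from the thread, from BIND, or from the answer above), the following Python models the two rules the accepted answer relies on: any owner or target name without a trailing dot gets $ORIGIN appended, and an owner that holds a CNAME may carry no other record type, which is exactly what named-checkzone reports as "CNAME and other data". The zone text, host names and 192.0.2.x address are constructed placeholders, and only single-line records with the $ORIGIN directive are modelled.

```python
# Added example, not code from the thread or from BIND; applies the RFC 1034 section 3.6.2 rule.
from collections import defaultdict

def qualify(name, origin):
    """'@' is the origin; a trailing dot means absolute; otherwise append the origin."""
    origin = origin.rstrip(".").lower() + "."
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else name.lower() + "." + origin

def parse_zone(text, origin="."):
    """Return [(owner_fqdn, type, rdata)] for single-line records, tracking $ORIGIN."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():                           # owner omitted: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        if fields[0].upper() == "IN":                   # drop the class (TTL field not modelled)
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "CNAME":                            # the target is a name too: qualify it
            rdata = [qualify(rdata[0], origin)]
        records.append((qualify(owner, origin), rtype, " ".join(rdata)))
    return records

def cname_conflicts(records):
    """Owners with a CNAME plus any other RR type: what named-checkzone rejects."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)

BROKEN = """$ORIGIN mydomain.org.   ; constructed zone, placeholder names and addresses
@   IN SOA ns1.mydomain.org. postmaster.mydomain.org. 2014090902 3h 1h 1w 1d
www IN A  192.0.2.55
mydomain.org.     IN CNAME www.vendordomain.com.  ; apex already holds the SOA
www.mydomain.org. IN CNAME www.vendordomain.com   ; target lacks the trailing dot
"""
FIXED = """$ORIGIN mydomain.org.   ; constructed zone, placeholder names and addresses
@   IN SOA ns1.mydomain.org. postmaster.mydomain.org. 2014090902 3h 1h 1w 1d
www IN CNAME www.vendordomain.com.  ; relative owner, absolute target, www A removed
"""
```

Running cname_conflicts(parse_zone(BROKEN)) flags both the apex and www, and the www record's target comes out as www.vendordomain.com.mydomain.org., the doubled name the answer warns about; the FIXED zone yields no conflicts.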

Expert Comment

by:samri
Most of the time I would use:

mynewname.domain.com.  in cname     othername.otherdomain.com.

The above comment from mugojava seems very comprehensive.

Expert Comment

by:gheist
CNAME is not very stable. Especially, RFCs say it should be cached forever, so indeed you will break your nameservers in the same domain. Also, with a mail server a CNAME does not work at all.

You need to move e.g. your website and change DNS to the new parent, etc...

Expert Comment

by:Kent W
That is not correct. It causes two lookups, but that's the only issue. It's just like any other resource record: TTL is how you set cache times. TTL can also be set per record.

CNAME records don't have anything special that causes them to cache longer than other record types, other than not understanding that the cache time is ALSO on the corresponding A record or external host you are sending it to. If you have a certain time you want on TTL, set it on the A record also.

In the OP's case, I don't think he can control the external FQDN he's sending the www to. So there is no way he can really control the final destination's A record.
That also doesn't really matter unless the endpoint changes their IP address.

Expert Comment

by:gheist
If your DNS server is in the domain you "redirect" with a CNAME, you wipe yourself off the internet fairly quickly...

Expert Comment

by:Kent W
I'm not even sure what that means.  Got documentation to back that up?
I've never had a problem in over 20 years of admining BIND.

Expert Comment

by:gheist
RFC 1912, to start with.

Expert Comment

by:Kent W
I know that RFC.  What section exactly applies to what OP is trying to accomplish?

Define "wipe yourself off the internet"?  How, exactly?

While CNAMEs are not the best way to do things, sometimes they are required to meet an end goal.

Do you realize how many "non SOA" servers have CNAMEs to Google Apps resources? Millions, if not more, I would assume.

CNAME is much more "polite" than setting up a non-SOA A record to an IP.  In many instances, that won't even work if, say, the web server is using name-based vhosts (which most are).

Expert Comment

by:gheist
2.4 says CNAMEs can work only for individual A records and nothing else.

Expert Comment

by:Kent W
Your interpretation of that section is incorrect. You are confusing "should not co-exist" and actually stating the reverse of what that section outlines. If the resource you are CNAME-ing is in your SOA, that may be somewhat correct, but the OP is just redirecting to an external domain. It works, and works well, as most any Google Apps for Business user can tell you.

And I'll stop there, because this is just getting silly.

Expert Comment

by:gheist
Well, I hope one day you learn how your theory "works".

Expert Comment

by:Kent W
My "theory" has been working just fine for every corporate email I've set up with Gmail for biz.

I won't respond further to you.

Thanks

Expert Comment

by:gheist
So can you write a new RFC explaining that the old standards-compliant behaviour the asker is getting should be "fixed" somehow...

Author Closing Comment

by:mobot
Many thanks, truncating www.mydomain.org to just www solved the problem just as you pointed out.  These two links were also helpful.  I'm passing these along and hope they help out someone else.

http://www.zytrax.com/books/dns/ch8/cname.html
http://www.zytrax.com/books/dns/apa/dot.html