
BIND 9.8.2: forward zone not working


Gerry Reno

Mar 18, 2013, 8:27:14 PM
to bind-...@lists.isc.org
Using BIND 9.8.2

When you set up a Samba 4 AD DC using BIND9_DLZ and your domain has external servers (e.g. www, mail) at external providers, this means that the ISP and the internal network nameservers will both have an SOA record for the domain.

/etc/resolv.conf looks like this:

domain company.com
nameserver 192.168.2.105


/etc/named.conf contains:

forwarders { isp_nameservers; };
recursion yes;

What is the preferred way to forward DNS requests to the ISP nameservers in order to resolve the domain's external
servers without using BIND views?

I tried using a forward zone but it does not work in 9.8.2.

zone "www.company.com" {
type forward;
forward only;
forwarders { isp_nameservers; };
};


Everything resolves fine, both our domain and other external domains, with the exception of our domain's external servers (www, mail).

What do we need to get this forward zone working?

-Gerry


Drunkard Zhang

Mar 18, 2013, 8:32:17 PM
to Gerry Reno, maillist-bind
2013/3/19 Gerry Reno <gr...@verizon.net>:
> Using BIND 9.8.2
>
> When you set up a Samba 4 AD DC using BIND9_DLZ and your domain has external servers (e.g. www, mail) at external providers, this means that the ISP and the internal network nameservers will both have an SOA record for the domain.
>
> /etc/resolv.conf looks like this:
>
> domain company.com
> nameserver 192.168.2.105
>
>
> /etc/named.conf contains:
>
> forwarders { isp_nameservers; };
> recursion yes;
>
> What is the preferred way to forward DNS requests to the ISP nameservers in order to resolve the domain's external
> servers without using BIND views?
>
> I tried using a forward zone but it does not work in 9.8.2.
>
> zone "www.company.com" {
> type forward;
> forward only;
> forwarders { isp_nameservers; };
> };
>
If a domain name has a CNAME, you must forward the CNAMEd one too. In
this example, both www.company.com and company.com have to be
forwarded.

$ dig +nocmd www.company.com +multiline +noall +answer
www.company.com. 1800 IN CNAME company.com.
company.com. 1605 IN A 208.74.66.138
>
> Everything resolves fine, both our domain and other external domains, with the exception of our domain's external servers (www, mail).
>
> What do we need to get this forward zone working?
>
> -Gerry
>

Gerry Reno

Mar 18, 2013, 8:42:19 PM
to maillist-bind
I don't see CNAME involved. We have no local record for www.

A dig at the ISP shows www.company.com:

www.company.com 43200 IN A XX.XX.XX.XX

-Gerry

b...@bitrate.net

Mar 18, 2013, 10:25:11 PM
to bind-users@lists.isc.org
On Mar 18, 2013, at 20.27, Gerry Reno <gr...@verizon.net> wrote:

> Using BIND 9.8.2
>
> When you set up a Samba 4 AD DC using BIND9_DLZ and your domain has external servers (e.g. www, mail) at external providers, this means that the ISP and the internal network nameservers will both have an SOA record for the domain.

it's not really anything particularly related to samba or dlz. it's just two different computers serving the same zone. you're just "hijacking" or overloading that particular label. in addition to declaring the zone in your config, you'll need to delegate that new zone from the parent.

it's worth noting that this scales poorly. having to add delegations and zone declarations for every label for which this is desired becomes quickly prohibitive. instead, i'd suggest using a subdomain for samba - e.g. something like ad.example.com. there are a number of other solutions as well which would likely be more sensible than hijacking labels.

-ben

Gerry Reno

Mar 18, 2013, 11:04:14 PM
to bind-...@lists.isc.org
If it was more than just a few labels I would do it another way.

But this will suffice, if I can only get bind to actually get the forward zone working.

I don't need any delegation. I'm not looking to slave the zone.

I just need the forward zone to work and send the question over to the ISP.

-Gerry

Mark Andrews

Mar 18, 2013, 11:13:05 PM
to Gerry Reno, bind-...@isc.org

In message <5147D5AE...@verizon.net>, Gerry Reno writes:
> If it was more than just a few labels I would do it another way.
>
> But this will suffice, if I can only get bind to actually get the forward zone working.
>
> I don't need any delegation. I'm not looking to slave the zone.
>
> I just need the forward zone to work and send the question over to the ISP.
>
> -Gerry

Add the delegation. Delegations are about change of authority. The
SOA record stands for "Start Of Authority". For this to work
properly there needs to be a corresponding zone cut in the public
zone as well so that the negative responses come back with an
appropriate SOA record.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

b...@bitrate.net

Mar 19, 2013, 8:10:45 PM
to bind-users@lists.isc.org
On Mar 18, 2013, at 23.04, Gerry Reno <gr...@verizon.net> wrote:

> On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
>> On Mar 18, 2013, at 20.27, Gerry Reno <gr...@verizon.net> wrote:
>>
>>> Using BIND 9.8.2
>>>
>>> When you set up a Samba 4 AD DC using BIND9_DLZ and your domain has external servers (e.g. www, mail) at external providers, this means that the ISP and the internal network nameservers will both have an SOA record for the domain.
>> it's not really anything particularly related to samba or dlz. it's just two different computers serving the same zone. you're just "hijacking" or overloading that particular label. in addition to declaring the zone in your config, you'll need to delegate that new zone from the parent.
>>
>> it's worth noting that this scales poorly. having to add delegations and zone declarations for every label for which this is desired becomes quickly prohibitive. instead, i'd suggest using a subdomain for samba - e.g. something like ad.example.com. there are a number of other solutions as well which would likely be more sensible than hijacking labels.
>>
>> -ben
>>
>
> If it was more than just a few labels I would do it another way.
>
> But this will suffice, if I can only get bind to actually get the forward zone working.
>
> I don't need any delegation. I'm not looking to slave the zone.

as i said, you'll need to delegate that new zone from the parent. i'm not sure what slave zones would have to do with that.

-ben

Gerry Reno

Mar 19, 2013, 8:30:50 PM
to bind-...@lists.isc.org
As I said, if I was going to do this for a bunch of labels I would add an external view and just slave it from the ISP
which holds the SOA for the external answers.

And sure delegation works. You don't even need a forward zone.

So what exactly is the use case for this forward zone? I see a number of postings over several years where people
have not been able to get the forward zone working.

-Gerry


b...@bitrate.net

Mar 19, 2013, 9:26:20 PM
to bind-users@lists.isc.org
On Mar 19, 2013, at 20.30, Gerry Reno <gr...@verizon.net> wrote:

> On 03/19/2013 08:10 PM, b...@bitrate.net wrote:
>> On Mar 18, 2013, at 23.04, Gerry Reno <gr...@verizon.net> wrote:
>>
>>> On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
>>>> On Mar 18, 2013, at 20.27, Gerry Reno <gr...@verizon.net> wrote:
>>>>
>>>>> Using BIND 9.8.2
>>>>>
>>>>> When you set up a Samba 4 AD DC using BIND9_DLZ and your domain has external servers (e.g. www, mail) at external providers, this means that the ISP and the internal network nameservers will both have an SOA record for the domain.
>>>> it's not really anything particularly related to samba or dlz. it's just two different computers serving the same zone. you're just "hijacking" or overloading that particular label. in addition to declaring the zone in your config, you'll need to delegate that new zone from the parent.
>>>>
>>>> it's worth noting that this scales poorly. having to add delegations and zone declarations for every label for which this is desired becomes quickly prohibitive. instead, i'd suggest using a subdomain for samba - e.g. something like ad.example.com. there are a number of other solutions as well which would likely be more sensible than hijacking labels.
>>>>
>>>> -ben
>>>>
>>> If it was more than just a few labels I would do it another way.
>>>
>>> But this will suffice, if I can only get bind to actually get the forward zone working.
>>>
>>> I don't need any delegation. I'm not looking to slave the zone.
>> as i said, you'll need to delegate that new zone from the parent. i'm not sure what slave zones would have to do with that.
>>
>> -ben
>>
>
> As I said, if I was going to do this for a bunch of labels I would add an external view and just slave it from the ISP
> which holds the SOA for the external answers.

i don't know what the point of that would be. you'd still have to overload your other zone.

all i can do at this point is suggest you simply try what has been suggested [by multiple people].

-ben

Gerry Reno

Mar 19, 2013, 9:33:03 PM
to bind-...@lists.isc.org
It's called Split-DNS.

And delegation was implemented yesterday.

Still no answer about what is the use case for this forward zone. And why many people have posted that they have not
been able to get it to work for years.


Mark Andrews

Mar 19, 2013, 9:42:39 PM
to Gerry Reno, bind-...@isc.org
Forward zones affect where recursive queries are sent.

They have 2 purposes:
1. work around firewalls blocking direct access to the authoritative servers
(forward only).
2. allow access to central caches (forward first).

They do not and never have instantiated delegations.

Kevin Darcy

Apr 1, 2013, 2:44:55 PM
to bind-...@lists.isc.org
On 3/19/2013 8:30 PM, Gerry Reno wrote:
> On 03/19/2013 08:10 PM, b...@bitrate.net wrote:
>> On Mar 18, 2013, at 23.04, Gerry Reno <gr...@verizon.net> wrote:
>>
>>> On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
>>>> On Mar 18, 2013, at 20.27, Gerry Reno <gr...@verizon.net> wrote:
>>>>
>>>>> Using BIND 9.8.2
>>>>>
>>>>> When you set up a Samba 4 AD DC using BIND9_DLZ and your domain has external servers (e.g. www, mail) at external providers, this means that the ISP and the internal network nameservers will both have an SOA record for the domain.
>>>> it's not really anything particularly related to samba or dlz. it's just two different computers serving the same zone. you're just "hijacking" or overloading that particular label. in addition to declaring the zone in your config, you'll need to delegate that new zone from the parent.
>>>>
>>>> it's worth noting that this scales poorly. having to add delegations and zone declarations for every label for which this is desired becomes quickly prohibitive. instead, i'd suggest using a subdomain for samba - e.g. something like ad.example.com. there are a number of other solutions as well which would likely be more sensible than hijacking labels.
>>>>
>>>> -ben
>>>>
>>> If it was more than just a few labels I would do it another way.
>>>
>>> But this will suffice, if I can only get bind to actually get the forward zone working.
>>>
>>> I don't need any delegation. I'm not looking to slave the zone.
>> as i said, you'll need to delegate that new zone from the parent. i'm not sure what slave zones would have to do with that.
> As I said, if I was going to do this for a bunch of labels I would add an external view and just slave it from the ISP
> which holds the SOA for the external answers.
>
> And sure delegation works. You don't even need a forward zone.
>
> So what exactly is the use case for this forward zone?
If you can achieve what you want through delegation alone, and unless
you think that you can squeeze out a performance benefit by forwarding
to a "rich cache", then yeah, there is no compelling use case for
forwarding and you shouldn't do it. Selective forwarding is most
commonly employed when you can't talk directly to the authoritative
nameservers for the zone and need to go through an intermediate resolver.

> I see a number of postings over several years where people
> have not been able to get the forward zone working.
Probably because they don't follow the simple advice to delegate the zone.

- Kevin
