From Newsgroup: comp.protocols.dns.bind
[ Classification Level: GENERAL BUSINESS ]
Or, if you absolutely *must* use the same namespace internally and
externally (oftentimes you can't talk the business out of that), your
internal version should be more-or-less a superset of your external
version.

How you keep those in sync is up to you. For us, we have a centralized
management system that makes the relevant updates in parallel. The big
caveat with that is, those few situations where the DNS needs to be
"schizophrenic", i.e. resolve differently in the internal versus external
versions of the zones. We try to keep that nonsense to a minimum, but when
we can't talk people out of it, we handle it on an exception basis.

I suppose another approach is to have a backend database which tags each
record as being "internal", "external" or "both", and then the respective
versions of the zones get generated accordingly. You'd need something to
ensure referential integrity, though, otherwise you might end up with
dangling references (e.g. CNAME/MX/SRV targets), bad delegations, etc.
- Kevin
P.S. No offense to schizophrenics. I guess a more accurate term would be "multiple personality".
On Thu, Sep 3, 2020 at 3:52 AM Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:

> On 02.09.20 15:00, Taylor Vierrether via bind-users wrote:
> > I am attempting to set up an internal DNS server that is authoritative for
> > internal resources, but also will respond for external resources on the
> > same domain that it does not have records for.
> >
> > For example, I have a domain sub.example.com, and I want to have internal
> > entries in the BIND zone file for host1.sub.example.com and
> > host2.sub.example.com. That part is working fine. However, there is a
> > publicly available DNS entry for sub.example.com that I want my internal
> > clients to be able to resolve, but I don't want to have the IP in the BIND
> > zone file, because the IP is dynamic.
>
> you can delegate that entry elsewhere.
>
> > There are also some hosts (host3.sub.example.com) and
> > (host4.sub.example.com) that are externally resolvable that I don't want
> > to put in my internal BIND file because they are not controlled by me.
> > (Think CNAME to a SaaS application)
>
> you can delegate those records somewhere.
>
> > I've attempted to do this as follows, and it seems to make sense that it
> > would work, but it does not.
> >
> > named.conf:
> >
> > zone "sub.example.com" IN {
> >         type master;
> >         file "/etc/bind/sub.example.com.zone";
> >         forward first;
> >         forwarders { 1.1.1.1; 1.0.0.1; };
> > };
>
> forwarding is not used for zones other than "type forward".
>
> > What actually happens, is if I query for sub.example.com I get the
> > following from nslookup:
> >
> > *** Can't find sub.example.com: No answer
>
> if you search for "sub.example.com" record, you can not delegate that one,
> of course.
>
> you apparently should redesign your DNS. Easiest way would be using a
> different domain internally.
>
> > And if I query for host3.example.com, I get the following from nslookup:
> >
> > ** server can't find host3.sub.example.com: NXDOMAIN
>
> note that nslookup is a very bad program for tracking DNS errors.
> use "host" or "dig" for that case.
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I just got lost in thought. It was unfamiliar territory.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
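As an added example (not code from Kevin, Matus, Taylor or the BIND project), here is a small Python model of the tagged-record approach Kevin describes: each record carries a scope of "internal", "external" or "both", the two views' zone files are generated from the same table, and a referential-integrity pass flags CNAME/NS/MX/SRV targets that would dangle in one view. It also reports names that break the "internal is a superset of external" rule and names that answer differently per view (Kevin's exception cases). The last helper covers Matus's point that forwarders only take effect in a "type forward" zone: for a name someone else publishes (Taylor's host3/host4 case) it emits a more specific forward-zone stanza. The zone name and the sample records are constructed for illustration, and the assumption that a more specific zone statement takes precedence over the enclosing authoritative zone is mine, not something the thread confirms.

```python
# Added example: Kevin's tagged-record model for split-horizon zone generation,
# with the referential-integrity check he says you need. Sample data is constructed.
from dataclasses import dataclass

ZONE = "sub.example.com."  # zone name from the thread; records below are constructed


@dataclass(frozen=True)
class Record:
    name: str    # owner relative to the zone apex; "@" is the apex
    rtype: str
    rdata: str
    scope: str   # "internal", "external" or "both"


RECORDS = [
    Record("@", "SOA", "ns1 hostmaster 2020090301 3600 900 1209600 300", "both"),
    Record("@", "NS", "ns1", "both"),
    Record("ns1", "A", "192.0.2.53", "external"),
    Record("ns1", "A", "10.0.0.53", "internal"),   # same name, different answer: the "schizophrenic" case
    Record("@", "MX", "10 mail", "both"),
    Record("mail", "A", "192.0.2.25", "both"),
    Record("host1", "A", "10.0.1.10", "internal"),
    Record("host2", "CNAME", "host1", "internal"),
    Record("www", "CNAME", "host1", "both"),        # deliberate defect: target is internal-only
    Record("_sip._tcp", "SRV", "0 5 5060 sip", "external"),  # deliberate defect: target exists nowhere
]

# Which whitespace-separated rdata field names another owner, per pointer type.
TARGET_FIELD = {"CNAME": 0, "NS": 0, "MX": 1, "SRV": 3}


def fqdn(name: str) -> str:
    """Absolute owner name for a relative or already-absolute name."""
    if name == "@":
        return ZONE
    return name if name.endswith(".") else f"{name}.{ZONE}"


def records_for(view: str) -> list:
    """Records that belong in the given view ("internal" or "external")."""
    return [r for r in RECORDS if r.scope in (view, "both")]


def dangling(view: str) -> list:
    """(owner, rtype, target) for in-zone pointers whose target has no record in this view.
    Out-of-zone targets are left to the resolver; they cannot be checked from this table."""
    recs = records_for(view)
    owners = {fqdn(r.name) for r in recs}
    problems = []
    for r in recs:
        if r.rtype not in TARGET_FIELD:
            continue
        target = fqdn(r.rdata.split()[TARGET_FIELD[r.rtype]])
        in_zone = target == ZONE or target.endswith("." + ZONE)
        if in_zone and target not in owners:
            problems.append((fqdn(r.name), r.rtype, target))
    return problems


def external_only_names() -> list:
    """Owners published externally but absent internally: violations of the
    'internal is a superset of external' rule."""
    internal = {fqdn(r.name) for r in records_for("internal")}
    return sorted({fqdn(r.name) for r in records_for("external")} - internal)


def split_brain_names() -> list:
    """Owners present in both views whose record sets differ (the exception cases)."""
    by_view = {}
    for view in ("internal", "external"):
        by_view[view] = {}
        for r in records_for(view):
            by_view[view].setdefault(fqdn(r.name), set()).add((r.rtype, r.rdata))
    common = by_view["internal"].keys() & by_view["external"].keys()
    return sorted(n for n in common if by_view["internal"][n] != by_view["external"][n])


def zone_file(view: str) -> str:
    """Render the view's zone file in BIND master-file syntax."""
    lines = [f"$ORIGIN {ZONE}", "$TTL 300"]
    lines += [f"{r.name}\tIN\t{r.rtype}\t{r.rdata}" for r in records_for(view)]
    return "\n".join(lines) + "\n"


def forward_stanza(name: str, forwarders: list) -> str:
    """named.conf stanza for a name someone else publishes (e.g. host3.sub.example.com).
    Forwarders only apply to a 'type forward' zone; that a more specific zone statement
    wins over the enclosing authoritative zone is an assumption of this example."""
    fwd = " ".join(f"{f};" for f in forwarders)
    return f'zone "{name}" IN {{\n\ttype forward;\n\tforward only;\n\tforwarders {{ {fwd} }};\n}};\n'


if __name__ == "__main__":
    for view in ("internal", "external"):
        print(f"--- {view} ---")
        print(zone_file(view))
        for owner, rtype, target in dangling(view):
            print(f"DANGLING: {owner} {rtype} -> {target}")
    print("external-only names:", external_only_names())
    print("split-brain names:", split_brain_names())
    print(forward_stanza("host3.sub.example.com", ["1.1.1.1", "1.0.0.1"]))
```

Run as-is, the external view reports two dangling pointers (www's CNAME to an internal-only host, and an SRV whose target was never defined), the superset check flags the external-only SRV owner, and ns1 shows up as the one deliberately split-brain name; a generator wired to a real record store would refuse to publish a view until those lists are empty or explicitly waived.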