Bind9 DNS configuration for a private sub-domain from a public domain name
We currently have a private DNS service that we wish to migrate to Bind9. So I have to migrate the current configuration to Bind9, but I'm having trouble setting it up.
Here is the context.
I have a public domain name "acme.com" managed by a registrar. At this registrar I manage public domain names, such as:
acme.com IN A < Public IP server 1 >
www.acme.com IN A < Public IP server 1 >
*.acme.com IN A < Public IP server 1 >
other.acme.com IN A < Public IP server 2 >
On the company's internal DNS server, we have sub-domain names for "acme.com" such as "application-1.acme.com".
The configuration of Bind9 that I made allows me for the moment to resolve public domain names like "google.com" and also private domain names like "application-1.acme.com".
However, if I try to resolve domain names managed by our registrar, such as "acme.com" or "www.acme.com", dig gives me this answer:
dig @10.0.0.254 acme.com
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @10.0.0.254 acme.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25017
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a231205f94a3ec92010000005fa95de884db288162c0f9b9 (good)
;; QUESTION SECTION:
;acme.com. IN A
;; AUTHORITY SECTION:
acme.com. 600 IN SOA ns1.acme.inc. admin. acme.inc. 2020110501 3600 600 86400 600
;; Query time: 2 msec
;; SERVER: 192.168.0.245 #53(10.0.0.254)
;; WHEN: Mon Nov 09 16:19:03 CET 2020
;; MSG SIZE rcvd: 124
Here is my named.conf file:
acl "trusted" {
    // some ip range
};

options {
    directory "/var/cache/bind";
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query { any; };
    allow-transfer { none; };
    pid-file "/var/run/named/named.pid";
    allow-recursion { trusted; };
    recursion yes;
    // every name this server is not authoritative for is sent to the forwarders
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
    auth-nxdomain no;
};

view "trusted" {
    match-clients { trusted; };
    recursion yes;
    // this view is authoritative for the whole acme.com zone
    zone "acme.com" IN {
        type master;
        file "/etc/bind/zones/acme.com.zone";
    };
};
And here the acme.com.zone file:
$TTL 3600
@   IN SOA ns1.acme. admin.acme. (
        2020110501 ; serial
        3600       ; refresh
        600        ; retry
        86400      ; expire
        600 )      ; negative-cache TTL
@   IN NS ns1.acme.
; ns1.acme. lies outside acme.com, so BIND drops this A record as out-of-zone data when loading the zone
ns1.acme.       IN A 10.0.0.254
application-1   IN A 10.0.1.1
application-2   IN A 10.0.1.2
application-3   IN A 10.0.1.3
I do not understand what’s wrong with my settings.
Because the BIND server is authoritative for example.com, it won't perform recursion even in case of an NXDOMAIN for a subdomain. You would either need to use another level of subdomains (application.sub.example.com) or configure the individual exceptions with Response Policy Zones (RPZ).
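The two fixes described in the answer, written out as a complete BIND configuration. This is an added example, not the asker's files or anything from the answerer; the sub-domain name "internal.acme.com", the file paths under /etc/bind/zones/, the RPZ zone name "rpz.internal", the serial numbers and the 10.0.0.0/8 client range are all constructed for the example. The point of both variants is the same: the view stays a plain forwarder for acme.com itself, so "acme.com" and "www.acme.com" reach the registrar's public records, and only the names the company really hosts internally are answered locally.

```bind
// ---- named.conf (constructed example) ----------------------------------
acl "trusted" {
    10.0.0.0/8;            // constructed range: the internal clients
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };
    // everything this server is not authoritative for goes to the forwarders
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
};

view "trusted" {
    match-clients { trusted; };
    recursion yes;

    // Option 1: one more label. The view is authoritative only for
    // internal.acme.com, so acme.com and www.acme.com are no longer
    // answered from local zone data and are forwarded like any other name.
    zone "internal.acme.com" IN {
        type master;
        file "/etc/bind/zones/internal.acme.com.zone";
    };

    // Option 2: a Response Policy Zone. The view is NOT authoritative for
    // acme.com; the RPZ overrides the individual names listed in it and
    // leaves every other acme.com name to the forwarders.
    response-policy { zone "rpz.internal"; };
    zone "rpz.internal" IN {
        type master;
        file "/etc/bind/zones/rpz.internal.zone";
        allow-query { none; };   // the policy zone itself is never served to clients
    };
};

// ---- /etc/bind/zones/internal.acme.com.zone (option 1) -----------------
$TTL 3600
@               IN SOA  ns1.internal.acme.com. admin.internal.acme.com. (
                        2020110901 ; serial (constructed)
                        3600       ; refresh
                        600        ; retry
                        86400      ; expire
                        600 )      ; negative-cache TTL
@               IN NS   ns1.internal.acme.com.
ns1             IN A    10.0.0.254
application-1   IN A    10.0.1.1
application-2   IN A    10.0.1.2
application-3   IN A    10.0.1.3

// ---- /etc/bind/zones/rpz.internal.zone (option 2) ----------------------
$TTL 300
@   IN SOA localhost. admin.localhost. ( 1 3600 600 86400 300 )
@   IN NS  localhost.
; "Local Data" policy: a query for application-1.acme.com is answered with
; this A record. Names not listed here are untouched and forwarded normally.
application-1.acme.com  IN A 10.0.1.1
application-2.acme.com  IN A 10.0.1.2
application-3.acme.com  IN A 10.0.1.3
```

With option 1 the clients have to use the longer names (application-1.internal.acme.com); with option 2 they keep using application-1.acme.com, but every exception must be listed in the RPZ by hand, and the RPZ applies only to recursive answers produced by this view. Either way, after `named-checkconf -z /etc/bind/named.conf` loads the zones cleanly, `dig @10.0.0.254 acme.com` should return the registrar's public A record instead of the empty authoritative answer shown in the question.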