Bind9 DNS configuration for a private sub-domain from a public domain name

We currently have a private DNS service that we wish to migrate to Bind9. So I have to migrate the current configuration to Bind9, but I'm having trouble setting it up.

Here is the context.

I have a public domain name "acme.com" managed by a registrar. At this registrar I manage public domain names, such as:

acme.com        IN  A  < Public IP server 1 >
www.acme.com    IN  A  < Public IP server 1 >
*.acme.com      IN  A  < Public IP server 1 >
other.acme.com  IN  A  < Public IP server 2 >

On the company's internal DNS server, we have sub-domain names for "acme.com" such as "application-1.acme.com".

The Bind9 configuration I made currently allows me to resolve public domain names like "google.com" and also private domain names like "application-1.acme.com".

However, if I try to resolve domain names managed by our registrar, such as "acme.com" or "www.acme.com", dig gives me this answer:

dig @10.0.0.254 acme.com
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @10.0.0.254 acme.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25017
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a231205f94a3ec92010000005fa95de884db288162c0f9b9 (good)
;; QUESTION SECTION:
;acme.com.                      IN      A
;; AUTHORITY SECTION:
acme.com.               600     IN      SOA     ns1.acme.inc. admin.acme.inc. 2020110501 3600 600 86400 600
;; Query time: 2 msec
;; SERVER: 192.168.0.245 #53(10.0.0.254)
;; WHEN: Mon Nov 09 16:19:03 CET 2020
;; MSG SIZE  rcvd: 124

Here is my named.conf file:

acl "trusted" {
        // some ip range
};
options {
        directory "/var/cache/bind";
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query { any; };
        allow-transfer { none; };
        pid-file "/var/run/named/named.pid";
        // only "trusted" clients may use this server as a recursive resolver
        allow-recursion { trusted; };
        recursion yes;
        // never iterate ourselves: every non-authoritative query goes upstream
        forward only;
        forwarders { 8.8.8.8;  8.8.4.4; };
        dnssec-validation auto;
        auth-nxdomain no;
};
// once a view is declared, every zone must live inside a view;
// clients matching no view are refused
view "trusted" {
        match-clients { trusted; };
        recursion yes;
        // this server is authoritative for all of acme.com, so every name
        // under it is answered from the zone file and never forwarded
        zone "acme.com" IN {
                type master;
                file "/etc/bind/zones/acme.com.zone";
        };
};

And here the acme.com.zone file:

$TTL    3600
; SOA: primary name server, responsible mailbox, then
; serial, refresh, retry, expire, negative-caching TTL
@       IN      SOA     ns1.acme. admin.acme. (
                     2020110501 ; serial
                           3600 ; refresh
                            600 ; retry
                          86400 ; expire
                            600 ) ; negative-caching TTL
        IN      NS     ns1.acme.

; ns1.acme. lies outside the acme.com zone, so named ignores this A record
; ("ignoring out-of-zone data") instead of serving it as glue
ns1.acme.      IN     A            10.0.0.254

; internal hosts; note there is no A record for the apex (@) or for www,
; which is why a query for acme.com returns NOERROR with an empty answer
application-1  IN     A            10.0.1.1
application-2  IN     A            10.0.1.2
application-3  IN     A            10.0.1.3

I do not understand what’s wrong with my settings.


Because the BIND server is authoritative for example.com, it won't perform recursion even in case of an NXDOMAIN for a subdomain. You would either need to use another level of subdomains (application.sub.example.com) or configure the individual exceptions with Response Policy Zones (RPZ).
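As an added example (this is not part of the question or of the answer above), here is how the two options the answer describes look in BIND 9 configuration, using the names from the question. The `internal.acme.com` zone name, the `rpz.local` policy-zone name, the `ns1.internal.acme.com` host, the `10.0.0.0/8` ACL and the file paths are assumptions. The two options are shown together because they do not conflict, but they are independent and a deployment would normally pick one.

```conf
// ---- /etc/bind/named.conf (relevant parts; added example, assumed names) ----
acl "trusted" { 10.0.0.0/8; };          // assumed internal range

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { trusted; };
        allow-query { trusted; };
        allow-transfer { none; };
        forward only;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation auto;

        // Option B: Response Policy Zone. Only the names listed in rpz.local
        // are rewritten; everything else under acme.com (apex, www, other)
        // is forwarded and answered from the registrar's public records.
        // qname-wait-recurse no: answer from the policy zone without first
        // recursing, so the public "*.acme.com" wildcard is never consulted.
        response-policy { zone "rpz.local"; } qname-wait-recurse no;
};

// Option A: be authoritative for a deeper subdomain only. Because this
// server is no longer authoritative for acme.com itself, queries for
// acme.com and www.acme.com fall through to the forwarders.
zone "internal.acme.com" IN {
        type master;
        file "/etc/bind/zones/internal.acme.com.zone";
};

// Policy zone backing option B. The resolver consults it internally;
// clients must not be able to query or transfer it.
zone "rpz.local" IN {
        type master;
        file "/etc/bind/zones/rpz.local.zone";
        allow-query { none; };
        allow-transfer { none; };
};

; ---- /etc/bind/zones/internal.acme.com.zone (option A) ----
$TTL 3600
@               IN SOA  ns1.internal.acme.com. hostmaster.acme.com. (
                        2020110901 ; serial
                        3600       ; refresh
                        600        ; retry
                        86400      ; expire
                        600 )      ; negative-caching TTL
                IN NS   ns1.internal.acme.com.
ns1             IN A    10.0.0.254    ; in-zone, so this glue record is kept
application-1   IN A    10.0.1.1      ; i.e. application-1.internal.acme.com
application-2   IN A    10.0.1.2
application-3   IN A    10.0.1.3

; ---- /etc/bind/zones/rpz.local.zone (option B) ----
$TTL 60
@                       IN SOA  localhost. hostmaster.acme.com. (
                                2020110901 3600 600 86400 60 )
                        IN NS   localhost.
; Owner names are relative to the policy zone, so "application-1.acme.com"
; here is a trigger for queries whose QNAME is application-1.acme.com.
; An A record is the RPZ "local data" action: the client receives this
; answer in place of whatever the forwarders would have returned.
application-1.acme.com  IN A    10.0.1.1
application-2.acme.com  IN A    10.0.1.2
application-3.acme.com  IN A    10.0.1.3
```

Run `named-checkconf -z` after editing to catch syntax errors and zone-load problems before `rndc reload`. With the `acme.com` master zone removed, `dig @10.0.0.254 acme.com` and `dig @10.0.0.254 www.acme.com` are answered from the registrar's records via the forwarders; `dig @10.0.0.254 application-1.internal.acme.com` exercises option A and `dig @10.0.0.254 application-1.acme.com` exercises option B. Two caveats: under option A, clients must switch to the new names (or get `internal.acme.com` as a search domain), and because `internal.acme.com` is not delegated from the public zone, anyone asking public DNS for those names hits the registrar's `*.acme.com` wildcard instead; under option B, RPZ by default does not rewrite a DNSSEC-validated answer for a client that set the DO bit, so if acme.com were ever signed the exceptions would stop applying to such clients unless `break-dnssec yes` is set.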