Conditional forwarder for subdomain through DNS proxy
I have a Windows AD domain: contoso.local

I want to forward all requests for some.contoso.local to another DNS server through a forwarding DNS server:

contoso.Local.DNS => Proxy.DNS => some.contoso.local.DNS

I cannot allow direct forwarding from contoso.Local.DNS => some.contoso.local.DNS for some reason. Proxy.DNS is required.

The Proxy.DNS is a simple Bind9 machine with this (partial) config:
zone "some.contoso.local" {
    type forward;
    forward only;
    forwarders { 1.2.3.4; };
};
On contoso.Local.DNS there is an NS record saying: some.contoso.local NS ip.of.Proxy.DNS
Problem:
- When I query a.some.contoso.local directly through Proxy.DNS, everything is OK.
- When I query a.some.contoso.local through contoso.Local.DNS, the query fails.
The reason, I think, is that contoso.Local.DNS sends the query to Proxy.DNS with flags = 0x0000, while the nslookup client sets flags = 0x0100. This bit means "Allow recursive request".
Can I somehow get around this problem, either by
- telling Windows DNS to set the "Allow recursive request" bit, or
- making Bind9 ignore that this bit is not set,
- or in any other way?
Solution 1:
Following the NS record is part of recursive resolution -- so at this point it has already been decided that contoso.local.DNS is going to be the recursive resolver responsible for the entire query.
So the query being sent out is not the final query, but rather the next step, and the proxy would not be able to know what the client wants. At the same time, forward-only servers do not expect queries with "recursion desired" clear, since all they can do is forward to another (recursive) server, which may or may not be authoritative for the current query -- but queries sent as part of a recursive lookup always need to be directed at a server that is authoritative.
Since a forward-only server is never authoritative, it needs to reject non-recursive queries, which is what you are seeing -- but altering the flag isn't sufficient.
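The flag words quoted in the question (0x0000 from the Windows server following the NS record, 0x0100 from nslookup) are the DNS header flags field, and the answer turns on one bit of it, RD (recursion desired). The following script is an added example, not code from the question, the answer or BIND: it builds a minimal DNS query with RD set or clear and decodes the flags word of any DNS header, so a captured packet can be checked for the condition the answer describes. It uses only the Python standard library and runs offline; the query name and transaction id are constructed sample values, and nothing is sent on the network.

```python
import struct

# DNS header flag bits, RFC 1035 section 4.1.1 (16-bit flags word).
FLAG_QR = 0x8000   # 1 = response, 0 = query
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired (the 0x0100 seen from nslookup)
FLAG_RA = 0x0080   # recursion available
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, recursion_desired, qtype=1):
    """Build a one-question DNS query (qtype 1 = A, class 1 = IN).

    recursion_desired=True yields flags 0x0100 (what a stub client sends);
    False yields flags 0x0000 (what a resolver sends while iterating).
    """
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_flags(flags):
    """Split a 16-bit DNS flags word into its named fields."""
    return {
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": RCODE_NAMES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
    }


def parse_header(packet):
    """Parse the fixed 12-byte DNS header of a query or response packet."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    fields = {"id": txid, "flags": flags, "qdcount": qd,
              "ancount": an, "nscount": ns, "arcount": ar}
    fields.update(decode_flags(flags))
    return fields


def query_flags(packet):
    """Return just the raw flags word, as shown in a packet capture."""
    return parse_header(packet)["flags"]


def is_non_recursive_query(packet):
    """True when a query has RD clear: the case a forward-only server,
    which can never answer authoritatively, has to reject."""
    hdr = parse_header(packet)
    return not hdr["qr"] and not hdr["rd"]


if __name__ == "__main__":
    # Constructed sample: the name from the question and an arbitrary id.
    for rd in (True, False):
        pkt = build_query("a.some.contoso.local", 0x1234, rd)
        print("RD=%-5s flags=0x%04x non-recursive=%s"
              % (rd, query_flags(pkt), is_non_recursive_query(pkt)))
```

Feeding the first 12 bytes of a captured datagram to parse_header shows at a glance whether the query arriving at the proxy carries RD (0x0100) or not (0x0000), and decode_flags on a response word such as 0x8185 reads it back as QR+RD+RA with rcode REFUSED.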