Conditional forwarder for subdomain through DNS proxy

I have a Windows AD domain: contoso.local. I want to forward all requests for some.contoso.local to another DNS server through a forwarding DNS server:

contoso.Local.DNS => Proxy.DNS => some.contoso.local.DNS

I cannot allow direct forwarding from contoso.Local.DNS => some.contoso.local.DNS for some reason. Proxy.DNS is required.

Proxy.DNS is a simple Bind9 machine with this (partial) config:

zone "some.contoso.local" {
  type forward;
  forward only;
  forwarders { 1.2.3.4; };
};

On contoso.Local.DNS there is an NS record saying some.contoso.local NS ip.of.Proxy.DNS

Problem:

  • When I query a.some.contoso.local directly through Proxy.DNS, all is OK.
  • When I query a.some.contoso.local through contoso.Local.DNS, the query fails.

The reason, I think, is that contoso.Local.DNS sends the query to Proxy.DNS with flags = 0x0000, while the nslookup client sets flags = 0x0100. This bit means "Allow recursive request".

Can I somehow get around this problem, either by

  • telling Windows DNS to set the "Allow recursive request" bit, or
  • making Bind9 ignore that this bit is not set,
  • or in any other way?

Solution 1:

Following the NS record is part of recursive resolution -- so at this point it has already been decided that contoso.local.DNS is going to be the recursive resolver responsible for the entire query.

So the query being sent out is not the final query, but rather the next step, and the proxy would not be able to know what the client wants. At the same time, forward-only servers do not expect queries with "recursion desired" clear, since all they can do is forward to another (recursive) server, which may or may not be authoritative for the current query -- but queries as part of a recursive lookup always need to be directed at a server that is authoritative.

Since a forward-only server is never authoritative, it needs to reject non-recursive queries; that is what you are seeing -- but altering the flag isn't sufficient.
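To reproduce the difference the question describes (a query with flags 0x0000 versus 0x0100) and see how Proxy.DNS answers each, here is an added diagnostic script; it is not part of the original question or answer. It hand-builds the two query packets from RFC 1035 and decodes the reply header; the server address, the function names and the sample REFUSED reply are assumptions, and the sample reply is constructed, not captured from a real server.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, section 4.1.1).
RD_FLAG = 0x0100   # recursion desired: set by stub clients such as nslookup
RA_FLAG = 0x0080   # recursion available: set by the answering server
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, recursion_desired=True, txn_id=0x1234, qtype=1):
    """Wire-format query for `name` (type A by default). recursion_desired=False
    gives flags = 0x0000, the shape of the query a resolver sends while
    following an NS referral; True gives flags = 0x0100, what nslookup sends."""
    flags = RD_FLAG if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(response):
    """Decode the reply header fields that matter for this problem."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {"rd": bool(flags & RD_FLAG), "ra": bool(flags & RA_FLAG),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": ancount}

def probe(server, name, recursion_desired, timeout=2.0):
    """Send one UDP query to `server` (port 53) and decode the reply header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, recursion_desired), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_header(data)

# Constructed sample reply (assumption, not captured from a real server):
# QR=1, RD=1, RA=1, RCODE=5 (REFUSED), no answers -- the kind of reply a
# forward-only server gives to a query it declines to handle.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py <server-ip> <name>
        for rd in (True, False):
            print("RD=%d:" % rd, probe(sys.argv[1], sys.argv[2], rd))
    else:
        print("sample reply:", parse_header(SAMPLE_REFUSED))
```

Run it once against Proxy.DNS with the name from the question; the RD=0 line shows the reply the Windows server receives when it follows the NS record, and the RD=1 line shows what nslookup gets.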