Internal and External DNS from Different Servers, Same Zone

domain-name-system bind domain-controller

I am either having trouble understanding how DNS works, or I am having trouble configuring my DNS correctly (either one isn't good). I am currently working with a domain, I'll call it webdomain.com, and I need to allow all of our internal users to get out to dotster to get our public DNS entries just like the rest of the world. Then, on top of that, I want to be able to supply just a few override DNS entries for testing servers and equipment that is not available publically. As an example:

  • public.webdomain.com - should get this from dotster

  • outside.webdomain.com - should get this from dotster as well

  • testing.webdomain.com - should get this from my internal dns controller

The problem that I seem to be running into at every turn is that if I have an internal DNS controller that contains a zone for webdomain.com then I can get my specified internal entries but never get anything from the public DNS server. This holds true regardless of the type of DNS server I use also--I have tried both a Linux Bind9 and a Windows 2008 Domain Controller.

I guess my big question is: am I being unreasonable to think that a system should be able to check my specified internal DNS and in the case where a requested entry doesn't exist it should fail over to the specified public dns server -OR- is this just not the way DNS works and I am lost in the sauce?

It seems like it should be as simple as telling my internal DNS server to forward any requests that it can't fulfill to dotster, but that doesn't seem to work. Could this be a firewall issue?

Thanks in advance

EXTENDED

OK, so I did a bunch of research and have been plugging at this for a few hours. I have this in my named.conf and I am STILL seeing the same result. Internal calls are fed, but anything external (in the zone controlled domain) is just dumped. Any assistance would be great! Also, this is an Ubuntu 9.04 OS I am working with.

Code removed because it was wrong.

THE CORRECT WAY -- ADDED AFTER QUESTION CLOSED

Well, thanks to the folks here on serverfault I now have this working perfectly on my server and in a much more succinct fashion. Here is how you do it. From a base install of bind9 edit your named.conf.local file and add in a zone for EACH subdomain that you want to redirect:

/etc/bind/named.conf

// WEBDOMAIN.COM ENTRIES
    zone "test.webdomain.com" {
            type master;
            file "/etc/bind/zones/test.webdomain.com";
    };

    zone "alpha.webdomain.com" {
            type master;
            file "/etc/bind/zones/alpha.webdomain.com";
    };

    zone "beta.webdomain.com" {
            type master;
            file "/etc/bind/zones/beta.webdomain.com";
    };

// INTERNETSITE.COM ENTRIES
    zone "internal.internetsite.com" {
            type master;
            file "/etc/bind/zones/internal.internetsite.com";
    };

    zone "dev.internetsite.com" {
            type master;
            file "/etc/bind/zones/dev.internetsite.com";
    };

Edit your /etc/bind/named.conf.options file and add any forwarders you want to use into the correct location:

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        forwarders {
                208.67.222.222;
                208.67.220.220;
                8.8.8.8;
                8.8.4.4;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Create a new folder called zones at /etc/bind/zones/ and add a new file for EACH of the zones you created above that match the 'file' attribute above. Using test.webdomain.com as an example:

/etc/bind/zones/test.webdomain.com

$TTL    604800
@       IN      SOA     test.webdomain.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@                       IN      NS      test.webdomain.com.
test.webdomain.com.    IN      A       10.0.1.20

Where 10.0.1.20 is the A record ip address that you want this (sub)domain to forward to. By doing it this way the record for test.webdomain.com is authoritative for only the subdomain and the global DNS will supply any other subdomains or root domains as usual.


Solution 1:

What you'll want to do is create a DNS zone for testing.webdomain.com on your internal DNS server. This way the webdomain.com DNS isn't hosted by your internal server, but is instead hosted by dotster.

When someone queries for www.webdomain.com the request will be forwarded to dotster for the lookup (since your local DNS server isn't authoritative for that zone), while requests for testing.webdomain.com will be handled by your internal DNS server.

Solution 2:

You need Split-view DNS. For your border machines, use an external resolver. For your test environment, use a separate, internal resolver. The internal resolver will have your testing entry in DNS and answers from one view; but the outside world will see a different "view" of your zone, that omits the test environment.

Other SF entries that may be of interest:

  • https://serverfault.com/search?q=split-view+dns

I only have time today to skim your extended post, so here's a first glance:

options {                                       
    directory "/etc/bind";                   
    listen-on {          // why are these lines needed?
            10.0.1.5;    // the way it is set up, only your loopback
            127.0.0.1;   // and your LAN clients will be able to
                         // get answers; the outside world can't see boo
                         // because there's no interface/port pair
                         // to contact. I would just get rid of this and
              };         // not worry about what interfaces are being bound to
    // BTW, that listen-on line is why your outside queries are failing.
    auth-nxdomain no;                      
    allow-query { any; };                   
    recursion no;                          
    version "0";                           
};

Also, the external match-clients statement

view "external" {
    match-clients { !localnets; any; };

can be made into

view "external" {
    match-clients { any; };

because when you add to match-clients, it's already assuming that there's nothing to match to begin with; negating an ACL really won't add much (because it never "existed" in that view to begin with, so there's no reason to cancel it out).

I'm sure that I've probably missed some things, but these are the most obvious culprits.

Solution 3:

It seems your zone definition is not correct. It misses the IP address for the name server declared as "webdomain.com".

I suggest you change the zone definition as

$TTL    604800
@       IN      SOA     webdomain.com. email.webdomain.com. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      webdomain.com.
webdomain.com.  IN A 10.0.1.5
test    IN      A       10.0.1.20

then restart the server (e.g. /etc/init.d/bind9 restart).

Since the zone could not be loaded, due to the error, the domain could not be resolved.

Related

Cloning a VPS into a local VM?
Conflicts between ACLs and umask
Apache not Forwarding Client x509 Certificate to Tomcat via mod_proxy
Transition domain to new web host without waiting for DNS propagation
Which storage protocol to use for ESX storage?
SVN Authentication with LDAP and Active Directory
Updating Dell PowerEdge firmware on Ubuntu?
Send custom Host header with CloudFront
Simple one-way synchronisation of user password list between servers
403 Forbidden error on Mac OSX - Apache and nginx
Transparent firewall with nftables and VLANs
Secure remote RDP worker prevent file transfer