
I have a Windows AD domain: contoso.local. I want to forward all requests for some.contoso.local to another DNS server through a forwarding DNS server:

contoso.Local.DNS => Proxy.DNS => some.contoso.local.DNS

I cannot allow direct forwarding from contoso.Local.DNS => some.contoso.local.DNS for some reason. Proxy.DNS is required.

Proxy.DNS is a simple Bind9 machine with this config (partial):

// forward-only zone: answer nothing locally, pass every query for
// some.contoso.local on to the upstream server
zone "some.contoso.local" {
  type forward;
  forward only;
  forwarders { 1.2.3.4; };
};

On contoso.Local.DNS there is an NS record saying some.contoso.local NS ip.of.Proxy.DNS

Problem:

  • When I query a.some.contoso.local directly through Proxy.DNS, everything is OK.
  • When I query a.some.contoso.local through contoso.Local.DNS, the query fails.

The reason, I think, is that contoso.Local.DNS sends the query to Proxy.DNS with flags = 0x0000, while the nslookup client sets flags = 0x0100. This bit means "Allow recursive request".

Can I somehow override this problem, either to

  • tell Windows DNS to set the "Allow recursive request" bit, or
  • make Bind9 ignore that this bit is not set,
  • or any other way?
filimonic

2 Answers

Following the NS record is part of recursive resolution, so at this point it has already been decided that contoso.local.DNS is going to be the recursive resolver responsible for the entire query.

So the query being sent out is not the final query, but rather the next step, and the proxy would not be able to know what the client wants. At the same time, forward-only servers do not expect queries with "recursion desired" clear, since all they can do is forward to another (recursive) server, which may or may not be authoritative for the current query; but queries sent as part of a recursive lookup always need to be directed at a server that is authoritative.

Since a forward-only server is never authoritative, it needs to reject non-recursive queries; that is what you are seeing, but altering the flag isn't sufficient.

Simon Richter
  • And is there ANY way to override it except direct forwarding without any kind of proxy? Override this flag on Proxy.DNS, or tell contoso.local.DNS to allow forwarding (I cannot create a Conditional Forwarder on Windows DNS for a subzone). Will creating a stub zone on Proxy.DNS help me? – filimonic Apr 15 '21 at 13:06
  • @filimonic, no. This is not the final query. If you build something tricky to get this query answered, the origin server will disregard the additional records it didn't ask for, and send another query to another server it is not allowed to talk to. – Simon Richter Apr 15 '21 at 13:20

[Answering myself] You should create both: an NS record and a Conditional Forwarder.

First, create an NS record for some.contoso.local on contoso.local.DNS (on Windows Server: right-click the zone name -> New Delegation ...) and specify the name of the some.contoso.local.DNS server (the real master of this zone).

This guarantees that in case of zone transfers of the contoso.local zone, the secondary server receives the information that some.contoso.local is hosted by some.contoso.local.DNS and will avoid answers like "no such host".

To avoid validation (if the some.contoso.local.DNS server is not accessible from contoso.local.DNS), you should create this record through PowerShell.


At this step, if you're not using a proxy, you're finished. Windows DNS will automatically forward to the NS specified, but those queries will be non-forwardable.

If you need to forward queries not directly to the NS server but through a proxy, see the next step.


Second: only once the first step is done, the Windows Server DNS MMC snap-in will allow you to create a conditional forwarder for zone some.contoso.local to ANY server you want. Here you write the forwarder Proxy.DNS. This solves the problem of the some.contoso.local.DNS server being inaccessible from the contoso.local.DNS server: all queries are forwarded unmodified this way:

Client => contoso.Local.DNS => Proxy.DNS => some.contoso.local.DNS

filimonic
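The two steps of the accepted procedure, scripted for the contoso.local DNS server. This is an added example, not code from the original answer; the name server hostname and the addresses of some.contoso.local.DNS and Proxy.DNS are assumed placeholders, and the glue A record is only needed because the assumed NS name lies inside the delegated zone.

```powershell
# Added example (not from the original answer). Run on contoso.local.DNS.
$ParentZone  = 'contoso.local'
$SubZone     = 'some'                     # the delegated child: some.contoso.local
$SubZoneFqdn = "${SubZone}.${ParentZone}"
$SubZoneNS   = 'ns1.some.contoso.local'   # ASSUMED name of some.contoso.local.DNS
$SubZoneNSIP = '192.0.2.10'               # ASSUMED address of that server (documentation range)
$ProxyIP     = '192.0.2.53'               # ASSUMED address of Proxy.DNS

# Step 1: delegation record. Unlike the "New Delegation" wizard, this does not
# try to contact the delegated server, so it works when some.contoso.local.DNS
# is unreachable from here (the "avoid validation" point in the answer).
Add-DnsServerResourceRecord -ZoneName $ParentZone -Name $SubZone -NS -NameServer $SubZoneNS

# Glue A record for the name server; required because its name is inside the
# zone being delegated and could not otherwise be resolved from the parent.
Add-DnsServerResourceRecordA -ZoneName $ParentZone -Name "ns1.${SubZone}" -IPv4Address $SubZoneNSIP

# Step 2: conditional forwarder for the child zone, pointing at the proxy
# instead of the real master. Forwarded queries are sent with RD=1, which is
# what the forward-only Bind9 proxy expects, so the flags=0x0000 rejection
# from the question no longer occurs.
Add-DnsServerConditionalForwarderZone -Name $SubZoneFqdn -MasterServers $ProxyIP

# Checks: the delegation exists in the parent zone, and a name in the child
# zone now resolves through this server (i.e. via Proxy.DNS).
Get-DnsServerResourceRecord -ZoneName $ParentZone -Name $SubZone -RRType NS
Resolve-DnsName -Name "a.${SubZoneFqdn}" -Type A -Server localhost
```

If the last line still fails, query Proxy.DNS directly with Resolve-DnsName -Server $ProxyIP to separate a proxy-side problem from the forwarder configuration on this server.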