
We're doing business with, let's say, a.com, which is traceable through the root servers. The company behind a.com also provides a private DNS server, which is available only through a VPN and is needed to resolve services hosted on sub-domains.

We created a forwarding for one of those subdomains/services, sub.a.com. This works pretty OK; however, querying for sub.a.com also makes their private nameserver return

;; AUTHORITY SECTION:
a.com.      31672   IN  NS  dns002.dmz.local.
a.com.      31672   IN  NS  dns001.dmz.local.

This is wrong, but BIND now caches the NS records for a.com learned through their private nameserver. Subsequent queries for a.com now fail, as their private nameserver is now authoritative but says that an A record does not exist.

I understand the problem is on the side of a.com. However, they're unwilling to fix their setup. Can I tell BIND to only forward and allow cache updates for the domain I'm forwarding for, in this case sub.a.com?

hbogert
  • Bind supports the [response policy zone](https://en.wikipedia.org/wiki/Response_policy_zone) which is a method to use your own resolver to fix (or break...) the internet. Most likely you could use a [`NSDNAME` or `NSIP`](http://www.zytrax.com/books/dns/ch7/rpz.html#policy-nsdname-trigger) trigger to fix your problem. – HBruijn Sep 05 '17 at 12:51
  • Why would BIND accept a NS record for `a.com` from the private DNS server in the first place? Does BIND trust a forwarded-to DNS server that much? – hbogert Sep 05 '17 at 15:07
  • @HBruijn That'd offline the "bad" nameservers, but wouldn't help inject the correct nameservers, I think. – Andrew B Sep 06 '17 at 01:11
  • @hbogert If that is truly working as you've described (which we can't help you confirm with the information given), you should probably contact the developers of BIND. Using out-of-zone authority information learned from a forwarder definitely sounds like a bug. As a dirty hack you could try defining a forwarder for `a.com` that points at the IP addresses of the internet-facing nameservers, but if I were in your shoes my goal would be working with ISC to eliminate the need for that config ASAP. – Andrew B Sep 06 '17 at 01:13
  • @AndrewB Can't reproduce with Bind 9.10. Though, I'm eager to know what changed between 9.9.5 and 9.10.3 to cause this change in behaviour. – hbogert Sep 06 '17 at 09:04
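The cache-admission rule the question asks for is a bailiwick check: a resolver that forwards sub.a.com to a private server should only accept records whose owner name lies at or below sub.a.com, so the out-of-zone a.com NS records in the quoted AUTHORITY SECTION are discarded rather than displacing the public delegation. The following is an added example in plain Python, not code from the question, the commenters, or BIND; the answer-section record it uses is a constructed sample, and the `admit`, `in_bailiwick` and `parse_dig_section` helpers are hypothetical names chosen for this illustration.

```python
"""Bailiwick filter for records learned from a forwarder.

Added example (not code from the question, nor from BIND): it models in plain
Python the cache-admission rule the question asks for. With a forward zone for
sub.a.com, a resolver should only cache records whose owner name sits at or
below sub.a.com. The a.com NS records from the AUTHORITY SECTION quoted in the
question fail that test and are dropped, so they can never replace the public
delegation for a.com. The answer-section record below is a constructed sample.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    # DNS names compare case-insensitively and the trailing dot is optional.
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    # True when owner is the zone itself or a descendant of it. The leading "."
    # in the suffix test stops "notsub.a.com" from matching zone "sub.a.com".
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def parse_dig_section(text: str) -> list[RR]:
    # Parse presentation-format lines like the ones dig prints; ";" lines are
    # comments, and the fields are owner, TTL, class, type, rdata.
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _klass, rtype, rdata = line.split(None, 4)
        records.append(RR(owner, int(ttl), rtype, rdata))
    return records


def admit(forward_zone: str, *sections: Iterable[RR]) -> tuple[list[RR], list[RR]]:
    # Split records from any response section into those the cache may accept
    # and those it must discard because they lie outside the forwarded zone.
    accepted, rejected = [], []
    for section in sections:
        for rr in section:
            (accepted if in_bailiwick(rr.owner, forward_zone) else rejected).append(rr)
    return accepted, rejected


# Constructed answer section (the question does not show one).
SAMPLE_ANSWER = "sub.a.com.      300     IN  A   10.0.0.5"

# AUTHORITY SECTION exactly as quoted in the question.
SAMPLE_AUTHORITY = """
;; AUTHORITY SECTION:
a.com.      31672   IN  NS  dns002.dmz.local.
a.com.      31672   IN  NS  dns001.dmz.local.
"""


def demo() -> tuple[list[RR], list[RR]]:
    # Apply the rule for the forward zone from the question.
    return admit(
        "sub.a.com",
        parse_dig_section(SAMPLE_ANSWER),
        parse_dig_section(SAMPLE_AUTHORITY),
    )


if __name__ == "__main__":
    ok, dropped = demo()
    for rr in ok:
        print("cache  ", rr.owner, rr.rtype, rr.rdata)
    for rr in dropped:
        print("discard", rr.owner, rr.rtype, rr.rdata, "(outside sub.a.com)")
```

Running the script keeps the sub.a.com A record and discards both a.com NS records. A real resolver applies the same rule per response section (answer, authority, additional); the point of the comments above is that BIND already does this for iterative resolution, which is why accepting out-of-zone authority data from a forwarder was treated as a bug rather than a configuration knob.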

0 Answers