Re this setup:

My Public Authoritative DNS Server at <public dns ip>:

example.com.            A    <public webserver IP>
foo.bar.example.com.   TXT   "Hello World"

My Private Authoritative DNS Server at

foo.bar.example.com.    A    ""
bar.bar.example.com.  CNAME  "foo.bar.example.com"

So I have two authoritative DNS servers, one in the public domain, one in the private domain. I need the public one to serve some TXT records, but not A records, for a specific subset of domains. The private one needs to serve A and CNAME records, for internal use only, but will not serve TXT records.

If my clients have their DNS server IPs in the wrong order (public,private), is the public authoritative DNS server response going to prevent the private DNS server from being queried?


Client has resolv.conf set to:

<public dns ip>

If they run nslookup foo.bar.example.com from their console, will it resolve to or will the public DNS server tell them the name doesn't exist and to stop looking?


3 Answers


Resolving does not work like you think it does. When you have multiple lines in your resolv.conf they are used as a fallback: the system always uses the first nameserver, and only if it does not reply at all (which is different from replying that a name does not exist) will it then query the second one, and so on. This applies per query, basically.

You should set up things differently: have only one authoritative nameserver, and if you use bind, use its views mechanism to reply different things to different clients. Let the normal tree walking of the DNS by the clients find it.

But otherwise, in theory you are right: if the "public" server does reply and says NXDOMAIN, the search will stop there. Except you are mixing authoritative and recursive (the ones in resolv.conf), which is a very bad habit. And you still have a setup that is more complicated than needed, and it will give you problems later on.

Patrick Mevzek
  • You say it is more complicated than needed - I'm only giving the part of the story that's required to answer the question. This setup is done this way for a good reason. Also I'm not using `bind`; the public DNS is third-party controlled via API & webui. I'm not mixing authoritative and recursive, I have two authoritative - this is the problem. – StampyCode Dec 12 '17 at 14:50
  • Putting an authoritative nameserver IP inside a `/etc/resolv.conf` file is clearly mixing authoritative and recursive as this file is only there to list recursive nameservers to use. You may have your reasons you do not wish to disclose, but based on what you say I can tell you this is not a recommended setup and I gave you ideas to do differently, as you clearly have some false ideas on how the DNS works. Sorry not to be able to do more. – Patrick Mevzek Dec 12 '17 at 14:56
  • Ahh I didn't realise you were saying mixing them in the `resolv.conf` file was the problem - yeah I agree with you there, we don't do that, but was just using this as an example to illustrate the use of duplicate internal/external authoritative servers. – StampyCode Dec 13 '17 at 11:22
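To make the fallback rule in this answer concrete, here is a small Python model (added here, not code from the thread) of a stub resolver walking a resolv.conf list loaded with the question's two servers. It assumes glibc-style behaviour, namely that each pass tries the servers in order, a non-reply moves on to the next one, and any reply (NXDOMAIN, or NOERROR with no data, which is what the public server actually returns for foo.bar.example.com/A since it holds the name with a TXT only) ends the query; `<private IP>` is a placeholder.

```python
"""Constructed model of a stub resolver walking a resolv.conf nameserver list.

Each nameserver is a callable that returns (rcode, rdata) or raises
TimeoutError to represent "no reply at all". Behaviour modelled on glibc
(an assumption, not from the thread): 'attempts' passes over the list,
a timeout moves to the next server, any reply ends the query.
"""
from typing import Callable, Dict, List, Optional, Tuple

Zone = Dict[str, Dict[str, str]]
Answer = Tuple[str, Optional[str]]
Server = Callable[[str, str], Answer]

# The two authoritative servers from the question, as record tables.
PUBLIC_ZONE: Zone = {
    "example.com.": {"A": "<public webserver IP>"},
    "foo.bar.example.com.": {"TXT": '"Hello World"'},
}
PRIVATE_ZONE: Zone = {
    "foo.bar.example.com.": {"A": "<private IP>"},  # placeholder value
    "bar.bar.example.com.": {"CNAME": "foo.bar.example.com."},
}


def make_server(zone: Zone) -> Server:
    """Build an authoritative server that answers only from its own zone."""
    def answer(name: str, rtype: str) -> Answer:
        if name not in zone:
            return ("NXDOMAIN", None)          # name does not exist at all
        return ("NOERROR", zone[name].get(rtype))  # None => NODATA reply
    return answer


def unreachable(name: str, rtype: str) -> Answer:
    """A nameserver that never replies (network down, filtered, etc.)."""
    raise TimeoutError(f"no reply for {name}/{rtype}")


def resolve(nameservers: List[Server], name: str, rtype: str,
            attempts: int = 2) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (rcode, rdata, index of the server that answered).

    Only a non-reply falls through to the next server; a negative answer
    is final, so the later servers in the list are never consulted.
    """
    for _ in range(attempts):
        for idx, ns in enumerate(nameservers):
            try:
                rcode, rdata = ns(name, rtype)
            except TimeoutError:
                continue                       # try the next nameserver
            return rcode, rdata, idx           # any reply ends the query
    return "SERVFAIL", None, None              # nobody replied at all
```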

This is a common setup in Windows networks, where (due to Active Directory DNS integration) the recursive resolver is also the authoritative server for those DNS zones.

If a zone with the same name (but different records) also exists in public DNS, attempts to query the public records will terminate at the internal recursive resolver (as it is authoritative for that zone, it can authoritatively state that the record does not exist); thus the public zone is masked by the private zone for any client using the private resolver.

  • From Windows DNS Server help file: "Important: A DNS server cannot forward queries for the domain names in the zones it hosts. For example, the authoritative DNS server for the zone widgets.example.com cannot forward queries according to the domain name widgets.example.com. The DNS server authoritative for widgets.example.com can forward queries for DNS names that end with hr.widgets.example.com, if hr.widgets.example.com is delegated to another DNS server." – CGretski Jan 09 '18 at 20:32

In my opinion, if your <public dns ip> does not have the A record for the domain, then it will definitely go to the secondary DNS server.

  • I'm gonna need a more authoritative response... It makes sense in my mind that the authoritative server would say "no and stop looking" and it would be totally justified to do so. I'm just not sure if that's what actually happens. – StampyCode Dec 12 '17 at 12:47