
I have configured a zone in my bind9 installation. It's supposed to be a public nameserver which I am managing through a Python script for dyndns subdomains. But my main website is hosted by a 3rd party somewhere else, and in the near future I want to host it locally too. For now I want bind9 to look into the local database for name resolution and in case of failure redirect to (or fetch from) an external DNS. Here is my config, but it's not working for external queries (example.com and www.example.com).

$ cat /etc/bind/named.conf.local
include "/etc/bind/zones.rfc1918";
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { any; };
    update-policy local;
};

$ cat /etc/bind/zones/db.example.com
$ORIGIN .
$TTL 172800     ; 2 days
example.com               IN SOA  ns1.example.com. hostmaster.example.com. (
                          116        ; serial
                          7200       ; refresh (2 hours)
                          900        ; retry (15 minutes)
                          1857600    ; expire (3 weeks 12 hours)
                          8400       ; minimum (2 hours 20 minutes)
                          )
                    NS      ns1.example.com.
                    NS      ns1.external-host.com.
                    NS      ns2.external-host.com.
ns1.external-host.com      A       1.2.3.1
ns2.external-host.com      A       1.2.3.2

$ORIGIN example.com.
ns1                     A       1.1.1.1
@            IN         NS      ns1.external-host.com.
@            IN         NS      ns2.external-host.com.
www            IN         NS      ns1.external-host.com.
www           IN         NS      ns2.external-host.com.
clients                 A       1.1.1.1
$ORIGIN clients.example.com.
$TTL 3600       ; 1 hour
test                    A       2.2.2.2
Thomas
bakasan
  • Are you sure about "www IN NS ns1.external-host.com" and the other one? This looks strange. Certainly not something to do when you begin DNS configuration. – Patrick Mevzek Mar 17 '18 at 17:04
  • Your requirements are not clear to me, nor the content of your zone. The fact that the web hosting is by 3rd party has no consequences you just put their IP in the zone and that is all. OR a CNAME to a name they control if they want to be able to easily change the IP. – Patrick Mevzek Mar 17 '18 at 17:07

1 Answer

I think this is not possible because one of your name servers is local (not reachable from the other one). Technically, you may try the forwarders or multi-master option. But it's not a good way for a small setup even if it works.

DNS is based on the information of which server is the zone master; this is set by type. A zone master is responsible for having the current information, and therefore there should be only one (as there may be differences between instances). Zone slaves know the master and may ask it directly for the whole zone. If the master also knows its slaves, it is also able to transfer the whole zone. This is what you should do.

Keep the public name server where it is and keep it the master. In your local environment install a second bind and add the zone as slave. Also add the slave to the master so the automatic update works. To prove it, look into the logs of both; there should be AXFR or IXFR requests.

So your zone definitions may look like this, assuming master is 1.2.3.4 and slave 5.6.7.8:

master:

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 5.6.7.8; }; // only the slave may pull the zone
    also-notify { 5.6.7.8; };
    notify yes;
};

slave:

zone "example.com" {
    type slave;
    masters { 1.2.3.4; };        // required: where the slave fetches the zone from
    file "/etc/bind/zones/db.example.com"; // this is the file updated; named must be able to write it (on Debian usually /var/cache/bind)
    allow-notify { 1.2.3.4; };
    allow-transfer { 1.2.3.4; };
};

As you see, the slave needs to be reachable from the master as its address is statically configured.

michi.0x5d
  • The slave contacts the master. The NOTIFY sent by master is an **optional** feature to make convergence faster. But it is not mandatory. The slave will do regular checks, based on timing value in the SOA record, and start AXFR/IXFR queries towards the master. Also, this is not mandatory either. All nameservers could be provisioned by out of band means, like zonefiles being transferred through rsync over ssh from some central place. – Patrick Mevzek Mar 17 '18 at 17:03
  • I ended up creating a zone file for my subdomain and also keeping the existing nameserver ns1.external-host.com. on my domain provider, since I couldn't make changes on the external nameserver. Side question: shouldn't other public DNS like 8.8.8.8 and my domain-name provider etc. cache my records? Because every time I run nslookup or ping on my computer I can see the requests being relayed to my nameserver. – bakasan Mar 18 '18 at 08:10
  • @bakasan Yes, your entries should be cached, this is what TTL controls. In case you are using NS records as in your question, you redirect the DNS client to another nameserver. But 8.8.8.8 is not a single nameserver, instead it's a group reached by anycast (which is more complicated). If trying to ask 8.8.8.8 you have a chance to always get another server (which itself caches). Instead try to ask the DNS server of your ISP or set up a bind resolver (without zones!) to verify the cache. – michi.0x5d Mar 18 '18 at 08:49
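The answer above says to confirm the master/slave setup by looking for NOTIFY and AXFR/IXFR activity in the logs of both servers. The script below is an added example (not code from the answer, the question, or the BIND project) that does that check over named log lines: it reads the master's loaded serial and outgoing transfers, the slave's received NOTIFY and "transferred serial" line, reports whether the slave converged on the master's serial, and flags any transfer client that is not the configured slave (the kind of pull that `allow-transfer { any; }` in the question would permit). The log lines are constructed samples in the shape BIND 9 writes; the addresses 1.2.3.4 (master) and 5.6.7.8 (slave) are taken from the answer, and 9.9.9.9 is a made-up foreign client. As Patrick Mevzek's comment notes, NOTIFY is optional, so convergence is judged on the serials, not on the NOTIFY.

```python
"""Check master/slave zone-transfer convergence from BIND named log lines.

Added example, not part of the original answer. Log lines are constructed
samples in the format BIND 9 uses for notify, xfer-in and xfer-out messages.
"""
import re

# Master side: "zone example.com/IN: loaded serial 117"
LOADED = re.compile(r"zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)")
# Master side: "zone example.com/IN: sending notifies (serial 117)"
NOTIFY_SENT = re.compile(r"zone (?P<zone>\S+)/IN: sending notifies \(serial (?P<serial>\d+)\)")
# Master side: "client @0x... 5.6.7.8#40123 (example.com): transfer of 'example.com/IN': AXFR started"
XFR_OUT = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ \((?P<zone>\S+)\): "
    r"transfer of '\S+/IN': (?P<kind>AXFR|IXFR) started")
# Slave side: "zone example.com/IN: notify from 1.2.3.4#53: serial 117"
NOTIFY_RECV = re.compile(r"zone (?P<zone>\S+)/IN: notify from (?P<src>[\d.]+)#\d+: serial (?P<serial>\d+)")
# Slave side: "zone example.com/IN: transferred serial 117"
TRANSFERRED = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")

# Constructed sample logs (not real captures).
MASTER_LOG = """\
17-Mar-2018 17:00:01.123 general: info: zone example.com/IN: loaded serial 117
17-Mar-2018 17:00:01.125 notify: info: zone example.com/IN: sending notifies (serial 117)
17-Mar-2018 17:00:02.004 xfer-out: info: client @0x7f3a2c0 5.6.7.8#40123 (example.com): transfer of 'example.com/IN': AXFR started (serial 117)
17-Mar-2018 17:00:02.009 xfer-out: info: client @0x7f3a2c0 5.6.7.8#40123 (example.com): transfer of 'example.com/IN': AXFR ended
17-Mar-2018 17:05:40.300 xfer-out: info: client @0x7f3a2d0 9.9.9.9#51000 (example.com): transfer of 'example.com/IN': AXFR started (serial 117)
"""
SLAVE_LOG = """\
17-Mar-2018 17:00:01.900 notify: info: zone example.com/IN: notify from 1.2.3.4#53: serial 117
17-Mar-2018 17:00:01.901 xfer-in: info: zone example.com/IN: Transfer started.
17-Mar-2018 17:00:02.010 xfer-in: info: transfer of 'example.com/IN' from 1.2.3.4#53: connected using 5.6.7.8#40123
17-Mar-2018 17:00:02.012 xfer-in: info: zone example.com/IN: transferred serial 117
17-Mar-2018 17:00:02.013 xfer-in: info: transfer of 'example.com/IN' from 1.2.3.4#53: Transfer completed: 1 messages, 12 records, 310 bytes, 0.011 secs (28181 bytes/sec)
"""


def check_transfer(master_log, slave_log, zone, master_ip, slave_ip):
    """Correlate master and slave logs for one zone.

    Returns a dict with the master's current serial, whether the slave saw a
    NOTIFY from the master, which transfer type the slave used, the serial the
    slave ended up with, whether the two agree, and any transfer clients on the
    master that are not the configured slave.
    """
    result = {
        "master_serial": None,
        "notify_from_master": False,
        "transfer_kind": None,
        "transferred_serial": None,
        "unexpected_transfer_clients": [],
    }
    for line in master_log.splitlines():
        for rx in (LOADED, NOTIFY_SENT):
            m = rx.search(line)
            if m and m["zone"] == zone:
                result["master_serial"] = int(m["serial"])
        m = XFR_OUT.search(line)
        if m and m["zone"] == zone:
            if m["src"] == slave_ip:
                result["transfer_kind"] = m["kind"]
            else:
                # Someone other than our slave pulled the zone: worth an alert
                # when allow-transfer is left open.
                result["unexpected_transfer_clients"].append(m["src"])
    for line in slave_log.splitlines():
        m = NOTIFY_RECV.search(line)
        if m and m["zone"] == zone and m["src"] == master_ip:
            result["notify_from_master"] = True
        m = TRANSFERRED.search(line)
        if m and m["zone"] == zone:
            result["transferred_serial"] = int(m["serial"])
    # NOTIFY is optional; convergence means the serials match.
    result["converged"] = (
        result["transferred_serial"] is not None
        and result["transferred_serial"] == result["master_serial"]
    )
    return result


if __name__ == "__main__":
    report = check_transfer(MASTER_LOG, SLAVE_LOG, "example.com", "1.2.3.4", "5.6.7.8")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real files with the master and slave logs read from disk in place of the two constructed strings; a `converged` of False after the SOA refresh interval has passed means the slave is not actually pulling from the master, and a non-empty `unexpected_transfer_clients` list means the master's `allow-transfer` is wider than the one slave address.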