Can Bind return IP address of CNAME record for outside host on authoritative server?

I'm running BIND 9.9.4 in a master/slave configuration on Redhat 7.4 with chroot. The servers are set with the "recursion no;" option in the named.conf file. I have an entry in one of my zone files:

test    IN    CNAME    server.outsidedomain.com.

When I query the dns server for test.mydomain.com I would like it to return the IP address of server.outsidedomain.com but not "recurse" any other lookups (actually I have a handful of CNAME records that refer to hosts outside my domain).

Zone file snippet: (sanitized)

$TTL 3h
@                       IN  SOA ns01.mydomain.com.  admin.mydomain.com. (
                        2018032007   ; serial number
                        2h           ; refresh
                        1h           ; retry
                        4d           ; expire
                        1d           ; minimum (negative caching) TTL
)

@                       NS  ns01.mydomain.com.
@                       NS  ns02.mydomain.com.

test                    CNAME    server.outsidedomain.com.

named.conf snippet: (sanitized)

options {
    listen-on port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    allow-query-cache { 1.1.1.2; };
    allow-transfer { key "ns02.mydomain.com"; };

    recursion no;

    dnssec-enable yes;
    dnssec-lookaside auto;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    version "Unavailable";
};

nslookup output: (sanitized)

# nslookup test.mydomain.com
Server: 1.1.1.1
Address: ns01.mydomain.com

Name: server.outsidedomain.com

dig output: (sanitized)

dig test.mydomain.com

; <<>> DiG 9.11.3 <<>> test.mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36042
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.mydomain.com.            IN      A

;; ANSWER SECTION:
test.mydomain.com.     10800   IN      CNAME   server.outsidedomain.com.

I would like/expect to see: (sanitized)

# nslookup test.mydomain.com
Server: ns01.mydomain.com
Address: 1.1.1.1

Name: server.outsidedomain.com
Address: 5.5.5.5
Aliases: test.mydomain.com

John Malia

Posted 2018-03-26T18:18:44.877
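The difference between the dig output above and the expected output, as an added example that is not part of the question or of BIND itself: a small Python model of an authoritative-only server answering from its own zone data versus a recursive resolver chasing the CNAME chain across zones (with the loop guard every resolver needs). Zone names, records and addresses are constructed for illustration; the model is also why "recursion no;" is the right setting on a public authoritative server, since an open recursive server is abusable as a reflector.

```python
# Added example, not from the question: a small model of why a "recursion no"
# authoritative server returns only the CNAME while a recursive resolver
# returns the target's address. All zone data and addresses are constructed.
from typing import Dict, List, Optional, Tuple

MAX_CNAME_CHAIN = 8  # resolvers cap chain length to defeat CNAME loops
RR = Tuple[str, str, str]  # (owner, type, rdata)
# Constructed zone data: each authoritative server knows only its own zone.
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "mydomain.com.": {
        "test.mydomain.com.": ("CNAME", "server.outsidedomain.com."),
        "a.mydomain.com.": ("CNAME", "b.mydomain.com."),  # constructed loop
        "b.mydomain.com.": ("CNAME", "a.mydomain.com."),
    },
    "outsidedomain.com.": {
        "server.outsidedomain.com.": ("A", "198.51.100.5"),
    },
}

def zone_for(name: str) -> Optional[str]:
    """Zone that covers name, or None if no configured server is known for it."""
    for zone in ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def authoritative_answer(server_zone: str, qname: str) -> List[RR]:
    """Answer of a 'recursion no' server: records from its own zone only.
    An out-of-zone CNAME target is never chased, matching the dig output."""
    rrs = ZONES[server_zone]
    if qname not in rrs:
        return []
    rtype, rdata = rrs[qname]
    return [(qname, rtype, rdata)]

def recursive_resolve(qname: str) -> List[RR]:
    """What a recursive resolver does: follow the CNAME chain across zones,
    asking the authoritative server for each target, with a loop guard."""
    answer: List[RR] = []
    name = qname
    for _ in range(MAX_CNAME_CHAIN):
        zone = zone_for(name)
        if zone is None:
            return answer  # no server known for the target: chain ends unresolved
        rrs = authoritative_answer(zone, name)
        answer.extend(rrs)
        if not rrs or rrs[0][1] != "CNAME":
            return answer
        name = rrs[0][2]  # chase the alias to the next name
    raise RuntimeError("CNAME chain too long or looped: %s" % qname)
```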

This is kind of what recursion does. See the description here for how a remote-zone CNAME request is resolved: https://ns1.com/articles/comparing-alias-and-cname-records

– Frank Thomas – 2018-03-26T19:31:21.180

Why do you want it to return the IP address for the CNAME? This is contrary to how the DNS protocol works (if your nameserver is not authoritative for the zone where the CNAME target is). – Patrick Mevzek – 2018-03-26T21:49:34.827

Thank you. The article was helpful. You have confirmed how I thought things (should) work. I have a working knowledge of DNS and know enough to be dangerous. Thank you for sharing your knowledge!! – John Malia – 2018-03-28T14:36:44.017

No answers