RE: Bind DNS Question

Old 06-30-2004
Lucas, David
 

Kevin,

Ok, sorry. I've changed it back to have the Root domain. So now when I
perform the command 'dig @10.254.128.1 www.microsoft.com' I get 10.254.128.1
which is what I would suspect. I believe this is your suggestion. Now, you
mention tinkering with "exceptions" to the wildcard-matching. I believe
this is beyond my expertise. If you give me an example of this I'll be able
to take it from there.

Here is the named.conf file:

options {
    directory "/var/named";
    listen-on { 10.254.128.1; };
};

zone "." in {
    type master;
    file "test.hosts";
};

And here is the contents of test.hosts:

$TTL 86400
. IN SOA register-128.unh.edu. root.register-128.unh.edu. (
        1        ; serial
        10800    ; refresh
        3600     ; retry
        604800   ; expire
        900 )    ; minimum (negative-caching TTL)
  IN NS register-128.unh.edu.
register-128 86400 IN A 10.254.128.1
*. 86400 IN A 10.254.128.1
register.unh.edu 86400 IN A 10.254.128.1

Dave

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf
Of Kevin Darcy
Sent: Tuesday, June 29, 2004 7:59 PM
To: bind-users@isc.org
Subject: Re: Bind DNS Question

Dave,
You're doing things out of order. If you want all names to resolve
to a particular IP address, then the first and foremost thing you need to do
is set up a root zone with a wildcard A record in it.
From what you said -- "(This is working today)" -- I thought you had
already done that. *After* you have your root zone set up, then you can
start tinkering with "exceptions" to the wildcard-matching, like
microsoft.com.

The reason your first named.conf didn't work is because you haven't defined
a root zone anywhere in it. When that happens, named uses a compiled-in list
of Internet root nameservers. But it can't use those nameservers since you
(presumably) have no direct Internet connectivity.
So it thrashes around trying to get the root information and basically can't
resolve much of anything.

The reason your second named.conf didn't work the way you wanted is because
you defined "global" forwarding. Now named can get the root-zone information
all right (through the forwarders), but *all* queries then get forwarded by
default (if they are not found in cache), thus making the per-domain
forwarding for microsoft.com superfluous, and not meeting the requirements
as you have described them.

So, to repeat: set up your root domain with a wildcard in it. Then we can
talk about how to override that for microsoft.com specifically.



- Kevin

Lucas, David wrote:

>Kevin,
>
>Thanks for responding to my question.
>
>Here is the current named.conf file:
>
>options {
> directory "/var/named";
> listen-on { 10.254.128.1; };
> };
>
>zone "microsoft.com" in {
> type forward;
> forwarders { x.x.x.x; y.y.y.y; };
> forward only;
> };
>
>When I perform the following command 'dig @10.254.128.1 www.microsoft.com' I
>get, "connection timed out; no servers could be reached" but as soon as I
>make the following change into the named.conf file it works!!
>
>options {
> directory "/var/named";
> listen-on { 10.254.128.1; };
> forwarders { x.x.x.x; y.y.y.y; };
> };
>
>zone "microsoft.com" in {
> type forward;
> forwarders { x.x.x.x; y.y.y.y; };
> forward only;
> };
>
>I'd like to get this portion to work first before I try to add the Root into
>the mix. I thought I read somewhere that you need to specify forwarders
>under options in order to get forwarding to work. Of course, I can't find
>where I read that, or I may be dreaming it!!! If that is the case then why
>is there an option to add forwarders under a zone??
>
>Thanks in advance for any help that anyone can give me!!!
>
>Dave
>
>-----Original Message-----
>From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf
>Of Kevin Darcy
>Sent: Monday, June 28, 2004 11:12 PM
>To: bind-users@isc.org
>Subject: Re: Bind DNS Question
>
>Lucas, David wrote:
>
>>Hello Everyone,
>>
>>I was wondering if any Bind experts can help me out with this one. I'm
>>working on our campus network registration system and would like to
>>accomplish the following:
>>
>>1. A computer, when it is in the Unknown state, will get a
>>"Bogus" DNS server. That DNS server thinks it's the root server for
>>everything. So when a user types www.cnn.com they resolve to a webpage
>>that we specify.
>>(This is working today)
>>
>>2. I want a user to be able to get to windowsupdate.microsoft.com from
>>our private addresses that are assigned when a computer is in the unknown
>>state.
>>Now, I have half this working. I have a proxy server that is
>>restricting access to only Microsoft. When I bring everything onto the
>>same DNS server it does not work. Basically for the proxy server to
>>work correctly I need to have the public addresses resolved via DNS. I
>>only want public addresses to be handed out for domains that I specify.
>>
>>This is what I have tried:
>>
>>- I have tried to set a forward for zone microsoft.com, well it
>>forwards all requests to the public DNS servers, which in turn gives me
>>public addresses for everything.
>
>How did you specify forwarding? With a "type forward" zone, e.g.
>
>zone "microsoft.com" {
> type forward;
> forwarders { x.x.x.x; y.y.y.y; };
> forward only;
>};
>
>? Or did you put the "forwarders" and/or "forward only" in the "options"
>block? I can't imagine how "everything" could have started forwarding if
>forwarding was only defined for microsoft.com...
>
>> I don't want this, I only want Microsoft's public addresses.
>>- I've tried to specify a NS record for Microsoft and that too didn't
>>work, actually it killed everything for resolving the names.
>
>Actually, you may need to do *both* delegation and a "type forward"
>zone. If you have a "fake" root zone with a wildcard A record in it (I
>assume this is how you implemented #1 above), named may need to see a
>delegation for microsoft.com before it will forward queries for that domain.
>Otherwise, since it is authoritative for the root zone, it'll just "know"
>that microsoft.com doesn't exist. In this case, it doesn't really matter to
>_what_ you delegate microsoft.com, since all of the queries will be
>forwarded anyway. Just make up some bogus nameserver names and addresses.
>
> - Kevin


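The thread never shows the two name-server rules Kevin's advice rests on: the root-zone wildcard (`*.`) answers for any name the zone does not otherwise know, and an NS record below the apex creates a zone cut, so names under it get a referral (which a "type forward" zone then hands to the forwarders) instead of a wildcard answer. The following toy model, added here as an illustration and not BIND's code or anything from the thread, implements both rules over a root zone shaped like the posted test.hosts and checks the queries discussed. It goes one step beyond the thread by showing the empty-non-terminal caveat: once microsoft.com is delegated, "com." exists as an empty node in the zone and blocks "*.", so a "*.com." record is needed to keep the catch-all working for other .com names. The delegation target ns.placeholder.invalid. is a constructed placeholder, and x.x.x.x / y.y.y.y are the thread's own placeholders for the public forwarders.

```python
"""Toy model of how an authoritative server answers from a 'fake root' zone.

Added illustration for this thread, not BIND's code. It implements RFC 1034/4592
wildcard matching (the "*." catch-all, including the closest-encloser rule) and
zone cuts (an NS RRset below the apex turns the name into a delegation, which a
"type forward" zone then hands to forwarders).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def canon(name: str) -> str:
    """Lower-case absolute form: 'www.cnn.com' -> 'www.cnn.com.'; root is '.'."""
    name = name.lower().rstrip(".")
    return "." if not name else name + "."


def parent(name: str) -> Optional[str]:
    """Parent of 'a.b.c.' is 'b.c.'; parent of 'c.' is '.'; the root has none."""
    if name == ".":
        return None
    rest = name.rstrip(".").split(".")[1:]
    return "." if not rest else ".".join(rest) + "."


@dataclass
class Zone:
    apex: str
    rrsets: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)
    nodes: Set[str] = field(default_factory=set)  # owners plus empty non-terminals

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        owner = canon(owner)
        self.rrsets.setdefault((owner, rtype), []).append(rdata)
        node: Optional[str] = owner
        while node is not None:  # every ancestor becomes a (possibly empty) node
            self.nodes.add(node)
            node = parent(node)

    def lookup(self, qname: str, qtype: str) -> Tuple[str, str, List[str]]:
        """Return (status, matched name, rdata) the way an authoritative server would."""
        qname = canon(qname)
        # 1. Zone cut: an NS RRset at the name or any ancestor below the apex
        #    means the name is delegated; answer with a referral, not the wildcard.
        node: Optional[str] = qname
        while node is not None and node != self.apex:
            if (node, "NS") in self.rrsets:
                return ("REFERRAL", node, self.rrsets[(node, "NS")])
            node = parent(node)
        # 2. Exact match (an existing node with no data of that type is NODATA).
        if qname in self.nodes:
            return ("NOERROR", qname, self.rrsets.get((qname, qtype), []))
        # 3. Wildcard: walk up to the closest existing ancestor (closest encloser)
        #    and synthesise from "*.<closest encloser>" only if that wildcard exists.
        encloser = parent(qname)
        while encloser not in self.nodes:
            encloser = parent(encloser)
        wild = "*." if encloser == "." else "*." + encloser
        if wild in self.nodes:
            return ("NOERROR", wild, self.rrsets.get((wild, qtype), []))
        return ("NXDOMAIN", encloser, [])


def build_fake_root(delegate_microsoft: bool = True) -> Zone:
    """Root zone shaped like the thread's test.hosts (constructed sample data)."""
    z = Zone(apex=".")
    z.add(".", "SOA", "register-128.unh.edu. root.register-128.unh.edu. 1 10800 3600 604800 900")
    z.add(".", "NS", "register-128.unh.edu.")
    z.add("*.", "A", "10.254.128.1")                 # catch-all for unknown names
    z.add("register.unh.edu.", "A", "10.254.128.1")  # the extra A record from the post
    if delegate_microsoft:
        # Kevin's "exception": delegate microsoft.com to a made-up server name
        # (placeholder; as he notes, the target does not matter when forwarding).
        z.add("microsoft.com.", "NS", "ns.placeholder.invalid.")
        # The delegation makes "com." an empty non-terminal, which blocks "*.",
        # so a wildcard one level down is needed to keep other .com names caught.
        z.add("*.com.", "A", "10.254.128.1")
    return z


# Per-domain forwarding as in the posted "type forward" zone (x.x.x.x / y.y.y.y
# are the thread's placeholders for the real public resolvers).
FORWARD_ZONES: Dict[str, List[str]] = {"microsoft.com.": ["x.x.x.x", "y.y.y.y"]}


def answer(zone: Zone, qname: str, qtype: str = "A") -> Tuple[str, List[str]]:
    """What the thread's named does: answer from the fake root, except that names
    under a delegated domain with a matching forward zone go to the forwarders."""
    status, owner, rdata = zone.lookup(qname, qtype)
    if status == "REFERRAL" and owner in FORWARD_ZONES:
        return ("FORWARD", FORWARD_ZONES[owner])
    return (status, rdata)


if __name__ == "__main__":
    for q in ("www.cnn.com", "windowsupdate.microsoft.com", "www.register.unh.edu"):
        print(q, "->", answer(build_fake_root(), q))
    print("www.microsoft.com without delegation ->",
          answer(build_fake_root(delegate_microsoft=False), "www.microsoft.com"))
```

The third query shows the same caveat already present in the posted zone: because register.unh.edu exists, www.register.unh.edu (and any name under unh.edu or edu) has a closest encloser other than the root, so "*." does not apply and the server returns NXDOMAIN rather than the catch-all address. Every extra name or delegation added to a wildcard root zone needs a matching wildcard beneath it if the catch-all is meant to keep covering that branch.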

