LinuxQuestions.org

Thread URL: https://www.linuxquestions.org/questions/linux-server-73/bind-dns-server-answer-a-few-records-for-another-domain-582962/

humbletech99 09-07-2007 11:34 AM

Bind DNS Server - answer a few records for another domain?
 
I have some Bind DNS Servers which I need to be able to resolve some addresses for anotherdomain.com which are not publicly available from anotherdomain.com's DNS servers.

I still want my DNS servers to forward the rest of the anotherdomain.com requests to the real DNS servers for that domain if I don't have a local record.

I have been going round the internet all day trying to figure this out and testing one DNS server with a stub zone, a forward zone etc, but so far no luck. All I've learnt is that I don't even know if this can even be done, but I must do it.

The only alternatives to my DNS servers answering a few names and forwarding the rest for anotherdomain.com are:

1. Host a full zone for anotherdomain.com (but I don't have all the records, so this would cut my users off from the rest of anotherdomain.com's addresses which I don't have)
2. Go round and add a hosts file to every single dang machine in my company to point to those few resources in anotherdomain that I need which aren't publicly available.


Any ideas how I can solve this problem?

JimBass 09-07-2007 10:11 PM

Yes, it is relatively easy to do, but only if what you are looking to hold for yourself are full subdomains. It doesn't matter what those subs are, www, mail, or ahdsjahfsa. As long as it is something before the domain name, it can be done.

In your named.conf, define the specific subdomain in its own zone, for example mail.anotherdomain.com. Then your server will only answer queries from your machines for mail.anotherdomain.com, but would still forward anythingelse.anotherdomain.com to the anotherdomain.com nameservers.

Seriously though, what you are doing is either wrong in the first place or just a bad idea. If the other domain doesn't publicly define these other subdomains, why use them? If you are doing something legal, they could identify your server as a slave for their full zone or at least these subdomains you are interested in, and you can run as a slave for these subs.

Peace,
JimBass
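The setup JimBass describes, written out as an added example (not configuration from the thread): BIND is made authoritative for exactly one name under anotherdomain.com, and every other name in that domain falls outside any local zone, so normal recursion answers it. The zone name, file path, nameserver names and the 10.20.30.40 address are placeholders.

```bind
// named.conf (excerpt). Placeholder names and addresses throughout.
options {
    directory "/var/named";
    recursion yes;   // everything not in a local zone is resolved normally
};

// Authoritative for this single name only. A query for
// anythingelse.anotherdomain.com does not match this zone (BIND picks the
// closest enclosing zone it has, and there is none), so it is recursed to
// the real anotherdomain.com nameservers.
zone "intranet.anotherdomain.com" IN {
    type master;
    file "intranet.anotherdomain.com.zone";
    // Only our own clients should ever see this private override.
    allow-query { 10.0.0.0/8; 127.0.0.1; };
};

// ---- /var/named/intranet.anotherdomain.com.zone ----------------------
// A one-name zone is a normal zone: it still needs its own SOA and NS.
$TTL 3600
@   IN  SOA  ns1.mycompany.example. hostmaster.mycompany.example. (
            2007090701 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN  NS   ns1.mycompany.example.
    IN  A    10.20.30.40   ; private address reachable over the VPN

// Caveat: any name *below* this apex (e.g. www.intranet.anotherdomain.com)
// now belongs to this local zone and returns NXDOMAIN unless you add it.

// Sanity checks before reloading:
//   named-checkconf /etc/named.conf
//   named-checkzone intranet.anotherdomain.com /var/named/intranet.anotherdomain.com.zone
```

Because these answers are invented locally, a DNSSEC-validating client behind this server will not trust them if anotherdomain.com is a signed zone.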

humbletech99 09-09-2007 12:00 PM

Thanks for that.

You mean I have to define a whole zone for each host.anotherdomain.com?

and leave the zone as the only record for hostaszone.anotherdomain.com?

Reason for this: basically we have been bought by a bigger company and they have granted us access to an intranet and one or two other sites. There are no public dns records because they are internal services that we are using through a limited vpn. The paths on the websites are hard coded so we must have those resolve one way or the other.

JimBass 09-09-2007 03:52 PM

It has to do with your ability to define the default company.com, and the ability to pass requests for the other names on to the main company default nameserver. If you didn't define site1.company.com and site2.company.com explicitly, but rather simply did company.com, then any request to your DNS server wouldn't get passed on to the company.com DNS.

You could get them to email you their full zone, and then install that as company.com on your machine. That might be the most elegant and simple way to do this.

Otherwise, yes, you will have to define each subdomain explicitly on your named.conf.

Peace,
JimBass

humbletech99 09-09-2007 04:44 PM

Ok thanks, I'll try that tomorrow when back at work.

Appreciate the help.

JimBass 09-09-2007 06:06 PM

No problem. Write back if something doesn't work.

Peace,
JimBass

humbletech99 09-10-2007 06:17 AM

Thanks, that seems to work really well.

GiladGruber 06-16-2010 08:26 AM

More info please
 
I need to do a similar thing. I would like to handle just one sub-domain of a foreign domain. In the named.conf I added a section with the subdomain I would like to handle, and indeed all other subdomains of the foreign domain are not handled by me. I have a problem with the subdomain I am trying to handle. Can you please post a zone file that handles this?

Many Thanks,

G

JimBass 06-16-2010 08:41 AM

If you have the subdomain defined in your named.conf (or named.conf.local, or whatever your distro uses for listing the zones), then all you need to do is create the subdomain zone file. There is nothing special about that file at all. The same way you can do "yoursite.org" in named.conf and have a yoursite.org where your zone files live, you can just as easily have yoursub.theirdomain.com and yoursub.theirdomain.com with the zone files. Try using the tools named-checkconf and named-checkzone on your config and zone files.

GiladGruber 06-16-2010 10:18 AM

Thanks,

I have it almost working with one issue that seems to be a show stopper. I want to act as a proxy for a subdomain, so I want the request to get to me and then I want to redirect it to another server using a CNAME record; I can't use an A record as the IP address of where I would like to redirect keeps changing (Amazon ELB). And when I use a CNAME, named-checkzone complains about the CNAME.

NR,

G

JimBass 06-16-2010 01:02 PM

This sounds like a very bad idea, or at least a poorly planned one.

To begin with, CNAME records are not a problem, if named-checkzone is complaining about it, then you must have done something wrong with the setup. I (and most BIND users) have CNAME records in plenty of zones, and named-checkzone doesn't report any problems with them.

Secondly, if you're going to allow the zone to be resolved by its authoritative DNS server, why are you interrupting that process to proxy it? I've had businesses ask me to "break" DNS for them, and I've done that, but broken is broken. What I mean by that is if a business doesn't want their users going to any myspace pages on the company network, you can define the zone *myspace.com and direct it to an internal address (preferably a page that says, "Company X doesn't allow you to visit myspace from your work machine"), but I can't see why you'd get in the middle of resolving an address by an authoritative nameserver that you're going to forward to that nameserver anyway?

Please explain specifically what you're trying to do, why you're trying to proxy a DNS request (do you understand how a name server caches names), and print the actual named-checkzone output if that is where the issue lies.

Peace,
JimBass
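An added illustration of the named-checkzone complaint Gilad reports (not a file from the thread; the zone name, nameserver and target names are placeholders): in a one-label zone the apex already owns the SOA and NS records, and RFC 1034 forbids a CNAME at any name that carries other data, so a CNAME at the apex is rejected while the same CNAME one label down is fine.

```bind
; yoursub.theirdomain.com.zone (placeholder names)
; named-checkzone yoursub.theirdomain.com yoursub.theirdomain.com.zone
$TTL 300
@   IN  SOA  ns1.yoursite.example. hostmaster.yoursite.example. (
            2010061701 ; serial
            600        ; refresh
            300        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN  NS   ns1.yoursite.example.

; REJECTED: the apex (@) already has SOA and NS data, and a CNAME may not
; share an owner name with any other record type.
;@  IN  CNAME elb-placeholder.example.

; Legal alternative (a): an address record at the apex. A short $TTL
; limits how long a stale load-balancer address is cached.
@   IN  A     203.0.113.10

; Legal alternative (b): a CNAME one label below the apex. The name
; www.yoursub.theirdomain.com owns nothing else, so the CNAME is valid.
www IN  CNAME elb-placeholder.example.
```

The same rule applies to ordinary zones: named-checkzone accepts CNAMEs anywhere except at an owner name that also holds SOA, NS, MX, TXT or any other record.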

GiladGruber 06-17-2010 04:18 AM

Hi Jim,

I need to do a slight twist on your *myspace blocking. I need to get the request, inspect it and allow (based on content) some of the requests to pass on their way.

BR,

G

JimBass 06-18-2010 08:24 AM

Then you don't need my *myspace blocking, that blocks every address that ends in myspace.com.

First and foremost, DNS is not the place to do website blocking. That is something that should be left to a content filter/proxy/firewall.

Second, all that is in a DNS query is what the client asked for, and in the reply is the address it should be sent to. In light of that, if for some reason you wanted to allow your LAN to see google.com, www.google.com, maps.google.com, and for some reason block mail.google.com, that can be done in the way I described above. If you have subdomains that are allowed and subdomains that aren't, there's no magic there. You create zones for the subdomains that aren't allowed, and send them elsewhere. That also works well for the next thing that google adds. Suppose in 2 months google puts up a service at new.google.com. In my solution, people can access it easily. If you decide new.google.com is bad, you define a fake zone for it, and it is stopped. Of course this can break badly. The days of a website being static content on just one page are dead and buried. What happens if a page includes some content from an allowed subdomain, and some from one that isn't? Not being able to load certain pictures might be just what you're after, but what if the allowed functions depend on the ones that aren't allowed? That is a dangerous path that I would avoid at all costs.

Third, I've asked several times what you're trying to accomplish, and you're speaking in generalities. I am willing to help you, but I have no interest in donating my time and effort when you can't even tell me straight what you're trying to do. I've told you multiple times what you're trying to do doesn't sound right, and you dismiss my criticism. That's your right, but it's also my right to not share knowledge with you that I feel will be used badly.

Peace,
JimBass

GiladGruber 06-20-2010 01:40 AM

Hi Jim,

Peace dude and apologies, no ill intentions, just a new venture I am part of that I am wary of putting on such a public forum. Would it be possible to provide more info on a slightly more private channel?
I am at gilad dot gruber at gmail dot com

BR,

Gilad

JimBass 06-20-2010 10:46 AM

If the help you need has to happen off a public forum, then I'm not interested in doing it.

You dug up a 3 year old dead thread because it had info similar to what you were looking for. Imagine the next person in your shoes. They see their problem potentially solved, but instead of having the answer here where it belongs, it would be solved in a location that isn't accessible to them. That undermines this website's credibility, and I don't want to do that.

I'm not saying we'd need to see all the DNS records involved with their real names (though that is the best way to solve DNS problems, the BIND email list will only help if the real domain name is used), but you could easily use example.yoursite.com and yoursub.theirsite.com and such.

If you need it solved privately and fast, there are tons of BIND consultants who will gladly accept money to solve this for you.

Peace,
JimBass
