dr-ing 08-05-2020 09:36 AM

Bind-DNS: Use a public domain as internal zone, but lookup unknown subdomains on a public dns server

As mentioned in the title, I use Bind-DNS as my local DNS server.
For this I have two zones, example.local and
The second one is actually my public domain name, but I use it for a few internal subdomains so that my publicly valid wildcard certificate is valid and the internal subdomains thus have an SSL certificate accepted by all devices and browsers (which I need for a few devices that only accept a valid SSL certificate).

The problem is: Since I have the zone, it resolves the registered hosts (,, but not the public hosts that I have registered over my domain name provider, for example: or, because they are probably not included in the zone file. If I add them as well, my bind-dns server can resolve them without problems.

My "goal" is that if bind-dns cannot find the subdomain in the zone files, it will forward the request to a public dns server (which I have configured in the named.conf.options file?)

The zone looks similar to this:

$TTL        86400
@        IN        SOA (
                    2020071401                ; Serial
                        604800                ; Refresh
                          86400                ; Retry
                        2419200                ; Expire
                          86400 )        ; Negative Cache TTL
; name servers
                        IN        NS
; A records
                        IN        A
                        IN        A

My named.conf.local:

zone "" {
        type master;
        file "/var/cache/bind/";
};

And my named.conf.options:

acl "trusted" {;

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { trusted; };
        listen-on {;; };
        allow-transfer { none; };

        forwarders {

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };


smallpond 08-06-2020 11:20 AM

Generally, there is one authoritative nameserver for a domain. I don't think bind has any option for forwarding requests if it is authoritative for a zone. Simplest is to put all of the internal sites on a separate subdomain, and all of the publicly accessible sites on your ISP nameserver. If you want a separate internal nameserver that knows additional hosts on the public domain, then you will need to manually maintain the two copies and make sure that the internal sites use the internal nameserver. That can get interesting if you are using VPNs or doing updates from DHCP.
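As an added illustration (not code from either poster), a small Python check for the situation both posts describe: a local BIND that is authoritative for the public domain answers NXDOMAIN for every public hostname that is missing from its zone file, so the two copies have to be kept in sync by hand. It parses a constructed zone file with a placeholder domain (example.org; the thread's real domain is not shown) and reports which constructed public names would be shadowed, i.e. need to be copied into the internal zone.

```python
# Constructed sample zone (placeholder domain example.org; the real one is
# not shown in the thread) served authoritatively by the internal BIND.
INTERNAL_ZONE = """\
$TTL 86400
$ORIGIN example.org.
@        IN  SOA  ns1.example.org. admin.example.org. (
                  2020071401 ; Serial
                  604800     ; Refresh
                  86400      ; Retry
                  2419200    ; Expire
                  86400 )    ; Negative Cache TTL
         IN  NS   ns1.example.org.
ns1      IN  A    192.0.2.53
nas      IN  A    192.0.2.10
"""
# Constructed sample: hostnames published at the registrar / public DNS.
PUBLIC_NAMES = ["www.example.org", "mail.example.org", "nas.example.org"]


def zone_names(zone_text):
    """Owner names (FQDNs, no trailing dot) that carry a record in a simple zone
    file: handles $ORIGIN, '@', relative/absolute owners, comments and the SOA's
    parenthesised continuation lines. Not a full RFC 1035 parser."""
    origin, names, in_paren = None, set(), False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if in_paren:                            # inside SOA ( ... )
            in_paren = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if not line or line.startswith("$"):   # blank or other directive
            continue
        if "(" in line and ")" not in line:
            in_paren = True
        if raw[0].isspace():                    # owner inherited from above
            continue
        owner = line.split()[0]
        if owner == "@":
            names.add(origin)
        elif owner.endswith("."):
            names.add(owner.rstrip("."))
        else:
            names.add(f"{owner}.{origin}")
    return names


def shadowed_public_names(zone_text, public_names):
    """Public hostnames internal clients get NXDOMAIN for: the local server
    answers authoritatively and has no record for them."""
    known = zone_names(zone_text)
    return sorted(n for n in public_names if n not in known)
```

Running it against a real zone file and the hostnames listed at the registrar gives the list of records to copy into the internal zone after each public change.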

