Question about dns domain and sub-domain on different DNS server

speed12sil · 04-29-2013, 02:56 PM

Okay, my first post, and it's a long one...

Our company needs to set up two DNS servers such that one would deal with the main domain DNS resolves, and the other deal with the sub-domain resolves.

The main domain is:

acme.com

and the sub-domain

lab.acme.com

The main domain DNS server runs Microsoft server with DNS service enabled, and the sub-domain DNS server is a Redhat Linux. The main domain DNS server seems to be able to delegate searches for "lab" to the sub-domain server correctly, such that all searches for servers that reside in the sub-domain, e.g. server-1.lab.acme.com, can be resolved via this hand-off.

The two problems I have right now are that

1) The linux DNS server does not seem to be able to forward main domain queries received from users in "lab" to the MS DNS server.

Edit: named.conf with correct forwarding configured fixes this issue.

2) Searches for the devices in the main domain must be typed out in full.

So for example, if I want to resolve a server called "dragon" in the main domain:

dragon.acme.com

I cannot just type "dragon" and have DNS resolve it to dragon.acme.com. I must type in the full name to get it to resolve.

Is it even possible to have DNS fallback to main domain and append the path once the sub-domain search comes up empty, or it is not intelligent enough to do this kind of search?

Edit: Problem two revised to reflect current situation, simplified by having only one DNS specified in dhcpd.conf.

Below is the name.conf:

Code:

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        recursion yes;
//      forward only;
//      forwarders { 10.1.10.30;};
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "acme.com" {
        type forward;
        forward only;
        forwarders { 10.1.1.2; };
//main domain DNS server IP
};

zone "lab.acme.com" {
        type master;
        allow-query {any; };
        file "lab.acme.com.zone";
        };

and this is the zone file for lab.acme.com:

Code:

$TTL 1D
$ORIGIN lab.acme.com.
@               IN      SOA     ns1.lab.acme.com. admin.lab.acme.com. (
                                        0       ; serial
                                        2h      ; refresh
                                        15m    ; retry
                                        604800  ; expire
                                        86400   ; minimum
                                        )
                IN      NS      ns1
                IN      NS      dc1
;NS specifically reserved for name-server use, points to the name-server IP address, in this case it points to the pointer, which is ns1
ns1             IN      A       10.1.5.2
dc1             IN      A       10.1.1.2

server-1        IN      A       10.1.5.1
server-2        IN      A       10.1.5.2
;server for testing DNS

Thanks to all for answering this. I am pulling my hair out, and I've searched google and linux questions already so...

jpollard · 04-29-2013, 03:49 PM

I think this goes back to the /etc/resolv.conf file.

Unless you provide a FQDN for query, DNS will default to the "search" entry in the resolv.conf. This allows default short names to use the "domain" entry, but the search entry extends this search to other domains. Note, this does mean that lookups for a "xyz" host will occur in the local domain (such as xyz.local.org.domain), but will not find xyz in a higher level domain (such as xyz.org.domain) because that would be a secondary lookup- and it isn't done as soon as the name is resolved.

So I think your resolv.conf file should have something like:

Code:

domain lab.acme.com
search lab.acme.com acme.com
server ....
...

speed12sil · 04-29-2013, 04:00 PM

Okay the FQDN part makes sense. I know if that I manually change the resolv.conf file to include the main domain, then the search for dragon does work.

However, I thought that the resolv.conf file is cannot be modified by the dhcp server when it's handing out IP address and giving dns/ntp/default domain info? I know I can specify the domain for the dhcp client when handing out IP address, but I don't believe I can specify which domain the client should search in (thus modifying the client's resolv.conf file) when it wants to do DNS resolve.

jpollard · 04-29-2013, 04:45 PM

It can be modified by dhclient when getting/configuring an interface. How much can be controlled by a dhclient.conf file.

speed12sil · 04-29-2013, 04:53 PM

I'm getting confused here so...Is the dhclient.conf file used by the dhcp server to control the dhcp client, or is it changed locally on the client itself?

speed12sil · 04-29-2013, 05:44 PM

I got my first question solved, got the forward option in named.conf working. And it would seem that if I use a Linux client to do search for "dragon", it can append acme.com in addition to lab.acme.com, as I want it. However, Windows client cannot do this multiple domain auto append, and must have the full domain name spelled out to properly resolve.

Interesting...