From: Peter Valian (valianp@southwestern.edu)
Date: Sun Aug 01 2004 - 17:50:08 CDT
maybe it's just my box... tried on a different provider and all works!
-p
Peter Valian wrote:
> Jeff... I don't think this quite solves it... but it's 99% there.
>
> what happens when you query "foo.edu" (or whatever TLD your nameserver
> is in). I get:
>
> ** server can't find foo.edu: NXDOMAIN
>
> Jeff A. Earickson wrote:
>
>> Hi,
>>
>> After helpful hints from Robert Lowe yesterday and a lot of head
>> banging today, I think I have (mostly) figured out the issue of
>> selective DNS forwarding. Attached are the bootfile and the primary file
>> for my netreg bind (v 9.2.3). In my case 137.146.214.50 is my testbed
>> netreg box, running the bogus DNS service and 137.146.210.51 is my
>> site's real forwarder DNS. My sole "selfhelp" site for this test
>> is "sophos.com". Obviously, my example is not as elaborate as Jason
>> Azze's (and may not work as well either).
>>
>> Here are the ankle biters that kept me from getting this to work
>> right the first time:
>>
>> * I had "recursion no" as an option in my bootfile. This prevented
>> the forwarding lookups from recursing to my real DNS server to get
>> an answer for my selfhelp site. Your stub DNS setup needs to use
>> recursion. Alas, you cannot turn recursion on/off on a zone-by-zone
>> basis, like you can with queries and updates.
>>
>> * Per Robert Lowe's helpful hint, I needed to add an NS record for
>> my selfhelp site in the primary file. I couldn't get things to work
>> without it.
>>
>> To test things, I used "dig @137.146.214.50 remote.site.whatever" to
>> do lookups on my netreg server.
>>
>> I will note that some remote sites resolve to my netreg server's number,
>> via dig, while others give back only SOA information for my netreg
>> server, eg "dig @137.146.214.50 www.microsoft.com" gives back:
>>
>> ; <<>> DiG 9.2.3 <<>> @137.146.214.50 www.microsoft.com
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49752
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.microsoft.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> . 3600 IN SOA netreg.colby.edu.
>> name-master.colby.edu. 2004071500 3600 600 604800 3600
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 137.146.214.50#53(137.146.214.50)
>> ;; WHEN: Thu Jul 15 13:26:50 2004
>> ;; MSG SIZE rcvd: 98
>>
>> Curious. Webpages for an unregistered machine attempting to connect
>> to www.microsoft.com still end up at my netreg registration webpage,
>> which is good.
>>
>> Jeff Earickson
>> Colby College
>>
>>
>> ------------------------------------------------------------------------
>>
>> #---------------------------------------------------
>> #---boot file for COLBY bind 9.2.3 netreg
>> #---------------------------------------------------
>>
>> #---logging options
>> logging {
>> #---the channel definition for syslogging
>> channel my_syslog {
>> syslog daemon;
>> severity info;
>> };
>>
>> #---the channel definition for debugging output
>> channel my_debug {
>> file "/etc/named.COLBY/0";
>> severity info;
>> print-category yes;
>> print-severity yes;
>> print-time yes;
>> };
>>
>> #---for version 9.2.3 of BIND
>> category client { my_syslog; };
>> category config { my_syslog; };
>> category database { my_syslog; };
>> category default { my_syslog; };
>> category delegation-only { my_syslog; };
>> category dispatch { my_syslog; };
>> category dnssec { my_syslog; };
>> category general { my_syslog; };
>> category lame-servers { my_syslog; };
>> category network { my_syslog; };
>> category notify { my_syslog; };
>> category queries { my_syslog; };
>> category resolver { my_syslog; };
>> category security { my_syslog; };
>> category unmatched { my_syslog; };
>> category update { my_syslog; };
>> category xfer-in { my_syslog; };
>> category xfer-out { my_syslog; };
>> };
>>
>> #---the global options settings
>> #---in alphabetical order by name
>> #---note: we must allow recursion or the selfhelp zones like
>> #---sophos.com below won't work.
>> options {
>> #---directory where all the data files are stored
>> directory "/etc/named.COLBY";
>> };
>>
>> zone "sophos.com"
>> {
>> type forward;
>> forwarders { 137.146.210.51; };
>> forward only;
>> };
>>
>> #---the root of this domain is our bogus netreg info
>> zone "." {
>> type master;
>> file "primary/fake-root-for-netreg";
>> };
>>
>>
>> ------------------------------------------------------------------------
>>
>> $TTL 3600
>>
>> . IN SOA netreg.colby.edu. name-master.colby.edu. (
>> 2004071500 ; serial
>> ; YYYYMMDDNN
>> 1h ;refresh
>> 10m ;retry
>> 1w ;expire
>> 1h ;negative caching TTL
>> )
>>
>> IN NS netreg.colby.edu.
>>
>>
>> ; we want every IP on the planet to resolve to this
>> ; except specific domains listed below
>> netreg IN A 137.146.214.50
>> *. IN A 137.146.214.50
>>
>> ; allow unregistered machines to get to sophos
>> sophos.com. IN NS netreg.colby.edu.
>
>
**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************
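An added example, not code from the thread: a small Python helper that emits the two pieces Jeff's setup needs (the per-site forward zone stanza and the fake root zone with its wildcard A and NS record) and checks for the two pitfalls he hit, "recursion no" in the options and a forward zone with no matching NS record. Hostnames and addresses below are constructed placeholders.

```python
"""Added example (not from the thread): build and sanity-check a netreg-style
BIND 9 selective-forwarding setup.  Names and addresses are constructed."""
import re

def forward_zone_stanza(domain, forwarder):
    """named.conf stanza sending one selfhelp domain to the real resolver."""
    return (f'zone "{domain}" {{\n    type forward;\n'
            f'    forwarders {{ {forwarder}; }};\n    forward only;\n}};\n')

def named_conf(directory, forwarder, selfhelp, zonefile="primary/fake-root-for-netreg"):
    """Global options (recursion left on) plus one forward zone per selfhelp site
    and the fake root zone that catches everything else."""
    text = f'options {{\n    directory "{directory}";\n    recursion yes;\n}};\n'
    text += "".join(forward_zone_stanza(d, forwarder) for d in selfhelp)
    text += f'zone "." {{\n    type master;\n    file "{zonefile}";\n}};\n'
    return text

def fake_root_zone(netreg_host, netreg_ip, selfhelp, serial):
    """Fake root zone: wildcard A to the netreg box plus an NS per selfhelp domain."""
    lines = ["$TTL 3600",
             f". IN SOA {netreg_host}. hostmaster.{netreg_host}. ({serial} 1h 10m 1w 1h)",
             f"  IN NS {netreg_host}.",
             f"*. IN A {netreg_ip}"]          # every other name lands on the netreg box
    lines += [f"{d}. IN NS {netreg_host}." for d in selfhelp]  # delegation point per site
    return "\n".join(lines) + "\n"

def check_setup(conf_text, zone_text):
    """Return the problems found; an empty list means the two files agree."""
    problems = []
    if re.search(r"recursion\s+no\s*;", conf_text):
        problems.append("recursion no: forward zones cannot chase answers")
    forwarded = set(re.findall(r'zone\s+"([^"]+)"\s*\{[^}]*?type\s+forward', conf_text))
    delegated = set(re.findall(r"^([^\s;]+)\.\s+IN\s+NS\s", zone_text, re.M))
    for d in sorted(forwarded - delegated):
        problems.append(f"{d}: forward zone has no NS record in the fake root")
    if not re.search(r"^\*\.\s+IN\s+A\s", zone_text, re.M):
        problems.append("no wildcard A: unregistered clients are not redirected")
    return problems

if __name__ == "__main__":
    conf = named_conf("/etc/named.EXAMPLE", "192.0.2.53", ["sophos.com"])
    zone = fake_root_zone("netreg.example.edu", "192.0.2.10", ["sophos.com"], 2004071500)
    print(conf, zone, check_setup(conf, zone), sep="\n")
```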
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:47 CDT