
DNS delegation with BIND and Cloudflare


Probably just an ordinary question, but I've been wasting hours on this for months. If you need other logs/output/explanation/etc., just ask :)

Thanks in advance!

What I need

  • The zone local.example.com shall be managed by a local server 10.20.0.9
  • The local servers (10.20.0.0/24) are only accessible from within the network but
  • Their hostnames xxx.local.example.com are resolvable world-wide from the internet

What I have so far

I am using CloudFlare as DNS provider, following this guide, I have set-up the following:

  • Records at CloudFlare:
    ns.example.com   A   10.20.0.9       (local DNS server)
    loc.example.com  NS  ns.example.com  (delegation to local DNS)
    
  • Records file at my local DNS server (10.20.0.9 using bind9)
    $TTL 3600            ; added: without $TTL, BIND 9 warns and falls back to the SOA minimum
    loc.example.com. IN SOA ns.example.com. hostmaster.example.com. (
        1628517915       ; serial
        3600             ; refresh
        600              ; retry
        24H              ; expire
        3600 )           ; negative-caching TTL (minimum)
    loc.example.com.     IN NS ns.example.com.   ; apex NS record, as served in the dig output below
    s1.loc.example.com.  IN A  10.20.0.9
    

My Problem

CloudFlare does not answer my NS lookup request for loc.example.com with ns.example.com as expected. Instead, the request just fails with "server failure" (see last CLI log)...

CLI output

  • dig ns.example.com

    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> ns.example.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10036
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;ns.example.com.         IN      A
    
    ;; ANSWER SECTION:
    ns.example.com.  300     IN      A       10.20.0.9
    
    ;; Query time: 111 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Mon Aug 09 16:42:06 CEST 2021
    ;; MSG SIZE  rcvd: 66
    

    So the name server resolves to our local IP, nice!

  • dig @10.20.0.9 NS loc.example.com

    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @10.20.0.9 NS loc.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47653
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 7fa7e218d1c20f1e113b236e61113fb96c1b101d374cbde7 (good)
    ;; QUESTION SECTION:
    ;loc.example.com.                IN      NS
    
    ;; ANSWER SECTION:
    loc.example.com. 3600    IN      NS      ns.example.com.
    
    ;; Query time: 1 msec
    ;; SERVER: 10.20.0.9#53(10.20.0.9)
    ;; WHEN: Mon Aug 09 16:46:17 CEST 2021
    ;; MSG SIZE  rcvd: 96
    

    Our local DNS server knows that it's responsible for the subdomain

  • dig @10.20.0.9 s1.loc.example.com

    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @10.20.0.9 s1.loc.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38039
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 7790b2d359140e5f04be8596611140927c7321fefc1fbbe9 (good)
    ;; QUESTION SECTION:
    ;s1.loc.example.com. IN      A
    
    ;; ANSWER SECTION:
    s1.loc.example.com. 3600 IN  A       10.20.0.1
    
    ;; AUTHORITY SECTION:
    loc.example.com. 3600    IN      NS      ns.example.com.
    
    ;; Query time: 1 msec
    ;; SERVER: 10.20.0.9#53(10.20.0.9)
    ;; WHEN: Mon Aug 09 16:49:54 CEST 2021
    ;; MSG SIZE  rcvd: 119
    

    So the local DNS can resolve our local hosts

  • dig @1.1.1.1 NS loc.example.com

    ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @1.1.1.1 NS loc.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33748
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; OPT=15: 00 16 ("..")
    ;; QUESTION SECTION:
    ;loc.example.com.                IN      NS
    
    ;; Query time: 12 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Mon Aug 09 16:51:45 CEST 2021
    ;; MSG SIZE  rcvd: 57
    

    Here lies the problem: CloudFlare does NOT answer to our NS record request. Why :o ?
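A delegation check for the setup above, as an added example that is not code from the post, from BIND or from Cloudflare: it parses the posted child zone together with the parent-side records, confirms that the parent's NS set matches the child's apex NS set, and flags the failure mode seen in the last dig output, a delegated nameserver whose only address is not globally routable (10.20.0.9 is RFC1918 space, so 1.1.1.1 cannot reach it and answers SERVFAIL). The records are constructed from the question; the apex NS line in the sample zone is assumed from the `dig @10.20.0.9 NS` output, and `parse_zone()` / `lint_delegation()` are hypothetical helpers written for this illustration, not a general zone-file parser.

```python
"""Delegation lint for the parent/child records in the question above.

Added example, not code from the post, BIND or Cloudflare. PARENT_RECORDS and
CHILD_ZONE are constructed from the question (the apex NS line is assumed from
the dig output); parse_zone() and lint_delegation() are hypothetical helpers.
"""
import ipaddress
import re

# Parent-side (Cloudflare) records, as posted (constructed sample input).
PARENT_RECORDS = [
    ("ns.example.com.", "A", "10.20.0.9"),
    ("loc.example.com.", "NS", "ns.example.com."),
]

# Child zone as posted, plus the apex NS the local BIND actually serves.
CHILD_ZONE = """
loc.example.com. IN SOA ns.example.com. hostmaster.example.com. (
    1628517915
    3600
    600
    24H
    3600 )
loc.example.com.    IN NS ns.example.com.
s1.loc.example.com. IN A  10.20.0.9
"""


def parse_zone(text):
    """Parse simple 'owner [TTL] IN TYPE rdata' lines into (owner, type, rdata).

    Parenthesised continuations (the SOA) are joined onto one line and ';'
    comments are stripped. $ directives and relative names are not handled.
    """
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = []
    for line in joined.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, idx = fields[0].lower(), 1
        if fields[idx].isdigit():        # optional explicit TTL
            idx += 1
        if fields[idx].upper() == "IN":  # optional class
            idx += 1
        records.append((owner, fields[idx].upper(), " ".join(fields[idx + 1:])))
    return records


def lint_delegation(parent_records, child_zone_text, zone):
    """Return a list of human-readable findings; an empty list means consistent."""
    zone = zone.lower()
    child = parse_zone(child_zone_text)
    findings = []

    parent_ns = {r[2].lower() for r in parent_records if r[0].lower() == zone and r[1] == "NS"}
    child_ns = {r[2].lower() for r in child if r[0] == zone and r[1] == "NS"}

    if not any(r[0] == zone and r[1] == "SOA" for r in child):
        findings.append("child zone has no SOA at the apex")
    if not child_ns:
        findings.append("child zone has no NS records at the apex")
    if parent_ns != child_ns:
        findings.append(f"parent NS set {sorted(parent_ns)} differs from child apex NS set {sorted(child_ns)}")

    # Addresses of the delegated nameservers, from parent A records (glue) and the child zone.
    addrs = {}
    for owner, rtype, rdata in list(parent_records) + child:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner.lower(), []).append(rdata)

    for ns in sorted(parent_ns):
        if ns not in addrs:
            findings.append(f"no A/AAAA record found for nameserver {ns}")
            continue
        for addr in addrs[ns]:
            # The failure mode in the question: the delegation leads only to an
            # RFC1918 (or other non-global) address. Public resolvers cannot
            # reach it, so they give up and return SERVFAIL.
            if not ipaddress.ip_address(addr).is_global:
                findings.append(f"nameserver {ns} -> {addr} is not globally routable; public resolvers will SERVFAIL")
    return findings


if __name__ == "__main__":
    for finding in lint_delegation(PARENT_RECORDS, CHILD_ZONE, "loc.example.com."):
        print("FINDING:", finding)
```

Run against the posted records it reports exactly one finding, the non-routable 10.20.0.9 behind ns.example.com; the SOA, apex NS and parent/child NS sets are all consistent, which matches the first three dig outputs succeeding and only the query through 1.1.1.1 failing.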

Is it a connectivity problem? Is there any way for "1.1.1.1" to reach your nameserver? (Firewall?)
You cannot have publicly resolvable names where nameservers responsible for these names are on RFC1918 address ranges.
@Tomek but how do the big guys handle these tasks? I mean, I could just push my VPN clients the local DNS server, but this will override their DNS settings for all other domains as well...
That's exactly what my employer's VPN does when I use it. Additionally, it replaces the default route, which invalidates any other nameservers anyway.