Join Log in
Score:-1
user117974 avatar Server

DNS Sub domain delegation

pk flag
user117974

In my test environment I have 4 nameservers. DNS1 nameserver I want to be authoritative for domain.com, and delegate the subdomain sub.domain.com to the other 3 nameservers.

Client device is also connected directly to DNS1.

Here is my zone and config files:

root@DNS1:/etc/bind# more db.domain.com
$TTL    604800
@       IN      SOA     domain.com. admin.domain.com. (
                 75     ; Serial
                900     ; Refresh 15 mins
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
; name servers - NS records
                        IN      NS      ns1.domain.com.
; name servers - A records
ns1.domain.com.         IN      A       192.168.242.200
www.domain.com.         IN      CNAME   www.sub.domain.com.
;sub domain
sub.domain.com.         IN      NS      ns1.sub.domain.com.
sub.domain.com.         IN      NS      ns2.sub.domain.com.
sub.domain.com.         IN      NS      ns3.sub.domain.com.
ns1.sub.domain.com.     IN      A       172.16.14.50
ns2.sub.domain.com.     IN      A       10.10.4.50
ns3.sub.domain.com.     IN      A       192.168.100.50

root@DNS1:/etc/bind# more named.conf.options
options {
        directory "/var/cache/bind";
        recursion yes;                  # enables recursive queries
        listen-on { any; };             # ns1 private IP address - listen on private network only
        allow-transfer { none; };       # disable zone transfers by default
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.


        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};


root@DNS1:/etc/bind# more named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "domain.com" {
    type primary;
    file "/etc/bind/db.domain.com";
    notify yes;
};

zone "sub.domain.com" {
       type forward;
        forwarders { 172.16.14.50; 10.10.4.50; 192.168.100.50; };
};

I have a client pc which is using DNS1 as a resolver for testing. DNS1 is also authoritative for domain.com. When recursion is enabled, the client asks the NS records this is what is returned:

root@gns3-webterm-1:~# nslookup
> set type=ns
> sub.domain.com
Server:     192.168.242.200
Address:    192.168.242.200#53

Non-authoritative answer:
sub.domain.com  nameserver = ns3.sub.domain.com.
sub.domain.com  nameserver = ns2.sub.domain.com.
sub.domain.com  nameserver = ns1.sub.domain.com.

Authoritative answers can be found from:

On a trace, the DNS1 server asks one of the name servers (in this case 192.168.100.50) an NS record query and gets back the above.

When disabling recursion on DNS1, then I get the following

> set type=ns
> sub.domain.com
Server:     192.168.242.200
Address:    192.168.242.200#53

Non-authoritative answer:
*** Can't find sub.domain.com: No answer

Authoritative answers can be found from:
sub.domain.com  nameserver = ns3.sub.domain.com.
sub.domain.com  nameserver = ns1.sub.domain.com.
sub.domain.com  nameserver = ns2.sub.domain.com.
ns3.sub.domain.com  internet address = 192.168.100.50
ns2.sub.domain.com  internet address = 10.10.4.50
ns1.sub.domain.com  internet address = 172.16.14.50

With recursion disabled on DNS1 the client cannot resolve www.domain.com which points to www.sub.domain.com.

Questions:

1 - If I want DNS1 to have recursion disabled but still resolve sub.domain.com how is this achieved, it seems defining a separate forward zone does not work?

2 - Is there best practice for for sub delegation or are there additional things required on the parent name server?

247
2 + 0
Score:3
avatar Server
cn flag
Håkan Lindqvist

In an attempt to explain the underlying problem so that the situation can actually be properly understood:

The fundamental problem that you encountered when you turned off recursion on "DNS1" is two-fold:

  • "Forwarding" is considered just a variation of recursion. Ie, it is also disabled when recursion is disabled, and is only acted on when a query has RD (recursion desired) set.
  • You broke the expectations of any client machines that have their stub resolvers configured (traditionally through resolv.conf on UNIX-like systems, per interface IP configuration on Windows, etc... configuration which is often provisioned via DHCP) to use "DNS1" as their resolver server.

The stub resolver entirely depends on recursion being provided by its configured resolver server, as the stub itself does not have the capabilities needed to make follow-up queries and combine their results in order to follow delegations, follow CNAME records, etc.

So the most general take on this situation would be that if "DNS1" no longer provides recursion, it should not be configured in stub resolvers on clients (and does not need any forward zones). Rather some resolver server should be configured, and it should find "DNS1" for queries where "DNS1" is the authority, or any other authoritative servers for other names.
(Normally the resolver server would find the authority simply by following the delegations in the global DNS tree, but if this is some form of local out-of-tree zone the resolver server itself would probably need some "forward zone" style configuration to allow it to find such a zone.)

Ie, the general case approach would be more like "so if DNS1 does not provide recursion, what resolver server should be configured on clients instead of it?"
Which may mean setting up a separate resolver server and provisioning this new configuration to all clients. (Which would generally be considered the better approach as this kind of "combined role" is typically seen as a bit messy).

Now, of course, for a given environment it may be that its specific requirements allow for some middle ground (such as what Nikita indicated in their solution, with "some recursion allowed"), but I think it's important to first understand the overall idea of how things are intended to work, before leaping into more clever adaptations tailored to the specifics of this environment.

+ 1
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
Yes, I overlooked the root of the problem the topic has. I want to add here that "DNS recursor" and "DNS origin" is quite different kind of server operation, and while BIND has them inside the single server and made it possible to do both at the same time, [PowerDNS](https://doc.powerdns.com/) has them as separate products and they cite the "messiness" of the combined solution as one of their reasons. Unbound is another DNS recursor server without any origin capability (perfect for the advanced local DNS cache).
0
Reply
Score:1
Nikita Kipriyanov avatar Server
za flag
Nikita Kipriyanov

You did all the delegation correctly. Since DNS1 is not authoritative for the sub.domain.com, it will never answer queries about it unless recursion is enabled for the particular client.

However, you can add this zone on it as a type forward zone:

zone "sub.domain.com" {
    type forward;
    forward only;
    forwarders { 192.168.100.50; 10.10.4.50; 172.16.14.50; };
};
+ 2
user117974 avatar
pk flag
user117974
Thankyou makes sense now, I added the forward zone and wanted to check if this is optional or if there is a use case where defining this is needed over the NS records in the domain.com zone file e.g. is it faster?
0
Reply
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
This is orthogonal to the delegation. You just tell your server to make recursion for certain defined domain, no matter what. This is optional, of course, and usually nobody is doing that, because, I think, nobody needs that. When you delegate, it means you want somebody else to be in charge for the subzone, so why bother about it further? // If you want it to resolve this particular zone faster on the DNS1, add it to the delegation, e.g. make it authoritative for the zone too, then it will store the copy of the zone and answer from that copy rather than forwarding.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.