HPE Community
Operating System - Linux
1832244 Members
3492 Online
110041 Solutions
New Discussion

Re: DNS Sub delagation

 
SOLVED
Go to solution
Andrew medhurst1
Frequent Advisor

‎10-06-2009 12:12 AM

‎10-06-2009 12:12 AM

DNS Sub delagation

I have a problem, we have set up a new dns enviroment and i need to have sub domain delegation in the our other domain to redirect any requests recieved to this new domain.
i have added the following line into the main DNS enviroment in an attempt to forward requests about server in the new domain to the new DNS servers for that domain.

ABCD IN NS ns1.ABCD.company.net

glue record

NS1.ABCD IN A 12.123.123.456

but it does not resolve back to new domain.
i have checked that the new domain resolves ok and the old domain resolves everything correctly except this.
any help greatly rewarded.
regards
andrew
0 Kudos
Reply
4 REPLIES 4
Matti_Kurkela
Honored Contributor

‎10-06-2009 03:33 AM

‎10-06-2009 03:33 AM

Solution

Re: DNS Sub delagation

If you have the "dig" utility installed, use a command like

dig NS ABCD.company.net

to verify the NS record.

The domain name ns1.ABCD.company.net should have a period at the end when it appears on the Right-Hand Side of a DNS record. Otherwise the server will append the domain suffix to it, and the NS record will actually point to ns1.ABCD.company.net.company.net.

i.e. the record should be EXACTLY

ABCD IN NS ns1.ABCD.company.net.

(note the trailing ".")

Does your main DNS server give the correct IP address if you run "nslookup ns1.ABCD.company.net"? That will verify the validity of the glue A record.

Did you update the serial number of the DNS zone when you made the change? It is surprisingly common to forget to do this.

MK
MK
Reply
Andrew medhurst1
Frequent Advisor

‎10-06-2009 04:55 AM

‎10-06-2009 04:55 AM

Re: DNS Sub delagation

found it i needed to turn on recursion.
now it works
regards
andrew
0 Kudos
Reply
Andrew medhurst1
Frequent Advisor

‎10-06-2009 05:09 AM

‎10-06-2009 05:09 AM

Re: DNS Sub delagation

but one finale point has anyone got a better way of doing this as i would like to keep recursion on,
# I tried to create a seperate domain with just the ns records in it but that did not seem to work, i don't like leaving recursion on.
regards
andrew
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎10-06-2009 10:41 AM

‎10-06-2009 10:41 AM

Re: DNS Sub delagation

Recursion is a normal and necessary part of DNS name resolution.

How DNS works 101:

A DNS client host (= any computer that does not have local DNS server running on it) will make queries only to those name servers that are listed in the DNS configuration of the host. A client host will never contact any other DNS servers on its own.

A DNS server that receives queries from DNS clients generally *must* have recursion enabled, so that the server can contact any DNS server necessary to find the data needed by the client. It uses the data it finds to build a cache, so that the number of external queries can be minimized.

If a DNS server that works in this role (a "resolving" DNS server) is exposed to the Internet, it may be vulnerable to cache poisoning attacks. Those attacks may be used to trick your clients to connect to wrong (potentially hostile) hosts. This is probably why you say you "don't like having recursion enabled". But there is no reason to make your resolving DNS servers accessible from Internet, unless you also use them in another role.

The other role for a DNS server is being an authoritative source (master or slave) of information about a particular domain (or domains) for other DNS servers. A server in this role must be accessible by all the resolving DNS servers that are expected to use this information. If the domain data is supposed to be public, this server must be reachable by any DNS server in the world.

However, a DNS server that is exclusively in an "authoritative" role does not need to handle recursive requests: the resolving DNS servers are expected to be smart enough to ask only about the domains this server is authoritative for, as indicated by the NS and glue records in the higher-level nameservers. Therefore, the recursion support can be disabled.

When recursion is disabled, all the data that the server ever sends out comes from the zone files on the server. It never builds any cache, so it will be immune to cache poisoning attacks. (It will also be useless in the resolving role if someone tries to query any information the server is not authoritative for.)

The problem is in trying to make one DNS server fill both "resolving" and "authoritative" roles: the current recommendation is to make them separate servers, and only allow access from Internet to those authoritative servers that hold data for public domains.

If you cannot rearrange your DNS servers to this configuration and really want to disable recursion in your DNS server, there is a way: make your main DNS server be a slave for the sub-domain zone, so that it automatically gets a complete, up-to-date copy of the sub-domain's data and can be authoritative for it too. (An authoritative server can easily be master for some zones and a slave for others.)

There is no need to use NS records to indicate *every* authoritative source of a particular zone, only those that are supposed to be receiving requests from the world. This may be called a "stealth slave".

As the presence of a stealth slave for a particular zone is not indicated in the NS records of that zone, the master server of a zone must be explicitly configured to send DNS change notifications to any stealth slaves and to accept zone transfer requests from them. See BIND documentation for "allow-transfer" and "also-notify" options for a particular zone.

MK
MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.