When dealing with hybrid DNS environments where you need to forward specific subdomains from an external-facing DNS server to internal authoritative servers, proper BIND configuration becomes critical. The scenario presents three key components:
- Internal authoritative server (ns1.internal at 192.168.0.4)
- External-facing BIND server (mydns.example.com at 192.168.0.5)
- Subdomain delegation (subzone.mydns.example.com)
The NXDOMAIN response suggests the forwarding isn't working as intended. Let's examine the critical elements:
```
// Current problematic forward zone configuration
zone "subzone.mydns.example.com" {
    type forward;
    forwarders { 192.168.0.4; };
};
```
1. Forward Zone Definition
The forward zone itself holds no data; the parent zone must delegate the subdomain with an NS record, plus an address record for the nameserver it names, so that resolvers can reach the internal server:
```
// Updated mydns.example.com.zone file
$TTL 3600
@ IN SOA mydns.example.com. hostmaster.mydns.example.com. (
    2023080801 ; serial
    3600       ; refresh
    900        ; retry
    604800     ; expire
    3600       ; minimum
)
; Base domain records
@ IN NS mydns.example.com.
mydns.example.com. IN A 192.168.0.5
; Subzone delegation. The NS target is left unqualified so it expands to
; ns1.internal.mydns.example.com. and matches the A record below. With a
; trailing dot (ns1.internal.) the target lies outside this zone, and BIND
; would ignore an A record for it here as out-of-zone data.
subzone IN NS ns1.internal
ns1.internal IN A 192.168.0.4
```
2. Forward Zone Configuration
The forward zone should be enhanced with additional parameters:
```
// querylog is a global options statement, not a zone option
options {
    querylog yes;
};
zone "subzone.mydns.example.com" {
    type forward;
    // Never fall back to iterative resolution if the forwarder fails
    forward only;
    forwarders { 192.168.0.4; };
};
```
Essential diagnostic commands to verify the configuration:
```bash
# Zone transfer of the parent zone (only succeeds from a host listed in allow-transfer)
dig @192.168.0.5 mydns.example.com AXFR
# Verify delegation: a non-recursive query must return the referral to the subzone's NS
dig @192.168.0.5 subzone.mydns.example.com NS +norecurse
# Test forwarding (the querying client must be allowed recursion on this server)
dig @192.168.0.5 host.subzone.mydns.example.com A
```
| Issue | Solution |
|---|---|
| NXDOMAIN responses | Verify parent zone delegation records exist |
| Timeout errors | Check firewall rules between DNS servers |
| Missing glue records | Ensure NS records have corresponding A records |
| Forwarding loops | Use `forward only` to prevent fallback recursion |
For production environments, consider these enhancements:
```
options {
    // Rate limiting to prevent abuse
    rate-limit {
        responses-per-second 10;
        window 5;
    };
    // Disable version queries
    version "not disclosed";
    // Restrict zone transfers
    allow-transfer { none; };
};
zone "subzone.mydns.example.com" {
    type forward;
    forward only;
    // An optional port may follow each forwarder address; BIND has no
    // per-zone forwarder timeout option
    forwarders {
        192.168.0.4 port 53;
        // Secondary internal DNS if available
        192.168.0.6 port 53;
    };
};
```
When setting up DNS infrastructure with both internal and external servers, proper forward zone configuration in BIND becomes crucial. The core issue emerges when an external DNS server needs to delegate authority for a subdomain to an internal nameserver while maintaining proper resolution.
The existing setup shows several potential issues in the forward zone implementation:
```
// Problematic forward zone configuration
zone "subzone.mydns.example.com" {
    type forward;
    forwarders { 192.168.0.4; };
};
```
The current configuration lacks critical components for proper DNS delegation:
- No NS records in the parent zone (mydns.example.com) pointing to the internal server
- Missing glue records for the internal nameserver
- Incomplete zone file configuration
Here's the corrected configuration for both the main zone and forward zone:
Updated named.conf
```
zone "mydns.example.com" {
    type master;
    file "mydns.example.com.zone";
    allow-update { none; };
    allow-transfer { none; };
};
zone "subzone.mydns.example.com" {
    type forward;
    forward only;
    forwarders { 192.168.0.4; };
};
```
Corrected Zone File
```
$TTL 3600
$ORIGIN mydns.example.com.
@ IN SOA mydns.example.com. admin.mydns.example.com. (
    2023080101 ; Serial
    3600       ; Refresh
    900        ; Retry
    604800     ; Expire
    3600       ; Minimum TTL
)
; Name servers
@ IN NS mydns.example.com.
@ IN A 192.168.0.5
; Subzone delegation. The NS target is unqualified, so it expands to
; ns1.internal.mydns.example.com. and matches the A record below; a
; trailing dot would name a host outside this zone, and BIND would ignore
; an A record for it here as out-of-zone data.
subzone IN NS ns1.internal
ns1.internal IN A 192.168.0.4
```
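Both zone files above delegate the subzone with an NS record and an A record for the internal nameserver, and whether that A record is usable depends on the target name lying inside the parent zone. The checker below is an added example, not part of the original article: it parses constructed zone text in the format used above (one record per line, explicit owner, optional IN class, no TTL field, origin passed as an argument) and reports, for each delegation, whether the zone can serve the target's address and which A records BIND would drop as out-of-zone data; all sample records are constructed.

```python
# Added example, not from the original article: checks each delegation NS in
# a zone against the A records the same zone can actually serve (assumes one
# record per line, explicit owner, optional IN class, no TTL field).
def fqdn(name, origin):  # expand '@' and relative names to absolute form
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

in_zone = lambda name, origin: name == origin or name.endswith("." + origin)

def parse_zone(text, origin):
    """(owner, type, rdata) triples; $-directives and the SOA are skipped."""
    records, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if depth:                                   # still inside SOA ( ... )
            depth += line.count("(") - line.count(")")
            continue
        if not line or line.startswith("$"):
            continue
        fields = [f for f in line.split() if f not in ("IN", "CH")]
        depth = line.count("(") - line.count(")")   # > 0 only on a SOA line
        if fields[1] != "SOA":
            records.append((fqdn(fields[0], origin), fields[1], fields[2:]))
    return records

def check_delegations(text, origin):
    """Report per delegation target, plus A records BIND drops as out-of-zone."""
    records = parse_zone(text, origin)
    a_owners = {o for o, t, _ in records if t == "A"}
    report = {"dropped_a": sorted(o for o in a_owners if not in_zone(o, origin))}
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == origin:        # apex NS is not a delegation
            continue
        target = fqdn(rdata[0], origin)
        if not in_zone(target, origin):
            report[target] = "out-of-zone target: no address served from here"
        else:
            report[target] = "in-zone target: A record " + ("present" if target in a_owners else "MISSING")
    return report

# Constructed zone texts: the NS/A name mismatch, an out-of-zone glue attempt
# that BIND would drop, and the consistent unqualified (in-zone) form.
BROKEN = """@ IN SOA mydns.example.com. hostmaster.mydns.example.com. (
    2023080801 3600 900 604800 3600 )
@ IN NS mydns.example.com.
@ IN A 192.168.0.5
subzone IN NS ns1.internal.
ns1.internal IN A 192.168.0.4
"""
OUT_OF_ZONE = BROKEN.replace("ns1.internal IN A", "ns1.internal. IN A")
FIXED = BROKEN.replace("NS ns1.internal.", "NS ns1.internal")
```

Call `check_delegations(FIXED, "mydns.example.com.")` to see the consistent form reported as served, and the other two constants to see the two failure modes.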
After implementing these changes, verify the configuration:
```bash
# Check zone transfer (only succeeds from a host listed in allow-transfer)
dig @192.168.0.5 mydns.example.com AXFR
# Verify delegation: ask the parent non-recursively and expect the referral to ns1
dig @192.168.0.5 subzone.mydns.example.com NS +norecurse
# Test resolution through the forward zone
dig @192.168.0.5 host.subzone.mydns.example.com
```
DNS forwarding issues often stem from these overlooked aspects:
- Missing forward only directive: Without this, BIND may attempt iterative resolution
- Incorrect NS records: Ensure parent zone properly delegates to child
- Firewall restrictions: Verify UDP/TCP port 53 access between servers
- TSIG keys: Required if using secure zone transfers
For optimal performance in a forwarding setup:
```
options {
    // Global forwarding: every recursive query this server cannot answer from
    // its own zones goes to 192.168.0.4; keep a per-zone forward statement
    // instead if only the subzone should be forwarded
    forwarders { 192.168.0.4; };
    forward only;
    max-cache-size 256M;
    max-cache-ttl 3600;
    min-cache-ttl 300;
};
```
These settings help balance caching efficiency with forwarding reliability while preventing stale records.