Re: DNS Zone Forward on AIX
From: Ian Northeast (ian_at_house-from-hell.demon.co.uk)
Date: 04/21/04
- Next message: Emporium: "Re: Encryption for a cheap boss"
- Previous message: Michael Wojcik: "Re: chown mistake with symlinks"
- In reply to: Dickie Warden: "DNS Zone Forward on AIX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 21 Apr 2004 22:37:12 +0100
On Wed, 21 Apr 2004 08:31:25 -0700, Dickie Warden wrote:
> I need to set-up an AIX 5.1 server to allow it to use an internal and
> external DNS server.
>
> Simply setting up both DNS servers in the resolv.conf file
>
> nameserver 149.134.252.7 # external service
> nameserver 10.0.1.86 # internal service
>
> ...doesn't do the trick. Internal DNS requests are firstly processed by
> the external DNS provider and falls over before attempting to resolve the
> request via the internal server.
Correct. The nameservers you list in resolv.conf are expected to return
the same answers. So if the first says something doesn't exist, it doesn't
try the second. The second is used only if the first fails to respond, the
presumption being that in this case it is down. AFAIK only Windows behaves
differently to this and Windows is basically wrong here. It was a bodge to
get dial up networking to work.
>
> I understand there is a way of creating DNS zones, whereby the server
> becomes a slave to the internal DNS and forwards (by way of zone
> forwarding) any requests that cannot be resolved to the external DNS
> servers.
>
> Has anyone set this up successfully, and if so, how was it achieved?
>
> I'm guessing (as I can't find any documentation to tell me) that it's
> achieved using BIND 8.2.2+ and configuring the resolv.conf, nsvcd.conf
?? What is that file? I've never seen it. Do you mean netsvc.conf? If your
machine is using DNS for name resolution this is probably correct already.
There's also irs.conf. Both have man pages.
> and named.conf files accordingly. Any pointers on how these files should
> be configured and how they interact to achieve the forwarding would be
> very useful indeed.
If I understand you correctly, you want to set up a local nameserver which
is a slave for your internal zones and forwards all Internet queries to
your ISP. This is fairly simple.
In named.conf, create the slave zones:
zone "a.zone" {
    type slave;
    file "db.a.zone";
    masters { internal-server1-ip; internal-server2-ip; };
};
This depends on your internal nameserver(s) permitting you to request zone
transfers. By default bind permits all zone transfers and on an internal
server with a private IP address this wouldn't normally be changed so it
should work. But if it has been changed and the servers aren't under your
control you may have to replace the slaves with zones of type forward, so
each internal query is referred individually to the internal servers
instead of the entire zones being transferred periodically.
and in the options section define forwarders:
    forwarders { external-server1-ip; external-server2-ip; };
    forward only;
The forward only option doesn't do what you might think. It means that the
forwarders will be used exclusively for queries for which the local server
is not authoritative; if they don't respond, it will not attempt to resolve
such queries on its own. Queries for zones for which the server is
authoritative will always be answered internally regardless of the
forwarding settings. A slave is authoritative.
You don't have to list multiple IP addresses in the forwarders and masters
lists if only one is available, but you should if there is more than one,
which there usually is.
Then in /etc/resolv.conf specify that the nameserver is local, i.e.
nameserver 0.0.0.0
as the only nameserver entry.
IBM continue to ship both bind4 (antediluvian) and bind8 (merely old) and
default to bind4. You need to change that default by removing the symbolic
links /usr/sbin/named and /usr/sbin/named-xfer which point to the bind4
versions and replace them with the bind8 equivalents. My examples will not
work with bind4 which has a completely different configuration. I do not
recommend trying to run bind4 in this century.
Documentation on bind can be found on http://www.isc.org and in the
excellent O'Reilly "DNS and Bind" book (the fourth edition is current).
Regards, Ian
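Added example, not part of the original post and not IBM's or ISC's own code: a POSIX sh script (runs under AIX ksh) that writes the named.conf and resolv.conf Ian describes for a list of internal zones, and lints the result before it goes live. It goes one step beyond the post's minimum: the local server listens on loopback only, refuses outbound zone transfers, and answers and recurses only for the host itself (all BIND 8 directives: listen-on, allow-query, allow-recursion, allow-transfer). The zone names corp.example and internal.example, the second master 10.0.1.87, the ISP resolvers 192.0.2.53/54 (TEST-NET addresses), the working directory /etc/named and the file names named8 / named-xfer8 are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate and sanity-check a
# BIND 8 named.conf for a local server that is a slave for the internal zones
# and forwards everything else to the ISP, plus the matching resolv.conf.

INTERNAL_ZONES="corp.example internal.example"   # assumed zone names
INTERNAL_MASTERS="10.0.1.86; 10.0.1.87;"         # 10.0.1.86 is from the post, .87 assumed
EXTERNAL_FORWARDERS="192.0.2.53; 192.0.2.54;"    # assumed ISP resolvers (TEST-NET)

# Emit named.conf on stdout. Lock-down directives are in addition to the
# post's forwarders / forward only: this box is a resolver for itself only.
gen_named_conf() {
    cat <<EOF
options {
    directory "/etc/named";          /* assumed; must be writable for slave files */
    listen-on { 127.0.0.1; };        /* not reachable from the network */
    allow-query { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };        /* nobody pulls our copy of the internal zones */
    forwarders { $EXTERNAL_FORWARDERS };
    forward only;                    /* never walk the Internet tree ourselves */
};
EOF
    for z in $INTERNAL_ZONES; do
        cat <<EOF

zone "$z" {
    type slave;
    file "db.$z";
    masters { $INTERNAL_MASTERS };
};
EOF
    done
}

# resolv.conf: only the local server. The post uses 0.0.0.0; 127.0.0.1 is the
# conventional loopback address and matches the listen-on line above.
gen_resolv_conf() {
    printf 'nameserver 127.0.0.1\n'
}

# Lint: forward only without forwarders would leave every non-authoritative
# query unanswerable; every slave zone needs a masters list; and transfers
# from this server must be restricted. Returns 0 when all checks pass.
check_named_conf() {
    f=$1
    if grep -q 'forward only;' "$f" && ! grep -q 'forwarders {' "$f"; then
        echo "$f: forward only without forwarders" >&2
        return 1
    fi
    slaves=$(grep -c 'type slave;' "$f" || true)
    masters=$(grep -c 'masters {' "$f" || true)
    if [ "$slaves" -ne "$masters" ]; then
        echo "$f: $slaves slave zones but $masters masters lists" >&2
        return 1
    fi
    if ! grep -q 'allow-transfer { none; };' "$f"; then
        echo "$f: zone transfers from this server are not restricted" >&2
        return 1
    fi
    return 0
}

# The post's last step: point named / named-xfer at the bind8 binaries.
# File names named8 / named-xfer8 are an assumption; confirm with
# ls -l /usr/sbin/named* before running this (root required, not run by default).
use_bind8() {
    for b in named named-xfer; do
        [ -x "/usr/sbin/${b}8" ] || { echo "/usr/sbin/${b}8 not found" >&2; return 1; }
        ln -fs "/usr/sbin/${b}8" "/usr/sbin/$b"
    done
}

# Stage the files somewhere harmless, check them, then copy into place by hand.
stage=${STAGE_DIR:-${TMPDIR:-/tmp}/named-stage}
mkdir -p "$stage"
gen_named_conf > "$stage/named.conf"
gen_resolv_conf > "$stage/resolv.conf"
check_named_conf "$stage/named.conf" && echo "staged config passes checks: $stage"
```

The lint encodes the two points from the post a practitioner is most likely to get wrong: forward only means the server will not fall back to its own resolution, so an empty or missing forwarders list silently breaks all Internet lookups, and BIND 8's permit-everything default for zone transfers is acceptable on the internal masters but not on a server that now sits on a host with an external path.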