04-10-2017 02:09 PM
I am trying to prevent our DMZ Infoblox forwarders from resolving our internal DNS domain. We have split DNS, and the forwarders are part of the grid but are not listed as nameservers for our internal domain, but they are still resolving this domain internally. I want the forwarders to only forward requests for all zones, not resolve our internal zone. I thought that by not having them configured as nameservers for this internal zone it would prevent them from resolving this zone and make them use their forwarders. Is there a way to configure these forwarders to not resolve our internal DNS domain?
04-11-2017 10:01 AM
If the forwarders aren't authoritative for the internal domain (which seems to be the case), they will use their normal resolution path (presumably to the ISP/root servers) to resolve that domain and that should be resulting in an NXDOMAIN.
If you point a 'dig +trace <internaldomain>' at one of the forwarders, look at the result. That should show you how and where it finds an authoritative answer.
Also, when you say 'split DNS' does that mean you have multiple DNS views? It would be worth checking the view ordering on these forwarders and how their match lists are configured to again verify the resolution path for the internal domain.
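One way the view ordering and match lists mentioned above can produce exactly this behaviour, added here as an illustration in BIND-style named.conf syntax rather than Infoblox's own configuration (Infoblox members serve views that follow the same first-match rules); the zone name, client networks and upstream address are placeholders, and the two halves are alternative configurations, not one file:

```conf
# --- Misconfigured (alternative A): the view that carries the internal zone is
# ordered first and matches *any* client, so a DMZ grid member serving this view
# answers corp.example itself even though it is not listed as a nameserver for it.
view "internal" {
    match-clients { any; };            # too broad: DMZ queries land here first
    recursion yes;
    zone "corp.example" {              # placeholder internal zone
        type primary;
        file "corp.example.db";
    };
};

view "dmz" {
    match-clients { 192.0.2.0/24; };   # never reached: "internal" already matched
    recursion yes;
    forward only;
    forwarders { 198.51.100.53; };     # placeholder upstream resolver
};

# --- Corrected (alternative B): the DMZ view is ordered first and matches only the
# DMZ source range; it carries no internal zone and is forward-only, so a DMZ member
# cannot resolve corp.example locally. Internal clients fall through to "internal".
view "dmz" {
    match-clients { 192.0.2.0/24; };   # placeholder DMZ client range
    recursion yes;
    forward only;                      # no fallback to iterative resolution
    forwarders { 198.51.100.53; };
};

view "internal" {
    match-clients { 10.0.0.0/8; };     # placeholder internal client range
    recursion yes;
    zone "corp.example" {
        type primary;
        file "corp.example.db";
    };
};
```

With alternative B in place, a plain `dig corp.example @<dmz-forwarder>` from a DMZ host should return whatever the upstream resolver returns (typically NXDOMAIN) rather than an internal record; `forward only` also means that an unreachable upstream yields SERVFAIL instead of a silent fallback to iterative resolution.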