DNS: Forwarding to internet within Authoritative Zone for unknown records

DSchmalen
Techie
Posts: 8

Hey guys,

I have just encountered a problem within our Infoblox DNS infrastructure.

Problem:

A customer was connected to our infrastructure and used a proxy script in order to connect to the internet. We have their internal DNS zone configured on our Infoblox, but their external webpage is hosted at a different provider. The domains are the same. The customer is now connected directly to the internet and is not using the proxy script anymore. But via VPN tunnel the customer is accessing servers on our infrastructure and also using the DNS service.

So when the customer tries to access his external website, e.g. "test.com", he gets a timeout. The reason is that we don't have an internal DNS entry pointing to the internet IP of the external website.

Is it possible to define the internal zone "test.com" to look up unknown entries at a different nameserver? The zone is an authoritative zone and contains internal DNS entries, which cannot be moved/deleted.

Any idea on this?

Kind regards,

Daniel

Re: DNS: Forwarding to internet within Authoritative Zone for unknown records

Adviser
Posts: 63

Nice one!

I think something like this would work:

Set up a wildcard forward zone inside the main one. Each existing record should be served by your appliances while non-existing ones should match the wildcard and be forwarded to the other name server.

I can't test it on our lab but theoretically, it should do the job.

Re: DNS: Forwarding to internet within Authoritative Zone for unknown records

DSchmalen
Techie
Posts: 8

Hey,

thanks for your response. It sounds easy and perfect, but unfortunately I receive the error "Cannot create a wildcard subzone." when I try to set up a forwarding subzone within the zone.

Did I miss anything? Any other idea?

Kind regards,

Daniel

Re: DNS: Forwarding to internet within Authoritative Zone for unknown records

GHorne
Community Manager
Posts: 248

You're basically stuck.

Your customer is using your internal DNS and you are authoritative for the namespace (*.test.com), so the buck stops with you. You can't redirect wildcard queries to another domain with the same name, since you're already the authoritative source.

If you use a wildcard (*.test.com) it only works for A records, so all unknown queries would get the same set of records/IP addresses.

If you use a DNAME, you are rewriting the namespace, so queries for 'unknown.test.com' would get re-written as 'unknown.elsewhere.org', which won't help either.

If you use a delegation, you have the same kind of problem; it only works for names that match the delegation.

You need to fix things to either block the VPN clients from using your DNS and give them different resolvers, or try very ugly hacks.

(One awful option that comes to mind is another view where you can overlap the namespace and unwind the DNAME rewrite:

  *.test.com -> DNAME -> elsewhere.org

  elsewhere.org -> FORWARD -> view2/elsewhere.org

  view2/elsewhere.org -> DNAME -> test.com

  view2 -> FORWARD -> <internet>

but I would never suggest that IRL.)
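To illustrate the point made above, that an authoritative zone has no "unknown name, ask elsewhere" step, here is an added Python model of the lookup order a server follows (example code for this thread, not Infoblox code; the zone records, the delegated child zone and the DNAME target are constructed sample data). Under a wildcard every unknown name gets the same RRset, under a DNAME the name is rewritten, a delegation only catches names under the delegated child, and anything else is an authoritative NXDOMAIN.

```python
# Toy model of how an authoritative zone answers queries. Added example for this
# thread, not Infoblox code; the records, wildcard target, delegation and DNAME
# target are constructed sample data.
ZONE = "test.com."
RECORDS = {                                      # explicit internal entries
    "test.com.": {"NS": ["ns1.test.com."]},      # apex (SOA omitted)
    "intranet.test.com.": {"A": ["10.0.0.5"]},
    "mail.test.com.": {"A": ["10.0.0.25"]},
}
DELEGATIONS = {"lab.test.com.": ["ns1.lab-provider.example."]}  # child zone
WILDCARD = {"A": ["10.0.0.99"]}                  # *.test.com, if configured
DNAME_TARGET = "elsewhere.org."                  # test.com DNAME elsewhere.org


def _answer(rrsets, qtype):
    """Name exists: return its RRset for qtype, or NODATA if it has none."""
    rrset = rrsets.get(qtype)
    return ("NOERROR", rrset) if rrset else ("NODATA", None)


def lookup(qname, qtype, wildcard=None, dname=None):
    """Answer one query the way an authoritative server does (RFC 1034, 4592,
    6672; simplified). Order: exact match, delegation, DNAME, wildcard, else
    NXDOMAIN. No step consults another server: the zone is the final word."""
    qname = qname.lower()
    if qname != ZONE and not qname.endswith("." + ZONE):
        return ("REFUSED", None)                 # not our zone at all
    if qname in RECORDS:                         # 1. explicit record wins
        return _answer(RECORDS[qname], qtype)
    for child, nameservers in DELEGATIONS.items():   # 2. delegated subtree
        if qname == child or qname.endswith("." + child):
            return ("REFERRAL", nameservers)     # only names under the child
    if dname:                                    # 3. DNAME rewrites the subtree
        # A real apex DNAME would also forbid RECORDS below it (RFC 6672 §2.4).
        prefix = qname[: -len(ZONE)]             # "www." from "www.test.com."
        return ("NOERROR", ["CNAME " + prefix + dname])
    if wildcard:                                 # 4. wildcard synthesis
        return _answer(wildcard, qtype)          # same RRset for every name
    return ("NXDOMAIN", None)                    # 5. authoritative denial


if __name__ == "__main__":
    for name in ("intranet.test.com.", "www.test.com.", "shop.test.com."):
        print(name, lookup(name, "A"), lookup(name, "A", wildcard=WILDCARD),
              lookup(name, "A", dname=DNAME_TARGET))
```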
