02-04-2016 02:51 AM
I have just encountered a problem within our infoblox dns infrastructure.
A customer was connected to our infrastructure and used a proxy script in order to connect to the internet. We have their internal DNS zone configured on our Infoblox, but their external webpage is hosted at a different provider. The domains are the same. The customer is now connected directly to the internet and is not using the proxy script anymore. But via VPN tunnel the customer is accessing servers on our infrastructure and is also using the DNS service.
So when the customer tries to access his external website, e.g. "test.com", he gets a timeout. The reason is that we don't have an internal DNS entry pointing to the internet IP of the external website.
Is it possible to define the internal zone "test.com" to look up unknown entries at a different nameserver? The zone is an authoritative zone and contains internal DNS entries, which cannot be moved/deleted.
Any idea on this?
02-05-2016 05:09 AM - edited 02-05-2016 05:10 AM
Nice one !
I think something like this would work :
Set up a wildcard forward zone inside the main one. Each existing record should be served by your appliances, while non-existing ones should match the wildcard and be forwarded to the other name server.
I can't test it in our lab, but theoretically it should do the job.
02-08-2016 11:21 PM
Thanks for your response. It sounds easy and perfect, but unfortunately I receive the error "Cannot create a wildcard subzone." when I try to set up a forwarding subzone within the zone.
Did I miss anything? Any other idea?
02-10-2016 10:04 AM
You're basically stuck.
Your customer is using your internal DNS and you are authoritative for the namespace (*.test.com), so the buck stops with you. You can't redirect wildcard queries to another domain with the same name, since you're already the authoritative source.
If you use a wildcard ( *.test.com ) it only works for A records, so all unknown queries would get the same set of records/IP addresses.
If you use a DNAME, you are rewriting the namespace, so queries for 'unknown.test.com' would get re-written as 'unknown.elsewhere.org', which won't help either.
If you use a delegation, you have the same kind of problem: it only works for names that match the delegation.
You need to fix things to either block the VPN clients from using your DNS and give them different resolvers, or try very ugly hacks.
(One awful option that comes to mind is another view where you can overlap the namespace and unwind the DNAME rewrite:
*.test.com -> DNAME -> elsewhere.org
elsewhere.org -> FORWARD -> view2/elsewhere.org
view2/elsewhere.org -> DNAME -> test.com
view2 -> FORWARD -> <internet>
but I would never suggest that IRL.)
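To make the behaviour discussed in this thread concrete, here is an added example in Python. It is not Infoblox configuration and not code from anyone in the thread: it is an in-memory model of a DNS "view" that implements the RFC 6672 DNAME substitution rule, answers NXDOMAIN for unknown names in a zone it is authoritative for (which is why the original query times out instead of being forwarded), and walks a query through the two-view DNAME chain sketched in the last reply. The zone names test.com and elsewhere.org come from the thread; the record names, the 10.0.0.5 and 203.0.113.10 addresses, and the `View`/`lookup` helpers are constructed for the demonstration. The model also enforces the RFC 6672 rule that no other data may exist below a DNAME owner, which is the practical cost of the chain: the internal test.com records cannot stay in the same zone as the DNAME.

```python
"""In-memory model of an authoritative zone, DNAME rewriting and a two-view
DNAME chain. Added example; not Infoblox code or configuration.
All zone contents and addresses below are constructed for the demo
(10.0.0.5 is RFC 1918 space, 203.0.113.10 is RFC 5737 documentation space)."""

NXDOMAIN = "NXDOMAIN"


def dname_substitute(qname, owner, target):
    """RFC 6672 sec. 2.2: a name strictly below `owner` has that suffix replaced
    by `target`. The owner itself and unrelated names are not rewritten."""
    if qname == owner or not qname.endswith("." + owner):
        return None
    return qname[: -len(owner)] + target


def _under(name, zone):
    return name == zone or name.endswith("." + zone)


class View:
    """A resolver view with A records, DNAME records and forward rules."""

    def __init__(self, name, auth_zones=(), records=None, dnames=None,
                 forwards=None, default=None):
        self.name = name
        self.auth_zones = tuple(auth_zones)   # zones this view answers itself
        self.records = dict(records or {})    # name -> IPv4 (A records only)
        self.dnames = dict(dnames or {})      # DNAME owner -> DNAME target
        self.forwards = dict(forwards or {})  # zone -> resolver(qname, trace)
        self.default = default                # resolver for everything else
        # RFC 6672 sec. 2.4: no data may exist below a DNAME owner.
        for owner in self.dnames:
            clash = [n for n in self.records if n != owner and _under(n, owner)]
            if clash:
                raise ValueError(f"{name}: data below DNAME owner {owner}: {clash}")

    def resolve(self, qname, trace):
        trace.append(f"{self.name}: {qname}")
        if qname in self.records:
            return self.records[qname]
        for owner, target in self.dnames.items():
            rewritten = dname_substitute(qname, owner, target)
            if rewritten:
                trace.append(f"{self.name}: DNAME {owner} -> {target} gives {rewritten}")
                return self.resolve(rewritten, trace)
        for zone, resolver in self.forwards.items():
            if _under(qname, zone):
                return resolver(qname, trace)
        # An authoritative zone never forwards: an unknown name is NXDOMAIN.
        if any(_under(qname, z) for z in self.auth_zones):
            return NXDOMAIN
        return self.default(qname, trace) if self.default else NXDOMAIN


INTERNET = {"www.test.com": "203.0.113.10"}  # constructed: the customer's public site


def internet(qname, trace):
    trace.append(f"internet: {qname}")
    return INTERNET.get(qname, NXDOMAIN)


def plain_setup():
    """The original post: one view authoritative for test.com with only the
    internal records; everything outside that zone goes to the internet."""
    return View("internal", auth_zones=["test.com"],
                records={"intranet.test.com": "10.0.0.5"}, default=internet)


def view_chain():
    """The two-view chain from the last reply (constructed, not a recommendation)."""
    view2 = View("view2", dnames={"elsewhere.org": "test.com"},
                 forwards={"test.com": internet}, default=internet)
    return View("view1", dnames={"test.com": "elsewhere.org"},
                forwards={"elsewhere.org": view2.resolve}, default=internet)


def internal_records_clash_with_dname():
    """True if keeping intranet.test.com next to a DNAME at test.com is rejected."""
    try:
        View("view1", dnames={"test.com": "elsewhere.org"},
             records={"intranet.test.com": "10.0.0.5"})
    except ValueError:
        return True
    return False


def lookup(view, qname):
    trace = []
    return view.resolve(qname, trace), trace


if __name__ == "__main__":
    for view, qname in [(plain_setup(), "www.test.com"),
                        (plain_setup(), "intranet.test.com"),
                        (view_chain(), "www.test.com")]:
        answer, trace = lookup(view, qname)
        print(qname, "->", answer)
        print("  " + "\n  ".join(trace))
    print("internal records next to the DNAME rejected:",
          internal_records_clash_with_dname())
```

Running it shows the three outcomes side by side: in the plain setup `www.test.com` is NXDOMAIN because the authoritative zone is the end of the line, `intranet.test.com` still answers from the internal data, and in the view chain `www.test.com` is rewritten to `www.elsewhere.org`, forwarded to view2, rewritten back to `www.test.com` and forwarded to the internet. The last line is the catch: the DNAME and the internal records cannot share the zone, so the chain only "works" by giving up the internal names it was supposed to preserve.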