08-29-2017 09:16 AM
So I am in the process of migrating to InfoBlox. I have several domains which will all be pointing to the IB appliance for DNS. We have migrated one zone successfully so far.
However, I have a problem. I have several domains that do not have a top-level domain suffix, and so are private-only domains. So in order to access some of these servers externally, we have a forward lookup zone for the public domain, and publish A records that point to an F5 on AWS. Internally, we create CNAME records that point to the internal domain A records in that forward lookup zone.
In another domain, we don't currently do this at all; we don't have the forward lookup zone. There are very likely references to the external domain configured into various application configurations, etc. However, this domain does not have a forward lookup zone, so it goes to AWS for DNS for that zone, and we don't know which records are being used.
I am wondering if there is a way to configure a forward lookup zone in InfoBlox, for which IB is authoritative such that if a record does not exist, that request can be forwarded to another DNS source. Is this possible?
08-31-2017 02:11 PM
There might be a couple of different ways of accomplishing what you are looking for here. To add a forward zone, navigate to Data Management -> DNS -> Zones and in the Add menu, select Zone -> Forward Zone. This will allow you to set the name of the zone (with or without a label (e.g. zonename or zonename.com)), the name servers that you want to forward queries to (such as your AWS F5s) and the Infoblox servers in your Grid which you want to serve this forward zone from.
If there is a subdomain, you can also leverage a delegated zone for this.
08-31-2017 02:16 PM
To be frank, the question is a bit confusing. However looking into the last portion "I am wondering if there is a way to configure a forward lookup zone in Infoblox, for which IB is authoritative such that if a record does not exist, that request can be forwarded to another DNS source. Is this possible?"
This is not possible. The DNS server always looks for the closest matching authoritative zone, and to get out of that you need to have a referral (subzones) or CNAME/DNAME. So for a record that does not exist, we provide an NXDOMAIN response. You may check if NXDOMAIN redirection can be of help to you.
Let us know more about your environment to help you in a better way.
09-01-2017 05:13 AM
To try and simplify my question, let's say I have a domain xyz.com.
In my current AD DNS, I have several CNAME records for xyz.com that point to the internal domain abc.local.
srv1.xyz.com -> srv1.abc.local. This must be internal traffic so traffic is not routed to the edge firewall.
I am merging the DNS with another domain that may also reference resources in xyz.com, but they are not pointing at internal resources, so going to the edge firewall is necessary.
So I would like InfoBlox to respond to srv1.xyz.com with the CNAME data for srv1.abc.local as it does currently in my AD DNS. But, if a different record is requested that InfoBlox does not have on record, myexternalapp.xyz.com, I would like the request forwarded to AWS. Alternatively, the response for forwarding to AWS could also be done via networking/subnets if that is possible. I just would like to have it respond differently to a particular set of servers, and not need to import the AWS DNS records into InfoBlox.
09-01-2017 06:10 AM
Thanks for your response.
I tried this, but I can't create a Forward Zone while a delegate zone exists (Our InfoBlox admin created all zones as delegate zones initially, something we're correcting before we migrate over, as we ran into issues on our first zone migration - it didn't create the SRV/_msdcs records for the domain because it was a delegate zone).
"Duplicate object 'myzone.com' of type zone exists in the database"
Would I need to create the Forward Zone first, and then create the zone after? This is not a subdomain, so the delegated zone idea wouldn't apply.
09-01-2017 06:20 AM
No, unfortunately, if a name server is authoritative for the zone xyz.com, it will always consider itself as 100% authoritative for all domain names that end in xyz.com.
The exception to this rule is if you delegate, or forward, a subdomain of xyz.com to some other set of name servers. However, it does not look like this is the behavior you want. When delegating or forwarding you must specify the specific subdomain you want to delegate/forward. It looks like you would like the name server to respond with RRs you have specifically configured in xyz.com and forward all other queries to a different name server (which is not possible).
09-01-2017 06:25 AM
Although, a workaround is to create zones for every RR in xyz.com that you want to serve. The manageability of this approach depends on the number of RRs in xyz.com (is it practical to manage 100's or 1000's of zones, one for each RR in xyz.com?). Also, if xyz.com takes DDNS updates, this approach becomes almost impossible to manage. Also, if you create a zone for each RR, you will not be able to use a CNAME to alias it to another place, due to the CNAME and other data rule...
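The behaviour described in the replies above (closest enclosing zone wins, an authoritative zone answers NXDOMAIN for names it does not hold, only an explicitly named subdomain can be forwarded, and the per-RR-zone workaround loses the CNAME at the apex) can be seen in a small model. This is an added illustration for the thread, not Infoblox code or configuration; the zone table format, the host names and the upstream name "aws-ns.example" are assumptions.

```python
# Added illustration for this thread (not Infoblox code or configuration):
# a toy model of how an authoritative server picks the zone that answers a
# query by longest-suffix match. Zone names, hosts and the upstream
# "aws-ns.example" are assumed, not taken from any real environment.

def enclosing_domains(name):
    """Yield every domain that encloses `name`, longest first:
    'a.b.xyz.com' -> 'a.b.xyz.com', 'b.xyz.com', 'xyz.com', 'com'."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def closest_zone(zones, qname):
    """Return (zone_name, zone) for the longest configured suffix of qname,
    or (None, None) if no zone in the table encloses it."""
    for candidate in enclosing_domains(qname):
        if candidate in zones:
            return candidate, zones[candidate]
    return None, None


def resolve(zones, qname, qtype="A"):
    """Answer a query the way a server holding this zone table would.

    `zones` maps a zone name to either
        {"type": "auth", "records": {owner: [(rrtype, rdata), ...]}}
    or  {"type": "forward", "to": "<upstream name server>"}.

    Returns a tuple whose first element is one of:
        "answer"   - (zone, [(rrtype, rdata), ...]) served from own data
        "nxdomain" - (zone,) authoritative zone matched, name does not exist
        "nodata"   - (zone,) name exists but has no RR of the asked type
        "forward"  - (zone, upstream) a forward zone matched
        "recurse"  - () nothing configured encloses the name
    """
    zname, zone = closest_zone(zones, qname)
    if zone is None:
        return ("recurse",)
    if zone["type"] == "forward":
        return ("forward", zname, zone["to"])
    # Authoritative zone: the server answers only from its own data. There is
    # no "fall through to another server" step, which is the thread's point.
    rrset = zone["records"].get(qname.rstrip(".").lower())
    if not rrset:
        return ("nxdomain", zname)
    # A CNAME answers any query type, since the owner is an alias.
    hits = [rr for rr in rrset if rr[0] == qtype or rr[0] == "CNAME"]
    if not hits:
        return ("nodata", zname)
    return ("answer", zname, hits)


# Scenario 1: Infoblox authoritative for xyz.com, the layout the OP wants.
# The internal alias works, an unknown name is NXDOMAIN, and only an
# explicitly configured subdomain (ext.xyz.com) is forwarded to AWS.
AUTHORITATIVE_XYZ = {
    "xyz.com": {"type": "auth", "records": {
        "xyz.com": [("SOA", "ns1.xyz.com. hostmaster.xyz.com. 1 3600 600 86400 300"),
                    ("NS", "ns1.xyz.com.")],
        "srv1.xyz.com": [("CNAME", "srv1.abc.local.")],
    }},
    "ext.xyz.com": {"type": "forward", "to": "aws-ns.example"},
}

# Scenario 2: the per-RR workaround from the reply above. srv1.xyz.com is its
# own zone and xyz.com is a forward zone, so unknown names do reach AWS, but
# the apex of srv1.xyz.com already carries SOA/NS and therefore cannot also
# be a CNAME ("CNAME and other data" rule); it must hold the A record itself.
PER_RR_ZONES = {
    "xyz.com": {"type": "forward", "to": "aws-ns.example"},
    "srv1.xyz.com": {"type": "auth", "records": {
        "srv1.xyz.com": [("SOA", "ns1.xyz.com. hostmaster.xyz.com. 1 3600 600 86400 300"),
                         ("NS", "ns1.xyz.com."),
                         ("A", "10.0.0.5")],
    }},
}

if __name__ == "__main__":
    for label, table in (("authoritative xyz.com", AUTHORITATIVE_XYZ),
                         ("per-RR zones", PER_RR_ZONES)):
        print(f"== {label}")
        for q in ("srv1.xyz.com", "myexternalapp.xyz.com", "www.ext.xyz.com"):
            print(f"  {q:24} -> {resolve(table, q)}")
```

Running it prints, for the first table, the CNAME for srv1.xyz.com, NXDOMAIN for myexternalapp.xyz.com and a forward only for names under ext.xyz.com; for the second table myexternalapp.xyz.com is forwarded, but srv1.xyz.com can no longer be an alias. Real servers add delegation handling, wildcards and DNAME on top of this, but the zone-selection step is the one that rules out "authoritative, except forward what I don't have".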
09-01-2017 08:37 AM
Thank you, that all makes sense. At least now I know.
It looks like I'll just need to maintain these in both places - though I'm not responsible for the external zone for the records that I didn't want to manage in InfoBlox. I'll just write a script to alert me when records become out of sync, or to just keep them in sync, and compile a list of records that I need to import from AWS. That second part is the tough part, as keeping them up-to-date should actually be fairly simple.
Thank you for your help.
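The sync script the last post describes needs two things: a list of external records Infoblox does not yet have, and an alert when a record that exists on both sides drifts. The example below is added here and is not the poster's script nor Infoblox or AWS tooling; it diffs two zone exports in plain zone-file syntax (constructed sample data, with made-up names and addresses) and treats a CNAME into the assumed internal domain `abc.local.` as the intentional override the thread describes rather than as drift. Fetching the real exports (Infoblox WAPI, AWS Route 53, or a zone transfer) is left to the caller.

```python
# Added example for the sync script the OP plans (not Infoblox or AWS code):
# compare the internal copy of xyz.com that Infoblox serves with the external
# copy at AWS, report records to import and records that drifted, and treat
# CNAMEs into the internal AD domain as the intentional overrides the thread
# describes. Both zone texts below are constructed sample data; the names,
# addresses and the "abc.local" suffix are assumptions.

from collections import defaultdict

INTERNAL_SUFFIX = "abc.local."   # assumed internal AD domain
APEX_TYPES = ("SOA", "NS")        # each side is authoritative, so these always differ


def parse_zone(text):
    """Parse '<owner> [ttl] [IN] <type> <rdata>' lines (';' comments allowed)
    into {(owner, type): set(rdata)}. Owner and rdata are lower-cased so
    that comparisons are case-insensitive, as DNS names are."""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:]).lower()
        rrsets[(owner.lower(), rtype)].add(rdata)
    return dict(rrsets)


def diff_zones(internal, external):
    """Return the drift between Infoblox's (internal) and AWS's (external)
    copy of the same zone, as a dict of four {(owner, type): ...} maps:
      to_import  : only AWS has it and nothing internal overrides the owner
      mismatched : both have the rrset but the data differs -> (internal, external)
      aliases    : internal-only CNAMEs into INTERNAL_SUFFIX (expected)
      unexpected : anything else only Infoblox has (probably stale)
    """
    overridden = {owner for (owner, rtype), rdata in internal.items()
                  if rtype == "CNAME" and any(r.endswith(INTERNAL_SUFFIX) for r in rdata)}
    to_import, mismatched, aliases, unexpected = {}, {}, {}, {}
    for key, rdata in external.items():
        owner, rtype = key
        if rtype in APEX_TYPES:
            continue
        if key in internal:
            if internal[key] != rdata:
                mismatched[key] = (internal[key], rdata)
        elif owner not in overridden:
            to_import[key] = rdata
    for key, rdata in internal.items():
        owner, rtype = key
        if rtype in APEX_TYPES or key in external:
            continue
        (aliases if owner in overridden else unexpected)[key] = rdata
    return {"to_import": to_import, "mismatched": mismatched,
            "aliases": aliases, "unexpected": unexpected}


# Constructed sample exports, not real zone data.
AWS_ZONE = """
xyz.com.               3600 IN SOA   ns-1.aws.example. hostmaster.xyz.com. 2017090101 7200 900 1209600 300
xyz.com.               3600 IN NS    ns-1.aws.example.
srv1.xyz.com.           300 IN A     203.0.113.10   ; F5 VIP; overridden internally by a CNAME
myexternalapp.xyz.com.  300 IN A     203.0.113.11   ; not yet known to Infoblox
api.xyz.com.            300 IN A     203.0.113.12
api.xyz.com.            300 IN A     203.0.113.13   ; second VIP added at AWS only
"""

INFOBLOX_ZONE = """
xyz.com.       3600 IN SOA   ns1.xyz.com. hostmaster.xyz.com. 42 3600 600 86400 300
xyz.com.       3600 IN NS    ns1.xyz.com.
srv1.xyz.com.   300 IN CNAME srv1.abc.local.   ; keep the traffic inside
api.xyz.com.    300 IN A     203.0.113.12
old.xyz.com.    300 IN A     198.51.100.7      ; exists nowhere else
"""


def check_drift(internal_text=INFOBLOX_ZONE, external_text=AWS_ZONE):
    """Parse both exports and return the diff_zones() report."""
    return diff_zones(parse_zone(internal_text), parse_zone(external_text))


if __name__ == "__main__":
    for bucket, entries in check_drift().items():
        print(f"{bucket}:")
        for (owner, rtype), data in entries.items():
            print(f"  {owner} {rtype} {data}")
```

On the sample data the report lists myexternalapp.xyz.com as the one record to import, api.xyz.com as drifted (AWS has a second address), srv1.xyz.com under the expected aliases, and old.xyz.com as something only Infoblox knows about. Anything in `to_import`, `mismatched` or `unexpected` is what the alert should fire on; the override list is deliberately keyed on the CNAME target suffix so that adding an external A record for an internally aliased name is not reported as missing, which would otherwise tempt someone into creating the A record next to the CNAME.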