[Dnsmasq-discuss] dnsmasq as a middle man for zone delegation

Petr Menšík pemensik at redhat.com
Mon Oct 12 17:56:51 BST 2020
On 10/11/20 12:44 AM, rst2121211 rst2121211 wrote:
> Hello All,
> We are trying to delegate a subdomain "subdomain.corp.net" to a secondary DNS 
> forwarder from our Active Directory DNS.
> We created a delegation for that in AD but AD will not set the RD (recursion 
> desired) bit and the remote (not authoritative forwarder) will drop the query.
Have you tried setting it as a forward zone, instead of a pure delegation?

What kind of server is the Forwarder? Is it authoritative for the
"subdomain.corp.net"? It has to respond to:

dig +norec NS subdomain.corp.net. @<forwarder-ip>
> We were wondering if dnsmasq could serve as a middle man (between AD and the 
> Forwarder) and rewrite the RD flag to workaround our issue.
At least with BIND, which I work with the most, the RD flag is not enabled
for delegated subdomains. Instead, a forward-type zone would work.
> Our first test with dnsmasq did not work: with the default/standard setup, AD 
> delegated queries (no RD) were dropped, as dnsmasq did forward the requests as 
> is. (If the dnsmasq cache had the entry we were querying, it was working, but that is 
> not really an option.)
> We also tried to play with the auth-zone and auth-server flags but dnsmasq would 
> stop forwarding the request.
auth-zone configures dnsmasq as authoritative for that zone. That means
anything it doesn't know about does not exist, and it returns NXDOMAIN.

> Before we spend more time trying to achieve this I was wondering if dnsmasq is 
> actually a good candidate to solve this problem.
I would first try to configure an authoritative zone on the
Forwarder. If it truly cannot do it, something should configure forwarding
to it. I think such a server would become a 'lame server' for that domain,
because no server would return an authoritative answer for it. But it should work
for clients. The best would be to use an authoritative server for the subdomain too.

> Thanks in advance for your help and feedback.
> Regards,
> Boris.
> 

Cheers,
Petr

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
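The `dig +norec NS subdomain.corp.net. @<forwarder-ip>` check Petr suggests is the whole diagnosis in one packet: a query with RD clear, exactly what AD sends to a delegation, and the answer's AA flag and RCODE tell you whether the forwarder is authoritative, refuses without RD, or is lame for the zone. The script below is an added example written for this thread (not code from dnsmasq, Petr, or the poster); it builds that same query by hand with the standard library, sends it over UDP, and decodes the header flags. `FORWARDER_IP` is a TEST-NET placeholder you must replace, and `sample_response()` constructs header-only replies so the classifier can be exercised offline.

```python
"""Check whether a forwarder answers a non-recursive NS query for a delegated zone.

Added example for this thread, not from dnsmasq or the poster. It hand-builds the
same query as `dig +norec NS subdomain.corp.net. @<forwarder-ip>`, sends it over
UDP, and decodes the reply header (AA, RD, RA, RCODE) so you can see whether the
server is authoritative, refuses without RD, or is lame for the zone.
"""
import socket
import struct

QTYPE_NS = 2
QCLASS_IN = 1
FORWARDER_IP = "192.0.2.53"   # placeholder (TEST-NET-2); replace with your forwarder
ZONE = "subdomain.corp.net"   # the delegated zone from the thread

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_NS, rd=False, txid=0x1234):
    """Build a one-question DNS query; rd=False mirrors what AD sends to a delegation."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_header(msg):
    """Decode the 12-byte header into a dict of flags and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(response):
    """Explain what the header of a reply to a non-recursive NS query means."""
    h = decode_header(response)
    if h["rcode"] == RCODE_REFUSED:
        return "refused: server will not answer this zone without RD"
    if h["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain: server claims the zone does not exist"
    if h["aa"] and h["ancount"] > 0:
        return "authoritative: delegation to this server will work"
    if h["ancount"] > 0:
        return "non-authoritative answer: came from cache, not a zone"
    return "lame: no answer and no authority for this zone"


def sample_response(flags, ancount=0, txid=0x1234):
    """Constructed header-only reply, for offline testing of classify()."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def probe(server_ip, zone=ZONE, rd=False, timeout=3.0):
    """Send the query over UDP and return the classified result (needs network)."""
    query = build_query(zone, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: query dropped (no reply at all)"
    if decode_header(data)["id"] != decode_header(query)["id"]:
        return "mismatched transaction id"
    return classify(data)


if __name__ == "__main__":
    # Probe once without RD (what AD's delegation sends) and once with RD
    # (what a forward zone or a recursive client would send), for comparison.
    for rd in (False, True):
        print(f"RD={int(rd)}: {probe(FORWARDER_IP, rd=rd)}")
```

Running it against the real forwarder shows the two cases side by side: if RD=0 times out or is refused while RD=1 answers, the server is only a forwarder and Petr's advice applies (make it authoritative, or forward to it instead of delegating). My own note, not from the thread: dnsmasq's way to express that forward-type zone is a `server=/subdomain.corp.net/<forwarder-ip>` line, which sends the forwarder recursive queries rather than the RD-less ones a delegation produces.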
