DNS (bind) & private addresses (192.168.x.x)

Hello - I have a quite big simulated (VMware) network in my lab and I am trying to use the new version of SuSE Linux. Now I have SLES 10 and I want to change to openSUSE 12.1. But I see a problem I can't resolve.
I have, for example, 2 LANs (one.cz - SUSE 12.1, two.cz - SLES 10) and one single SLES 10 machine with a “root” DNS server configured (zone “.” as a master zone serving zones “one.cz” and “two.cz”). Both DNS servers in zones one, two are configured to use my root server (records in root.hint are replaced with only 1 record pointing to my server). All machines use 192.168. IP addresses (properly configured, traceroute works fine).
Problem:
DNS server from zone one (new SUSE 12.1) holds zones “one.cz” and “1.168.192.in-addr.arpa”. But when it's asked for reverse translating 192.168.2.2 (machine in zone “two.cz”), it does not send a query to the “root” DNS server - no packet captured in wireshark.
In the same situation from zone “two” - the older bind in “two.cz” properly translates 192.168.1.1 as (etc.) ns.one.cz.
Is there any option to force bind to re-send queries which it couldn't translate to the root DNS server - even if they are private (RFC 1918) addresses?

P.S.: When I try to ask translation for any public IP address, it will ask (of course with no answer …)

P.S.2: It is a simulated network which should present real working DNS (and other internet services) to students

P.S.3: I know, readdressing to public address space should be a solution, BUT … I would like to know if there is any easier way
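A named.conf fragment for the one.cz server, added here as an example and not the original poster's configuration: BIND 9.4 and later serve built-in empty zones for the RFC 1918 reverse namespaces (including 168.192.in-addr.arpa), so a query for 2.2.168.192.in-addr.arpa is answered NXDOMAIN locally and never reaches the hint-listed lab root. The BIND version (openSUSE 12.1 ships 9.8), the directory and the zone file names are assumptions.

```conf
// Added example, not the poster's own named.conf.
// Assumes BIND 9.4+ and the openSUSE default working directory.
options {
    directory "/var/lib/named";     // assumed; check your distribution
    recursion yes;

    // Built-in empty zones cover 10.in-addr.arpa, 16-31.172.in-addr.arpa,
    // 168.192.in-addr.arpa, etc. Being authoritative for the child
    // 1.168.192.in-addr.arpa does NOT remove the parent empty zone, so
    // reverse queries for 192.168.2.x get a local NXDOMAIN.
    //
    // Option A: switch off every built-in empty zone:
    // empty-zones-enable no;
    //
    // Option B (narrower): drop only the one covering the lab range, so the
    // other RFC 1918 ranges still stop at this server instead of leaking out.
    disable-empty-zone "168.192.in-addr.arpa";
};

// Hint zone: root.hint contains the single record pointing at the lab
// root server, as described in the post.
zone "." {
    type hint;
    file "root.hint";
};

zone "one.cz" {
    type master;
    file "master/one.cz";              // assumed file name
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/1.168.192.in-addr.arpa";   // assumed file name
};
```

After `named-checkconf` and a reload, a `dig -x 192.168.2.2` on this server should now produce the outgoing query to the lab root that was missing in the capture. The lab root zone itself must also delegate 2.168.192.in-addr.arpa to ns.two.cz, otherwise the forwarded query still ends in NXDOMAIN, only from the root this time.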

I am not sure, but I doubt that your problem is related to the fact that the addresses are in a private address range.
I only make this remark to prevent you from only looking for a solution in this particular direction.

On 2012-05-25 12:36, Lefs wrote:

> Is there any option to force bind to re-send queries which it couldnt
> translate to root DNS server - even if it is private (RFC 1918)
> addresses ?

I don’t think bind will ever send queries for private addresses to the root
servers. You will need bind experts to answer that question conclusively.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Again, I am not sure (long time ago that I managed a DNS server), but the OP’s situation is not that unique. In any case, within a corporate network one can use one or more private address ranges, unique within the company, but split over several subnets and several (sub)domains. That would make it not that strange to at least ask a central DNS server for resolving things outside the scope of the local DNS.

On 2012-05-25 18:16, hcvv wrote:
>
> Again, I am not sure (long time ago that I managed a DNS server), but
> the OP’s situation is not that unique. In any case, within a corporate
> network one can use one or more private address ranges, unique within
> the company, but split over several subnets and several (sub)domains.
> That would make it not that strange to at least ask a central DNS server
> for resolving things outside the scope of the local DNS.

Oh, that yes, it is in the nature of the name service: you are
authoritative for a zone, and ask the rest. However, I don’t think you can
ask the root servers for private address, they are “special”. But I don’t
know for sure.

Yes, he has the root servers redefined to not be the real root servers, but
other servers acting as the root servers. But they are not being asked,
that’s the problem: bind considers those addresses as private and does not
ask upstream (to the faked root servers) for private addresses thinking
that the faked root servers are for public addresses. He needs a switch to
change that behaviour - but I think that it is hard coded.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)