BIND as secondary DNS to Windows Server 2012. Windows complains that BIND is “not authoritative”

Tags: bind, domain-name-system, windows-server-2008-r2

Short version

How do I tell BIND to be authoritative for a zone that it is a secondary master for?
I think I understand the meaning of authoritative but … maybe not. I want it to be a secondary to a DNS zone hosted on a Windows Server 2012 Essentials DC.

I'm no DNS expert but I guess our Windows server is acting both as a caching DNS server for general outbound queries and also as a primary master for several domains but only for internal users. These domains also have external DNS servers out on the internet. We have a few web sites on our LAN that are accessed from the outside world (via a NAT port forwarding) but we access it internally with an internal private IP address. We have those domains mostly duplicated on the internal DNS but with the A records for the web servers changed to internal IP addresses (maybe there's a better way of doing that). Our Windows DNS / AD server is not visible to the outside world. We use root hints, no DNS forwarders.

The only hassle is the single DNS server. If the Windows server is down for any reason, we can't resolve anything either internally or externally. It's mostly a hassle for me if I need to shut down the Windows server for support. That leaves me with no internal or external resolution.

I thought the obvious and hopefully easy thing to do would be to set up BIND as a secondary server on one of the Linux machines.

I've set up a secondary master by following this, but when I go to Windows and try to tell it to "Allow zone transfers", "Only to the following servers", it tells me that "The server with this IP address is not authoritative for the required zone".

What am I missing?

Maybe I could do something with the DNS forwarder in pfSense but I still need to have the internal host names defined somewhere. The clients' DNS settings point directly to the Windows server.

Best Answer

There are very good reasons to have recursive lookups go through BIND, notably the ability to filter and rate limit external queries. In the current age where the favorite DOS attack seems to be DNS amplification, this is critical. Also, you might be justifiably concerned about having your AD domain controllers relatively open in the Internet.

You can set up zone transfers to only be allowed to your secondary. That should make you feel better about the xfer.

You still should have at least two domain controllers! But not so one is available for external lookups.

See this thread too: How can I get BIND and Microsoft DNS to work together well?
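As an added illustration of the setup discussed above (not configuration from the question or the answer), this is a BIND 9 `named.conf` fragment that makes a Linux host a secondary for an internal zone held on the Windows DC and refuses to hand the zone on to anyone else. The zone name `corp.example`, the Windows DNS address `192.0.2.10` and the LAN range `192.0.2.0/24` are placeholders.

```conf
// Added example, not from the original post. Placeholders:
//   corp.example   - internal zone held as primary on the Windows DC
//   192.0.2.10     - the Windows Server 2012 DNS / AD server
//   192.0.2.0/24   - the internal LAN
options {
    directory "/var/cache/bind";

    // Recursive (caching) service only for internal clients; the secondary
    // zones below are answered authoritatively, recursion is not exposed.
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };

    // This host receives zone transfers; it never acts as a transfer source.
    allow-transfer { none; };
};

// One stanza per internal zone that the Windows server is primary for.
zone "corp.example" IN {
    type slave;                      // "type secondary;" on BIND 9.16 and later
    file "slaves/corp.example.db";   // relative to "directory" above
    masters { 192.0.2.10; };         // the Windows DNS server
    allow-notify { 192.0.2.10; };    // accept NOTIFY only from the primary
};
```

A secondary only answers with the AA (authoritative answer) flag set once it has completed its first transfer, so confirm that before pointing Windows at it: `dig @<bind-host> corp.example SOA +norecurse` should show `aa` in the flags line and the same serial as the Windows server; if the flags line lacks `aa`, the zone has not loaded yet and `rndc retransfer corp.example` plus the BIND log will show why the transfer was refused.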
