Public AND Private Authoritative DNS Servers

Tags: dns-zone, domain-name-system, internal-dns

Re this setup:

My Public Authoritative DNS Server at <public dns ip>:

example.com.            A    <public webserver IP>
foo.bar.example.com.   TXT   "Hello World"

My Private Authoritative DNS Server at 192.168.0.2:

foo.bar.example.com.    A      192.168.0.1
bar.bar.example.com.  CNAME    foo.bar.example.com.

So I have two authoritative DNS servers, one in the public domain, one in the private domain. I need the public one to serve some TXT records, but not A records, for a specific subset of domains.
The private one needs to serve A and CNAME records, for internal use only, but will not serve TXT records.

If my clients have their DNS server IPs in the wrong order (public,private), is the public authoritative DNS server response going to prevent the private DNS server from being queried?

Example:

Client has resolv.conf set to:

<public dns ip>
192.168.0.2

If they run nslookup foo.bar.example.com from their console, will it resolve to 192.168.0.1 or will the public DNS server tell them the name doesn't exist and to stop looking?

Best Answer

Resolving does not work like you think it does. When you have multiple lines in your resolv.conf they are used as a fallback: the system always uses the first nameserver, and only if it does not reply at all (which is different from replying that a name does not exist) will it query the second one, and so on. This applies per query, basically.

You should set up things differently: have only one authoritative nameserver and, if you use BIND, use its views mechanism to reply different things to different clients. Let the clients' normal DNS tree walking find it.

But otherwise, in theory, you are right: if the "public" server does reply and says NXDOMAIN, the search will stop there. Except you are mixing authoritative and recursive servers (the ones in resolv.conf), which is a very bad habit. And you still have a setup that is more complicated than needed, and it will give you problems later on.
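The single-server-with-views setup the answer recommends, written out as an added example (it is not from the question or the answer): one authoritative BIND instance serving the question's records, with a view for the 192.168.0.0/24 clients and one for everyone else. The `internal` ACL, the file paths, the `ns1` host and the SOA values are assumptions; the `<public ...>` values are the question's own placeholders.

```conf
# /etc/bind/named.conf  (constructed example)
acl internal { 192.168.0.0/24; localhost; };

options {
    recursion no;              # authoritative only; do not also act as the clients' recursive resolver
    allow-transfer { none; };
};

# Once views are used, every zone must live inside a view; BIND refuses to mix top-level zones and views.
view "internal" {
    match-clients { internal; };
    zone "example.com" { type master; file "/etc/bind/db.example.com.internal"; };
};

view "external" {
    match-clients { any; };    # everyone who did not match the "internal" view above
    zone "example.com" { type master; file "/etc/bind/db.example.com.external"; };
};

; /etc/bind/db.example.com.internal  (what 192.168.0.0/24 clients see: A and CNAME, no TXT)
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 300 )
@        IN NS    ns1.example.com.
ns1      IN A     192.168.0.2
foo.bar  IN A     192.168.0.1
bar.bar  IN CNAME foo.bar.example.com.

; /etc/bind/db.example.com.external  (what everyone else sees: TXT and the web server, no internal A records)
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 300 )
@        IN NS    ns1.example.com.
ns1      IN A     <public dns ip>
@        IN A     <public webserver IP>
foo.bar  IN TXT   "Hello World"

; Checks before reloading:
;   named-checkconf /etc/bind/named.conf
;   named-checkzone example.com /etc/bind/db.example.com.internal
;   named-checkzone example.com /etc/bind/db.example.com.external
; From a 192.168.0.0/24 host:  dig @192.168.0.2 foo.bar.example.com A    -> 192.168.0.1
; From outside:                dig @192.168.0.2 foo.bar.example.com A    -> NOERROR, empty answer (TXT exists)
```

Clients then keep a single recursive resolver in resolv.conf and reach this server through normal delegation, so the ordering problem in the question never arises.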