Hello everybody,

I'm trying to configure a couple of OpenBSD servers in a local network which is connected to the internet via an external gateway (which is not part of my network). All servers should belong to an internal zone "domain.swi". I set up BIND 9.4.2 master and slave servers on machines A and B for the domain and set them as nameservers on every computer in the network. Up to now, everything has worked perfectly; I was able to resolve all hostnames.

Now I'm trying to set up a forwarding nameserver on machine D which would forward all requests concerning the internal "domain.swi" to the nameservers on machines A and B, and all other requests to a nameserver running on the external gateway which connects the network to the internet. I want all servers in the network to use this forwarding nameserver. The problem is that after I start it I can resolve both internal and external hostnames on machine D where it's running, but when I try to use it as a nameserver for machine A, I can't resolve any hostname, either inside or outside the network. The log on machine D indicates that the named daemon denies all requests made by machine A, even though I've set the allow-query option to any.

This is how the configuration files look:
machine A (master nameserver) has address 192.168.56.67
machine B (slave nameserver) has address 192.168.26.32
machine D (forwarding nameserver) has address 192.168.26.34
external gateway (external nameserver) to the internet has address 192.168.56.2:

named.conf file on machine D (I tried to put A and B in the forwarders list in options as well, but it didn't help):

...

options {
...

   allow-query { any; };

   forward only;
   forwarders { 192.168.56.2; };
};

...

zone "swi" {
   type forward;
   forwarders { 192.168.56.67; 192.168.26.32; };
};

internal request on machine D:

ping a.domain.swi
PING a.domain.swi (192.168.56.67): 56 data bytes
...

external request on machine D:

ping www.google.com
PING www.l.google.com (74.125.87.103): 56 data bytes
...

internal request on machine A:

ping d.domain.swi
ping: unknown host: d.domain.swi

external request on machine A:

ping www.google.com
ping: unknown host: www.google.com

/var/log/daemon file on machine D:

d named[15789]: client 192.168.56.67#43919: query (cache) 'd.domain.swi/A/IN' denied
d named[15789]: client 192.168.56.67#32746: query (cache) 'www.google.com/A/IN' denied

I'm not sure about the forwarding configuration in named.conf, but I can't see why queries should be denied. I would appreciate any help, comments or hints very much! Thanks!

You probably need to specify the allowed hosts for recursion.

allow-recursion { 192.168.56.0/24; };

You should be able to do this globally in the BIND configuration, or you can set it per specific zone.
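For reference, here is what the whole named.conf fragment on machine D looks like with that fix applied. This is an added example written for this thread, not the poster's or Kevin's actual file. The "query (cache) ... denied" lines in the log come from BIND's recursion/cache ACL check, which by default follows allow-recursion rather than allow-query, so opening allow-query alone is not enough. The acl below assumes that the two subnets visible in the thread, 192.168.56.0/24 (machine A and the gateway) and 192.168.26.0/24 (machines B and D), are the whole internal network; Kevin's one-line answer only lists 192.168.56.0/24, which covers machine A but not the other hosts on 192.168.26.x.

```conf
// named.conf on machine D (forwarding nameserver); added example, not the
// configuration posted in the thread.
// Assumption: 192.168.56.0/24 and 192.168.26.0/24 are the complete internal
// network. Replace them with the real address ranges in use.
acl "internal" {
    127.0.0.1;
    192.168.56.0/24;
    192.168.26.0/24;
};

options {
    // Original (weak) setting: only allow-query was opened up.
    //   allow-query { any; };
    // Recursive lookups that populate or read the cache are still checked
    // against allow-recursion (and allow-query-cache in BIND 9.4), which by
    // default do not include the other machines, hence the
    // "query (cache) 'd.domain.swi/A/IN' denied" log entries.

    // Corrected: permit queries and recursion for the internal network only.
    // Do not use { any; } here; a resolver that recurses for anybody becomes
    // an open resolver and can be abused for reflection/amplification.
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Everything not matched by a forward zone goes to the external gateway.
    forward only;
    forwarders { 192.168.56.2; };
};

// Names under .swi (and therefore domain.swi) go to the internal master
// and slave on machines A and B.
zone "swi" {
    type forward;
    forward only;
    forwarders { 192.168.56.67; 192.168.26.32; };
};
```

After editing, check the syntax with `named-checkconf` before reloading with `rndc reload`, then confirm from machine A with `dig @192.168.26.34 d.domain.swi` and `dig @192.168.26.34 www.google.com`; a successful internal answer should come back with the authoritative data from A or B, and the "denied" lines should stop appearing in /var/log/daemon on D.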

Thanks Kevin, you're right of course.

Who is Kevin?