d***@spamgourmet.com
2015-10-14 18:07:17 UTC
My company has been acquired by another company that we used to do a lot of
business with. Due to the shared history, we have an internal "fake" DNS
zone of theirs with around 900 DNS entries, let's call it newparentco.com.
I am now in the situation where I need to be able to resolve the REAL
newparentco.com (which has 10s of thousands of records, far more than the
900 I have), but I can't just redirect to their DNS servers as our 900 fake
DNS records contain quite a few NAT IPs, and I have to work with the
networks teams over several months to back out these NAT entries on the
firewall.
What I want to be able to do is configure dnsmasq with 2 servers for
newparentco.com, so that it attempts our internal fake server first, and if
it gets NXDOMAIN, it then attempts the real newparentco.com servers. This
way, I can gradually decommission my fake DNS server by deleting records in
batches, and as these records with NAT IPs are deleted from my fake DNS
server, they will then be forwarded to the real newparentco.com servers,
giving the client the real IP. Once I have deleted the final fake record, I
can decommission both the fake DNS server and the dnsmasq server, and just
forward newparentco.com to the real DNS servers.
Is this possible? I thought this would work:
/usr/sbin/dnsmasq -q --server=/newparentco.com/1.1.1.1 --server=/newparentco.com/2.2.2.2 -d -R
(where 1.1.1.1 is my fake DNS server and 2.2.2.2 is the real
newparentco.com server),
but if I query for a record that is not on 1.1.1.1, it returns (correctly)
NXDOMAIN, the NXDOMAIN is returned straight back to the client, and 2.2.2.2
is never queried.
So my summary question: Can I ask dnsmasq to query 2.2.2.2 if 1.1.1.1
returns NXDOMAIN?
Thanks!
--John
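The fallback John describes, as an added example that is not from this thread or from dnsmasq itself: a minimal Python forwarder that queries 1.1.1.1 and moves on to 2.2.2.2 only when the reply is NXDOMAIN (RCODE 3), verifying the transaction ID on every reply. The server addresses are the post's placeholders; the zone contents and the in-memory fake_exchange are constructed so the demo runs without touching the network.

```python
import random
import socket
import struct

NXDOMAIN = 3  # RCODE 3: the name does not exist

def build_query(name, txid, qtype=1):
    # Header: id, flags (RD set), QDCOUNT=1; then QNAME, QTYPE, QCLASS IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def rcode_of(packet):
    return struct.unpack(">H", packet[2:4])[0] & 0x0F  # low 4 bits of flags

def qname_of(packet):
    labels, i = [], 12  # question section starts right after the header
    while packet[i]:
        labels.append(packet[i + 1:i + 1 + packet[i]].decode("ascii"))
        i += packet[i] + 1
    return ".".join(labels)

def udp_exchange(server, packet, timeout=2.0):
    # Real transport: one UDP round trip to server:53 (not used by the demo)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def resolve_with_fallback(name, servers, exchange=udp_exchange):
    # Ask each server in turn; only NXDOMAIN moves on to the next server.
    # Returns (server, response); if all say NXDOMAIN, the last reply wins.
    txid = random.randrange(0x10000)  # unpredictable ID, verified on reply
    query = build_query(name, txid)
    response = None
    for server in servers:
        response = exchange(server, query)
        if struct.unpack(">H", response[:2])[0] != txid:
            raise ValueError(f"transaction id mismatch from {server}")
        if rcode_of(response) != NXDOMAIN:
            return server, response
    return servers[-1], response

# Constructed zones: 1.1.1.1 is the shrinking "fake" server, 2.2.2.2 the real one
FAKE_ZONES = {"1.1.1.1": {"app.newparentco.com"}, "2.2.2.2": {"app.newparentco.com", "mail.newparentco.com"}}

def fake_exchange(server, query):
    # Echo the question back with QR|RD|RA flags and NOERROR or NXDOMAIN
    rc = 0 if qname_of(query) in FAKE_ZONES[server] else NXDOMAIN
    return query[:2] + struct.pack(">H", 0x8180 | rc) + query[4:]
```

Note the trade-off this design carries: every name absent from the fake zone costs a second round trip, and any reply other than NXDOMAIN (including SERVFAIL) from the first server is returned as-is.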