Zone hints for VPN environments

Andreas Meile mailingliste at andreas-meile.ch
Mon Feb 15 08:35:55 UTC 2016


Hello BIND users

Assume the following situation: Pure IPv4 environment, my own network 
running behind a NAT uses the zone "intra.example.com" and has a Linux box 
with 192.168.6.2 running named for that zone as well as 
6.168.192.in-addr.arpa.

Assume a second completely separate corporate network also behind a NAT 
where an ActiveDirectory DNS server for the zone "intra.example.net" is 
running on a server 10.55.2.3 (this server also provides 
2.55.10.in-addr.arpa, of course).

Let's connect both these networks over a VPN tunnel, i.e. 192.168.6.0/24 is 
routed to 10.55.2.0/24 and vice versa.

The basic problem: In a standard bind setup, my DNS server is not able to 
resolve resources from "intra.example.net" since it's not allowed to put

$ORIGIN example.net.

intra    IN    NS    adpdc1.intra.example.net.
adpdc1.intra    IN    A    10.55.2.3

on the public (reachable worldwide) example.net DNS zone.

The question is: How can I place the ActiveDirectory DNS as forwarder DNS 
server in such a way that it is responsible for a specific DNS zone only? I 
need something like

zone "intra.example.com" in {
        type master;
        file "intra.example.com.zone";
};

zone "6.168.192.in-addr.arpa" in {
        type master;
        file "192.168.6.zone";
};

// VPN to corporate #1's LAN
forwarders (filter = intra.example.net|2.55.10.in-addr.arpa) {
  10.55.2.3;
};

// VPN to corporate #2's LAN
forwarders (filter = intra.example.org|55.77.10.in-addr.arpa) {
  10.77.55.4;
};

// Default forwarders (my ISP's DNS servers) for all other queries
forwarders {
    192.0.2.44; 198.51.100.2;
};

Or do I have to use

// Zone hints to corporate #1's intranet
zone "intra.example.net." {
        type hint;
        file "corporate1_dns.subroot";
};

zone "2.55.10.in-addr.arpa." {
        type hint;
        file "corporate1_dns.subroot";
};

// Zone hints to corporate #2's intranet
zone "intra.example.org." {
        type hint;
        file "corporate2_dns.subroot";
};

zone "55.77.10.in-addr.arpa." {
        type hint;
        file "corporate2_dns.subroot";
};

// Default public hints as usual from ftp://ftp.internic.net/domain/named.cache
zone "." {
        type hint;
        file "named.cache";
};

$ cat corporate1_dns.subroot
adpdc1.intra.example.net.    3600000    IN    A    10.55.2.3
$ cat corporate2_dns.subroot
pdc1.intra.example.org.    3600000    IN    A    10.77.55.4

for exactly that scenario?

Thanks in advance for answers.

          Andreas
-- 
"127.0.0.1, what is that? I only know ::1!" - www.swissipv6council.ch 
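Editor's added example, not part of the original post: BIND 9 expresses per-zone conditional forwarding with `type forward` zones rather than with a filter on the global `forwarders` statement or with non-root hint zones. The fragment below uses the zone names and addresses from the post; the `allow-query` and `allow-recursion` ACL is an assumption added to keep the resolver from serving the VPN peers' intranet names to anyone outside the two LANs and the tunnel.

```conf
// Added example (not from the original post): per-zone forwarding in BIND 9.
// Zone names and addresses are those given in the post; the ACL is assumed.

acl "trusted" {
    localhost;
    192.168.6.0/24;      // own LAN
    10.55.2.0/24;        // corporate #1 via VPN
    10.77.55.0/24;       // corporate #2 via VPN
};

options {
    directory "/var/named";

    // Everything not matched by a more specific forward zone goes to the ISP
    forwarders { 192.0.2.44; 198.51.100.2; };
    forward only;

    // Do not answer recursive queries for outsiders
    allow-query     { "trusted"; };
    allow-recursion { "trusted"; };
};

// Locally authoritative zones (the Linux box at 192.168.6.2)
zone "intra.example.com" IN {
    type master;
    file "intra.example.com.zone";
};

zone "6.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.6.zone";
};

// VPN to corporate #1's LAN: only the AD DNS at 10.55.2.3 is asked for these
// two zones. "forward only" means a failure returns SERVFAIL instead of
// falling back to iterative resolution or to the ISP forwarders, so internal
// names are never sent outside the tunnel.
zone "intra.example.net" IN {
    type forward;
    forward only;
    forwarders { 10.55.2.3; };
};

zone "2.55.10.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 10.55.2.3; };
};

// VPN to corporate #2's LAN, same pattern
zone "intra.example.org" IN {
    type forward;
    forward only;
    forwarders { 10.77.55.4; };
};

zone "55.77.10.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 10.77.55.4; };
};

// Root hints as usual; a hint zone is only meaningful for "."
zone "." IN {
    type hint;
    file "named.cache";
};
```

Check the result with `named-checkconf` before reloading, then query the resolver for a name in each forwarded zone (for example `dig @192.168.6.2 adpdc1.intra.example.net`) and confirm on the VPN peer that the query arrived there and not at the ISP forwarders. Two caveats worth knowing: a `type forward` zone matches the zone and everything below it, so a more specific forward zone is needed if a subdomain must go elsewhere; and if the resolver performs DNSSEC validation while the public `example.net` zone is signed, answers for the unsigned internal `intra.example.net` will fail validation unless that name is excluded from validation (newer BIND 9 releases provide a `validate-except` option for this).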