What is the proper way to delegate to a private / hidden sub-domain?
Grant Taylor
gtaylor at tnetconsulting.net
Wed May 6 22:04:31 UTC 2020
On 5/6/20 3:38 PM, John Levine wrote:
> The DNS server sends different answers depending on the client IP,
> so on your internal network it sees the private subdomain,
> everywhere else sees a ENT or NXDOMAIN.
Thank you for confirming. That is indeed what I /thought/ we were
talking about. But given the difference in what you were describing and
what I was thinking, I figured that it was worth confirming.
> If you really have to use physically separate servers for reasons
> that you can't explain,...
There's not anything stopping me from explaining.
The main network I want dig +trace to behave (as) correctly (as
possible) is inside the labs. (Obviously tracing won't work without
some support infrastructure on the disconnected labs.)
The external server is more to make the delegation into the labs look as
clean as possible to the rest of the world. I.e. return NXDOMAIN
instead of timeouts.
In some ways, the external aspect is somewhat optional, save for the
desire to lay nice with others.
I'd like to consistently re-use the same method across all labs,
independent if they are isolated or not, both internally and externally.
> ...I suppose putting the two servers at the same IP addresss facing
> different networks could work,
Hence "anycast".
> although you're asking for trouble with route leaks anytime someone
> adjusts a router anywhere near one or the other.
In general, I agree with you. However, in this particular case, I don't
think it's going to be an issue. The router inside the lab is not using
any routing protocols, only static configs. The router can get the
local traffic to the anycast IP without worrying about anything
escaping. (Be it on the router w/ local DNS server, or directly
attached network, or a host route to another system that is directly
attached.)
I'm taking your warning, processing it, and then deciding that this
particular scenario is not subject to the concerns you rightfully have.
> Remember that with normal anycast all of the mirrors send identical
> or at least equivalent answers so the routes are not a security
> issue.
Agreed.
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200506/0ad5d1ea/attachment.bin>
More information about the bind-users
mailing list