Question About Internal Recursive Resolvers

Bob McDonald bmcdonaldjr at gmail.com
Sat Oct 15 16:03:44 UTC 2022


>>I'm thinking about redesigning an internal DNS environment. To begin
>>with, all internal DNS zones would reside on non-recursive servers
>>only.

>why?

My understanding has always been that the recommendation is/was to
separate recursive and non-recursive servers. Now I understand I'm
talking about an INTERNAL environment and the rules have over the
years become somewhat lax. In this case I also believe this would
provide a more granular approach to using security features such as
TSIG keys to control updates.

>> That said, all clients would connect to recursive resolvers.

>don't they now?

They do. I'm talking about a situation where an edge layer can be
eliminated. Each recursive server would have access out to the
internet. No forwarding would be required.

>>The question is this; do I use an internal root with pointers to the
>>internal zones (as well as the outside DNS world) or do I include stub
>>zones to point at the non-recursive internal servers?

>stub zones, forward zones (forward with recursion bit set) or static-stub
>zones (send iterative queries to configured servers)

Again, my understanding is that forwarding would require recursion.
Thanks for the info about stub zones etc.

>>Access to the internal DNS zones would be controlled by location.

>if you have recursive servers in the internal network, you don't need access
>control on auth-only servers

If a non-secure client (read the next sentence...) accesses the same
recursive server as a regular client, it will have access to the
internal zones by default. Therefore we need to have some sort of
access control in place.

>>(e.g. guest WiFi devices would NOT have access to internal DNS
>>zones...)
>>
>>Recursive resolvers would allow implementation of features such as RPZ, etc.

>do you need RPZ for internal zones?

Since ALL recursive servers have access out to the internet, yes.

Please forgive me if my post was confusing, arrogant, or naive. I'm
simply trying to seek the wisdom of those on the list that have more
experience or different experience than myself. Hopefully, I can gain
from that wisdom and we can provide a kind environment where those
less educated feel mentored.

Bob
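One way to lay out the resolver side of the design discussed above, as an added example that is not part of the original post, the reply, or BIND's own documentation: two views split guest WiFi clients from internal clients, a static-stub zone in the internal view sends iterative queries straight to the auth-only servers, the guest view simply has no such zone, and RPZ is applied in both views because every resolver talks to the Internet directly. The address ranges, zone name, server addresses and file name are assumptions chosen for illustration.

```conf
// Recursive resolver named.conf, illustrative only (not from the post).
// Assumed: internal clients in 10.0.0.0/8, guest WiFi in 172.16.50.0/24,
// internal zone corp.example on auth-only servers 10.0.0.53 and 10.0.1.53,
// and a locally maintained RPZ zone in rpz.local.db.
acl internal { 10.0.0.0/8; localhost; };
acl guest    { 172.16.50.0/24; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal; guest; };   // anyone else is refused outright
    // No forwarders: each resolver walks the tree from the root hints itself.
};

view "internal" {
    match-clients { internal; };
    recursion yes;

    // static-stub: queries for corp.example are sent iteratively (RD=0)
    // only to these addresses, which is exactly what an auth-only server
    // expects. Nothing about the zone is learned from the public tree.
    zone "corp.example" {
        type static-stub;
        server-addresses { 10.0.0.53; 10.0.1.53; };
    };

    // Alternative kept for comparison: a forward zone reaches the same
    // servers but sends the query with the recursion-desired bit set.
    // zone "corp.example" {
    //     type forward;
    //     forward only;
    //     forwarders { 10.0.0.53; 10.0.1.53; };
    // };

    response-policy { zone "rpz.local"; };
    zone "rpz.local" {
        type primary;            // "master" on releases before 9.16
        file "rpz.local.db";
        allow-query { none; };   // used by RPZ, never served to clients
    };
};

view "guest" {
    match-clients { guest; };
    recursion yes;

    // Deliberately no corp.example stanza: guest clients resolve that name
    // through the public tree like any other, so the internal auth-only
    // servers need no per-location client ACLs of their own.
    response-policy { zone "rpz.local"; };
    zone "rpz.local" {
        type primary;
        file "rpz.local.db";
        allow-query { none; };
    };
};
```

Views are matched in the order written, so a client in both ACLs would land in "internal"; keep the address ranges disjoint or put the more restrictive view first. A quick check from a guest address is `dig @<resolver> host.corp.example` returning what the public tree says rather than the internal record.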

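For the auth-only side, and the point above about using TSIG keys to control updates more granularly once zones live only on non-recursive servers, here is an added example (not from the original post or from BIND's documentation) of one internal authoritative server: recursion off, zone transfers and dynamic updates each gated by their own key, and the update key limited to A/AAAA records. The key names, both secrets (placeholders), the zone name and the addresses are assumptions.

```conf
// Authoritative, non-recursive internal server, illustrative only.
// Placeholder secrets: generate real ones with
//   tsig-keygen -a hmac-sha256 ddns-corp
//   tsig-keygen -a hmac-sha256 xfer-corp
key "ddns-corp" {
    algorithm hmac-sha256;
    secret "dGhpcyBpcyBhIHBsYWNlaG9sZGVyIHNlY3JldA==";   // placeholder
};

key "xfer-corp" {
    algorithm hmac-sha256;
    secret "YW5vdGhlciBwbGFjZWhvbGRlciBzZWNyZXQgdmFsdWU=";   // placeholder
};

options {
    directory "/var/named";
    recursion no;                  // auth-only: answers only for its zones
    allow-query { 10.0.0.0/8; };   // the resolvers; per-location policy is theirs
    allow-transfer { none; };      // re-enabled per zone, key-gated
};

zone "corp.example" {
    type primary;                  // "master" on releases before 9.16
    file "db.corp.example";

    // Secondaries must sign AXFR/IXFR requests with xfer-corp.
    allow-transfer { key "xfer-corp"; };

    // Dynamic updates: only requests signed with ddns-corp, and only for
    // A/AAAA names under this zone's apex (zonesub takes no name field).
    // A separate key per zone or per updater is what makes this granular.
    update-policy {
        grant ddns-corp zonesub A AAAA;
    };
};
```

A signed update can be tested with `nsupdate -k <keyfile>`; an unsigned attempt, or one signed with the transfer key, is refused, which is the behaviour to confirm before relying on it.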

More information about the bind-users mailing list