How should I configure internal and external DNS servers

Nick Howitt nick at howitts.co.uk
Fri Nov 3 16:32:35 UTC 2023


Hmm, I'll admit to only skim reading it but it seems quite complicated
for what I was hoping for. It would be trivial if I could change the
bind-internal machine to using dnsmasq (ugh!). Then the bind-internal
machine would serve up anything it explicitly knew about to the internal
clients, and anything that it didn't know about, it would automatically
request from the internet, which would include the bind-external
machine. Then, if I configured external IPs on bind-external only, they
would still be returned by bind-internal to the machines using
bind-internal as their resolver. I was hoping I could set something like
recursion=true in bind-internal and recursion=false on bind-external,
only in my configs for BIND 9.9.6-P1, it is not set at all so I am not
sure how it is configured as authoritative.

Nick

On 2023-11-03 16:01, Andrew Latham wrote:
> * That sounds like a sadly normal implementation but yes you can do
>   better. Views is a good place to look: https://kb.isc.org/docs/aa-00851
> * Make sure to investigate how the company VPN services handle DNS as
>   it may surprise you
> 
> On Fri, Nov 3, 2023 at 9:52 AM Nick Howitt via bind-users
> <bind-users at lists.isc.org> wrote:
> 
>> Hi,
>> 
>> I am fairly new to bind but I am thinking my company's use of it is
>> sub-optimal. We have two bind masters (and a few slaves), one for
>> internal use so all our internal servers point to it or its slaves as
>> their DNS resolvers. I will call the internal one bind-internal and the
>> external one bind-external.
>> 
>> Bind-internal is set up as authoritative for the domain example.com.
>> Bind-external is also set up as authoritative for example.com.
>> 
>> Bind-internal has all sorts of entries resolving in the 10.30, 10.40 and
>> other private ranges, but it also has entries resolving to our public
>> IPs, e.g. demo.example.com resolves to 1.2.3.4 (terminated by an F5),
>> which is one of our public IPs (munged). As this site is externally
>> accessible as well, we also have to put an identical entry in
>> bind-external so we end up having many identical entries in
>> bind-internal and bind-external. We also have some other domains covered
>> by bind-internal with external IPs, but externally they are covered by
>> the domain host's DNS and they have the same issue where in
>> bind-internal we have some public IPs which are also in the domain
>> host's DNS for external access.
>> 
>> I have a feeling this is a sub-optimal setup, having to maintain
>> external IPs in both bind-internal and bind-external. Does it make sense
>> to stop bind-internal from being authoritative and make it a
>> resolver/caching name server? This way, if it does not find an entry in
>> bind-internal it will then go out to either bind-external or the domain
>> host's DNS to get the answer from the authoritative servers and then
>> there is no need to maintain external IPs in bind internal.
>> 
>> TIA,
>> 
>> Nick
> 
> --
> 
> - Andrew "lathama" Latham -
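A worked configuration of the views approach Andrew points to, added here as an illustration; it is not from the thread, from ISC's article, or from Nick's real servers. Two things it makes concrete: BIND's `recursion` option defaults to `yes`, so a named.conf that never mentions it is already a recursive resolver, and what makes a server authoritative is its `zone` statements, not the recursion setting. That is also why the dnsmasq-style behaviour does not fall out of plain BIND: a server that is authoritative for example.com answers from its own zone file and returns NXDOMAIN for any name missing from it, rather than going out to the internet. With views, one named.conf serves the private data to internal clients and the public data to everyone else. The ACL name, address ranges and file paths are assumptions.

```conf
// Added example (not from the thread or from ISC): one BIND 9 named.conf
// that serves both the bind-internal and bind-external roles via views.
// ACL names, address ranges and zone file paths are assumptions.

acl "internal-nets" {
    127.0.0.0/8;
    10.30.0.0/16;      // assumed private ranges from the thread
    10.40.0.0/16;
    // add the VPN client pool here, or VPN users fall into "external"
};

options {
    directory "/var/named";
    // recursion defaults to "yes"; setting it here and overriding it per
    // view makes the intended behaviour explicit rather than implicit.
    recursion no;
    allow-query { any; };
};

// Internal clients: recursive resolver that also holds the private records.
// Anything not in its zones is resolved from the internet as usual.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    allow-recursion { internal-nets; };
    allow-query-cache { internal-nets; };

    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // 10.x records plus public ones
    };
};

// Everyone else: authoritative only, no recursion, no cached answers,
// so the public-facing side cannot be used as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public records only
    };
};
```

Views decide which answer a client gets; they do not by themselves remove the duplicated public entries Nick is maintaining. The zone-file directive `$INCLUDE` does that: keep the public records (demo.example.com and friends) in a single file and `$INCLUDE` it from both `internal/example.com.zone` and `external/example.com.zone`, so each public address is edited in one place. Validate with `named-checkconf /etc/named.conf` and `named-checkzone example.com <zonefile>` before reloading, and test the split from both sides with `dig @<server> demo.example.com` from an internal address and from outside; if VPN clients arrive from a source range not listed in the internal ACL, they will silently get the external answers, which is the surprise Andrew is alluding to.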

