How should I configure internal and external DNS servers
Nick Howitt
nick at howitts.co.uk
Fri Nov 3 16:32:35 UTC 2023
Hmm, I'll admit to only skim reading it but is seems quite complicated
for what I was hoping for. It would be trivial if I could change the
bind-internal machine to using dnsmasq (ugh!). Then the bind-internal
machine would serve up anything it explicitly knew about to the internal
clients, and anything that it didn't know about, it would automatically
request from the internet, which would include the bind-external
machine. Then, if I configured external IP's on bind-external only, they
would still be returned by by bind-internal to the machines using
bind-internal as their resolver. I was hoping I could set something like
recursion=true in bind-internal and recursion=false on bind-external,
only in my configs for BIND 9.9.6-P1, it is not set at all so I am not
sure how it is configured as authoritative.
Nick
On 2023-11-03 16:01, Andrew Latham wrote:
> * That sounds like a sadly normal implementation but yes you can do
> better* Views is a good place to look https://kb.isc.org/docs/aa-00851
> * Make sure to investigate how the company VPN services handle DNS as
> it may surprise you
>
> On Fri, Nov 3, 2023 at 9:52 AM Nick Howitt via bind-users
> <bind-users at lists.isc.org> wrote:
>
>> Hi,
>>
>> I am fairly new to bind but I am thinking my company's use of it is
>> sub-optimal. We have two bind masters (and a few slaves), one for
>> internal use so all our internal servers point to it or its slaves
>> as
>> their DNS resolvers. I will call the internal one bind-internal and
>> the
>> external one bind-external.
>>
>> Bind-internal is set up as authoritative for the domain example.com
>> [1].
>> Bind-external is also set up as authoritative for example.com [1].
>>
>> Bind-internal has all sorts of entries resolving in the 10.30, 10.40
>> and
>> other private ranges, but it also has entries resolving to our
>> public
>> IP's e.g. demo.example.com [2] resolves to 1.2.3.4 (terminated by an
>> F5),
>> which is one of our public ips (munged). As this site is externally
>> accessible as well, we also have to put an identical entry in
>> bind-external so we end up having many identical entries in
>> bind-internal and bind-external. We also have some other domains
>> covered
>> by bind-internal with external IPs, but externally they are covered
>> by
>> the domain host's DNS and they have the same issue where in
>> bind-internal we have some public IP's which are also in the domain
>> host's DNS for external access.
>>
>> I have a feeling this is a sub-optimal setup, having to maintain
>> external IPs in both bind-internal and bind-external. Does it make
>> sense
>> to stop bind-internal from being authoritative and make it a
>> resolver/caching name server? This way, if it does not find an entry
>> in
>> bind-internal it will then go out to either bind-external or the
>> domain
>> host's DNS to get the answer from the authoritative servers and then
>>
>> there is no need to maintain external IPs in bind internal.
>>
>> TIA,
>>
>> Nick
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
>
> - Andrew "lathama" Latham -
>
> Links:
> ------
> [1] http://example.com
> [2] http://demo.example.com
More information about the bind-users
mailing list