Difference between revisions of "DNS server split principle"
Latest revision as of 12:54, 22 August 2014
DNS split is required when you need to provide some resources both internally (intranet) and externally (Internet) using the same name.

Simple DNS zone

Let's start with a simple reminder.

A standard DNS zone is only internal: no one can access any internal resources from the outside. If you want to do so, you have to use a VPN connection.

[Figure: Simple DNS]

The Internet connection is only outbound.

Limitations of a simple DNS zone

Shared name

Sometimes the same name is used in two different locations. As a result, some resources are only accessible from the inside or only from the outside.

[Figure: DNS 01 shared name issue]

In that example the web server "www" is not reachable from the private zone because the authoritative DNS server for the domain doesn't know it:
- The desktop only uses the DNS server in the private area (blue zone).
- The DNS server in that area doesn't know any "www" server, so the request is rejected.

Shared internal resources

Another problem may occur when you want to make an internal resource available from both the inside AND the outside.

[Figure: DNS 02 split horizon issue]

Problem description

From the outside:
- smartcards.vehco.com == web-server, thanks to the port forwarding of TCP 80.

From the inside:
- smartcards.vehco.com == domain root. By default the domain root ("@") is the DNS server's IP address, not www.

As you can see, from the inside you cannot reach the "smartcards.vehco.com" website. You need to use "http://www.smartcards.vehco.com" or "http://www".

Example

Think of a mobile user:
- When using WiFi he is in the blue area; when using 4G he is on the Internet.
- But he only has one bookmark to reach the website, and that's smartcards.vehco.com.

Solutions

Shared name fix

That issue is very simple to fix: you just need to add a new entry (type A or AAAA) for the remote server into the private zone's DNS.

[Figure: DNS 03 shared name fix]

Now "www" will resolve to the remote IP address.

Shared resource fix

That is a tricky issue!

To resolve that situation you must use a "DNS split", also called "split horizon" (or "brain split").

[Figure: DNS 04 split horizon fix]

Solution principle

Depending on where the request comes from (using a source IP address filter), the DNS server will use the "internal" or the "external" zone description:
- Local network + VPN network + loopback => INTERNAL zone
- Everything else => EXTERNAL zone

>> To access "smartcards.vehco.com" from the INTERNAL zone, you must create a link (CNAME) that points to the web server.

Technical note: the link uses the FQDN "smartcards.vehco.com" while the domain uses the "@" notation.

>> The EXTERNAL zone only gives access to a limited set of resources.
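The view selection and the "link" resolution described above, as an added Python example (not code from the original page): it models the source-IP filter, the INTERNAL and EXTERNAL zone data for smartcards.vehco.com, and shows that the same name answers differently depending on the client's network, while hosts absent from the external zone stay hidden. The networks, addresses and the "db" host are constructed placeholders; the apex ("@") is an A record rather than a CNAME because a CNAME cannot share the apex with the zone's SOA and NS records.

```python
import ipaddress

# Constructed example (not from the original page): a split-horizon resolver for
# the "smartcards.vehco.com" scenario. Addresses are RFC 1918 / RFC 5737 placeholders.
ORIGIN = "smartcards.vehco.com"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",      # local network (blue zone)
    "172.16.8.0/24",   # VPN clients (assumed range)
    "127.0.0.0/8",     # loopback
)]
# Zone data per view: owner name -> (type, target). "@" is the zone apex.
# The apex uses an A record: a CNAME cannot coexist with the apex SOA/NS records.
INTERNAL_ZONE = {
    "@":          ("A", "10.0.0.80"),                           # apex -> internal web server
    "www":        ("CNAME", "web-server.smartcards.vehco.com."),
    "web-server": ("A", "10.0.0.80"),
    "db":         ("A", "10.0.0.50"),                           # internal only, never published
}
EXTERNAL_ZONE = {
    "@":   ("A", "198.51.100.1"),   # firewall public IP, port forward TCP 80 -> web server
    "www": ("A", "198.51.100.1"),
}

def select_view(client_ip):
    """Source-IP filter: internal networks get the INTERNAL zone, all else EXTERNAL."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def owner_name(qname):
    """Map an FQDN to its owner name relative to ORIGIN, or None if not in the zone."""
    q = qname.rstrip(".").lower()
    if q == ORIGIN:
        return "@"
    return q[:-len(ORIGIN) - 1] if q.endswith("." + ORIGIN) else None

def resolve(qname, client_ip, max_chain=8):
    """Return (view, records) with CNAMEs chased inside the selected zone,
    or (view, None) when the name does not exist in that view (NXDOMAIN)."""
    view = select_view(client_ip)
    zone = INTERNAL_ZONE if view == "internal" else EXTERNAL_ZONE
    answer, owner = [], owner_name(qname)
    for _ in range(max_chain):
        if owner is None or owner not in zone:
            return view, None
        rtype, target = zone[owner]
        answer.append((owner, rtype, target))
        if rtype != "CNAME":
            return view, answer
        owner = owner_name(target)
    return view, None  # CNAME chain too long or looping
```

Call resolve(name, client_ip) with a client from each network to see the two views side by side; "db" resolves from the inside but returns None (NXDOMAIN) from the outside.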