Difference between revisions of "DNS server split howto"
Line 150: | Line 150: | ||
}; | }; | ||
}; | }; | ||
+ | </syntaxhighlight> | ||
Revision as of 14:25, 22 August 2014
Let's use "smartcards.vehco.com" domain as example.
- The DNS will handle both internal and external requests (Intranet / Internet).
- The DNS will have 2 zones: one for the Internal members (LAN, VPN, loopback) and one for the External members.
In the following example I'll be using:
- INTERNAL zone: smartcards.vehco.com ; networks: LAN / VPN / localhost
- EXTERNAL zone: smartcards.vehco.com
- DNS server name: smartcard-gw
- LAN Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
- VPN Network: 172.16.60.0/24
Contents
Technical key points
- No reverse for the external zone
- Do NOT follow external queries to the LAN
- External requests can be forwarded to a 3rd party DNS
- The External zone configuration only contains:
- Domain definition "smartcards.vehco.com"
- Shared resources, if any
Declare the new zones
Here you'll declare both your zones and the reverse zone.
Reset and edit configuration file:
cat /etc/bind/named.conf.default-zones > /etc/bind/named.conf.local
vim /etc/bind/named.conf.local
Here we will create:
- ACL filters => source IP @ filter
- DNS views => actions to perform depending on the ACL results
Uncomment and adjust the file content:
// definition of LAN
acl internal-networks {
localhost; # Allow loopback
localnets; # All networks that are configured on the interfaces
172.16.50.0/24; # LAN
172.16.60.0/24; # VPN LAN
};
// External DNS to use
acl dns-slaves {
};
// INTERNAL zone
view "internal" {
match-clients { internal-networks; }; # Apply settings to LAN only
recursion yes; # Allow recursive queries on LAN
// ---------------------------------------------------
// DNS server defaults
//
// keep these lines from the "default-zones" configuration
//----------------------------------------------------
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// End of "default-zones"
//----------------------------------------------------
// Custom network
//----------------------------------------------------
// DNS main zone (IP to name)
zone "smartcards.vehco.com" IN {
type master;
file "/etc/bind/internal.smartcards.vehco.com";
allow-transfer {
none;
};
allow-update {
none;
};
};
// DNS Reverse (Name to IP)
zone "50.16.172.in-addr.arpa" {
type master;
file "/etc/bind/db.172";
allow-transfer {
none;
};
allow-update {
none;
};
};
};
view "external" {
match-clients {
!localnets; # Do not allow local network ("localnets")
any; # "any" = any other network that is not a view member
};
recursion no; # No recursivity for external clients
zone "smartcards.vehco.com" {
type master;
file "/etc/bind/external.smartcards.vehco.com";
allow-transfer { dns-slaves; };
};
};
Zone configuration (name to IP @)
This is the actual magic of the DNS split horizon!
Create zone files
Create both zones from the local template:
cp /etc/bind/db.local /etc/bind/internal.smartcards.vehco.com
cp /etc/bind/db.local /etc/bind/external.smartcards.vehco.com
Note
You can any name you'd like. However the best practice is to use "internal" and "external", or more generally the "<view> name.<domain>"
Configure INTERNAL zone
Edit INTERNAL configuration file:
vim /etc/bind/internal.smartcards.vehco.com
Adjust the file content
;
; BIND - Configuration for INTERNAL zone: "smartcards.vehco.com"
;
$TTL 604800
@ IN SOA smartcards.vehco.com. root.smartcards.vehco.com. (
20140806
604800
86400
2419200
604800 )
;
;
; Local resolution of the FQDN 'smartcards.vehco.com'
;
smartcards.vehco.com CNAME smartcard-gw
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@ IN NS smartcard-gw
smartcard-gw IN A 172.16.50.2
;
; Gateway declaration
;
cisco-router IN A 172.16.50.1
;
; Declare your servers and networks hosts
;
smarcartd-prod-00 IN A 172.16.50.50
smarcartd-prod-01 IN A 172.16.50.51
smarcartd-prod-02 IN A 172.16.50.52
smarcartd-prod-03 IN A 172.16.50.53
; Create an alias to an existing record
;wwww IN CNAME smartcard-gw
Configure EXTERNAL zone
Edit EXTERNAL configuration file:
vim /etc/bind/external.smartcards.vehco.com
Adjust the file content
;
; BIND - Configuration for EXTERNAL zone: "smartcards.vehco.com"
;
$TTL 604800
@ IN SOA smartcards.vehco.com. root.smartcards.vehco.com. (
20140604
604800
86400
2419200
604800 )
:
; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@ IN NS smartcard-gw
smartcard-gw IN A 172.16.50.2
As you can see the "external" is rather short ! :-)
Reverse zone (IP @ to name)
Now that the zone is setup and resolving names to IP Adresses a Reverse zone is also required. A Reverse zone allows DNS to resolve an address to a name.
Key points:
- Replace 50.16.172 with the first three octets of whatever network you are using - in reverse order!
- Name the zone file /etc/bind/db.172 : it should match the first octet of your network.
Configure reverse zone
Now create the /etc/bind/db.172 file:
cp /etc/bind/db.127 /etc/bind/db.172
Edit the new file:
vim /etc/bind/db.172
The content is basically the same as INTERNAL file: /etc/bind/internal.smartcards.vehco.com:
;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL 604800
@ IN SOA smartcard-gw.smartcards.local. root.smartcards.local. (
20140603 ; Serial
; As the serial be changed everytime you edit this file
; it is recommended to use the pattern "yyyyMMdd"
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Local server
;
@ IN NS smartcard-gw.
2 IN PTR smartcard-gw.smartcards.local.
; Gateway (router)
1 IN PTR cisco-router.smartcards.local
;
; Other components and hosts
;
50 IN PTR smartcard-prod-00.smartcards.local.
51 IN PTR smartcard-prod-01.smartcards.local.
52 IN PTR smartcard-prod-02.smartcards.local.
53 IN PTR smartcard-prod-03.smartcards.local.
Take changes into account
service bind9 restart
Add new hostname
This is how we had a new host-name into the network:
Update LOCAL zone
Edit local zone:
vim /etc/bind/smartcards.local
Add a A or AAAA entry:
my-new-host IN A 172.16.50.60
Update REVERSE zone
Edit local zone:
vim /etc/bind/db.172
Add a A or AAAA entry:
60 IN PTR my-new-host.smartcards.local.
Restart service
service bind9 restart