
I need your advice on a DNS architecture.

DNS architecture proposal

In my company, every desktop/laptop is configured with the DNS of the LAN (10.1.1.1), which is a Microsoft AD/DNS that I don't have control over. The other DNS servers are Bind9, where I am admin. My purpose is to add other DNS servers for new projects (in a separate network) without changing anything on the laptops or on the LAN DNS, and of course I want the developers' laptops (in the LAN) to be able to query and receive answers for the FQDNs of those new projects.

From the DNS (FQDN) point of view, there is ONE domain (project.com) and MANY sub-domains (subX.project.com), and each sub-domain is in a separate network. Example: on each VLAN I will have a web server, and I want it to answer to its DNS sub-domain:

  • web.project.com for the web server of the project zone.
  • web.sub1.project.com for the web server of the sub-project zone.
  • web.sub2.project.com ...

So, my understanding of Bind9 leads me to think that the LAN DNS server (10.1.1.1) can forward requests to the project DNS server (10.100.1.1), and the project DNS can forward requests to the sub-project DNS servers (10.200.1.1 / 10.250.1.1).

Finally, all VMs of a network can resolve public FQDNs if the zone DNS forwards their requests to the upper-level DNS. I just want to repeat that I don't have control over the main DNS (in the LAN).

Below, you will find the named.conf.options file which represents the architecture described in the schema:

  • DNS project.com (10.100.1.1/10.100.1.2)
options {
    allow-query     { 127.0.0.1; 10.1.1.1; 10.1.1.2; 10.200.1.1; 10.200.1.2; 10.250.1.1; 10.250.1.2; 10.100.1.0/24; };
    recursion yes;
    notify yes;
    allow-transfer { 10.100.1.2; }; # the slave
    forwarders {
        10.1.1.1;
        10.1.1.2;
    };
};
  • DNS sub1.project.com (10.200.1.1/10.200.1.2)
options {
    allow-query     { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.200.1.0/24; }; # queries from VMs in this network and from the upper-zone DNS
    recursion yes;
    notify yes;
    allow-transfer { 10.200.1.2; };
    forwarders {
        10.100.1.1;
        10.100.1.2;
    };
};
  • DNS sub2.project.com (10.250.1.1/10.250.1.2)
options {
    allow-query     { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.250.1.0/24; }; # queries from VMs in this network and from the upper-zone DNS
    recursion yes;
    notify yes;
    allow-transfer { 10.250.1.2; };
    forwarders {
        10.100.1.1;
        10.100.1.2;
    };
};

What do you think about this architecture? Do you see any drawbacks, mistakes or misunderstandings?

Regards.

mixgal
  • "I need your advice on a DNS architecture." You are in the wrong place, as this site is devoted to programming questions, so yours is off-topic. Have a look at [sf] instead. – Patrick Mevzek Jan 14 '22 at 14:44
  • PS: if you are at the "architecture/design" level, you shouldn't necessarily have already chosen the software to use. There are other nameservers than `bind` out there, and depending on your needs and constraints some other choices may make more sense. – Patrick Mevzek Jan 14 '22 at 14:45
  • You also seem to completely confuse authoritative and recursive nameserver functions, so you may want to make sure this part is clear, as it is important. And do note that the core principle of the DNS is delegation through `NS` records. – Patrick Mevzek Jan 14 '22 at 14:46
  • @PatrickMevzek I confirm that I don't really understand the use case where we need an authoritative vs. a recursive nameserver. But in my case, each NS needs to answer for its domain and forward queries for other domains. So I thought that we are in recursive mode all the time. – mixgal Jan 14 '22 at 15:05
  • "But in my case, each NS needs to answer for its domain and forward queries for other domains." That is the problem indeed. The DNS does NOT work like that. Again, you need to start by making sure you fully understand the difference between authoritative and recursive. "So I thought that we are in recursive mode all the time." If so, the nameserver can not "answer for its domain", as it has no domain but does recursive queries to get the data from elsewhere. For such needs, you may want to look more at `dnsmasq`, but this is probably not for big production setups. – Patrick Mevzek Jan 14 '22 at 16:05

1 Answer


You will want to start by taking control of the 'first hop DNS servers':

  • Create DNS forwarders that you control (bind)
  • Map out every zone in your environment, and their authoritative nameservers
  • Create forwarded zones in Bind for each zone/subzone and send them to the IP of the authoritative nameserver

Next, make sure all your DNS traffic is directed to your 'first hop DNS servers'.

This means updating any DHCP server options, as well as all statically configured DNS IPs on servers.

Lastly, build a process such that any time a new zone or subzone is added to the environment, it also gets added to your 'first hop servers' as an additional forwarded zone.

Note: You can do all of this without making any changes to the Windows DNS servers.

madacoda
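As an added example (not from the question, the comments or the answer), here is how the delegation model raised in the comments and the 'first hop' forwarder described in the answer look in BIND 9 configuration, reusing the addresses from the question. The first-hop resolver's own address, the web server address and the SOA values are constructed; three files are shown in one listing, separated by header comments, and `allow-recursion` is restricted so the forwarder never becomes an open resolver.

```conf
// ---- File 1: named.conf on the first-hop resolver you control (its own address is constructed: 10.1.1.50)
acl "internal" {
    127.0.0.1;
    10.1.1.0/24;        // LAN: developer laptops
    10.100.1.0/24;      // project VLAN
    10.200.1.0/24;      // sub1 VLAN
    10.250.1.0/24;      // sub2 VLAN
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Restrict both querying and recursion to internal clients, so this box is not an open resolver.
    allow-query     { internal; };
    allow-recursion { internal; };
    // Default for everything not matched by a forward zone below: the existing LAN DNS (public and AD names).
    forwarders { 10.1.1.1; 10.1.1.2; };
    forward only;
};

// One forward zone per (sub)zone, each sent to that zone's authoritative servers; the most specific zone wins.
zone "project.com"      { type forward; forward only; forwarders { 10.100.1.1; 10.100.1.2; }; };
zone "sub1.project.com" { type forward; forward only; forwarders { 10.200.1.1; 10.200.1.2; }; };
zone "sub2.project.com" { type forward; forward only; forwarders { 10.250.1.1; 10.250.1.2; }; };

// ---- File 2: named.conf.local on 10.100.1.1, authoritative for project.com (no recursion needed there)
zone "project.com" {
    type master;
    file "/etc/bind/db.project.com";
    allow-transfer { 10.100.1.2; };     // the slave only
};

// ---- File 3: /etc/bind/db.project.com  (zone-file syntax; ';' starts a comment)
$TTL 3600
@        IN SOA ns1.project.com. hostmaster.project.com. ( 2022011401 7200 900 1209600 3600 )
@        IN NS  ns1.project.com.
@        IN NS  ns2.project.com.
ns1      IN A   10.100.1.1
ns2      IN A   10.100.1.2
web      IN A   10.100.1.10          ; constructed address for web.project.com
; Delegation: the sub-zones live on their own servers, so the parent publishes NS + glue, not the data itself.
sub1     IN NS  ns1.sub1.project.com.
sub1     IN NS  ns2.sub1.project.com.
ns1.sub1 IN A   10.200.1.1            ; glue
ns2.sub1 IN A   10.200.1.2            ; glue
sub2     IN NS  ns1.sub2.project.com.
sub2     IN NS  ns2.sub2.project.com.
ns1.sub2 IN A   10.250.1.1            ; glue
ns2.sub2 IN A   10.250.1.2            ; glue
```

Laptops then only need to point at the first-hop resolver (via DHCP), while each project server stays a plain authoritative server for its own zone; `named-checkconf` and `named-checkzone project.com /etc/bind/db.project.com` validate the files before reload.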