I want to run a DNS setup where the zones are managed on an internal Active Directory DNS server. There is a slave DNS server on the edge of the network which runs BIND (I am open to switching this; I read that Unbound may be better?). What I want to do is to run the DNS server on the edge in split-DNS: towards the internal network it should be a slave to the AD DNS, towards the internet it should act as master and make some changes to the zone (namely removal of A records pointing to RFC1918 IPs).
I made a diagram to illustrate. IP addresses and names are fictitious. 10/8 is local; 192.168/16 and 172.16/12 are publicly routable for the sake of this example. EXAMPLE.COM and EXAMPLE.ORG represent two different organisations:
```text
LOCAL NETWORK                      PUBLIC INTERNET

           +------------------+
           |                  |
           | 10.0.0.1         |
           | AD.EXAMPLE.COM   |
           |                  |
           | EXAMPLE.COM      |
           | (master)         |
           |                  |
           +------------------+
                    |
+--------+ +------------------+------------------+
| CLIENT |-|                  |                  |
+--------+ | 10.0.0.2         | 192.168.200.1    |
+--------+ | BIND.EXAMPLE.COM | NS1.EXAMPLE.COM  |
| CLIENT |-|                  |                  |
+--------+ | EXAMPLE.COM      | EXAMPLE.COM      |
+--------+ | (slave)          | (master)         |
| CLIENT |-| (resolver)       |                  |
+--------+ +------------------+------------------+
                                        |
                              +------------------+
                              |                  |
                              | 172.16.100.1     |
                              | NS1.EXAMPLE.ORG  |
                              |                  |
                              | EXAMPLE.COM      |
                              | (slave)          |
                              |                  |
                              +------------------+
```
Some key points:
- I do not want to keep zones on the BIND server updated by hand; zones should be transferred from the AD server and modified/rewritten automatically.
- From the public internet, AD.EXAMPLE.COM is not mentioned in SOA or NS records. As far as the internet is concerned, it is not a DNS server. NS1.EXAMPLE.COM is the only master towards the internet.
- Other internet-facing servers can be slave for NS1.EXAMPLE.COM, so zone transfers from BIND must be possible (I don't expect any problems here).
- The BIND server is authoritative-only towards the internet, but an open resolver towards the local network.
- DNSSEC (if applicable) is terminated on the BIND server.
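The requirements in the list above map onto a two-view BIND 9 configuration on the edge server. The fragment below is an added example, not configuration taken from the question; the addresses come from the diagram, while the acl names, file paths and the `listen-on` addresses are assumptions:

```conf
// Added example: named.conf fragment for BIND.EXAMPLE.COM (10.0.0.2 / 192.168.200.1).
// Addresses follow the diagram; acl names and file paths are assumptions.

acl internal  { 10.0.0.0/8; 127.0.0.1; };
acl ad_master { 10.0.0.1; };            // AD.EXAMPLE.COM, the hidden master

options {
    directory "/var/named";
    listen-on { 10.0.0.2; 192.168.200.1; };
    // Restrictive defaults; each view relaxes only what it needs.
    recursion no;
    allow-transfer { none; };
    allow-query { any; };
};

// Views are matched in order: LAN clients land here and never see the
// external view.
view "internal" {
    match-clients { internal; };
    recursion yes;                      // open resolver towards the LAN only
    allow-recursion { internal; };

    zone "example.com" {
        type slave;                     // transferred from AD, never edited here
        masters { 10.0.0.1; };
        file "slaves/example.com.internal";
        allow-notify { ad_master; };    // AD pushes NOTIFY when the zone changes
        allow-transfer { internal; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                       // authoritative-only towards the internet

    zone "example.com" {
        type master;                    // the rewritten copy without RFC1918 A records
        file "master/example.com.external";
        allow-transfer { 172.16.100.1; };   // NS1.EXAMPLE.ORG and other public secondaries
        also-notify { 172.16.100.1; };
        notify explicit;
    };
};
```

The `allow-transfer { none; }` in `options` is set explicitly rather than relying on the default, so that only the public secondaries listed in the external zone can pull the zone. The external view does not reference the internal zone file at all: whatever rewrites the zone writes `master/example.com.external`, and the AD server never appears in the SOA or NS records served from there.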
One solution is to set up BIND with split-DNS, one view as slave and one as master, and run a cron job on the BIND server. The cron job takes the slave zone (from the internal view), edits it and writes it as another zone file (for the external view).
However, this feels pretty hacky and I don't think this is the best solution.
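The rewrite step of the cron approach described in the two paragraphs above can be a small stand-alone script. The one below is an added example, not code from the question. It assumes the transferred zone file is in the text format BIND writes for slave zones, that AD.EXAMPLE.COM must disappear from the NS records and be replaced by NS1.EXAMPLE.COM as the SOA MNAME, and, to match the diagram's convention, that only 10/8 counts as internal (the full RFC1918 list is the default for any other input). The sample zone is constructed; the host names and the `rndc reload` invocation in the comment are assumptions.

```python
"""Rewrite a zone transferred from the AD DNS server into the copy served by
the internet-facing BIND view: A records with internal addresses and NS
records naming the AD server are dropped, and the AD server is replaced as
SOA MNAME. Stdlib only, so it can run from cron on the BIND host.

Added example, not code from the question; host names and the sample zone
are constructed to match the diagram."""
import ipaddress
import sys

INTERNAL_NS = "ad.example.com."      # assumed: the hidden AD master
PUBLIC_NS = "ns1.example.com."       # assumed: the public MNAME to use instead
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DIAGRAM_INTERNAL = ("10.0.0.0/8",)   # the question treats the other two as public


def is_internal(text, nets=RFC1918):
    """True when text is an IPv4 address inside one of the given networks."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in nets)


def strip_comment(line):
    """Drop a ';' comment, but leave a ';' inside a quoted TXT string alone."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield records, joining BIND's parenthesised multi-line SOA into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not buf and not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def parse_record(line):
    """Split a record into (owner or None, ttl/class tokens, type, rdata).
    Returns None for directives such as $ORIGIN and $TTL."""
    toks = line.split()
    if not toks or toks[0].startswith("$"):
        return None
    owner = None if line[0].isspace() else toks.pop(0)
    prefix = []
    while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
        prefix.append(toks.pop(0))
    if not toks:
        return None
    return owner, prefix, toks[0].upper(), toks[1:]


def rewrite_zone(text, internal_nets=RFC1918):
    """Return the public version of the zone text transferred from AD."""
    out, current_owner = [], "@"
    for line in logical_lines(text):
        rec = parse_record(line)
        if rec is None:
            out.append(line.strip())
            continue
        owner, prefix, rtype, rdata = rec
        # Every record is written with an explicit owner: a record that
        # inherited its owner from a line we just dropped would otherwise
        # end up attached to the wrong name.
        current_owner = owner or current_owner
        if rtype == "A" and rdata and is_internal(rdata[0], internal_nets):
            continue
        if rtype == "NS" and rdata and rdata[0].lower() == INTERNAL_NS:
            continue
        if rtype == "SOA" and rdata and rdata[0].lower() == INTERNAL_NS:
            rdata[0] = PUBLIC_NS
        out.append(" ".join([current_owner, *prefix, rtype, *rdata]))
    return "\n".join(out) + "\n"


# Constructed sample in the format BIND dumps a slave zone in.
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 3600 ; 1 hour
example.com IN SOA ad.example.com. hostmaster.example.com. (
                   2024010101 ; serial
                   900 600 86400 3600 )
            NS ad.example.com.
            NS ns1.example.com.
$ORIGIN example.com.
ad          A 10.0.0.1
ns1         A 192.168.200.1
www         A 10.0.0.5
            A 192.168.200.5
_dmarc      TXT "v=DMARC1; p=reject"
"""

if __name__ == "__main__":
    # cron: rewrite.py slaves/example.com.internal master/example.com.external \
    #       && rndc reload example.com IN external
    src, dst = sys.argv[1:3]
    with open(src) as fin, open(dst, "w") as fout:
        fout.write(rewrite_zone(fin.read(), DIAGRAM_INTERNAL))
```

The script keeps the serial AD assigned, which is monotonic and changes exactly when the AD zone does; if the filtering rules themselves change without an AD change, public secondaries will not notice until the next AD edit. It rewrites whitespace inside quoted rdata to single spaces, so TXT records with runs of spaces are normalised.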