
We currently have a private DNS service that we wish to migrate to Bind9. So I have to migrate the current configuration to Bind9, but I'm having trouble setting it up.

Here is the context.

I have a public domain name "acme.com" managed by a registrar. At this registrar I manage public domain names, such as:

acme.com        IN  A  < Public IP server 1 >
www.acme.com    IN  A  < Public IP server 1 >
*.acme.com      IN  A  < Public IP server 1 >
other.acme.com  IN  A  < Public IP server 2 >

On the company's internal DNS server, we have sub-domain names for "acme.com" such as "application-1.acme.com".

The configuration of Bind9 that I made allows me for the moment to resolve public domain names like "google.com" and also private domain names like "application-1.acme.com".

However, if I try to resolve domain names managed by our registrar, such as "acme.com" or "www.acme.com", the DIG application gives me this answer:

dig @10.0.0.254 acme.com
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @10.0.0.254 acme.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25017
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a231205f94a3ec92010000005fa95de884db288162c0f9b9 (good)
;; QUESTION SECTION:
;acme.com.                      IN      A
;; AUTHORITY SECTION:
acme.com.               600     IN      SOA     ns1.acme.inc. admin. acme.inc. 2020110501 3600 600 86400 600
;; Query time: 2 msec
;; SERVER: 192.168.0.245 #53(10.0.0.254)
;; WHEN: Mon Nov 09 16:19:03 CET 2020
;; MSG SIZE  rcvd: 124

Here is my named.conf file:

acl "trusted" {
        // some ip range
};
options {
        directory "/var/cache/bind";
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query { any; };
        allow-transfer { none; };
        pid-file "/var/run/named/named.pid";
        allow-recursion { trusted; };
        recursion yes;
        forward only;
        forwarders { 8.8.8.8;  8.8.4.4; };
        dnssec-validation auto;
        auth-nxdomain no;
};
view "trusted" {
    match-clients { trusted; };
    recursion yes;
    zone "acme.com" IN {
      type master;
      file "/etc/bind/zones/acme.com.zone";
    };
};

And here the acme.com.zone file:

$TTL    3600;
@       IN      SOA     ns1.acme. admin.acme. (
                     2020110501;
                           3600;
                            600;
                          86400;
                            600 );
        IN      NS     ns1.acme.

ns1.acme.      IN     A            10.0.0.254

application-1  IN     A            10.0.1.1
application-2  IN     A            10.0.1.2
application-3  IN     A            10.0.1.3

I do not understand what’s wrong with my settings.

Waldo

2 Answers


Because the BIND server is authoritative for example.com, it won't perform recursion even in the case of an NXDOMAIN for a subdomain. You would either need to use another level of subdomains application.sub.example.com or configure the individual exceptions with Response Policy Zones (RPZ).

Esa Jokinen
  • You are right. Our DNS structure is small enough to bring about some change. Thank you for your help. – Waldo Nov 12 '20 at 07:33
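The "another level of subdomains" option from the answer above, written out as an added example (this is not the asker's configuration and not something from the answers): the trusted view is authoritative only for int.acme.com, so acme.com and www.acme.com are no longer covered by any local zone and fall through to the forwarders like every other public name. The ACL range, file paths, host records and the int.acme.com name itself are assumptions chosen to match the question.

```bind
// ---- /etc/bind/named.conf (added example) ----
acl "trusted" {
        10.0.0.0/8;        // assumed internal range; the original only says "some ip range"
};

options {
        directory "/var/cache/bind";
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query { trusted; };      // tightened from { any; }: only internal clients may ask
        allow-recursion { trusted; };
        allow-transfer { none; };
        recursion yes;
        forward only;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation auto;
};

view "trusted" {
        match-clients { trusted; };
        recursion yes;
        // No zone "acme.com" here: the apex and the registrar's records
        // (acme.com, www.acme.com, *.acme.com, other.acme.com) are resolved
        // through the forwarders, so the server never answers NODATA for them.
        zone "int.acme.com" IN {
                type master;
                file "/etc/bind/zones/int.acme.com.zone";
        };
};

; ---- /etc/bind/zones/int.acme.com.zone (added example) ----
$TTL    3600
@               IN  SOA  ns1.int.acme.com. admin.int.acme.com. (
                        2020110901  ; serial
                        3600        ; refresh
                        600         ; retry
                        86400       ; expire
                        600 )       ; negative-caching TTL
                IN  NS   ns1.int.acme.com.
ns1             IN  A    10.0.0.254
application-1   IN  A    10.0.1.1
application-2   IN  A    10.0.1.2
application-3   IN  A    10.0.1.3
```

Clients that should keep typing short names get `search int.acme.com` in their resolver configuration, so `application-1` expands to `application-1.int.acme.com`. To confirm the split, `dig @10.0.0.254 acme.com` should now return the registrar's A record with the aa flag clear (it came through the forwarders), while `dig @10.0.0.254 application-1.int.acme.com` returns 10.0.1.1 with aa set.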

Not very helpful after the fact, but in general you don't want to have an internal/private DNS server with internal-only hostnames in the (same) top-level domain zone as what you use for your public hostnames.

Because when you do that you get what you're facing now: some form of shadow bookkeeping to ensure that your internal DNS will return the same results for every public DNS record that exists with your registrar in their DNS.

You are better off designating a subdomain in your domain for internal usage (for example int.example.com with records application-1.int.example.com and application-2.int.example.com, etc.) or, when you own both: use example.net internally and example.com publicly.

One work-around to do as you ask is to copy your public DNS records in your internal DNS and get something along the lines of:

$TTL    3600
@       IN      SOA     ns1.example.com. admin.example.com. (
                     2020110501;   ; serial
                           3600;   ; refresh
                            600;   ; retry
                          86400;   ; expire
                            600 ); ; negative-caching TTL
        IN      NS     ns1.example.com.

ns1.example.com.             IN  A            10.0.0.254

application-1.example.com.   IN  A            10.0.1.1
application-2.example.com.   IN  A            10.0.1.2
application-3.example.com.   IN  A            10.0.1.3
example.com.                 IN  A  < Public IP server 1 >
www.example.com.             IN  A  < Public IP server 1 >
*.example.com.               IN  A  < Public IP server 1 >
other.example.com.           IN  A  < Public IP server 2 >

You can simply avoid that problem though and simply publish your internal host names along with your public ones in your public DNS zone: Private IP address in public DNS

Bob
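The "shadow bookkeeping" in the answer above only works if it is checked, and the dig output in the question shows exactly what a missed record looks like: NOERROR with the aa flag set and ANSWER: 0. The following is an added example, not code from the question or the answers: a small standard-library DNS client that asks a chosen resolver for each name the registrar publishes and labels the result OK, DRIFT, NXDOMAIN or NODATA. PUBLIC_RECORDS is a constructed stand-in for the registrar's zone, with RFC 5737 documentation addresses in place of the "< Public IP server N >" placeholders; the default server 10.0.0.254 is the one from the question.

```python
"""Audit an internal resolver against the registrar's public A records.
Added example (not from the question or answers); standard library only."""
import random
import socket
import struct

# Constructed: what the registrar publishes and the internal server must mirror.
PUBLIC_RECORDS = {
    "acme.com": {"192.0.2.10"},
    "www.acme.com": {"192.0.2.10"},
    "other.acme.com": {"192.0.2.20"},
}


def build_query(name: str, qid: int) -> bytes:
    """Standard A/IN query with RD=1 (RFC 1035, section 4.1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:        # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return id, rcode, aa flag, answer count and the A records in the answer."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "ancount": an, "addrs": addrs}


def classify(parsed: dict, expected: set) -> str:
    """Name the condition a defender cares about for one public name."""
    if parsed["rcode"] == 3:
        return "NXDOMAIN"
    if parsed["rcode"] != 0:
        return "RCODE %d" % parsed["rcode"]
    if parsed["ancount"] == 0:
        # NOERROR, aa set, ANSWER: 0 -- the question's symptom: the server owns
        # the zone, has no record for the name and never forwards the query.
        return "NODATA (authoritative)" if parsed["aa"] else "NODATA"
    if parsed["addrs"] == expected:
        return "OK"
    return "DRIFT " + ",".join(sorted(parsed["addrs"]))


def query(server: str, name: str, timeout: float = 2.0) -> dict:
    """One UDP query to server:53; the reply must carry our transaction id."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != qid:
        raise ValueError("reply id does not match query id")
    return parsed


def audit(server: str, records: dict = PUBLIC_RECORDS) -> dict:
    """Verdict per public name when the internal server is asked."""
    return {name: classify(query(server, name), ips) for name, ips in records.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.254"
    for host, verdict in audit(target).items():
        print("%-20s %s" % (host, verdict))
```

Run against the internal server and any line other than OK is a record that has gone out of sync with the registrar; run the same audit against a public resolver to confirm the expected set itself is current. Compressed names in the answer section are handled, which matters because BIND compresses the owner name against the question.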