
I want to run a DNS setup where the zones are managed on an internal Active Directory DNS server. There is a slave DNS server on the edge of the network which runs BIND (I am open to switching this; I read that Unbound may be better?). What I want to do is to run the DNS server on the edge in split-DNS: towards the internal network it should be a slave to the AD DNS, towards the internet it should act as master and make some changes to the zone (namely removal of A records pointing to RFC1918 IPs).

I made a diagram to illustrate. IP addresses and names are fictional. 10/8 is local; 192.168/16 and 172.16/12 are publicly routable for the sake of this example. EXAMPLE.COM and EXAMPLE.ORG represent two different organisations:

              LOCAL NETWORK      PUBLIC INTERNET

           +------------------+
           |                  |
           |     10.0.0.1     |
           |  AD.EXAMPLE.COM  |
           |                  |
           |   EXAMPLE.COM    |
           |     (master)     |
           |                  |
           +------------------+
                    |
+--------+ +------------------+------------------+
| CLIENT |-|                  |                  |
+--------+ |     10.0.0.2     |  192.168.200.1   |
+--------+ | BIND.EXAMPLE.COM | NS1.EXAMPLE.COM  |
| CLIENT |-|                  |                  |
+--------+ |   EXAMPLE.COM    |   EXAMPLE.COM    |
+--------+ |     (slave)      |     (master)     |
| CLIENT |-|    (resolver)    |                  |
+--------+ +------------------+------------------+
                                        |
                              +------------------+
                              |                  |
                              |   172.16.100.1   |
                              | NS1.EXAMPLE.ORG  |
                              |                  |
                              |   EXAMPLE.COM    |
                              |     (slave)      |
                              |                  |
                              +------------------+

Some key points:

  • I do not want to keep zones on the BIND server updated by hand; zones should be transferred from the AD server and modified/rewritten automatically.
  • From the public internet, AD.EXAMPLE.COM is not mentioned in SOA or NS records. As far as the internet is concerned, it is not a DNS server. NS1.EXAMPLE.COM is the only master towards the internet.
  • Other internet-facing servers can be slave for NS1.EXAMPLE.COM, so zone transfers from BIND must be possible (I don't expect any problems here).
  • The BIND server is authoritative-only towards the internet, but an open resolver towards the local network.
  • DNSSEC (if applicable) is terminated on the BIND server.
jornane
  • For an authoritative server I would rather consider [nsd](http://www.nlnetlabs.nl/projects/nsd/) as the alternative, not [unbound](http://unbound.net/). Unbound is primarily a caching resolver server with some capability of having authoritative data mostly as a mechanism to override things. That said I don't think replacing bind with nsd will really get you closer to a solution, either. – Håkan Lindqvist May 18 '14 at 11:23
  • I think there is some mixed up terminology. Where you say _authoritative_ I suspect that you really mean _master_. Both _master_ and _slave_ zones are in fact authoritative. – Håkan Lindqvist May 18 '14 at 11:32
  • Håkan, you are right, I will update the question. I will also look into nsd, to see what the possibilities are. – jornane May 18 '14 at 11:48
  • Why do people persist in naming their Active Directory domains the same as their Internet-facing domains and creating these ugly make-work scenarios? I will never understand it. – Evan Anderson Jun 20 '14 at 15:28
  • Evan, even if the AD domain would be called `.example.local`, then I would still need to keep it in sync with `.example.com`, so it wouldn't make much of a difference. – jornane Jun 21 '14 at 13:22

1 Answer


One solution is to set up BIND with Split-DNS, one view as slave and one as master, and run a cron job on the BIND server. The cron job takes the slave zone (from the internal view), edits it and writes it as another zone file (for the external view).

However, this feels pretty hacky and I don't think this is the best solution.

jornane
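The editing step of that cron job, as an added example that is not part of the answer above: it takes the internal zone as text, drops every A record whose address falls in the real RFC 1918 ranges (the question's diagram treats two of them as public only for illustration), and keeps everything else, including SOA continuation lines. One thing a naive `grep -v` misses is handled here: when a removed record carried the owner name, the next kept record written with the blank-owner shorthand gets the name spelled out, otherwise it would silently attach to the previous name. The sample zone is constructed, and the record-line regex assumes the upper-case `IN` class and `owner [ttl] [class] type rdata` layout that BIND's own zone dumps use.

```python
import ipaddress
import re

# Real RFC 1918 ranges; the diagram in the question marks two as public only for illustration
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One record line: optional owner (blank owner = same as previous record), optional TTL,
# optional class, type, first rdata field. Assumes the layout of BIND's text zone dumps.
RR = re.compile(r"^(?P<owner>\S+)?[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?(?P<type>[A-Z]+)[ \t]+(?P<rdata>\S+)")


def is_rfc1918(addr):
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False                  # not an IPv4 literal (e.g. AAAA rdata)
    return any(ip in net for net in RFC1918)


def strip_private_a_records(zone_text):
    """Return zone_text without A records in RFC 1918 space; a kept blank-owner
    record that followed a removed line gets its owner spelled out."""
    out, owner, owner_removed = [], None, False
    for line in zone_text.splitlines():
        m = RR.match(line)
        if m is None or line.lstrip().startswith((";", "$")):
            out.append(line)          # comments, $ directives, SOA continuation lines
            continue
        if m.group("owner"):
            owner, owner_removed = m.group("owner"), False
        if m.group("type") == "A" and is_rfc1918(m.group("rdata")):
            owner_removed = owner_removed or bool(m.group("owner"))
            continue                  # drop the internal-only record
        if not m.group("owner") and owner_removed:
            line, owner_removed = owner + line, False   # re-attach the dropped owner
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample zone (not from the question), in the text form of a slave zone dump
SAMPLE_ZONE = """\
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
             2014051801 ; serial
             3600 1800 1209600 300 )
ns1      IN A   203.0.113.1
ad       IN A   10.0.0.1
www      IN A   10.0.0.10
         IN A   203.0.113.10
         IN AAAA 2001:db8::10
intranet IN A   172.20.5.5
"""
```

If the slave zone is stored in BIND's raw master-file format, convert it first with `named-compilezone -f raw -F text -o - example.com <slave-file>`, then write the filtered text to the external view's zone file and `rndc reload` it.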