Bind9 Zone File for Single Machine?

Question

Setup is two Active Directory servers with DNS replication across two sites. For 'legacy' purposes, I need to redirect queries for the previously lone file server to each site's respective copy. Eg, 'BIGBOX' -> 192.168.100.2 for site A; 'BIGBOX' -> 192.168.200.2 for site B. Setting a CNAME record works, but only until DNS replication kicks in...

Both AD DC's use a site-specific bind9 installation either as forwarder (Windows Server 2008r2 @ site A) or bind_dlz component (Samba4 @ site B).

I believe it should be possible to rig up a 'BIGBOX.subnet.domain.com' zone on either BIND9 machine pointing to the respective file server copy. Kind of a 'split-horizon' scenario, but without views and only for one address.

If this makes sense, how would such a zone file look like (NS, A record)?

Any pointers [sic] greatly appreciated!

score 1 · Answer 1 · answered Jul 30 '18 at 07:54

I'm not sure if I understood your setup right. If I understood you right, you have your main DNS in AD and just want to serve one record (bigbox) differently depending on the subnet.

You can solve this like the following. In active directory create a delegation (i.e. a NS entry) pointing to your bind server for bigbox.domain.com.

On the bind server you have to create a view based setup. See https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html for details. I guess this slightly modified example should get you going:

# named.example02.conf

acl subnetA { 192.168.7.0/24; localhost; };
acl subnetB   { 192.168.8.0/24; };

view subnetA {
    match-clients { subnetA; };

    allow-recursion { any; };

    zone "bigbox.example.com" {
        type master;
        file "subnetA/db.bigbox.example.com";
    };
};

view subnetB {
    match-clients { subnetB; };

    allow-recursion { any; };

    zone "bigbox.example.com" {
        type master;
        file "subnetB/db.bigbox.example.com";
    };
};

Then just create two zones consisting only of SOA, NS and one A record. The only difference between them should be the A record! Store as subnetA/db.bigbox.example.com and subnetB/db.bigbox.example.com.

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     bind.example.com. root.bigbox.example.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      bind.example.com.

;change this IP depending on view
bigbox     IN      A       192.168.1.21

Yes, in a nutshell, I need to redirect requests for a fileserver _alias_ to the respective physical machine by subnet. Where there used to be one SMB fileserver for two locations, we now have replicas at each location. Unfortunately, desktops are littered with Windows shortcuts to the single-serve box, so I have to find a way to 'CNAME' my way through this mess while by-passing domain DNS replication between the two DC's. — canut, Jul 31 '18 at 23:18
As a quick fix, I made my BIND9 implementations authoritative for a 'BIGBOX.ad-domain.domain.com' zone, with an empty A record pointing to the respective physical fileserver. Appears to be working, although BIND yells at me about a 'record with inherited owner'. I'll give your approach a shot this weekend. Thanks again for your help! — canut, Jul 31 '18 at 23:19
Sidenode: if you're using Kerberos on this box, it most likely will not like the CNAME approach. You could also try to solve it at the application level by using DFS namespaces. Won't help with the cluttered desktop though. But sometimes it better to rethink old habits. — Jonathan, Aug 01 '18 at 11:55
Still working on it. The migration, that is. Looks like a server zone file on each Bind9 implementation, plus delegation on the Windows box, is doing the trick. I'll update my initial post once I have a stable environment with reliable test results. — canut, Aug 12 '18 at 19:05
You can also check this answer: https://serverfault.com/questions/925056/how-to-override-one-entry-in-a-bind9-view/927477#927477 — Tommiie, Sep 12 '18 at 11:37

canut · Answer 2 · 2018-09-19T21:16:56.653

Ok. I've had some time to play around with this in a production environment, and this is what works: authoritative bind9 zone file for 'BIGBOX.ad-Domain.domain.com' at either subnet with an empty A record for the respective file server address.

With server NS1 at 192.168.100.0/24, this would point to fileserver FS1 @ 192.168.100.2; server NS2 at 192.168.200.0/24 points to FS2 @ 192.168.200.2. Basically, an additional A record for an imaginary server to the ones that already exist for my actual file servers.

One of my DCs is a Windows Server box that delegates authority for BIGBOX to NS1 (bind9 on Debian); the other one runs off of Debian 9, with the bind9_dlz backend handling DNS. Again, the Windows Server/bind9 environment needs a delegation in Windows DNS, but it looks like this doesn't get replicated between my DCs, so all is well.

Bind9 Zone File for Single Machine?

2 Answers2