
I am setting up a cluster of DNS servers that will soon reply to both LAN clients and public internet queries. On the internet there is a special network (XX.YY.ZZ.AA/26) that I need to answer differently when it queries the public zone ext.net. I tried to follow good practices but am still doubting and confused... I decided to point my LAN clients to the recursor and not to dnsdist, to ensure a running LAN DNS system if dnsdist experiences issues.

Am I using a proper way to resolve names differently between the internet and the specific network XX.YY.ZZ.AA/26?

Should the requests from XX.YY.ZZ.AA/26 go from dnsdist to the LAN recursor before hitting the auth servers? (instead of directly from dnsdist to the auth servers)

This is my priv/pub DNS diagram:

Thanks a lot for your comments

  • A few things are not clear to me: 1) You trust dnsdist for outside access but not for internal ones? This is strange. 2) Are you absolutely sure you need to have a public open recursive nameserver? You do not explain why. 3) If that is really your need, I would use separate software and hardware for it, and not have your internal clients use it (directly or indirectly) at all. – Patrick Mevzek Dec 01 '19 at 17:35
  • Hi, thanks for the reply. 1) I would rather keep it simple for internal access and only use a recursor. LAN DNS requests are few, while outside access on our public domain will be heavy. 2) I don't have a public open recursive NS. The only recursors are private and forward LAN requests to the outside. Nothing public reaches the recursor. 3) Can you rephrase please? I couldn't understand. – Tomasito Dec 02 '19 at 22:19
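As an added illustration (not the asker's configuration), the following dnsdist config shows one way to give the special /26 its own authoritative view of ext.net directly from dnsdist, without sending its queries through the LAN recursor, while refusing everything outside the public zone so the public listener cannot be used as a resolver. All addresses, pool names, the rate-limit value and the 192.0.2.64/26 placeholder for XX.YY.ZZ.AA/26 are assumptions.

```lua
-- dnsdist configuration (Lua). Added example, not the asker's config.
-- Addresses, pool names and the /26 below are placeholders.

-- Listen only on the public interface; LAN clients keep using the recursor directly.
addLocal("203.0.113.53:53")

-- The public zone is authoritative data, so any client may ask for it.
setACL({"0.0.0.0/0", "::/0"})

-- Two backend pools: the regular public view and the view for the special network.
newServer({address="198.51.100.11:53", pool="auth-public"})
newServer({address="198.51.100.12:53", pool="auth-public"})
newServer({address="198.51.100.21:53", pool="auth-special"})

-- Only names under ext.net are served by this front end.
local publicZones = newSuffixMatchNode()
publicZones:add(newDNSName("ext.net."))

-- Per-client rate limit first, so a noisy source cannot exhaust the backends
-- (50 qps is a placeholder value).
addAction(MaxQPSIPRule(50), DropAction())

-- Refuse anything outside ext.net: dnsdist never becomes an open resolver
-- and never forwards public traffic towards the LAN recursor.
addAction(NotRule(SuffixMatchNodeRule(publicZones)), RCodeAction(DNSRCode.REFUSED))

-- The special network (stands in for XX.YY.ZZ.AA/26) gets its own view of ext.net.
local specialNet = newNMG()
specialNet:addMask("192.0.2.64/26")
addAction(AndRule({NetmaskGroupRule(specialNet), SuffixMatchNodeRule(publicZones)}),
          PoolAction("auth-special"))

-- Everyone else gets the regular public view.
addAction(SuffixMatchNodeRule(publicZones), PoolAction("auth-public"))
```

Rules are evaluated in the order they are added, so the rate limit and the zone check run before either pool is selected.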
