On 12/27/24 15:40, Roberto Braga wrote:
For this, I must use 2 servers:

I agree that you should use two servers. But I also believe you could do what you're doing with one server, one OS image, and maybe even one instance of BIND.

The first, like Recursive DNS itself, is what clients will use to configure DNS.

The second, as a copy of root, must be consulted to the first if it does not have a cache.

Forming a hyperlocal recursive DNS composed of 1 computer with the address that clients will use as DNS and 1 computer with the root copy (slave of the root servers).

Why not have a copy of the root zone on the same recursive server that clients use?

You can easily include secondary copies of the root zone in the recursive DNS server itself.

There may be some room for discussion on if this should be done or not. But I've not had any problems including root on my personal recursive servers for years.

If you do want to have some separation, you can use separate views in the same daemon.

If you want more separation, you can have separate daemons on the same system.

The scheme below is working, but I would like someone more experienced who can review and identify if I'm doing it correctly, if there are flaws or how I can improve this structure... Thank you.

The biggest thing that I see is that you have two cascaded single points of failure. If either of them goes offline, say for patching, your entire user base is without recursive DNS service.

I would suggest configuring both servers identically; zones, same mirror copy of root, same named.conf values.

I would also encourage you to explore VRRP (likely via keepalived) to have the two IPs that clients are configured to use be able to float back and forth between the two identical systems. Each IP should have an affinity to one system but also be able to be hosted by the other system.

Yes, clients should fall back to the secondary DNS server if the primary is unreachable. However I've seen some really bad failure modes with this. And all of these failure modes can be avoided if the surviving / online server simply adds the down / offline server's service (virtual) IP (VIP) to it. That way clients still see both IPs as online and usable.

To use the VRRP technique properly you will need a management IP for each server and a service / virtual IP (VIP) for each server, so a total of four IPs.

With this technique, either server can be offline for maintenance and clients will have full functionality using either IP.

As Greg suggested, explore "mirror" zones instead of a secondary zone transfer of the root zone.

I would also encourage you to read about and consider a local instance of the AS112 Project wherein you also have mirror copies of some infrastructure zones to help keep DNS internet background radiation contained in your environment.

Link - AS112 Project
 - https://www.as112.net/

Note, just because you have a local copy of the root zone doesn't mean that you will be able to resolve names without an Internet connection. The root zone is just a very small subset of the names on the internet.

Some additional comments on your config:

- Why are you disabling query name minimization? That has privacy implications? Is that an optimization for your configuration?

 - You may want allow-query-cache { ... };

- You might want to define an ACL and place your IP networks therein. That way you can reference that ACL name in your allow-* statements. This helps ensure that you don't miss and update to the duplicated data in the future.

 - Check out empty-zones-enable, empty-server, and empty-contact.

 - Checkout server-id, version, and minimal-responses.

- Seeing as how you're not showing any authoritative zones, it might not matter. But it's really nice to have rndc capability to have BIND / named alter / reload some things on the fly.



--
Grant. . . .
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to