RE: How should I configure internal and external DNS servers

2023-11-04 Thread Verne Britton
You haven’t mentioned your firewall or router config between the private
corporate network and the public internet (or I missed it).

Cisco firewalls, and I bet others too, have a very interesting and powerful
capability: to examine and edit/change packet data (payload data) on the fly
in real time. That is, when the firewall sees a DNS lookup/resolver response
coming in from the outside, and notices the internal DNS ‘answer’ is for an IP
address that is mapped/translated in the firewall to a 10. address (just an
example), the firewall will edit that payload and replace the public IP with
the 10. address, so the internal PC (or helper/resolver internal server) that
asked for the DNS lookup will receive the correct 10. answer, to avoid NAT
hairpinning (?), or so I’m told by my co-workers.

What this means, if your equipment has this feature, is that internal lookups
can go to your public DNS server and will receive the appropriate internal
answer, while outside lookups for the same entry will receive a public IP
answer. Thus you don’t need a duplicate zone internally just to hand out 10.
addresses for internal servers/equipment for use by internal PCs. Did you
mention you have internal entries for internal use that don’t exist in the
public zone? If so, then decide if exposing just the internal name and its
matching 10. address to the public is an issue. Note that external users,
assuming they can guess that secret internal name, will only learn the 10.
address, but hopefully your routers and firewalls, as well as the outside
user’s equipment, will never allow an outside user to connect into your
internal network using a 10. address for that connection. That is, it’s
possible there is no harm in having your public zone contain the secret name
and its 10. address.

Also, bind supports ACLs on many items (I forget which one for resolution
exactly), so if you want, you can have your public DNS servers be used as
resolvers by all your internal 10. PCs while not allowing resolution by any
outside aka public connections (that is, only serving its authoritative zones
to public queries). Not sure if your optional goal was to eliminate any
internal DNS server of any type. And as others have said, I believe, if you do
wish to use bind internally as just a resolver, that’s very easy to set up,
plus it lets you not have to learn and manage two different DNS packages.


Verne Britton

From: bind-users On Behalf Of Nick Howitt via bind-users
Sent: Saturday, November 4, 2023 3:42 PM
To: bind-users@lists.isc.org
Subject: Re: How should I configure internal and external DNS servers

Thanks for the reply. Interesting.
Option A - It works but I would like to stop maintaining two different servers 
with the same data.
Option B - I have no chance of getting the company to agree to IPv6.
Option C - From your summary, does not appear to remove the requirement to 
maintain the data twice
Option D - No chance of re-zoning internally. It would be a long term project 
like IPv6.
Option E - Agreed. Does not appear to simplify anything
Option F - Looks really interesting. I'll investigate further
Option G - Yes it would be trivial with DNSMasq internally. I don't think I 
have any chance of pushing this through. Also DNSMasq does not support 
replication (but it could be scripted). I could look for other solutions but I 
doubt I would get anywhere in the company.

I'll spend some time investigating option F, thanks.

Nick
On 04/11/2023 02:03, Nick Tait via bind-users wrote:

Hi Nick.

Your current set-up sounds like a fairly common configuration. And depending on 
your requirements there are a number of options that you might consider.

But let's start with requirements: I've made some assumptions - please advise 
if I've got any of this wrong?:

  *   You have two distinct sets of authoritative servers, which don't overlap 
in any way currently. E.g. Servers A (primary/master), B & C 
(secondaries/slaves) are authoritative for internal zone ("Bind-internal"); 
Servers C (primary), D & E (secondaries) are authoritative for external zone 
("Bind-external").
  *   The records in Bind-external are a subset of those in Bind-internal. In 
other words, for every resource record (not including SOA & NS records) in 
Bind-external, there is an identical record in Bind-internal.
  *   Do you have another set of servers that act as recursive resolvers in 
your network currently, or do A, B and/or C fulfil that role currently? (I'm 
going to assume that A, B & C are used as recursive resolvers on your internal 
network for now. It probably doesn't make a huge difference either way but it 
is just an extra factor that needs to be taken into account.)
  *   You are not using DNSSEC to sign your zones.
  *   Your zone structure is more-or-less flat currently. i.e. You don't have 
any delegations to sub-zones.
  *   Your primary reason for having separate authoritative 
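
The firewall behaviour Verne describes at the top of this thread (Cisco's DNS inspection calls it DNS rewrite, often "DNS doctoring") comes down to patching A-record RDATA inside a DNS response before it reaches the inside client. The Python below is an added example written for this page, not code from the thread or from any firewall vendor: it builds a constructed response for www.example.com (a CNAME plus two A records, using RFC 5737 documentation addresses) and rewrites only those answer-section A records whose public address appears in a hypothetical static-NAT map, NAT_MAP. Two points a practitioner should take from it: A RDATA is a fixed 4 bytes, so the rewrite changes no lengths or compression pointers and the packet stays well-formed; and the rewrite alters signed data, so an inside client that validates DNSSEC will reject the doctored answer, and a client using DNS over TLS or HTTPS never gives the firewall cleartext to doctor in the first place.

```python
"""
DNS response 'doctoring': rewrite answer-section A records that carry a
publicly NATed address so inside clients receive the inside address.
Added example for this page, not code from the bind-users thread or any
vendor.  Names, addresses and NAT_MAP are constructed for illustration.
"""
import ipaddress
import struct

TYPE_A = 1
TYPE_CNAME = 5
CLASS_IN = 1
QR_BIT = 0x8000                        # flags bit that marks a response

# Hypothetical static-NAT table of the firewall: public -> inside.
NAT_MAP = {"203.0.113.10": "10.1.2.3"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past the name at `off` (handles compression)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def iter_answer_rrs(pkt):
    """Yield (rdata_offset, type, class, ttl, rdlength) per answer-section RR."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                           # fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, ttl, rdlen
        off += rdlen


def rewrite_a_records(pkt, nat_map):
    """
    Return (doctored_packet, [(public, inside), ...]).  Only A records in the
    answer section whose address is a key of nat_map are touched.  A RDATA is
    always 4 bytes, so every offset and compression pointer stays valid after
    the in-place overwrite.  Queries (QR=0) are returned untouched.
    """
    buf = bytearray(pkt)
    if not struct.unpack_from("!H", buf, 2)[0] & QR_BIT:
        return bytes(buf), []          # a query: nothing to doctor
    changes = []
    for off, rtype, rclass, _ttl, rdlen in iter_answer_rrs(buf):
        if rtype != TYPE_A or rclass != CLASS_IN or rdlen != 4:
            continue
        public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        inside = nat_map.get(public)
        if inside is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(inside).packed
            changes.append((public, inside))
    return bytes(buf), changes


def answer_a_addresses(pkt):
    """Dotted-quad list of every answer-section A record, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for off, rtype, rclass, _ttl, rdlen in iter_answer_rrs(pkt)
            if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4]


def build_response(qname, answers, txid=0x1234):
    """Constructed sample response; answers = [(owner, type, ttl, rdata)]."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b""
    for owner, rtype, ttl, rdata in answers:
        # Owners equal to QNAME reuse it through a pointer to offset 12.
        name = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += name + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body


def demo():
    """CNAME plus two A records; returns (seen outside, doctored, changes)."""
    answers = [
        ("www.example.com", TYPE_CNAME, 300, encode_name("web.example.com")),
        ("web.example.com", TYPE_A, 300, ipaddress.IPv4Address("203.0.113.10").packed),
        ("web.example.com", TYPE_A, 300, ipaddress.IPv4Address("198.51.100.5").packed),
    ]
    before = build_response("www.example.com", answers)
    after, changes = rewrite_a_records(before, NAT_MAP)
    return before, after, changes
```

Running `demo()` gives an outside view of `['203.0.113.10', '198.51.100.5']` and an inside view of `['10.1.2.3', '198.51.100.5']`; the second address is not in the NAT table and passes through untouched, which is exactly the selective behaviour that lets one public zone serve both audiences.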

Re: different TTLs for multiple TXT records

2020-09-26 Thread Verne Britton

Thank you to Mark Andrews and Matus Uhlar for your quick responses ...

I see now how my thought process is fundamentally flawed  :-)

Sorry for the silly question !!

Verne

Verne Britton, Lead Systems Programmer
Systems Support Group, West Virginia Network for Educational Telecomputing
837 Chestnut Ridge Road, Morgantown, WV 26505
voice: (304) 293-5192 x230 (in WV, call 1-800-253-1558)
FAX: (304) 293-5540
vbrit...@staff.wvnet.edu
http://www.wvnet.edu

On 9/26/2020 1:56 PM, Matus UHLAR - fantomas via lists.isc.org wrote:

On 26.09.20 09:58, Verne Britton wrote:

I see that RFC2181, written I think 20+ years ago, says in part

5.2. TTLs of RRs in an RRSet

 Resource Records also have a time to live (TTL).  It is possible for
 the RRs in an RRSet to have different TTLs.  No uses for this have
 been found that cannot be better accomplished in other ways.  This
 can, however, cause partial replies (not marked "truncated") from a
 caching server, where the TTLs for some but not all the RRs in the
 RRSet have expired.

 Consequently the use of differing TTLs in an RRSet is hereby
 deprecated, the TTLs of all RRs in an RRSet must be the same.

[...]

but in the last few years, perhaps even a decade, TXT record usage has
expanded to be used for many different and unique purposes, such as domain
ownership verification and SPF data.

unfortunately, TXT is overloaded with multiple uses. SPF record was
deprecated ...

What is the proper avenue to request an enhancement so each TXT record can have
its own unique TTL value?

not possible. IF you ask for a TXT, you must get all TXTs, the same for A, NS,
MX and all other records of the same type.

if you don't get something, it means it's not there. This is not just
documented standard - doing it differently would make DNS unreliable.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


different TTLs for multiple TXT records

2020-09-26 Thread Verne Britton

I see that RFC2181, written I think 20+ years ago, says in part

5.2. TTLs of RRs in an RRSet

  Resource Records also have a time to live (TTL).  It is possible for
  the RRs in an RRSet to have different TTLs.  No uses for this have
  been found that cannot be better accomplished in other ways.  This
  can, however, cause partial replies (not marked "truncated") from a
  caching server, where the TTLs for some but not all the RRs in the
  RRSet have expired.

  Consequently the use of differing TTLs in an RRSet is hereby
  deprecated, the TTLs of all RRs in an RRSet must be the same.

[...]

but in the last few years, perhaps even a decade, TXT record usage has expanded
to be used for many different and unique purposes, such as domain ownership
verification and SPF data.

What is the proper avenue to request an enhancement so each TXT record can have
its own unique TTL value?

Can bind be changed to do this, or must the RFC be changed first?

Or, please give advice on how to do this today  :-)

a live example for a client

dig TXT newriver.edu

;; ANSWER SECTION:
newriver.edu.           3590    IN      TXT     "docusign=b8923ecb-9c2e-4ead-ac43-17c3d522fd49"
newriver.edu.           3590    IN      TXT     "MS=ms76391508"

I desire to have the MS= record have a TTL of say 3600, but want the docusign
record to have a TTL of 86400

... I put 3590 in there to make it easier to find it when looking at the zone
file ...

Verne
--------
Verne Britton, Lead Systems Programmer
Systems Support Group, West Virginia Network for Educational Telecomputing
837 Chestnut Ridge Road, Morgantown, WV 26505
voice: (304) 293-5192 x230 (in WV, call 1-800-253-1558)
FAX: (304) 293-5540
vbrit...@staff.wvnet.edu
http://www.wvnet.edu
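
Both messages of this thread, Verne's question and Matus's reply, turn on RFC 2181 section 5.2: the RRset (every record sharing an owner name, class and type), not the individual record, is the unit a cache stores and a client receives. The Python below is an added example written for this page, not code from the thread or from BIND. Its zone lines are constructed, modelled on the dig output in the post, and the "lowest TTL wins" normalisation is one choice made here for illustration, not a description of what named does when it loads such a zone. It shows why per-record TTLs would produce exactly the partial answer the RFC warns about: after two hours a cache honouring the individual TTLs would hand back the DocuSign record alone, and the client would conclude the MS= record does not exist.

```python
"""
RFC 2181 section 5.2 in practice: an RRset (same owner, class and type)
carries a single TTL, so two TXT records at one name cannot have different
TTLs.  Added example written for this page, not code from the thread or
from BIND.  The zone lines are constructed, modelled on the dig output in
the post; the 'lowest TTL wins' rule is an illustrative assumption.
"""
from collections import defaultdict

SAMPLE_ZONE = """\
; constructed sample: two TXT records at the apex with different TTLs
newriver.edu.  86400  IN  TXT  "docusign=b8923ecb-9c2e-4ead-ac43-17c3d522fd49"
newriver.edu.   3600  IN  TXT  "MS=ms76391508"
newriver.edu.   3600  IN  A    192.0.2.1
"""


def parse_zone(text):
    """Parse simple 'owner ttl class type rdata' lines into record dicts."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()     # drop comments
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append({"owner": owner.lower(), "ttl": int(ttl),
                        "class": rclass.upper(), "type": rtype.upper(),
                        "rdata": rdata})
    return records


def group_rrsets(records):
    """Group records into RRsets keyed by (owner, class, type)."""
    sets = defaultdict(list)
    for r in records:
        sets[(r["owner"], r["class"], r["type"])].append(r)
    return dict(sets)


def mixed_ttl_rrsets(records):
    """Map each RRset whose members disagree on TTL to its sorted TTLs."""
    out = {}
    for key, rrs in group_rrsets(records).items():
        ttls = sorted({r["ttl"] for r in rrs})
        if len(ttls) > 1:
            out[key] = ttls
    return out


def normalize_ttls(records):
    """
    Return a copy in which every RR takes the lowest TTL seen in its RRset.
    This is one reasonable choice for a zone-checking tool and an assumption
    of this example, not a statement of what any server does on load.
    """
    lowest = {key: min(r["ttl"] for r in rrs)
              for key, rrs in group_rrsets(records).items()}
    return [dict(r, ttl=lowest[(r["owner"], r["class"], r["type"])])
            for r in records]


def cached_answer(records, key, age):
    """
    What a cache that honoured per-RR TTLs would return for `key` `age`
    seconds after caching the whole RRset: only the RRs not yet expired.
    That is the 'partial reply' RFC 2181 describes; a client reading it
    concludes the missing TXT record does not exist.
    """
    return [r["rdata"] for r in group_rrsets(records).get(key, [])
            if r["ttl"] > age]


def demo():
    """Show the partial-reply hazard and the single-TTL fix as a summary."""
    recs = parse_zone(SAMPLE_ZONE)
    key = ("newriver.edu.", "IN", "TXT")
    fixed = normalize_ttls(recs)
    return {
        "mixed": mixed_ttl_rrsets(recs),                     # {key: [3600, 86400]}
        "partial_after_2h": cached_answer(recs, key, 7200),  # docusign only
        "fixed_mixed": mixed_ttl_rrsets(fixed),              # {} once TTLs agree
        "fixed_after_2h": cached_answer(fixed, key, 7200),   # [] -> full re-query
    }
```

The only lever that gives two records different TTLs is putting them in different RRsets, which means different owner names; verification tokens like these are looked up at the zone apex, so that lever is not available and the apex TXT RRset has to share one TTL.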


Re: isc-bind-esv Repository - "yum update" doing undesirable things!

2019-05-10 Thread Verne Britton
I believe SCL allows multiple versions of the same package ... will ISC be 
using SCL in this manner?


Verne
--
Verne Britton, Lead Systems Programmer
Systems Support Group, West Virginia Network for Educational Telecomputing
837 Chestnut Ridge Road, Morgantown, WV 26505
voice: (304) 293-5192 x230 (in WV, call 1-800-253-1558)
FAX: (304) 293-5540
ve...@wvnet.edu
http://www.wvnet.edu

On 5/10/2019 4:30 AM, Michał Kępień wrote:
>> If the old XPG4 and POSIX rules are to be at least paid some attention
>> then the config data should be under /etc/opt/isc/named and the software
>> binaries and libs stay in /opt/isc/named with logs going to the correct
>> /var/opt/isc/named.
> 
> This is a good point, thanks for raising it.  Software Collections allow
> this kind of approach, we just initially rejected it as it makes other
> things more complicated and one of our primary goals for these packages
> is simplicity.  We will run some further experiments to see whether this
> route is feasible.  One downside of moving to this approach is that it
> would be another breaking change, though obviously if this would result
> in a cleaner long-term solution, then now is the time to bite the
> bullet.
> 
> I will report back to announce what we are going to do.  Thanks again
> for the feedback.
> 


3rd party CNAMEs and open recursion

2013-03-04 Thread Verne Britton

I have been testing and testing and either just don't see what I'm doing wrong, 
or have a learning block  :-)

Current thinking is that an open-recursion DNS server is bad, so we want to
implement an allow-recursion clause, perhaps even make some views so our local
users still recurse while the general public cannot ...

but I am running into a roadblock with our Google Apps cname:

   gmail.wvstateu.edu is a cname to ghs.google.com

and bind wants recursion turned on in order to translate it.

(actually we have a number of 3rd party CNAMEs; Google Apps have the most 
widespread usage)

I thought additional-from-auth would fix it up in a view, but either I do not 
understand additional-from-auth, or it does not work.

I also played around with a 2nd local server, testing with a forwarding zone as 
well as a stub zone ... no luck

my most recent testing is with bind 9.8.2 on Oracle Linux 6.3 64bit ... 
installed via yum from the Oracle Linux repositories (Oracle Linux is very very 
close if not a duplication, of the Red Hat distribution)

I am starting to read up on RPZ but don't know if that will help any ...

thoughts anyone?


Verne

Verne Britton, Lead Systems Programmer
Systems Support Group, West Virginia Network for Educational Telecomputing
837 Chestnut Ridge Road, Morgantown, WV 26505
voice: (304) 293-5192 x230 (in WV, call 1-800-253-1558)
FAX: (304) 293-5540
ve...@wvnet.edu
http://myweb.wvnet.edu/~verne
http://www.wvnet.edu
