Re: Split zone DNS?

2017-08-02 Thread flipchan
Yup, use unbound, it's great.

On July 28, 2017 4:47:53 PM GMT+02:00, Liviu Daia <liviu.d...@gmail.com> wrote:
>On 28 July 2017, Steve Williams <st...@williamsitconsulting.com> wrote:
>> Hi,
>> 
>> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
>> versions over 10 years) fine tune my home network.
>> 
>> I would like to run a local resolver on my internal network that will
>> resolve all my hosts on my local network to IP addresses on my local
>> network(s) rather than resolving to their public IP addresses.
>> 
>> I believe it's called a "split zone" DNS, where my domain is resolved
>> locally, but everyone else is resolved using normal resolution processes.
>> 
>> I set this up at one of my previous jobs using BIND, but that was 7 years
>> ago.  I've never gone to the trouble of doing it at home, but I would like
>> to exercise my brain a bit as well as having my home network set up
>> "better".
>> 
>> What is the best tool to accomplish this these days?  Is NSD the "modern"
>> tool to be using on OpenBSD?
>> 
>> Are there any hooks for dhcpd to update records?
>> 
>> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
>> go, but I thought I'd check the wisdom here to see if there is a better
>> approach.
>
>unbound(8) probably does exactly what you want.  It's mainly a
>recursive resolver, but it can also answer authoritatively for "local"
>zones, or simply override addresses for given hosts (think anti-spam).
>Unless you also want to answer queries for your domain coming from the
>Internet, you don't need a separate authoritative server.
>
>Regards,
>
>Liviu Daia

-- 
Take Care Sincerely flipchan layerprox dev

Re: Split zone DNS?

2017-08-01 Thread Stuart Henderson
On 2017-07-31, Kenneth Gober wrote:
> It's not totally clear whether
> it's even possible using nsd/unbound and the base dhcpd, but what I've
> seen indicates that it is not.

It could be done with some helper software to read the lease db
and convert to a zone file, or by reading logs and constructing
unbound-control commands to add/remove entries.

There's nothing pre-written afaik.

> So, what I am doing instead is I'm using isc-dhcp-server and isc-bind
> (from packages).

dnsmasq would be another option here.

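The "read the lease db and construct unbound-control commands" helper that Stuart says nobody has pre-written, as an added example that is not from the thread or from OpenBSD. It parses the ISC-format lease file dhcpd(8) writes (/var/db/dhcpd.leases on OpenBSD) and plans unbound-control(8) local_data / local_data_remove calls; the zone name "internal", the TTL and the sample leases are assumptions.

```python
"""Plan unbound-control updates from OpenBSD dhcpd's lease file.
Added example for the helper Stuart describes; not part of OpenBSD or the
thread.  Parses the ISC-format /var/db/dhcpd.leases that dhcpd(8) writes,
keeps active leases whose client-hostname is a valid DNS label, and emits
unbound-control(8) local_data / local_data_remove commands.  The zone name
and TTL are assumptions."""
import ipaddress
import re
from datetime import datetime, timezone

ZONE = "internal"   # assumed private LAN domain, as used in the thread
TTL = 300           # assumed TTL for the generated A/PTR records
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
ENDS_RE = re.compile(r"\bends\s+(?:(never)|\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}));")


def parse_leases(text, now, reserved=frozenset()):
    """Return {hostname: ipv4} for leases active at `now` (UTC datetime).
    dhcpd appends to the file, so a later block for an address supersedes
    an earlier one.  Hostnames are client-supplied and untrusted: drop
    anything that is not a single lowercase label, any name in `reserved`
    (your static names such as "mail"), and any name two addresses claim."""
    by_ip = {}
    for ip, body in LEASE_RE.findall(text):
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        host_m, ends_m = HOST_RE.search(body), ENDS_RE.search(body)
        host = host_m.group(1).strip().lower() if host_m else ""
        active = ends_m is not None and "abandoned;" not in body and (
            ends_m.group(1) == "never"
            or datetime.strptime(ends_m.group(2), "%Y/%m/%d %H:%M:%S")
            .replace(tzinfo=timezone.utc) > now)
        if active and LABEL_RE.match(host) and host not in reserved:
            by_ip[ip] = host
        else:
            by_ip.pop(ip, None)   # expired, abandoned, unnamed or rejected
    names, ambiguous = {}, set()
    for ip, host in by_ip.items():
        if host in ambiguous:
            continue
        if host in names:         # a second address claims this name
            ambiguous.add(host)
            del names[host]
        else:
            names[host] = ip
    return names


def reverse_name(ip):
    """192.168.1.50 -> 50.1.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def plan_commands(old, new, zone=ZONE, ttl=TTL):
    """unbound-control argv lists (run without a shell) taking `old` to `new`.
    A changed address removes the old A and PTR first, because local_data
    appends to an existing RRset rather than replacing it."""
    cmds = []
    for host in sorted(old):
        if new.get(host) != old[host]:
            cmds.append(["unbound-control", "local_data_remove", f"{host}.{zone}."])
            cmds.append(["unbound-control", "local_data_remove", reverse_name(old[host])])
    for host in sorted(new):
        if old.get(host) != new[host]:
            cmds.append(["unbound-control", "local_data",
                         f"{host}.{zone}. {ttl} IN A {new[host]}"])
            cmds.append(["unbound-control", "local_data",
                         f"{reverse_name(new[host])} {ttl} IN PTR {host}.{zone}."])
    return cmds


# Constructed sample lease file (not real data) in the format dhcpd writes.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  ends 3 2017/08/02 22:00:00;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  ends 3 2017/08/02 10:10:00;
  client-hostname "printer";
}
lease 192.168.1.52 {
  ends 3 2017/08/02 22:06:00;
  client-hostname "pwn; rm -rf /";
}
lease 192.168.1.53 {
  ends 3 2017/08/02 22:07:00;
  client-hostname "mail";
}
lease 192.168.1.50 {
  ends 3 2017/08/02 23:00:00;
  client-hostname "Laptop";
}
"""
SAMPLE_NOW = datetime(2017, 8, 2, 12, 0, tzinfo=timezone.utc)
```

To wire it up, read /var/db/dhcpd.leases from cron, keep the previously applied mapping in a small JSON file to diff against, and hand each argv list to subprocess.run(argv, check=True); unbound's remote-control: section has to be enabled for unbound-control(8) to work. The argv form and the label check are the security-relevant parts: hostnames come straight from DHCP clients, so they must never be spliced into a shell command line, and a client must not be able to register "mail" or a second "nas" and hijack a name other machines trust.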



Re: Split zone DNS?

2017-07-31 Thread Kenneth Gober
On Fri, Jul 28, 2017 at 9:58 AM, Steve Williams wrote:
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
>
> What is the best tool to accomplish this these days?  Is NSD the "modern"
> tool to be using on OpenBSD?
>
> Are there any hooks for dhcpd to update records?

I have found the readily available documentation unclear on how to
handle dynamic DNS updates when DHCP is in use.  The advice I've seen
has basically been either to not bother, or to have DHCP assign fixed
addresses (i.e. don't do dynamic DNS).  It's not totally clear whether
it's even possible using nsd/unbound and the base dhcpd, but what I've
seen indicates that it is not.

So, what I am doing instead is I'm using isc-dhcp-server and isc-bind
(from packages).  Note that I provide DNS/DHCP service on my internal
network only (I do not provide any DNS name resolution of any kind on
my Internet-facing interfaces) so it's not really "split-horizon".  If
I were to provide split-horizon DNS I would probably use two separate
machines, one providing internal service (using isc-dhcp-server and
isc-bind) and another providing external service (using nsd).

-ken



Re: Split zone DNS?

2017-07-29 Thread Etienne

On 29/07/17 12:04, Craig Skinner wrote:
>> What is the best tool to accomplish this these days?  Is NSD the
>> "modern" tool to be using on OpenBSD?
>
> When OpenBSD changed from BIND to NSD & Unbound, I found it simpler to
> serve the private domain '.internal' on the LAN;-

An alternative is to use a subdomain (like "internal.example.org") for 
your LAN, and let the authoritative nameserver delegate the authority on 
that subdomain to your local nameserver.


--
Étienne



Re: Split zone DNS?

2017-07-29 Thread Craig Skinner
On Fri, 28 Jul 2017 07:58:25 -0600 Steve Williams wrote:
> 
> I would like to run a local resolver on my internal network that will 
> resolve all my hosts on my local network to IP addresses on my local 
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved 
> locally, but everyone else is resolved using normal resolution
> processes.
> 

Yes Steve.

A split horizon DNS zone is where different data is served for the same
zone above & below the horizon (a gateway between the Internet & LAN).

So hosts like printer.example.not.uk resolve internally only. In the
dark, below the public light of the sun's horizon.

Also hosts like mail.example.not.uk have a private LAN IP address
internally, and have a public IP address when queried from the Internet.
(which is like poisoning the internal edition of the zone.)


> I set this up at one of my previous jobs using BIND, but that was 7 
> years ago. I've never gone to the trouble of doing it at home, but I 
> would like to exercise my brain a bit as well as having my home
> network set up "better".
> 

Yes, I used to operate BIND as a split horizon server on OpenBSD too.


> What is the best tool to accomplish this these days?  Is NSD the 
> "modern" tool to be using on OpenBSD?
> 

When OpenBSD changed from BIND to NSD & Unbound, I found it simpler to
serve the private domain '.internal' on the LAN;-

To serve a split horizon zone, there needs to be 2 NSD daemons, serving
different zone files. Either on different machines, or different ports.

Or,... Unbound can serve data for simple private zones,
while leaving NSD to serve public zones.

Unbound can stub (i.e. proxy) zones from NSD served zone files.

This thread is a couple of years old, but could help you get going:
http://marc.info/?l=openbsd-misc&m=141113669300630&w=2


A master NSD server can notify a slave NSD server, which will auto
transfer the zone & serve new data when the zone is updated.

So I have 2 NSD servers on my LAN, which 2 Unbound resolvers stub
their .internal domain from. (No need to cron rdist unbound.conf files
between servers & restart unbound.) I can shutdown & upgrade 1 gateway
machine, while everything on the LAN keeps working as normal.


For internal domain name thoughts, see:
http://marc.info/?l=openbsd-misc&m=145639578710637&w=2

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7

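The two Unbound roles Craig and Liviu describe (overriding a few names of the public zone with local data, and stubbing a private zone from a pair of NSD servers), as an added unbound.conf fragment that is not from the thread or from OpenBSD's shipped configuration. The zone names, the 192.168.1.0/24 addresses and the two NSD listener addresses are assumptions.

```conf
# Added example, not from the thread.  Names and addresses are assumptions.
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Split horizon on the public zone (Liviu's "override addresses for
    # given hosts"): only mail gets the LAN address; every other name under
    # example.not.uk is still resolved from the Internet, which is what
    # "transparent" means here.
    local-zone: "example.not.uk." transparent
    local-data: "mail.example.not.uk. 300 IN A 192.168.1.25"
    local-data-ptr: "192.168.1.25 mail.example.not.uk"

    # Private LAN-only domain proxied from NSD (Craig's stub setup).  For a
    # handful of hosts, local-zone: "internal." static plus local-data
    # lines like the ones above replaces the stub-zones entirely.
    # The root can prove that .internal does not exist, so a validating
    # resolver would otherwise mark the stub's answers bogus:
    domain-insecure: "internal."
    # Strip RFC 1918 addresses from Internet answers (DNS rebinding), but
    # allow them for the domains we serve ourselves:
    private-address: 192.168.0.0/16
    private-domain: "internal."
    private-domain: "example.not.uk."
    # Unbound answers the RFC 1918 reverse zones itself by default; release
    # ours so PTR queries reach the stub below.
    local-zone: "1.168.192.in-addr.arpa." nodefault

# Two NSD servers (master and slave, as on Craig's LAN) hold the zone data;
# unbound only proxies it, so nothing here changes when a host is added.
stub-zone:
    name: "internal."
    stub-addr: 192.168.1.2
    stub-addr: 192.168.1.3

stub-zone:
    name: "1.168.192.in-addr.arpa."
    stub-addr: 192.168.1.2
    stub-addr: 192.168.1.3
```

Run unbound-checkconf(8) after editing; the cheap test of the split horizon is to query mail.example.not.uk from a LAN host and from outside and confirm the two answers differ, and that a made-up name under .internal gets NXDOMAIN from the LAN rather than being forwarded to the root servers.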


Re: Split zone DNS?

2017-07-28 Thread Steve Williams

Hi,

Thanks for the feedback everyone!

I'll be looking at unbound and seeing if I need nsd or not.

Have a great weekend!

Cheers,
Steve

On 28/07/2017 7:58 AM, Steve Williams wrote:
> Hi,
> 
> I recently upgraded to 6.1 and am trying to (finally, after many 
> OpenBSD versions over 10 years) fine tune my home network.
> 
> I would like to run a local resolver on my internal network that will 
> resolve all my hosts on my local network to IP addresses on my local 
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved 
> locally, but everyone else is resolved using normal resolution processes.
> 
> I set this up at one of my previous jobs using BIND, but that was 7 
> years ago.  I've never gone to the trouble of doing it at home, but I 
> would like to exercise my brain a bit as well as having my home 
> network set up "better".
> 
> What is the best tool to accomplish this these days?  Is NSD the 
> "modern" tool to be using on OpenBSD?
> 
> Are there any hooks for dhcpd to update records?
> 
> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the 
> way to go, but I thought I'd check the wisdom here to see if there is 
> a better approach.
> 
> Thanks,
> Steve Williams




Re: Split zone DNS?

2017-07-28 Thread Liviu Daia
On 28 July 2017, Steve Williams <st...@williamsitconsulting.com> wrote:
> Hi,
> 
> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
> 
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
> 
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago.  I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
> 
> What is the best tool to accomplish this these days?  Is NSD the "modern"
> tool to be using on OpenBSD?
> 
> Are there any hooks for dhcpd to update records?
> 
> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.

unbound(8) probably does exactly what you want.  It's mainly a
recursive resolver, but it can also answer authoritatively for "local"
zones, or simply override addresses for given hosts (think anti-spam).
Unless you also want to answer queries for your domain coming from the
Internet, you don't need a separate authoritative server.

Regards,

Liviu Daia



Re: Split zone DNS?

2017-07-28 Thread Rui Ribeiro
Hi,

In large scenarios there might be an advantage in having the same domain
inside and outside: when accessing services behind NAT addresses, you can
serve the private address internally. That way, you do not need to go to
the firewall and back into the private network to translate that NAT.

Regards

On 28 July 2017 at 15:23, Claer <cl...@claer.hammock.fr> wrote:

> On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:
> > Hi,
> Hello,
>
> > I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> > versions over 10 years) fine tune my home network.
> >
> > I would like to run a local resolver on my internal network that will
> > resolve all my hosts on my local network to IP addresses on my local
> > network(s) rather than resolving to their public IP addresses.
> >
> > I believe it's called a "split zone" DNS, where my domain is resolved
> > locally, but everyone else is resolved using normal resolution processes.
> >
> > I set this up at one of my previous jobs using BIND, but that was 7 years
> > ago.  I've never gone to the trouble of doing it at home, but I would like
> > to exercise my brain a bit as well as having my home network set up
> > "better".
> >
> > What is the best tool to accomplish this these days?  Is NSD the "modern"
> > tool to be using on OpenBSD?
> I went for nsd for external domain information and Unbound for local
> cache and local resolutions override.
>
> bind was a DNS resolver and a forwarder at the same time. If you want
> both options, you need to setup NSD and Unbound.
>
> Unbound alone can do the trick for few records, but I found it easier to
> have a dedicated resolver in case I wanted to sync zones with a slave.
>
> > Are there any hooks for dhcpd to update records?
> Dunno, I use static MAC - IP mapping.
>
> > I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> > go, but I thought I'd check the wisdom here to see if there is a better
> > approach.
> As said, just pay attention that nsd is a resolver only.
>
> > Thanks,
> > Steve Williams
>
> Nowadays, I try to avoid using the same domain for internal and
> external. From my ops point of view, having a domain.local and a
> domain.ext is easier to maintain.
>
>
> Regards,
>
> Claer
>
>


-- 
Regards,

--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434


Re: Split zone DNS?

2017-07-28 Thread Claer
On Fri, Jul 28 2017 at 58:07, Steve Williams wrote:
> Hi,
Hello,

> I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD
> versions over 10 years) fine tune my home network.
> 
> I would like to run a local resolver on my internal network that will
> resolve all my hosts on my local network to IP addresses on my local
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved
> locally, but everyone else is resolved using normal resolution processes.
> 
> I set this up at one of my previous jobs using BIND, but that was 7 years
> ago.  I've never gone to the trouble of doing it at home, but I would like
> to exercise my brain a bit as well as having my home network set up
> "better".
> 
> What is the best tool to accomplish this these days?  Is NSD the "modern"
> tool to be using on OpenBSD?
I went for nsd for external domain information and Unbound for local
cache and local resolutions override.

bind was a DNS resolver and a forwarder at the same time. If you want
both options, you need to setup NSD and Unbound.

Unbound alone can do the trick for few records, but I found it easier to
have a dedicated resolver in case I wanted to sync zones with a slave.

> Are there any hooks for dhcpd to update records?
Dunno, I use static MAC - IP mapping.

> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to
> go, but I thought I'd check the wisdom here to see if there is a better
> approach.
As said, just pay attention that nsd is a resolver only.

> Thanks,
> Steve Williams

Nowadays, I try to avoid using the same domain for internal and
external. From my ops point of view, having a domain.local and a
domain.ext is easier to maintain.


Regards,

Claer



Split zone DNS?

2017-07-28 Thread Steve Williams

Hi,

I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD 
versions over 10 years) fine tune my home network.


I would like to run a local resolver on my internal network that will 
resolve all my hosts on my local network to IP addresses on my local 
network(s) rather than resolving to their public IP addresses.


I believe it's called a "split zone" DNS, where my domain is resolved 
locally, but everyone else is resolved using normal resolution processes.


I set this up at one of my previous jobs using BIND, but that was 7 
years ago.  I've never gone to the trouble of doing it at home, but I 
would like to exercise my brain a bit as well as having my home network 
set up "better".


What is the best tool to accomplish this these days?  Is NSD the 
"modern" tool to be using on OpenBSD?


Are there any hooks for dhcpd to update records?

I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way 
to go, but I thought I'd check the wisdom here to see if there is a 
better approach.


Thanks,
Steve Williams