What is the proper way to delegate to a private / hidden sub-domain?

Grant Taylor gtaylor at tnetconsulting.net
Wed May 6 22:04:31 UTC 2020

On 5/6/20 3:38 PM, John Levine wrote:
> The DNS server sends different answers depending on the client IP,
> so on your internal network it sees the private subdomain,
> everywhere else sees a ENT or NXDOMAIN.

Thank you for confirming.  That is indeed what I /thought/ we were 
talking about.  But given the difference in what you were describing and 
what I was thinking, I figured that it was worth confirming.

> If you really have to use physically separate servers for reasons 
> that you can't explain,...

There's not anything stopping me from explaining.

The main network I want dig +trace to behave (as) correctly (as 
possible) is inside the labs.  (Obviously tracing won't work without 
some support infrastructure on the disconnected labs.)

The external server is more to make the delegation into the labs look as 
clean as possible to the rest of the world.  I.e. return NXDOMAIN 
instead of timeouts.

In some ways, the external aspect is somewhat optional, save for the 
desire to lay nice with others.

I'd like to consistently re-use the same method across all labs, 
independent if they are isolated or not, both internally and externally.

> ...I suppose putting the two servers at the same IP addresss facing 
> different networks could work,

Hence "anycast".

> although you're asking for trouble with route leaks anytime someone 
> adjusts a router anywhere near one or the other.

In general, I agree with you.  However, in this particular case, I don't 
think it's going to be an issue.  The router inside the lab is not using 
any routing protocols, only static configs.  The router can get the 
local traffic to the anycast IP without worrying about anything 
escaping.  (Be it on the router w/ local DNS server, or directly 
attached network, or a host route to another system that is directly 

I'm taking your warning, processing it, and then deciding that this 
particular scenario is not subject to the concerns you rightfully have.

> Remember that with normal anycast all of the mirrors send identical 
> or at least equivalent answers so the routes are not a security 
> issue.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200506/0ad5d1ea/attachment.bin>

More information about the bind-users mailing list