Design Question

Carsten Strotmann carsten at strotmann.de
Tue Mar 26 11:00:14 UTC 2013



Hello Konstantin,

Konstantin Agouros wrote:
> Hi,
> 
> Since the resolver and auth server are no longer destined to run on the
> same box, or as one process for that matter, how is one supposed to
> set up a nameserver in a typical enterprise environment where I have
> a split DNS setting with a zone for the LAN only visible on the inside,
> and normally the nameserver that all the clients get pointed to
> also does recursive resolving, at least in part (yes, it might make
> sense from a security point of view not to allow this to the clients,
> but the sad truth is that in 90% of the companies I see this is the
> case).

It is always desirable to separate resolving/caching and authoritative DNS
servers.

In the case of "internal only" names, my recommendation is to have a
stub-zone configuration in the resolver DNS that permits proper DNS
delegation to an internal authoritative DNS. Such a design is clean, it
uses standard DNS delegation and has no need for forwarding. It is also
easier to troubleshoot (for example using query logging).


Internet
   ^
   |
   |
Caching-DNS --> Auth-DNS: Zone internal-only.example.com.
   ^
   |
   |
 Client

> So using DHCP I can point the clients either to the resolver or the
> auth server; assigning both would lead to connection timeouts,
> depending on the client implementation, if they ask the wrong one for
> the address to resolve.

The DHCP DNS information should always point to a resolving/caching DNS
server, never to an authoritative DNS. Using a hybrid
caching/authoritative server works, but often generates hard-to-find
issues, and inexperienced DNS admins tend to build over-complex DNS
designs with forwarding that are quite brittle.

In networks where DNSSEC validation is used, separation of caching DNS
and authoritative DNS is mandatory for clients to get an AD flag
(Authenticated Data). In some configurations (Windows 7/8 as a
DNSSEC-aware, non-validating stub resolver) it is required for the client
to see the AD flag in answers from DNSSEC-signed zones.

> If the resolver is queried, it only knows servers on the outside, where
> the local zones are not known and are not supposed to be known.
> 
> How do I set this up with just BIND 10?

My understanding is that the BIND 10 resolver is experimental and not
complete. It does not do stub zones, which are required for the proper
enterprise network DNS configuration you are asking for.

The required functionality is currently not available in BIND 10 1.0.0,
it will be implemented in future versions.

Best regards

-- Carsten



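The split design Carsten describes (a caching resolver that clients get from DHCP, holding a stub zone that delegates to a separate internal authoritative server, no forwarding), written out as an added example. This is not configuration from the thread or from the BIND 10 project; since the reply states BIND 10 lacked stub zones, the syntax shown is BIND 9 named.conf. The addresses 192.0.2.53 (resolver) and 192.0.2.10 (internal auth server), the network ranges, the zone name internal-only.example.com, the file paths and the zone file contents are all constructed for illustration.

```conf
// ===== File 1: /etc/named.conf on the RESOLVER (192.0.2.53) =====
// This is the address handed out via DHCP. It recurses for the LAN only.
options {
    directory "/var/named";
    recursion yes;
    // Only LAN clients may recurse; everyone else is refused.
    allow-recursion { 192.0.2.0/24; 2001:db8::/32; };
    allow-query     { 192.0.2.0/24; 2001:db8::/32; };
    // Validate public names so stub resolvers (e.g. Windows 7/8) see the AD flag.
    dnssec-validation auto;
    // If internal-only.example.com is unsigned while example.com is signed,
    // a validating resolver would treat the stub zone's answers as bogus.
    // BIND 9.13+ can exempt that name from validation (assumption: newer BIND):
    // validate-except { "internal-only.example.com"; };
};

// Stub zone: the resolver fetches SOA/NS (and glue) for the internal zone
// from the internal authoritative server and then follows ordinary DNS
// delegation to it. No forwarders involved, so query logging
// ("rndc querylog on") shows the real resolution path.
zone "internal-only.example.com" {
    type stub;
    masters { 192.0.2.10; };
    file "stub/internal-only.example.com";
};

// ===== File 2: /etc/named.conf on the INTERNAL AUTH SERVER (192.0.2.10) =====
// Authoritative only; it never recurses and is never given to clients.
options {
    directory "/var/named";
    recursion no;
    allow-query { 192.0.2.0/24; 2001:db8::/32; };
    allow-transfer { none; };          // no secondaries in this example
};

zone "internal-only.example.com" {
    type master;
    file "zones/internal-only.example.com.db";
};

// ===== File 3: zones/internal-only.example.com.db (constructed sample) =====
// The NS name lives inside the zone, so its A record is the glue the stub
// zone needs to reach the server.
//
// $TTL 3600
// @         IN SOA ns1.internal-only.example.com. hostmaster.example.com. (
//                  2013032601 3600 900 1209600 300 )
//           IN NS  ns1.internal-only.example.com.
// ns1       IN A   192.0.2.10
// intranet  IN A   192.0.2.80
```

To check the design from a client, query the resolver for an internal name (`dig @192.0.2.53 intranet.internal-only.example.com A` should return 192.0.2.80, and the resolver's query log should show the question being sent to 192.0.2.10) and for a signed public name (`dig +dnssec @192.0.2.53 www.example.com A` should show `ad` in the flags line). Querying 192.0.2.10 directly for a public name should be refused, which confirms the authoritative server is not doing recursion on the side.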


More information about the bind10-users mailing list