DNS server split howto


Let's use the "smartcards.vehco.com" domain as an example.

  • The DNS will handle both internal and external requests (Intranet / Internet).
  • The DNS will have 2 zones: one for the Internal members (LAN, VPN, loopback) and one for the External members.


In the following example I'll be using:

  • INTERNAL zone: smartcards.vehco.com ; networks: LAN / VPN / localhost
  • EXTERNAL zone: smartcards.vehco.com
  • DNS server name: smartcard-gw
  • LAN Network: 172.16.50.0/24 ; router: 172.16.50.1 ; DNS server IP: 172.16.50.2
  • VPN Network: 172.16.60.0/24



Technical key points

  • No reverse zone for the external view


  • Do NOT answer external queries with LAN data (internal names and addresses stay internal)


  • External requests can be forwarded to a 3rd party DNS


  • The External zone configuration only contains:
    • Domain definition "smartcards.vehco.com"
    • Shared resources, if any



Declare the new zones

Here you'll declare both your zones and the reverse zone.


Reset the configuration file from the default-zones template, then edit it:

cat /etc/bind/named.conf.default-zones > /etc/bind/named.conf.local
vim /etc/bind/named.conf.local


Here we will create:

  • ACL filters => match clients by their source IP address
  • DNS views => the zones and behaviour served to a client, chosen by which ACL it matches


Uncomment and adjust the file content:

// definition of LAN
acl internal-networks {
  localhost;            # Allow loopback
  localnets;            # All networks that are configured on the interfaces
  172.16.50.0/24;       # LAN
  172.16.60.0/24;       # VPN LAN (not on a local interface, so "localnets" does not cover it)
};

// Secondary DNS servers allowed to transfer the external zone (empty: nobody)
acl dns-slaves {
};


// INTERNAL zone
view "internal" {
  match-clients { internal-networks; };   # Apply settings to LAN only
  recursion yes;                          # Allow recursive queries on LAN

  // ---------------------------------------------------
  // DNS server defaults
  //
  // keep these lines from the "default-zones" configuration, and remove the
  // top-level include of named.conf.default-zones from named.conf: once a
  // view is declared, every zone must live inside a view
  //----------------------------------------------------
  // prime the server with knowledge of the root servers
  zone "." {
    type hint;
    file "/etc/bind/db.root";
  };
  // be authoritative for the localhost forward and reverse zones, and for broadcast zones as per RFC 1912
  zone "localhost" {
    type master;
    file "/etc/bind/db.local";
  };
  zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
  };
  zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
  };
  zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
  };

  // End of "default-zones"
  //----------------------------------------------------


  // Custom network
  //----------------------------------------------------
  // DNS main zone (name to IP)
  zone "smartcards.vehco.com" IN {
    type master;
    file "/etc/bind/internal.smartcards.vehco.com";
    allow-transfer { none; };   # Never let the internal zone be copied out
    allow-update { none; };
  };

  // DNS Reverse (IP to name)
  zone "50.16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.172";
    allow-transfer { none; };
    allow-update { none; };
  };
};


// EXTERNAL zone: everything that did not match the "internal" view above
view "external" {
  match-clients {
    !localnets;         # Do not allow local network ("localnets")
    any;                # "any" = any other network that is not a view member
  };
  recursion no;         # No recursion for external clients (no open resolver)

  zone "smartcards.vehco.com" {
    type master;
    file "/etc/bind/external.smartcards.vehco.com";
    allow-transfer { dns-slaves; };
  };
};
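To see which view a given client ends up in, here is an added Python model of how BIND walks match-clients lists (not code from the page or from BIND itself); it assumes "localnets" covers only the LAN, so the VPN range is internal purely because internal-networks lists it.

```python
import ipaddress

# Constructed model of the page's named.conf: its ACLs and its views, in
# declaration order. "localnets" is assumed to be the LAN only (the VPN is
# not on the server's interfaces), which is why the VPN is listed explicitly.
ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["172.16.50.0/24"],
    "internal-networks": ["localhost", "localnets",
                          "172.16.50.0/24", "172.16.60.0/24"],
}
VIEWS = [
    ("internal", ["internal-networks"]),
    ("external", ["!localnets", "any"]),
]


def match_list(client, elements):
    """Evaluate an address match list the way BIND does: elements are tried in
    order, the first match decides: 1 = match, -1 = negated match, 0 = none."""
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name in ACLS:
            # A negated match inside a nested ACL counts as "no match" here, so
            # a nested "!" can never become a positive match by double negation.
            hit = match_list(client, ACLS[name]) > 0
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def select_view(client_ip, views=VIEWS):
    """First view whose match-clients accepts the client; None means REFUSED."""
    client = ipaddress.ip_address(client_ip)
    for name, clients in views:
        if match_list(client, clients) > 0:
            return name
    return None


if __name__ == "__main__":
    for ip in ("127.0.0.1", "172.16.50.77", "172.16.60.5", "203.0.113.9"):
        print(ip, "->", select_view(ip))
    # Views swapped: "!localnets" still shields LAN clients, but not the VPN.
    print(select_view("172.16.60.5", list(reversed(VIEWS))))  # external
```

The view order is what protects the VPN clients: "!localnets" in the external view only covers networks on the server's own interfaces.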



Zone configuration (name to IP @)

This is the actual magic of the DNS split horizon!


Create zone files

Create both zones from the local template:

cp /etc/bind/db.local /etc/bind/internal.smartcards.vehco.com
cp /etc/bind/db.local /etc/bind/external.smartcards.vehco.com


Note

You can use any name you'd like. However, the best practice is to use "internal" and "external", or more generally "<view name>.<domain>".


Configure INTERNAL zone

Edit INTERNAL configuration file:

vim /etc/bind/internal.smartcards.vehco.com


Adjust the file content:

;
; BIND - Configuration for INTERNAL zone: "smartcards.vehco.com"
;
$TTL	604800
@	IN	SOA	smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
			20140806	; Serial (yyyyMMdd: bump it on every edit)
			604800		; Refresh
			86400		; Retry
			2419200		; Expire
			604800 )	; Negative Cache TTL
;

;
; Local resolution of the FQDN 'smartcards.vehco.com'
; The zone apex already carries the SOA and NS records, so it cannot be a
; CNAME: point it at the gateway with an A record instead.
;
@			IN	A	172.16.50.2

; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
;
@			IN	NS	smartcard-gw
smartcard-gw		IN	A	172.16.50.2

;
; Gateway declaration
;
cisco-router		IN	A	172.16.50.1

;
; Declare your servers and network hosts
;
smartcard-prod-00	IN	A	172.16.50.50
smartcard-prod-01	IN	A	172.16.50.51
smartcard-prod-02	IN	A	172.16.50.52
smartcard-prod-03	IN	A	172.16.50.53

; Create an alias to an existing record
;www			IN	CNAME	smartcard-gw


Configure EXTERNAL zone

Edit EXTERNAL configuration file:

vim /etc/bind/external.smartcards.vehco.com


Adjust the file content:

;
; BIND - Configuration for EXTERNAL zone: "smartcards.vehco.com"
;
$TTL	604800
@	IN	SOA	smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
			20140604	; Serial (yyyyMMdd: bump it on every edit)
			604800		; Refresh
			86400		; Retry
			2419200		; Expire
			604800 )	; Negative Cache TTL
;

; DNS server declaration
; Each NS must point to an A record, not a CNAME.
; This is where the Primary and Secondary DNS servers are defined
; The address published here is what Internet clients will try to reach:
; a LAN address such as this one only works for them through NAT / a public IP.
;
@			IN	NS	smartcard-gw
smartcard-gw		IN	A	172.16.50.2


As you can see, the "external" zone is rather short! :-)



Reverse zone (IP @ to name)

Now that the zone is set up and resolves names to IP addresses, a reverse zone is also required. A reverse zone allows DNS to resolve an address back to a name.



Key points:

  • Replace 50.16.172 with the first three octets of whatever network you are using, in reverse order!
  • Name the zone file /etc/bind/db.172: the suffix should match the first octet of your network.



Create the /etc/bind/db.172 file:

cp /etc/bind/db.127 /etc/bind/db.172


Edit the new file:

vim /etc/bind/db.172


The structure mirrors the INTERNAL file /etc/bind/internal.smartcards.vehco.com, but with PTR records (last octet to name) instead of A records:

;
; BIND reverse data file for local 172.16.50.XXX net
;
$TTL    604800
@       IN      SOA     smartcard-gw.smartcards.vehco.com. root.smartcards.vehco.com. (
                       20140603         ; Serial
                                        ; As the serial must be changed every time you edit this file,
                                        ; it is recommended to use the pattern "yyyyMMdd"
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Local server
; (targets are absolute names with a trailing dot: a relative name would get
;  "50.16.172.in-addr.arpa" appended to it)
;
@       IN      NS      smartcard-gw.smartcards.vehco.com.
2       IN      PTR     smartcard-gw.smartcards.vehco.com.

; Gateway (router)
1       IN      PTR     cisco-router.smartcards.vehco.com.

;
; Other components and hosts
;
50       IN      PTR     smartcard-prod-00.smartcards.vehco.com.
51       IN      PTR     smartcard-prod-01.smartcards.vehco.com.
52       IN      PTR     smartcard-prod-02.smartcards.vehco.com.
53       IN      PTR     smartcard-prod-03.smartcards.vehco.com.
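Because the reverse file must mirror the forward file record for record (same hosts, absolute names with trailing dots), here is an added Python helper that derives the db.172 PTR records from the internal zone's A records; it is not part of the page or of BIND, and the FORWARD_ZONE excerpt and host names it uses are constructed.

```python
import ipaddress
import re
from datetime import date

# Constructed excerpt of the page's internal forward zone; owner names are
# relative to the origin, exactly as in /etc/bind/internal.smartcards.vehco.com.
FORWARD_ZONE = """\
$TTL 604800
@                  IN  NS  smartcard-gw
smartcard-gw       IN  A   172.16.50.2
cisco-router       IN  A   172.16.50.1
smartcard-prod-00  IN  A   172.16.50.50
vpn-concentrator   IN  A   172.16.60.7    ; other network: no PTR in db.172
;www               IN  CNAME smartcard-gw ; commented out, skipped
"""
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)$", re.I)


def a_records(zone_text):
    """Yield (owner, address) for each A record; comments and other types are ignored."""
    for line in zone_text.splitlines():
        match = A_RECORD.match(line.split(";", 1)[0].rstrip())
        if match:
            yield match.group(1), ipaddress.ip_address(match.group(2))


def reverse_zone_name(network):
    """'172.16.50.0/24' -> '50.16.172.in-addr.arpa' (first three octets, reversed)."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("only /24 networks are handled here")
    octets = str(net.network_address).split(".")
    return f"{octets[2]}.{octets[1]}.{octets[0]}.in-addr.arpa"


def reverse_zone(zone_text, origin, network, nameserver, serial=None):
    """Build the PTR zone for one /24 from the forward zone's A records; every
    target carries a trailing dot so the reverse origin is never appended."""
    net = ipaddress.ip_network(network)
    serial = serial or date.today().strftime("%Y%m%d")  # the page's yyyyMMdd rule
    ns = f"{nameserver}.{origin}."
    lines = ["$TTL 604800",
             f"@ IN SOA {ns} root.{origin}. ( {serial} 604800 86400 2419200 604800 )",
             f"@ IN NS {ns}"]
    for owner, ip in sorted(a_records(zone_text), key=lambda rec: rec[1]):
        if ip in net:  # hosts on other networks belong in their own reverse zone
            name = origin if owner == "@" else f"{owner}.{origin}"
            lines.append(f"{ip.packed[-1]} IN PTR {name}.")
    return "\n".join(lines) + "\n"
```

Write the output to /etc/bind/db.172 and check it with `named-checkzone 50.16.172.in-addr.arpa /etc/bind/db.172` before restarting bind9.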


Take changes into account

service bind9 restart



Add new hostname

Same as for a "simple zone"; see DNS server unique zone#Add new hostname