I need your advice on a DNS architecture.
DNS architecture proposal
In my company, every desktop/laptop is configured with the DNS of the LAN (10.1.1.1), which is a Microsoft AD/DNS that I don't have control over.
The other DNS servers are Bind9, where I am admin.
My purpose is to add other DNS servers for new projects (in a separate network) without changing anything on the laptops or on the LAN DNS, and of course I want developers' laptops (in the LAN) to be able to query and receive answers for the FQDNs of those new projects.
From the DNS (FQDN) point of view, there is ONE domain (project.com) and MANY sub-domains (subX.project.com). Each sub-domain is in a separate network.
Example: on each VLAN, I will have a web server and I want it to answer to its DNS sub-domain:
web.project.com for the web server of the project zone.
web.sub1.project.com for the web server of the sub-project zone
web.sub2.project.com ...
So, my understanding of Bind9 leads me to think that the LAN DNS server (10.1.1.1) can forward requests to the project DNS server (10.100.1.1).
And the project DNS can forward requests to the sub-project DNS servers (10.200.1.1 / 10.250.1.1).
Finally, all VMs of a network can resolve public FQDNs if the zone DNS forwards their requests to the upper-level DNS.
I just want to repeat that I don't have control over the main DNS (in the LAN).
Below, you will find the named.conf.options file which represents the architecture described in the schema:
DNS project.com (10.100.1.1/10.100.1.2)
{
allow-query { 127.0.0.1; 10.1.1.1; 10.1.1.2; 10.200.1.1; 10.200.1.2; 10.250.1.1; 10.250.1.2; 10.100.1.0/24; };
recursion yes;
notify yes;
allow-transfer { 10.100.1.2; }; # the slave
forwarders {
10.1.1.1;
10.1.1.2;
};
}
DNS sub1.project.com (10.200.1.1/10.200.1.2)
{
allow-query { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.200.1.0/24; }; // queries from VMs in this network and DNS from upper zone
recursion yes;
notify yes;
allow-transfer { 10.200.1.2; };
forwarders {
10.100.1.1;
10.100.1.2;
};
}
DNS sub2.project.com (10.250.1.1/10.250.1.2)
{
allow-query { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.250.1.0/24; }; // queries from VMs in this network and DNS from upper zone
recursion yes;
notify yes;
allow-transfer { 10.250.1.2; };
forwarders {
10.100.1.1;
10.100.1.2;
};
}
What do you think about this architecture? Do you see any drawbacks, mistakes or misunderstandings?
Regards.
You will want to start by taking control of the 'first hop DNS servers'
Create DNS forwarders that you control (bind)
Map out every zone in your environment, and their authoritative nameservers
Create forward zones in Bind, for each zone/subzone, and send them to the IP of the authoritative nameserver
Next, make sure all your DNS traffic is directed to your 'first hop DNS servers'.
This means updating any DHCP server options, as well as all statically configured DNS IPs on servers.
Lastly, build a process such that any time a new zone or subzone is added to the environment, it also gets added to your 'first hop servers' as an additional forwarded zone.
Note: You can do all of this without making any changes to the Windows DNS servers.
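The "first hop" resolver the answer above describes, written out as an added BIND 9 example (this is not configuration from the question or the answer). It reuses the addresses and zone names from the question; the LAN client prefix 10.1.0.0/16 is an assumption.

```conf
// Added example: a first-hop BIND 9 resolver for the LAN clients.
// Everything it is not told about still goes to the existing AD/DNS servers,
// and each project zone/subzone is forwarded to the servers authoritative for it.
options {
    directory "/var/cache/bind";
    recursion yes;
    // Only LAN clients may use this resolver (10.1.0.0/16 is an assumed prefix).
    allow-query     { 127.0.0.1; 10.1.0.0/16; };
    allow-recursion { 127.0.0.1; 10.1.0.0/16; };
    // Default forwarders: the AD/DNS servers already used by the laptops.
    forwarders { 10.1.1.1; 10.1.1.2; };
    // "forward only": never fall back to root recursion if the forwarders fail.
    // With the default "forward first", a failed forwarder would make BIND ask
    // the public Internet for a private name, leaking the query and caching NXDOMAIN.
    forward only;
};

// Forward zones are matched by the closest enclosing zone name, so a query for
// web.sub1.project.com reaches 10.200.1.1 directly and never touches 10.100.1.1.
zone "project.com" {
    type forward;
    forward only;
    forwarders { 10.100.1.1; 10.100.1.2; };
};

zone "sub1.project.com" {
    type forward;
    forward only;
    forwarders { 10.200.1.1; 10.200.1.2; };
};

zone "sub2.project.com" {
    type forward;
    forward only;
    forwarders { 10.250.1.1; 10.250.1.2; };
};
```

Two checks follow from the question's own configuration. The sub-zone servers only allow queries from 127.0.0.1, 10.100.1.x and their local /24, so a first-hop resolver at any other address must be added to their allow-query lists before this forwarding works. And the project.com server (10.100.1.1) needs the same two sub-zone forward statements (or NS delegations for sub1 and sub2 in its project.com zone) so that VMs in the project network can resolve the sub-zones; its global forwarders alone would send those queries up to the LAN DNS instead.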
Related
I am trying to set up a basic public DNS server in Azure using Ubuntu and Bind9.
I want it to be accessible over the internet and forward all requests to Cloudflare or Google except one custom zone.
I have two problems currently:
I can get it to work on the local network: setting up a client on the same subnet and doing nslookup to public sites, the forwarding works perfectly, but when pointing an Internet client to the DNS server it times out.
The custom zones don't work, even on the local network. I try to set up a non-existent domain to point to an IP and set up the separate zone file, but nothing happens. Even on the DNS server itself I can't get it to work.
I don't think issue 1 is a firewall issue; for testing I have allowed all ports and IPs to be open and also opened port 53 on the DNS server firewall.
I think both issues are related to the Bind9 configuration, and I have little understanding of it. Perhaps you guys can help out.
Here are the config files:
/etc/bind/named.conf.local:
zone "fakehostname.com" {
type master;
file "/etc/bind/zone.fakehostname.com";
};
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
forwarders {
1.1.1.1; // Cloudflare
8.8.8.8; // Google
};
allow-query { any; };
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
recursion yes;
querylog yes;
version "not available";
};
/etc/bind/zone.fakehostname.com:
$TTL 604800
@ IN SOA fakehostname.com. admin.fakehostname.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS localhost.
@ IN A 10.10.10.10
mail IN A 10.10.10.10
@ IN MX 10 mail.fakehostname.com.
@ IN TXT "hello"
Sorry, this was a mistake: the config was correct and the issue was in the Azure NSG firewall config. I thought I had allowed all ports for testing, but UDP 53 was not open. After opening it, everything works.
I've got a customer where the router needs to be replaced with a Cisco router.
The current router is a linux machine with webmin installed on it.
There's a BIND DNS server with multiple zones.
There's a zone called companyname.be with entries name-ip (address records).
There's also a zone called 192.9.200 (which is the local subnet) with entries address-name (reverse address records).
This configuration can be seen below:
I'm not sure why they need this but someone at the customer's company told me that it's necessary.
In the end the goal is to be able to ping by using a name rather than an IP.
Does someone know how to configure this in Cisco IOS?
I've been searching this for a while now but all I came up with is this link: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/257-cisco-router-dns-server.html
I tried it but this only seems to create a host table on the router itself.
That host table is not used by the DNS.
(Can ping to domain name from router CLI but cannot ping to a domain name from a PC with that router as default gateway.)
I've already found the answer here: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-sy/dns-15-sy-book/Configuring-DNS.html#GUID-E4A67061-354E-4847-8F56-9A88446C7D30
R1#conf t
R1(config)#ip domain name companyname.be
R1(config)#ip name-server 8.8.8.8
R1(config)#ip dns server
R1(config)#ip host computername1.companyname.be ip_address_of_host
And for the DHCP server to send the DNS server to DHCP clients:
R1(config)#ip dhcp pool pool_name
R1(dhcp-config)#dns-server ip_address_of_router
Now any host can ping computername1.companyname.be.
In the last month, my site no longer works on my computer or on any computer connected to the same network that I use at home. I have tried other Internet networks and the site doesn't work there either, but strangely it works on some other networks!
The error message in the browser is: ERR_NAME_RESOLUTION_FAILED
I did not know the problem, but when I looked at the site on intoDNS I found 3 problems:
WARNING: One or more of your nameservers did not return any of your NS records.
------
You should already know that your NS records at your nameservers are missing, so here it is again:
ns77.domaincontrol.com.
ns78.domaincontrol.com.
-------
ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
208.109.255.49 216.69.185.49
Also, two months ago I moved my domain from Godaddy to Namecheap.
Please can you help me?
The domain's name servers are pointed to the servers of GoDaddy, but there is no DNS zone for the domain there. You need to check what the name servers of Namecheap (or another DNS hosting service) are and point the name servers of the domain to those servers. You will also have to create a DNS zone for the domain at the new DNS host (Namecheap or another of your choice) and create DNS records pointed to your web host's IP address.
If you only have a web site and no other services, like a mail server, you can create just two A records, like this:
Type: A
Host: @ (or empty, it means the same)
Target (or Value, or Points to): ip.of.web.site
Type: A
Host: www
Target: ip.of.web.site
In our company network we have the following setup:
a Debian server with a DHCP server (isc-dhcp-server 4.3.1, backported on Debian 7.8)
which serves client requests from an IP pool
two Windows DCs for DNS (Windows Server 2008 R2)
The DHCP server is configured to register client address records dynamically to the DNS server. Our config:
ddns-updates on;
ddns-update-style standard;
update-conflict-detection false;
allow client-updates;
ddns-domainname "local.domain.com";
ddns-rev-domainname "in-addr.arpa.";
update-static-leases true;
default-lease-time 7200;
max-lease-time 7200;
authoritative;
[...]
Whenever a client gets a new IP from the DHCP, the DNS registration works perfectly.
However, these "dynamic" DNS records expire after some time (a few weeks)...
How can the DHCP server be configured to refresh the DNS records after a given time interval?
Currently, the DNS is only updated once, when a client gets a new IP address (or after a DHCP RELEASE/DHCP REQUEST).
I believe you may need to disable update-optimization, i.e. by including a line of the form:
update-optimization false;
That will cause the server to do DDNS updates on every renewal, rather than the default of when something changes.
Hopefully someone can help clarify this.
I have a domain, e.g. example.com, registered with GoDaddy. I host the website with TSOHost, so in my domain configuration I have set the following NS records.
Nameserver 1: ns1.tsohost.co.uk
Nameserver 2: ns2.tsohost.co.uk
I am now able to serve the website, both www and non-www, from this hosting package. I simply have an A record for example.com and a CNAME for www.example.com pointing to example.com (this is configured in the cPanel Advanced DNS Zone Editor). So now we have the website showing as expected and required.
I would also like to set up a kind of DDNS service using a different server entirely (this will hold DNS records that I will create on the fly using a Radius database).
So I want to use the subdomain ddns.example.com for this DDNS service, i.e. bob.ddns.example.com for Bob (so that when I ping bob.ddns.example.com, I can alter the IP to 8.8.8.8, say). In cPanel I have an A record for ddns.example.com and an A record for *.ddns.example.com pointing to the server that will manage this, for example 85.214.214.214.
I have installed Bind on the server (currently using a DigitalOcean server for this, to which I have added ddns.example.com as an A record to the droplet, and *.ddns.example.com also). I have created a zone for ddns.example.com, and within this I have set the NS record to the DigitalOcean details.
I have then added the following to my file /var/named/ddns.example.com.hosts
$ttl 38400
ddns.example.com. IN SOA ns1.digitalocean.com. jon.example.com. (
1414575123
10800
3600
604800
38400 )
ddns.example.com. IN NS ns1.digitalocean.com.
bob.ddns.example.com. IN A 8.8.8.8
When I ping bob.ddns.example.com on the server with Bind installed I get 8.8.8.8, but when pinging from anywhere else I get the Bind server IP.
Can I ask if what I am doing is possible, i.e. going from GoDaddy to TSO to another server, and if so what NS records should I specify for Bind? Or is there something in the named config I need to change? I have set the following options in named.conf in an attempt to solve this issue.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
recursion yes;
I am aware that recursion may leave me open to DoS attacks and I intend to turn this to no eventually, but for the moment, during testing, I have left it at yes.
Any help or information would be greatly appreciated. I have been trying different variations of zone files etc. without success, and I am really unsure whether I am going in the right direction.
Hopefully I have made sense, but if there is any further info I can provide, please let me know.
My first question would be: are you sure you've updated the registrar with this server as the DNS nameserver for this domain?
Use nslookup to find out:
# nslookup
> set querytype=NS
> server 4.2.2.1 (a DNS server on the Internet)
> ddns.example.com. (a closing dot helps avoid lookups using preferred search domains.)
and confirm that the Internet knows who to communicate with, and that your NS host is authoritative for the domain.
Next would be - Do you have any other nameservers up to "answer" for that subdomain, causing other problems?
BTW - glad to hear you fixed this issue!
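The delegation the question above needs, written out as an added example (not records from the question or the answer). The question's own parent zone holds A records for ddns.example.com and *.ddns.example.com pointing at the Bind server, so resolvers asking the TSOHost nameservers get the Bind server's address from the parent and never reach the child zone; that matches the symptom of every outside lookup returning the Bind server IP. A parent delegates with NS records (plus glue when the nameserver's name is inside the delegated zone). The nameserver name ns1.ddns.example.com is an assumption; the address 85.214.214.214, the contact jon and the record for bob are from the question, and the serial is constructed.

```conf
; --- Added example: records in the example.com zone at the web host (cPanel) ---
; Delegate ddns.example.com instead of answering for it: remove the A records for
; ddns.example.com and *.ddns.example.com there, otherwise the parent answers the
; query itself and the child zone is never consulted.
ddns.example.com.      IN NS  ns1.ddns.example.com.
; Glue: the nameserver's name lies inside the delegated zone, so the parent must
; also publish its address or resolvers cannot find it.
ns1.ddns.example.com.  IN A   85.214.214.214

; --- Added example: /var/named/ddns.example.com.hosts on the Bind server ---
$TTL 38400
$ORIGIN ddns.example.com.
; The SOA MNAME is this zone's own primary server, and the contact is written
; with a dot instead of "@" (jon.example.com. means jon@example.com).
@      IN SOA ns1.ddns.example.com. jon.example.com. (
           1414575124 ; serial (constructed); increase it on every change
           10800      ; refresh
           3600       ; retry
           604800     ; expire
           38400 )    ; negative-cache TTL
@      IN NS  ns1.ddns.example.com.
ns1    IN A   85.214.214.214
bob    IN A   8.8.8.8
```

Once the parent carries the NS record, the nslookup check in the answer (querytype NS for ddns.example.com. against a public resolver) should return ns1.ddns.example.com, and only then do records created on the fly in the child zone become visible outside. Since this server is authoritative only, the `recursion yes;` the question mentions can be set to `recursion no;` at the same time: with `allow-query { any; }` it is otherwise an open resolver, which is exactly the amplification exposure the question worries about.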