Sunday, September 27, 2015

bind - Spoofing DNS for another domain within a DMZ

I am setting up a DMZ disconnected from our corporate LAN. I've moved DNS services for the DMZ hosts into the DMZ with a stripped down set of zone info containing only what the DMZ hosts need to know. Some connections need to come back into the LAN from the DMZ. I know it's not ideal but it's still an improvement over how the infrastructure is now (basically, people are running services off their desktops).

Anyways, I need to connect to an LDAP server on the LAN, from the DMZ, over port 636. I have the connections working with the IP address; however, the LDAP server is at another branch office, over a VPN, and the admin uses round-robin DNS, so the IP isn't consistent every time.

Currently, there are 6 IP addresses associated with the LDAP service (ldap.office.org). I could just add those 6 IP addresses to the /etc/hosts file on each DMZ host, but I would rather have them in DNS; however, they are not under the same domain for which my DNS is authoritative (hosts in the DMZ are in the "foo.dmz" domain, whereas LDAP is "ldap.office.org").

How can I get my BIND server to serve the 6 IPs for ldap.office.org instead of forwarding the DNS request off to the internet root servers?

Answer

That sounds fairly straightforward. Create a zone on your bind server for ldap.office.org and add the 6 IPs as @ records.

If you can get the cooperation of the other admin, they could create an ldap.office.org zone and allow you to zone-transfer from their authoritative server (so that you don't have to keep your copy of the zone manually synchronized).
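As an added example (not part of the question or answer above), this is what that zone looks like in BIND: a master zone for just the one name ldap.office.org with six apex A records, plus the slave-zone variant the answer mentions. The file paths, the DMZ nameserver name ns1.foo.dmz, and all addresses (192.0.2.x, 203.0.113.x) are assumed placeholders.

```conf
// --- /etc/bind/named.conf.local (assumed path) ---
// The DMZ resolver becomes authoritative for exactly one name. Nothing
// else under office.org is affected; every other name still recurses.
zone "ldap.office.org" IN {
    type master;
    file "/etc/bind/db.ldap.office.org";
    allow-transfer { none; };   // private DMZ copy; nobody needs to AXFR it
};

// Alternative from the answer: if the other admin publishes the zone and
// permits transfers to this server, pull it instead of maintaining a copy
// (their server address is a placeholder).
// zone "ldap.office.org" IN {
//     type slave;
//     masters { 203.0.113.53; };
//     file "/var/cache/bind/db.ldap.office.org";
// };

; --- /etc/bind/db.ldap.office.org (assumed path) ---
; Short TTL so an address change on the LAN side is picked up quickly
; once this file is edited and reloaded.
$TTL 300
$ORIGIN ldap.office.org.
@   IN  SOA  ns1.foo.dmz. hostmaster.foo.dmz. (
            2015092701  ; serial: bump on every edit
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300 )       ; negative-cache TTL
@   IN  NS   ns1.foo.dmz.
; The six LDAP addresses sit on the apex (the "@ records" in the answer).
; 192.0.2.0/24 is documentation space; substitute the real addresses.
@   IN  A    192.0.2.11
@   IN  A    192.0.2.12
@   IN  A    192.0.2.13
@   IN  A    192.0.2.14
@   IN  A    192.0.2.15
@   IN  A    192.0.2.16
```

Validate with `named-checkconf` and `named-checkzone ldap.office.org /etc/bind/db.ldap.office.org` before `rndc reload`; remember the copy is static, so when the remote admin changes an address you must edit the file and bump the serial yourself unless you use the slave-zone variant.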
