Friday, April 29, 2016

domain name system - Suggestions required for Internal DNS



I'm setting up a new server environment consisting of 70+ servers all running Linux (Red Hat/CentOS mixed). I want to set up a couple of DNS servers (primary/secondary) to be used/configured on all servers, which should be able to take care of the following things mainly.



1. Authoritative DNS for resolving local server entries.




I want to assign simple domain names to servers (mostly A records) like db1.example.int or app1.example.int. The basic idea is that servers should be able to reach each other via their (internal) DNS names.



2. Recursive / Cached DNS resolution for public domains (like google.com).



For resolving any DNS entries other than the local domain (example.int), queries should be sent to upstream DNS servers configured as forwarders.



Currently I'm exploring BIND and dnsmasq for this purpose. Should I go with BIND or should I try dnsmasq (with DHCP disabled, since all my servers will be using static IPs)? Please share your thoughts and experiences if you have worked on a similar setup.



Answer



In general this is called "split DNS". You create a system where the DNS records seen outside the company are different than the DNS records seen inside the company. In particular, outsiders see www.example.com and other externally-visible hosts. Inside the company all machines have DNS records... these records are not seen outside.




  1. Pick an internal domain.



Typically machines inside the company are on a subdomain of the company's domain. For example if your company is example.com, all machines inside are MACHINENAME.corp.example.com. The problem with this is that you can never use "corp.example.com" as an external DNS name.



Warning: I once saw a company use "inside" instead of "corp". When marketing wanted to make an external website called "inside.example.com" (an "insider's guide" to using their product) it became a political nightmare.




Warning: I highly recommend an additional level of hierarchy. MACHINENAME.LOCATION.corp.example.com. "location" can be "hq" for the headquarters, "nyc" for the NYC sales office, etc. Most organizations use 3-letter codes, often the nearest airport code.



When I was at one company we had every machine be "MACHINENAME.corp.example.com" in the headquarters because we didn't think we'd ever have local offices. When we opened large offices elsewhere, they were "MACHINENAME.SITE.corp.example.com". Every tool we wrote had to "special case" the fact that HQ was different. Eventually we had to change HQ to be just like all the other sites. It was a painful transition. Yet, I see companies make this mistake over and over again. Therefore, even if you have no plans for growth beyond one building, I still recommend MACHINENAME.LOCATION.corp.example.com.




  2. Configure "split DNS" or DNS "views" on your DNS servers.



BIND and other DNS systems can be configured to provide different answers based on the source of the DNS request, or the interface that the DNS request came on.




For example, if you have a DNS server with 1 NIC inside the company and 1 NIC outside the company:



Inside NIC:




  • LOCATION.corp.example.com (for each location)

  • corp.example.com

  • example.com.

  • All other domains use the DNS "forwarders"




Outside NIC:




  • example.com (SAME zonefile as the inside nic uses)

  • Any "recursive" or forwarding disabled.



You can also have 2 different machines, each with a different configuration.




SOFTWARE:



Note: I don't think dnsmasq can do split DNS. BIND can, as can most other "enterprise" products. Look for "views" or "Split DNS" in the manual.
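The two-view layout the answer describes (inside NIC: internal zones plus forwarders; outside NIC: the same example.com zone file, no recursion), written out as a BIND named.conf. This is an added example, not configuration from the answer or from the question's environment; the address ranges (10.0.0.0/8 internal, 192.0.2.x RFC 5737 documentation addresses for the forwarders and the secondary), the location names "hq" and "nyc", and the zone file paths are assumptions.

```bind
// named.conf (added example; addresses, location names and file paths are assumed)

acl "internal-nets" { 10.0.0.0/8; 127.0.0.0/8; };   // assumed inside address space
acl "secondaries"   { 192.0.2.2; };                 // assumed secondary DNS server

options {
    directory "/var/named";
    listen-on { any; };
    // Global defaults are the restrictive ones; the internal view relaxes them.
    recursion no;
    allow-transfer { "secondaries"; };   // AXFR only to the secondary, never to the public
};

// Views are matched in order: the internal view must come first so that inside
// clients are not caught by the catch-all external view below.
view "internal" {
    match-clients { "internal-nets"; };
    allow-query   { "internal-nets"; };

    // Item 2 of the question: everything that is not ours goes to the forwarders.
    recursion yes;
    forwarders { 192.0.2.53; 192.0.2.54; };   // assumed upstream resolvers
    forward only;

    // Item 1 of the question: authoritative zones for internal names.
    zone "hq.corp.example.com"  { type master; file "internal/hq.corp.example.com.zone"; };
    zone "nyc.corp.example.com" { type master; file "internal/nyc.corp.example.com.zone"; };
    zone "corp.example.com"     { type master; file "internal/corp.example.com.zone"; };

    // SAME zone file as the external view uses.
    zone "example.com"          { type master; file "external/example.com.zone"; };
};

view "external" {
    match-clients { any; };

    // Outside NIC: authoritative only. No recursion means this host cannot be
    // used as an open resolver, and no cache answers leak internal names.
    recursion no;
    allow-query-cache { none; };

    zone "example.com" { type master; file "external/example.com.zone"; };
};
```

Once BIND is configured with views, every zone must live inside a view; a zone left at top level is rejected at load time. Check the file with `named-checkconf` before reloading, then confirm the split from both sides: `dig @<server> db1.hq.corp.example.com` from an inside host should return the A record, while the same query from an outside address should be refused, and a query for an unrelated public name from outside should come back with recursion unavailable rather than an answer.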

