Tuesday, May 28, 2019

domain name system - Intranet BIND server fallback to internet DNS servers?



On our local small business network, we have a need to run an intranet-only BIND (named) DNS server for only local, intranet-only addresses. For example, we do a lot of web development on the network, so having a DNS server to manage local addresses (example: testsite3.local) is beneficial.



One aspect of this we are unsure of is that currently all the business desktops have their DNS servers set to 75.75.75.75 and 75.75.76.76, which are Comcast internet DNS servers (Comcast is our business ISP). So if we change the computers' DNS to point instead to our local DNS server, how do you set up BIND to "forward" all failed requests out to the Comcast DNS servers?



For example, if someone on the network tries to visit www.google.com, their computer will first check with our local DNS server, which obviously doesn't have internet DNS records in it like google.com. So then, either the computer needs to know to check with the secondary or tertiary DNS servers, OR can the local DNS server somehow request the info from 75.75.75.75 or 75.75.76.76? Is this something called zone transfers?



I know that on each individual computer (OSX in this case) that I can manually set the primary DNS to be the local server, and then secondary and tertiary servers to be the Comcast DNS servers. But I wanted to see if there was a better, more manageable way on the server side to do this.


Answer




DNS clients do not work like this; they do not "fall back" to the other records. A properly functioning DNS client should choose a server at random from its configured list to spread the query load evenly, and have alternate servers in case one should go offline.



If you need to serve both internal and external DNS records then you should have your client machines configured to only use the internal DNS servers, and configure your internal server to attempt to resolve any non-locally defined DNS records from the external server.



The beginning of this would be the allow-recursion directive in BIND. Just be sure that you do not allow recursive lookups from machines not on your network as that is how DNS Amplification Attacks happen.
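As an added example (not part of the answer above), here is a named.conf fragment that implements the advice: the server answers the intranet zone itself, forwards everything else to the two Comcast resolvers from the question, and restricts recursion to the LAN so it is not usable as an open resolver. The LAN range, server address and file paths are assumptions.

```conf
// Added example, not from the original answer or from the BIND project.
// Assumed LAN range and resolver address; adjust to your network.
acl "intranet" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";              // assumed path
    listen-on { 127.0.0.1; 192.168.1.10; };   // assumed address of this server
    recursion yes;

    // Weak setting to avoid:  allow-recursion { any; };
    // That makes the server an open resolver, which is what DNS
    // amplification attacks rely on. Limit recursion and queries to the LAN:
    allow-recursion { intranet; };
    allow-query { intranet; };

    // Anything not defined locally is sent to the ISP resolvers.
    forwarders { 75.75.75.75; 75.75.76.76; };
    // "forward only": if both forwarders are down, lookups fail rather than
    // the server iterating from the root servers itself. Use "forward first"
    // if you want it to fall back to iterating on its own.
    forward only;
};

// The intranet-only zone (e.g. testsite3.local). Zone transfers are how a
// secondary server copies a zone, not how clients resolve names, so none are
// needed here; disable them.
zone "local" {
    type master;
    file "/etc/bind/db.intranet-local";       // assumed zone file
    allow-transfer { none; };
};
```

After editing, run `named-checkconf` to validate the syntax and reload named before repointing the desktops at 192.168.1.10 (or whatever address you gave the server).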

