Friday, October 4, 2019

domain name system - bind9 dns proxy



We are offering multiple SSL-enabled services in our local network.
To avoid certificate warnings we bought certificates for server.ourdomain.tld and firewall.ourdomain.tld.



We now created a zone in our local DNS server in which we pointed the hosts to the corresponding private IPs.




Now, each time another record for ourdomain.tld (for example www.ourdomain.tld) is changed, we need to update it on both our public DNS server AND the local DNS server.



I would like our local BIND DNS to serve all the information from our public DNS but serve different information for these 2 hosts.



I know I could possibly have our private IPs in our public DNS but I don't want that for security reasons.



The Internet DNS server is being managed by a third party, while we have full control of the intranet one. Because of this I am looking for a solution which lets the intranet server retrieve the records from the Internet one.


Answer



Use a Split DNS configuration in BIND. You should be using this anyway to prevent the use of your BIND server in amplification attacks. Once you have that running you proceed to a split configuration of your zone file.




Create a zone file for intranet (internal) users and another for Internet (external) users. Place only sub-domains that have different IP addresses in each file. Create a third file containing the rest of the IP addresses and include it in the first two zone files. I would place the serial number in the include file.



Using this configuration you will be able to edit in one place and reload. If you need to change the IP address of one of the servers which has different IP addresses for local and Internet users, you will need to increment the serial number in the third file.



The above approach may leak information about servers you don't want reachable from the Internet. You may be better off using two zone files, one for intranet users and the second for the Internet. If you plan your network well, IP addresses should only need to be changed in one file at a time.



The zone file for the Internet should only contain information on domains you want to access from the Internet. It should only include Internet-routable IP addresses.



The zone file for the intranet can contain all the servers you want. It can include servers with private IP addresses: 10.0.0.0/8, 172.16.0.0/12, and/or 192.168.0.0/8. If you use a VPN, configure your split DNS to include VPN hosts on the intranet side.




EDIT: Work really hard at stabilizing the IP addresses visible on the Internet. I have yet to work on a project where they were dynamic. You really should have as few domains as possible visible from the Internet. They should all reside within a DMZ. If possible, multi-home IP addresses for domains that move frequently. If not, consider creating a sub-domain on the Internet side where you change the IP addresses and use CNAMEs to point to these records from both the Internet and intranet.



Servers/services that must be exposed to the Internet include DNS, Web, SMTP (Mail), and VPN. Carefully consider the risk for other servers/services. (Multiple) Web domains are easily handled with CNAMEs. In most cases, database servers should not be exposed to the Internet.
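The split configuration the answer describes, as an added example that is not part of the original post: a BIND `named.conf` excerpt with an internal and an external view, plus the three zone files (a shared include holding the SOA serial, and one per view carrying only the two hosts whose addresses differ). Four files are shown in one block, separated by comments; hostnames are taken from the question, and all addresses (203.0.113.0/24 is documentation space) and file paths are placeholders.

```conf
// /etc/bind/named.conf (excerpt). Clients in the private ranges get the internal view.
acl "intranet" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

options {
    recursion no;                 // default: never recurse; the internal view overrides this
    allow-transfer { none; };
};

view "internal" {
    match-clients { "intranet"; };
    recursion yes;                // recursion only for our own clients
    zone "ourdomain.tld" { type master; file "/etc/bind/zones/ourdomain.tld.internal"; };
};

view "external" {
    match-clients { any; };
    recursion no;                 // an open resolver is what amplification attacks abuse
    zone "ourdomain.tld" { type master; file "/etc/bind/zones/ourdomain.tld.external"; };
};

; /etc/bind/zones/ourdomain.tld.common: records identical in both views, including the serial.
; server and firewall are deliberately absent here; each view supplies its own A records.
$TTL 3600
@        IN SOA  ns1.ourdomain.tld. hostmaster.ourdomain.tld. (
                 2019100401 ; serial: the one place to bump after any change
                 3600 900 1209600 300 )
         IN NS   ns1.ourdomain.tld.
ns1      IN A    203.0.113.53
www      IN A    203.0.113.80

; /etc/bind/zones/ourdomain.tld.internal: private addresses for the two hosts
$INCLUDE /etc/bind/zones/ourdomain.tld.common
server   IN A    10.0.0.10
firewall IN A    10.0.0.1

; /etc/bind/zones/ourdomain.tld.external: public addresses for the same names
$INCLUDE /etc/bind/zones/ourdomain.tld.common
server   IN A    203.0.113.10
firewall IN A    203.0.113.1
```

After editing, `named-checkzone ourdomain.tld /etc/bind/zones/ourdomain.tld.internal` (and the same for the external file) checks that each view's file still parses with the include before reloading.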

