Split DNS, sometimes called dual-homed DNS, is a DNS server connected to two or more networks that serves different information depending on the network the request comes from. This is very helpful when you want different views, i.e. different IP addresses, for the same server. For example, your mail server will have one address when you access it from the internal network and a totally different one when you access it from the internet.
In this article I will use the 10.1.0 and 10.0.1 networks as examples.
23. Define access control lists in bind configuration
Add in named.conf the lines
acl net1 { 10.1.0.0/24;};
acl net2 { 10.0.1.0/24;};
24. Redefine the example.net zone as int.example.net
this:
zone "example.net" in{
type master;
file "master.example.net";
allow-transfer {11.1.0.10;};
};
become
zone "int.example.net" in{
type master;
file "master.example.net";
allow-transfer {11.1.0.10;};
allow-query { net1; };
};
This is necessary because one zone name cannot be defined twice in the configuration.
25. And the same for the reverse (IP network) zone
this:
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
};
become
zone "0.1.10.IN-ADDR.ARPA" in{
type master;
file "10.1.0.rev";
allow-transfer {10.1.0.10;};
allow-query { net1; };
};
26. Let's add new zone sections for the external view of the domain and of the IP addresses
zone "example.net.ext" in{
type master;
file "master.example.net.ext";
allow-query { net1; net2; };
};
zone "1.0.10.IN-ADDR.ARPA" in{
type master;
file "10.0.1.rev";
allow-query { net1;net2; };
};
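As an added example (not the blog's configuration), the same split-horizon policy can be expressed with BIND 9 "view" statements, which let the zone keep its real name, example.net, in both networks instead of being renamed to int.example.net. The networks, ACL names, zone file names and transfer addresses are taken from the article; the view names, the options block, the directory path and the localhost entry are assumptions.

```conf
// Added example, not the article's named.conf: split horizon with views.
// Networks, ACL names, file names and transfer addresses come from the
// article; view names, the options block and the directory are assumptions.

acl net1 { 10.1.0.0/24; };          // internal network
acl net2 { 10.0.1.0/24; };          // "external" network

options {
    directory "/var/named";         // assumption: adjust to your layout
    allow-transfer { none; };       // default; per-zone statements override it
};

// Views are tried in order; the first one whose match-clients matches wins.
// Once any view is declared, every zone must live inside a view.
view "internal" {
    // 11.1.0.10 is the secondary from the article: it must match this view,
    // otherwise it would transfer the external copy of example.net instead.
    match-clients { net1; localhost; 11.1.0.10; };
    recursion yes;                  // internal hosts may use us as resolver
    zone "example.net" {
        type master;
        file "master.example.net";  // internal addresses (10.1.0.x)
        allow-transfer { 11.1.0.10; };
    };
    zone "0.1.10.in-addr.arpa" {
        type master;
        file "10.1.0.rev";
        allow-transfer { 10.1.0.10; };
    };
};

view "external" {
    match-clients { any; };         // everyone not caught by "internal"
    recursion no;                   // never an open resolver for outsiders
    zone "example.net" {
        type master;
        file "master.example.net.ext";   // public addresses (10.0.1.x) only
    };
    zone "1.0.10.in-addr.arpa" {
        type master;
        file "10.0.1.rev";
    };
};
```

The catch-all external view has to come last, because views are matched in order. A client in net2 asking for an internal-only name gets the external view's answer (or NXDOMAIN), never the internal data, and with recursion off in that view the server cannot be used as an open resolver from outside. Check the file with named-checkconf before running rndc reload as in step 28.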
27. And create the corresponding zone files
[root@nsd named]# cat master.example.net.ext
$TTL 43200 ; default TTL for records without an explicit TTL
@ IN SOA ns.example.net. root.ns.example.net. (
2010081501 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; minimum (negative caching TTL)
)
@ IN NS ns.example.net.
ns IN A 10.0.1.5
[root@nsd named]# cat 10.0.1.rev
$TTL 43200 ; default TTL for records without an explicit TTL
@ IN SOA ns.example.net. root.ns.example.net. (
2010008151 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; minimum (negative caching TTL)
)
@ IN NS ns.example.net.
5 IN PTR ns.example.net.
Of course, in my old zone files I replaced the *.example.net records with *.int.example.net.
28. And tell the name server to reload its configuration
[root@nsd named]# rndc reload
server reload successful
29. And, of course, run some tests
29.1. First, from network 10.1.0
[root@nsd named]# nslookup
> nsd
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: nsd.int.example.net
Address: 10.1.0.5
> set q=ns
> int.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
example.net nameserver = nsd.int.example.net.
example.net nameserver = centos.int.example.net.
> ns.example.net
Server: 10.1.0.5
Address: 10.1.0.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.1.0.5
Address: 10.1.0.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
29.2. And from network 10.0.1
[root@c01-n1 ~]# ifconfig|grep -E "Ethernet|inet addr"
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:57:32
inet addr:10.0.1.101 Bcast:10.0.1.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
[root@c01-n1 ~]# nslookup
> ns
Server: 10.0.1.5
Address: 10.0.1.5#53
Name: ns.example.net
Address: 10.0.1.5
> 10.0.1.5
Server: 10.0.1.5
Address: 10.0.1.5#53
5.1.0.10.in-addr.arpa name = ns.example.net.
> nsd
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd: NXDOMAIN
> nsd.int.example.net
Server: 10.0.1.5
Address: 10.0.1.5#53
** server can't find nsd.int.example.net: NXDOMAIN
So if I name my mail server just "mail" and add int.example.net and example.net to the search domains, I will have access to the same server independently of the network I am attached to. And I will give people outside no access to information about my internal network.