Re: DNS passthrough on no explicit result?
On Fri, Jan 31, 2014 at 11:10 AM, Steve Presser st...@pressers.name wrote:

Hey all,

Please forgive me if any of my terminology is off - I have not spent as much time in the documentation as I'd like. I have an odd situation that I would like to know if it is possible, and would much appreciate a pointer to any relevant documentation or write-ups.

I manage a domain name which, for reasons of reliability, uses an externally managed DNS server (zoneedit). We're looking to add private network DNS for internal machines. I've got BIND up and running on an internal machine. However, we have public records that need to be accessible internally (SPF, DKMS, jabber servers, MXs, etc). Additionally, using an internal-only namespace is not an option, due to laptops which go in and out of the network and need to be able to connect without settings modification.

I'm trying to figure out how to do some sort of pass-through arrangement, where the internal BIND server will first attempt to do the lookup with local records. If it has no local record, it will then fall back to the answer returned by the external (zoneedit) server.

I know that if there was only one server, this would simply be split horizon. However, I don't know what to call this setup, and am having a hard time searching for it because of that. (So I apologize if this is then a dumb question.)

Any help you can offer is much appreciated.

Thanks!
Steve

Hi Steve,

I'm afraid I'm not following you here. You have records which absolutely need to be public: SPF, MXs--mail won't work otherwise. Do you want your DKMS and jabber records to be internal-only, or can they be public as well? If everything can be public, why the question?

If you want internal-only records, why not just do split horizon of some sort where you use zoneedit as a slave and your local BIND view as a master? That way you have two views, one for internal IPs, and one for external IPs.

John

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS passthrough on no explicit result?
Steve,

If you must use the same domain for internal names as external, here is one way to do that. On the recursive resolving name server that you use inside your network, also make that server authoritative for the domain name in question. You'll need to do double-entry for every externally accessible resource record that you also want to access from inside the network. So, for example:

External:

    ; SOA record
    example.com.    IN  NS  ns1.example.com.
    example.com.    IN  NS  ns2.example.com.
    ns1             IN  A   external.ip.address
    ns2             IN  A   external.ip.address
    www             IN  A   external.ip.address
    mail            IN  A   external.ip.address
    example.com.    IN  MX  10 mail.example.com.

Internal:

    ; SOA record
    example.com.    IN  NS  ns3.example.com.
    example.com.    IN  NS  ns4.example.com.
    ns3             IN  A   internal.ip.address
    ns4             IN  A   internal.ip.address
    www             IN  A   external.ip.address
    mail            IN  A   external.ip.address
    server1         IN  A   internal.ip.address
    example.com.    IN  MX  10 mail.example.com.

Obviously, if you move your web site to a different server, you'll need to change the IP on both the external and internal name servers.

This configuration can cause confusion (you can't resolve name.example.com? what resolver are you using?), but it does have some advantages, like you can specify jabber.example.com in the external version of the zone to resolve to 12.34.56.78, and have jabber.example.com in the internal version of the zone resolve to 10.11.12.13, but it depends on everyone inside the company using your supplied recursive resolvers.

You can also keep recursive and authoritative separate by doing approximately this same thing but dedicating a server to your internal zone(s), then on your recursive resolvers using a forward statement or stub zones to short circuit recursion for that/those particular domain name(s).

Is this the right way to manage your name space? I don't know, but that's a whole other argument. Some people will tell you that you should absolutely use a different name internally than you do out on the Internet.
Some companies use example.com outside and example.corp inside (this is what my current company does), but when the .corp TLD gets approved sometime in the indefinite and unknowable future, all of a sudden there are big problems (or a big migration).

Good luck,
-Rich

On Jan 31, 2014, at 10:10 AM, Steve Presser st...@pressers.name wrote: [...]
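The split-horizon layout John suggests (zoneedit slaving the public zone from a local master) and the dual-zone-file arrangement Rich describes, including his alternative of keeping recursion on separate resolvers and short-circuiting it with a forward zone, as one added named.conf example. This is not configuration from the thread: the address ranges, the zoneedit transfer source 203.0.113.10, the file names and the internal authoritative address 10.0.0.53 are assumptions.

```conf
// Added example, not from the original posts. Addresses, file names and the
// zoneedit secondary address are placeholders.

acl "internal" { 10.0.0.0/8; 127.0.0.1; };
acl "zoneedit-secondaries" { 203.0.113.10; };  // assumption: zoneedit's AXFR source

// Views are tried in order and the first match wins, so the internal view
// must come first or internal clients get the public copy. Once any view is
// defined, every zone (root hints included) has to live inside a view.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };

    // Rich's internal copy: the public records duplicated, plus server1 and
    // the internal jabber address. A name missing from this file is NXDOMAIN
    // for internal clients; there is no fall-through to the public copy.
    zone "example.com" {
        type master;
        file "db.example.com.internal";
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;   // authoritative only toward the Internet

    // John's layout: this copy is the master that zoneedit slaves from, so
    // the public data is edited in one place and pushed out by NOTIFY/AXFR.
    zone "example.com" {
        type master;
        file "db.example.com.external";
        allow-transfer { "zoneedit-secondaries"; };
        also-notify { 203.0.113.10; };
        notify yes;
    };
};

// Rich's second layout, in the named.conf of a separate recursive resolver:
// leave example.com to a dedicated internal authoritative server (10.0.0.53,
// assumed) and short-circuit recursion for that one domain. As Rich says,
// that server must then carry the public records too, or they are NXDOMAIN.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};
```

Run `named-checkconf` on the file and `named-checkzone example.com db.example.com.internal` (and the external copy) before reloading, then confirm the view split with `dig @<server> www.example.com A` from an internal and an external address. Note what the external view implies: the host that serves it has to be reachable from zoneedit, so it is listening on the Internet; if that is not acceptable for the internal resolver, put the external view on a separate authoritative host, which is exactly Rich's point about keeping the recursive and authoritative roles apart. In either case keep `allow-transfer` limited to the secondary's addresses (or a TSIG key), since an unrestricted AXFR hands out the whole zone.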
Re: DNS passthrough on no explicit result?
On Fri, 2014-01-31 at 11:10 -0500, Steve Presser wrote:

I'm trying to figure out how to do some sort of pass through arrangement, where the internal BIND server will first attempt to do the lookup with local records. If it has no local record, it will then fall back to the answer returned by the external (zoneedit) server.

You can do this by (ab)using the RPZ functionality. Assuming your internal bind server is only used/accessible by your internal machines, and that all of those internal machines only use your internal BIND server(s), you can:

in named.conf:

    response-policy { zone "rpz.example.com"; };
    zone "rpz.example.com" { type master; file "named.rpz.example.com"; };

in named.rpz.example.com:

    $TTL 300
    @                           IN SOA localhost. hostmaster.example.com. ( 1 3600 900 604800 300 )
    @                           IN NS  localhost.
    internalhost1.example.com   IN A   10.11.12.13

Names like mail.example.com get resolved via your external public name server. However, internalhost1.example.com, which would return nxdomain from the external name server, now returns 10.11.12.13 from your internal server. The advantage here is that you only need to maintain the public data in one place, and the internal overrides in one place.
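Carl's RPZ approach spelled out as a complete configuration, as an added example rather than his posted snippet: the internal range 10.0.0.0/8, the directory and file names are assumptions. A policy zone is an ordinary zone file, so it needs SOA and NS records before named will load it, and the same record form that fills in a name the public servers do not have (internalhost1) also overrides one they do have (the internal jabber address).

```conf
// named.conf on the internal recursive resolver (added example, not from the
// original post; addresses and file names are assumptions)
options {
    directory "/var/named";
    recursion yes;
    // Carl's precondition made explicit: only internal clients may recurse,
    // so nobody outside sees rewritten answers or gets an open resolver.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };

    response-policy {
        zone "rpz.example.com";
    } qname-wait-recurse no;
    // qname-wait-recurse exists in BIND 9.10 and later (drop it on older
    // versions). With the default of yes, named first asks the public
    // zoneedit servers for internalhost1.example.com and only then applies
    // the rewrite, which leaks internal host names into their query logs.
};

// The policy zone itself. Whoever can change this file can rewrite any answer
// this resolver gives, so keep it local, not transferable, and under the same
// change control as the real zone data.
zone "rpz.example.com" {
    type master;
    file "named.rpz.example.com";
    allow-query { localhost; };   // clients never need to query the policy zone directly
    allow-transfer { none; };
};

; named.rpz.example.com
$TTL 300
@                           IN  SOA localhost. hostmaster.example.com. (
                                    2014013101 ; serial
                                    3600 900 604800 300 )
@                           IN  NS  localhost.
; QNAME triggers: the owner is the queried name relative to this zone's
; origin, so the first record matches queries for internalhost1.example.com,
; which the public servers answer with NXDOMAIN ...
internalhost1.example.com   IN  A   10.11.12.13
; ... and the second overrides jabber.example.com, which the public servers
; do answer (12.34.56.78 in Rich's example), with the internal address.
jabber.example.com          IN  A   10.11.12.13
; mail, www and the MX target are not listed here, so those answers come from
; the public zoneedit servers unchanged.
```

Verify from an internal client with `dig @<resolver> internalhost1.example.com A` (expect 10.11.12.13) and `dig @<resolver> mail.example.com A` (expect the public address); each rewrite is logged under the `rpz` logging category, which is the easiest way to see what the policy zone is actually doing. Two caveats a practitioner should settle up front. Laptops off the network resolve against the public data only, which is what Steve asked for, but it means internal names are simply absent outside. And if example.com is ever DNSSEC-signed, a client that sets the DO bit gets the unrewritten, validated answer: named does not rewrite such responses unless `break-dnssec yes` is added after the `response-policy` block, and doing that defeats validation for those clients.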
Re: DNS passthrough on no explicit result?
Carl, Sten,

Thanks! That's exactly what I was looking for.

Steve

On Jan 31, 2014 12:10 PM, Sten Carlsen st...@s-carlsen.dk wrote:

I can add that this is what I do to solve the same problem. I have one difference that you may consider: I am a stealth master for my external zone, so all changes to IPs will be controlled from my side and slaved on the public facing servers.

On 31/01/14 17:44, Rich Goodson wrote: [...]
Re: DNS passthrough on no explicit result?
You have records which absolutely need to be public: SPF, MXs--mail won't work otherwise.

I hope I misunderstood the intended meaning or context of those words, because their literal, context-free meaning that SPF and MX records are required by SMTP is wrong.

SPF might be considered required by unsolicited or semi-solicited bulk mail senders to help large scale free mailbox providers gauge the legitimacy of mail advertisements. Otherwise SPF is *not* required. As proof consider both this message and the DCC mailing lists (i.e. old school solicited bulk mail.) In some cases SPF harms SMTP delivery, especially when combined with DMARC.

Because I'm in neither the email advertising business nor the large scale free mailbox businesses, the only unambiguous use I've found for SPF records is to try to prevent mail. I publish SPF RRs for some domains that send no mail in order to reduce NDRs or bounces of forged mail from bad SMTP servers (mail receivers) that fail to validate SMTP Rcpt_To values during the SMTP transaction.

The case for MX records being required for SMTP is clear. In the absence of an explicit MX record, the standards require SMTP clients (mail senders) to infer an implicit MX from derived A or AAAA records.

Vernon Schryver v...@rhyolite.com
Re: DNS passthrough on no explicit result?
On Fri, Jan 31, 2014 at 12:41 PM, Vernon Schryver v...@rhyolite.com wrote: [...]

Indeed, the intent of my words was that SPF only makes sense if it's public--presumably you set up trust between your internal mail servers in other ways. It's not required for SMTP to work--plenty of domains don't use it. Thank you for the correction, Vernon.

John
--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu