Re: host your subdomain on your own ?

2021-11-13 Thread Tony Finch
Grant Taylor via bind-users  wrote:
> On 11/13/21 7:29 AM, Tony Finch wrote:
> > You should make sure that your public nameservers return a definite nodata
> > or NXDOMAIN reply for your private names, not REFUSED, nor a referral to an
> > RFC 1918 address. The latter two will cause resolvers to retry, and the
> > retries can become a large proportion of your total authoritative query
> > traffic.
>
> Please elaborate on the mechanics behind returning a "private" IP
> causing resolvers to retry?  Is it the resolvers rejecting the "private"
> IP and retrying?

Yes, because they get a referral to nameservers that don't respond or that
respond incorrectly.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Forties: East or southeast, veering south later, 4 to 6. Moderate. Fog
patches at first. Moderate or good, occasionally very poor at first.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: host your subdomain on your own ?

2021-11-13 Thread Reindl Harald




On 13.11.21 at 17:20, Grant Taylor via bind-users wrote:
> On 11/13/21 9:07 AM, Reindl Harald wrote:
>> * he needs the delegation because lack of control
>
> Maybe I've lost context, but I thought the overall theme of the thread
> was delegating to a private IP address

"Because I might not be able to control nor have input into
local-private bind(s)" is the simple reason for the whole thread

otherwise he could make sure they forward the zone over the VPN and case
closed

now that he can't control the name resolution in the other networks all
the delegation stuff will simply fail if they use an ISP or
public-nameserver like 8.8.8.8

how are they supposed to use the *split-horizon* setup from the initial
post?



Re: host your subdomain on your own ?

2021-11-13 Thread Grant Taylor via bind-users

On 11/13/21 9:07 AM, Reindl Harald wrote:
> but you have to deal with it

And?  So?

We have to deal with all sorts of things.  The need to do our job is not
in and of itself a reason to not do it.

> you missed my second post!

No, order of reply vs reading.

> * he needs the delegation because lack of control

Maybe I've lost context, but I thought the overall theme of the thread
was delegating to a private IP address.

> * when the clients network is using a public
>   forwarder the delegation simply can't work

My thought was around three DNS servers.

1)  Company A's local DNS server.
2)  Company B's local DNS server.
3)  Public DNS hierarchy which delegates A's domain to a private IP in
    A's LAN.

If there is a VPN between company A and company B, then clients on
company B's LAN will use company B's local recursive DNS server.  B's
recursive DNS server will receive the delegation from 3 to 1, traverse
the VPN to talk to A.  Thus 2 will be able to resolve something
delegated to A's DNS server with private IP.

> * so the problem is lack of control and can't be solved
>
> personally i would simply add additional names point to the LAN
> addresses in my normal public zone, you don't even need a full subdomain
> zone for add "something.priv.example.com" pointing to 192.168.196.10
>
> and not to forget: most networks are forwarding to some public
> nameserver which can't reach your private named at all

I don't view -- what I consider to be -- questionable practice to be a
valid reason to not do something.  A *LOT* of people smoked in the mid
19th century, and that's turned out to be not as good as once thought.

I would advocate for businesses to have their own LAN based DNS servers
that are authoritative for their own zone(s) and recursive for other
zones.  If people want, they can have their local DNS server forward the
recursive responsibility elsewhere.

In some ways this thread is a re-hash of the venerable "Why can't Google
DNS figure out my private Active Directory? ... But WHY?!?!?!".




--
Grant. . . .
unix || die





Re: host your subdomain on your own ?

2021-11-13 Thread Grant Taylor via bind-users

On 11/13/21 7:29 AM, Tony Finch wrote:
> You should make sure that your public nameservers return a definite
> nodata or NXDOMAIN reply for your private names, not REFUSED, nor a
> referral to an RFC 1918 address. The latter two will cause resolvers
> to retry, and the retries can become a large proportion of your total
> authoritative query traffic.

Please elaborate on the mechanics behind returning a "private" IP
causing resolvers to retry?  Is it the resolvers rejecting the "private"
IP and retrying?  Or is it the end systems behind the resolvers failing
to be able to use the resolved private IP and trying resolution again?
How and why does an authoritative server returning authoritative data
cause resolvers / clients to send more queries?

Note:  I'm expanding "private" to be an IP that is not globally
accessible, because it's RFC 1918 (et al.), not globally routed,
firewalled, etc.  If this is not a fair expansion, please enlighten me.




--
Grant. . . .
unix || die





Re: host your subdomain on your own ?

2021-11-13 Thread Reindl Harald



On 13.11.21 at 17:00, Grant Taylor via bind-users wrote:
> On 11/13/21 12:59 AM, Reindl Harald wrote:
>> i doubt that any ISP out there would delegate to a private address and
>> when your bind is asked over its public IP a view won't work
>
> ISP's willingness to do something is a policy decision and that's
> completely different than their capability to do something which is a
> technology decision.

but you have to deal with it

> I see zero reason that a parent zone operator can't delegate something
> to a private / non-globally-routed IP.
>
>> chicken / egg
>
> Not necessarily.  Just because the Internet at large can't access the IP
> that the child zone is delegated to doesn't mean that business partners
> can't access it.  --  I believe that I saw in one of the messages that
> there was a VPN between the sites / business partners which did support
> / provide routing to the private IP.
>
> In some ways, this is similar to making something resolve to 127.0.0.1
> and / or ::1.  That information can be published in globally accessible
> DNS, but it will likely be of very limited value.

you missed my second post!

* he needs the delegation because lack of control
* when the clients network is using a public
  forwarder the delegation simply can't work
* so the problem is lack of control and can't be solved

personally i would simply add additional names point to the LAN
addresses in my normal public zone, you don't even need a full subdomain
zone for add "something.priv.example.com" pointing to 192.168.196.10

and not to forget: most networks are forwarding to some public
nameserver which can't reach your private named at all

8.8.8.8 (google) can't hit your internal view

when you can't control something it's exactly that


Re: host your subdomain on your own ?

2021-11-13 Thread Grant Taylor via bind-users

On 11/13/21 12:59 AM, Reindl Harald wrote:
> i doubt that any ISP out there would delegate to a private address and
> when your bind is asked over its public IP a view won't work

ISP's willingness to do something is a policy decision and that's
completely different than their capability to do something which is a
technology decision.

I see zero reason that a parent zone operator can't delegate something
to a private / non-globally-routed IP.

> chicken / egg

Not necessarily.  Just because the Internet at large can't access the IP
that the child zone is delegated to doesn't mean that business partners
can't access it.  --  I believe that I saw in one of the messages that
there was a VPN between the sites / business partners which did support
/ provide routing to the private IP.

In some ways, this is similar to making something resolve to 127.0.0.1
and / or ::1.  That information can be published in globally accessible
DNS, but it will likely be of very limited value.




--
Grant. . . .
unix || die





Re: host your subdomain on your own ?

2021-11-13 Thread Tony Finch
A couple of general points about private names and addresses:

If you have a private subdomain, e.g. private.cam.ac.uk, and a
non-negligible number of users, the names *will* leak into the outside
world and your public nameservers will get queries for them. You should
make sure that your public nameservers return a definite nodata or
NXDOMAIN reply for your private names, not REFUSED, nor a referral to an
RFC 1918 address. The latter two will cause resolvers to retry, and the
retries can become a large proportion of your total authoritative query
traffic.

I have some vague unease about the interaction between the web security
model and names that resolve to RFC 1918 addresses outside their home
network. And some more specific unease about risks of ssh, if you are ever
careless about accepting ssh unknown host warnings. So I guess if you are
careful and you know what you are doing (and by implication, if you don't
have many users) you can put RFC 1918 addresses in public zones, but I
wouldn't recommend it. Assign yourself an IPv6 ULA prefix and use that
instead :-)

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Plymouth, Biscay: Northwest veering north or northeast, 3 to 5.
Moderate or rough. Occasional drizzle or showers later. Moderate or
good, occasionally poor later.
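
An added example, not part of the message above or of anyone's post in this thread: a small Python classifier that parses raw DNS replies and separates the definite answers (NXDOMAIN, nodata) from the two that make resolvers retry (REFUSED, and a referral whose glue is not globally routable). The sample replies, the name `ns.priv.zone.top` and the SOA values are constructed; `priv.zone.top` and 192.168.196.10 are reused from the thread.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AAAA = 1, 2, 6, 28
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:                # the root label ends the name
            return off
        off += length

def parse(msg):
    """Return (flags, [answer, authority, additional]); RRs are (type, rdata)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return flags, sections

def classify(msg):
    """Label a reply as definite (nxdomain, nodata) or retry-inducing."""
    flags, (answer, authority, additional) = parse(msg)
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == REFUSED:
        return "refused"                   # not an answer: resolvers retry
    if rcode == NXDOMAIN:
        return "nxdomain"                  # definite: the name does not exist
    if rcode != NOERROR or answer:
        return "other"
    auth_types = {rtype for rtype, _ in authority}
    if TYPE_NS in auth_types and not aa:   # non-authoritative NS set: referral
        glue = [ipaddress.ip_address(rdata) for rtype, rdata in additional
                if rtype in (TYPE_A, TYPE_AAAA)]
        if any(not ip.is_global for ip in glue):
            return "referral-to-private"   # outside resolvers cannot follow it
        return "referral"
    if TYPE_SOA in auth_types:
        return "nodata"                    # definite: name exists, type does not
    return "other"

def enc_name(name):
    """Encode a domain name in uncompressed wire format."""
    labels = name.split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\0"

def build(rcode, aa, authority=(), additional=()):
    """Construct a reply to the query 'host.priv.zone.top A' (sample data)."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, len(authority), len(additional))
    msg += enc_name("host.priv.zone.top") + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, rdata in (*authority, *additional):
        msg += enc_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

# Constructed records: (owner name, type, rdata).
SOA = ("zone.top", TYPE_SOA,
       enc_name("ns.zone.top") + enc_name("hostmaster.zone.top")
       + struct.pack("!5I", 1, 3600, 600, 86400, 300))
NS = ("priv.zone.top", TYPE_NS, enc_name("ns.priv.zone.top"))
GLUE = ("ns.priv.zone.top", TYPE_A, bytes([192, 168, 196, 10]))

# Constructed replies a public nameserver might give for a private name.
SAMPLES = {
    "nxdomain": build(NXDOMAIN, True, [SOA]),
    "nodata": build(NOERROR, True, [SOA]),
    "refused": build(REFUSED, False),
    "referral-to-private": build(NOERROR, False, [NS], [GLUE]),
}

if __name__ == "__main__":
    for expected, wire in SAMPLES.items():
        print(f"{expected:20} -> {classify(wire)}")
```

Feeding it the raw bytes of replies captured from your own public nameservers for a leaked private name shows which of the four cases they currently produce.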



Re: host your subdomain on your own ?

2021-11-13 Thread lejeczek via bind-users




On 13/11/2021 07:16, Erich Eckner wrote:
> On Sat, 13 Nov 2021, Reindl Harald wrote:
>
>> On 12.11.21 at 18:55, lejeczek via bind-users wrote:
>>> On 12/11/2021 17:14, Reindl Harald wrote:
>>>> wouldn't it be easier to setup two different subdomains in which case
>>>> you don't need delegation at all - your local named would host the
>>>> internal subdomain and doing recursion for everything else
>>>>
>>>> i mean when it's private and not www why does the world need to know
>>>> about the subdomain?
>>>
>>> Because I might not be able to control nor have input into
>>> local-private bind(s) and thus...
>>> clients/nodes on private networks would query www/public bind and only
>>> then would learn of 'priv.zone.top' and then, via that delegation to my
>>> own binds, 'priv.zone.top' would be served to local-private networks.
>>> - here is where 'views' come to mind, on my binds...
>>
>> don't get me wrong but when you a) control a local bind where b) a public
>> resolver delegates a subzone you should also be able to control that
>> clients in this network use your named via dhcp
>
> The problem arises, as soon as you have some clients *outside* of this
> local net (inside some other local net), which should also resolve the
> internal ips - this is, what I have, and why I use a public zone for my
> private addresses: Most hosts are within my lan behind my own dns
> server, but some are "outside", but reachable via vpn - but I do not
> want to route all dns traffic for those through vpn, neither do I want
> to deploy dns servers for each of those machines.



@Erich
So that's allowed (& will work?) by bind protocols? On my 
own bind facing www & serving my subdomain (delegated from 
public registrar) I resolve to & serve private IPs?
That's the easiest way out I was hoping for, in my tricky 
situation (being a part of large org it's often bureaucracy 
which defeats everybody)
I too employ vpn and for similar reasons I'd prefer my 
www-facing bind to resolve my private IPs for... who should 
give a toss but me only?
To me it's very basic logic - if a user cannot get to a site 
- URLs of which only informed regular users should know in 
the first place - that is my business, right? (and precisely 
what I want)


many thanks, L




Re: host your subdomain on your own ?

2021-11-13 Thread Ondřej Surý

> On 13. 11. 2021, at 8:16, Erich Eckner  wrote:
>
> The problem arises, as soon as you have some clients *outside* of this
> local net (inside some other local net), which should also resolve the
> internal ips - this is, what I have, and why I use a public zone for my
> private addresses: Most hosts are within my lan behind my own dns server,
> but some are "outside", but reachable via vpn - but I do not want to route
> all dns traffic for those through vpn, neither do I want to deploy dns
> servers for each of those machines.

What Erich said…

I have ProxMox (PVE) at home and bunch of operating systems for testing
and the .home.sury.org are just listed in the public zone.  There’s
not much anybody can do with the information that I am using 10.10.10.0/24
for my home network.

So, instead of describing what and how you want to do , maybe you
might describe why you want to do ?

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org





Re: host your subdomain on your own ?

2021-11-13 Thread Reindl Harald




On 13.11.21 at 08:59, Reindl Harald wrote:
> On 13.11.21 at 08:16, Erich Eckner wrote:
>> On Sat, 13 Nov 2021, Reindl Harald wrote:
>>>>> i mean when it's private and not www why does the world need to know
>>>>> about the subdomain?
>>>>
>>>> Because I might not be able to control nor have input into
>>>> local-private bind(s) and thus...
>>>> clients/nodes on private networks would query www/public bind and
>>>> only then would learn of 'priv.zone.top' and then, via that
>>>> delegation to my own binds, 'priv.zone.top' would be served to
>>>> local-private networks.
>>>> - here is where 'views' come to mind, on my binds...
>
> i doubt that any ISP out there would delegate to a private address and
> when your bind is asked over its public IP a view won't work
>
> chicken / egg

and not to forget: most networks are forwarding to some public
nameserver which can't reach your private named at all

8.8.8.8 (google) can't hit your internal view

when you can't control something it's exactly that





Re: host your subdomain on your own ?

2021-11-13 Thread Reindl Harald




On 13.11.21 at 08:16, Erich Eckner wrote:
> On Sat, 13 Nov 2021, Reindl Harald wrote:
>>>> i mean when it's private and not www why does the world need to know
>>>> about the subdomain?
>>>
>>> Because I might not be able to control nor have input into
>>> local-private bind(s) and thus...
>>> clients/nodes on private networks would query www/public bind and
>>> only then would learn of 'priv.zone.top' and then, via that
>>> delegation to my own binds, 'priv.zone.top' would be served to
>>> local-private networks.
>>> - here is where 'views' come to mind, on my binds...

i doubt that any ISP out there would delegate to a private address and
when your bind is asked over its public IP a view won't work

chicken / egg




Re: host your subdomain on your own ?

2021-11-12 Thread Erich Eckner

On Sat, 13 Nov 2021, Reindl Harald wrote:
> On 12.11.21 at 18:55, lejeczek via bind-users wrote:
>> On 12/11/2021 17:14, Reindl Harald wrote:
>>> wouldn't it be easier to setup two different subdomains in which case you
>>> don't need delegation at all - your local named would host the internal
>>> subdomain and doing recursion for everything else
>>>
>>> i mean when it's private and not www why does the world need to know about
>>> the subdomain?
>>
>> Because I might not be able to control nor have input into local-private
>> bind(s) and thus...
>> clients/nodes on private networks would query www/public bind and only then
>> would learn of 'priv.zone.top' and then, via that delegation to my own
>> binds, 'priv.zone.top' would be served to local-private networks.
>>
>> - here is where 'views' come to mind, on my binds...
>
> don't get me wrong but when you a) control a local bind where b) a public
> resolver delegates a subzone you should also be able to control that clients
> in this network use your named via dhcp

The problem arises, as soon as you have some clients *outside* of this
local net (inside some other local net), which should also resolve the
internal ips - this is, what I have, and why I use a public zone for my
private addresses: Most hosts are within my lan behind my own dns server,
but some are "outside", but reachable via vpn - but I do not want to route
all dns traffic for those through vpn, neither do I want to deploy dns
servers for each of those machines.


regards,
Erich


Re: host your subdomain on your own ?

2021-11-12 Thread Reindl Harald




On 12.11.21 at 18:55, lejeczek via bind-users wrote:
> On 12/11/2021 17:14, Reindl Harald wrote:
>> wouldn't it be easier to setup two different subdomains in which case
>> you don't need delegation at all - your local named would host the
>> internal subdomain and doing recursion for everything else
>>
>> i mean when it's private and not www why does the world need to know
>> about the subdomain?
>
> Because I might not be able to control nor have input into local-private
> bind(s) and thus...
> clients/nodes on private networks would query www/public bind and only
> then would learn of 'priv.zone.top' and then, via that delegation to my
> own binds, 'priv.zone.top' would be served to local-private networks.
>
> - here is where 'views' come to mind, on my binds...

don't get me wrong but when you a) control a local bind where b) a
public resolver delegates a subzone you should also be able to control
that clients in this network use your named via dhcp



Re: host your subdomain on your own ?

2021-11-12 Thread Harry Waddell
On Fri, 12 Nov 2021 16:48:23 +
lejeczek via bind-users  wrote:

> Hi guys.
> 
> I'm looking to setup my subdomain in-house and I'm hoping for
> some wise advice from experts, it's my first foray into
> this thus go easy on me please.
> 
> zone.top - is hosted by a public registrar
> priv.zone.top - I want to delegate to my own bind
> I'd hope for some generic recipe and pointer to docs, thanks.
> 
> Now what I think might be the tricky part though I get that 
> an expert might say - trivial.
> I am thinking of 'views' or split-horizon or whatever other 
> nomenclature applies, though I hear that that/those are 
> discouraged by experts?
> Or! might that above be unnecessary(?) if, it's possible and 
> allowed that such public, mine bind will resolve to IPs 
> which are 'private' - all that so my 'priv.zone.top' will 
> resolve to whole www but resources of the zone/domain will 
> be available, as they are, only in/via private networks.
> 
> Does that make sense?
> many thanks for all the help. L


So long as you control the dns client configuration of your company's
in-house systems, you can do whatever you like. The client connects to an 
internal dns server, which believes itself to be authoritative for 
priv.zone.top and responds to queries as expected for that zone. 

IF you want the public internet to query that subdomain, you'll need that
delegation setup in the public dns server for zone.top 
( e.g. as obtained via whois ). 

If for some reason it's not practical to have the local dns server
handle all queries for these in-house systems, you can use something like
dnsmasq to route just the priv.zone.top to the internal dns servers. 
( off topic for here, but easy enough to find online should you need to )

-- 
Harry Waddell 



Re: host your subdomain on your own ?

2021-11-12 Thread lejeczek via bind-users




On 12/11/2021 17:14, Reindl Harald wrote:
> On 12.11.21 at 17:48, lejeczek via bind-users wrote:
>> Hi guys.
>>
>> I'm looking to setup my subdomain in-house and I'm hoping
>> for some wise advice from experts, it's my first foray
>> into this thus go easy on me please.
>>
>> zone.top - is hosted by a public registrar
>> priv.zone.top - I want to delegate to my own bind
>> I'd hope for some generic recipe and pointer to docs,
>> thanks.
>
> needs to be done in the parent zone by whoever hosts it
>
>> Now what I think might be the tricky part though I get
>> that an expert might say - trivial.
>> I am thinking of 'views' or split-horizon or whatever
>> other nomenclature applies, though I hear that that/those
>> are discouraged by experts?
>> Or! might that above be unnecessary(?) if, it's possible
>> and allowed that such public, mine bind will resolve to
>> IPs which are 'private' - all that so my 'priv.zone.top'
>> will resolve to whole www but resources of the
>> zone/domain will be available, as they are, only in/via
>> private networks.
>>
>> Does that make sense?
>
> wouldn't it be easier to setup two different subdomains in
> which case you don't need delegation at all - your local
> named would host the internal subdomain and doing
> recursion for everything else
>
> i mean when it's private and not www why does the world
> need to know about the subdomain?

Because I might not be able to control nor have input into
local-private bind(s) and thus...
clients/nodes on private networks would query www/public
bind and only then would learn of 'priv.zone.top' and then,
via that delegation to my own binds, 'priv.zone.top' would
be served to local-private networks.

- here is where 'views' come to mind, on my binds...
but to make it even more tricky - but some expert may still
say, trivial - currently deployed binds of mine do not
support "split-horizon"

So..
the easiest way out of which I can think would be to have my
binds to simply point to those private/local IPs - here I
wonder, as a newbie has to, if that would make DNS protocols
unhappy or perhaps I get kicked in the teeth right at start.


thanks, L.




Re: host your subdomain on your own ?

2021-11-12 Thread Reindl Harald




On 12.11.21 at 17:48, lejeczek via bind-users wrote:
> Hi guys.
>
> I'm looking to setup my subdomain in-house and I'm hoping for some wise
> advice from experts, it's my first foray into this thus go easy on me
> please.
>
> zone.top - is hosted by a public registrar
> priv.zone.top - I want to delegate to my own bind
> I'd hope for some generic recipe and pointer to docs, thanks.

needs to be done in the parent zone by whoever hosts it

> Now what I think might be the tricky part though I get that an expert
> might say - trivial.
> I am thinking of 'views' or split-horizon or whatever other nomenclature
> applies, though I hear that that/those are discouraged by experts?
> Or! might that above be unnecessary(?) if, it's possible and allowed
> that such public, mine bind will resolve to IPs which are 'private' -
> all that so my 'priv.zone.top' will resolve to whole www but resources
> of the zone/domain will be available, as they are, only in/via private
> networks.
>
> Does that make sense?

wouldn't it be easier to setup two different subdomains in which case
you don't need delegation at all - your local named would host the
internal subdomain and doing recursion for everything else

i mean when it's private and not www why does the world need to know
about the subdomain?


