Saturday, December 17, 2011

Split Horizon BIND9 DNS Setup


Let's dive into DNS awesomeness.....
  • This is a Split Horizon DNS setup, which lets us maintain only one DNS server across all the firewall zones.
  • As you can see, the only DNS server present is 192.168.1.50, connected to the Internal zone of the firewall.
  • The DNS server's port 53 UDP/TCP is allowed from all firewall zones for resolution of IP addresses.
  • Internal clients have their own internal Apache server residing in the Internal zone of the firewall.
  • The internal Apache server is connected to the Tomcat server within the Internal zone.
  • External clients and VPN clients are directed to the DMZ Apache server for security.
  • The DMZ Apache server is allowed to connect to the Tomcat server on a specific port number only.
  • Thus external clients are served application data through the DMZ Apache server.
  • Generally, two DNS servers, i.e. a DMZ DNS server and an Internal DNS server, are required, as this reduces the security risk.
  • The View clause capability of the BIND9 DNS server is used to serve the respective results to each group of clients.
  • The "match-clients" statement in a View clause is matched against the query source address, and the zone file of the matching view is consulted to answer the DNS query.
  • Separate zone files are maintained for the External and Internal regions.
  • Recursion is only allowed for Internal clients.
  • The configuration snippet shows a View-clause-based recursion statement; an access-list-based recursion restriction is also possible (shown below in the named.conf file).
  • In this kind of setup it is highly recommended to implement DNSSEC in BIND9 so that clients can verify the authenticity and integrity of the DNS answers (DNSSEC signs the zone data; it does not encrypt the client-server transactions). DNSSEC is not implemented here, it will require another post. :)
  • The BIND working directory for my test setup is /var/lib/named.
  • Zone files are kept at /var/lib/named/zone.
named.conf file -
#Split Horizon DNS Setup for DMZ
#Internal IP range
acl Internal { 192.168.0.0/16; };

options {
    directory "/var/lib/named";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    #Query source addresses allowed
    allow-query { 127.0.0.1; 172.20.0.0/16; 192.168.0.0/16; };
    #Recursion only for Internal clients
    allow-recursion { Internal; localhost; };
};

logging {
    channel query_logging {
        file "/var/log/named_querylog" versions 3 size 100M;
        print-time yes;
    };
    category queries {
        query_logging;
    };
};

#Views are tried in the order written; the first match-clients hit answers the query.
view "External" {
    #match client IP address
    match-clients { 172.20.0.0/16; };
    zone "server.com" {
        type master;
        #Refer to External zone file
        file "zone/master.server.com.External";
    };
};

view "Internal" {
    #match client IP address
    match-clients { 192.168.0.0/16; };
    zone "server.com" {
        type master;
        #Refer to Internal zone file
        file "zone/master.server.com.Internal";
    };
};

#Like every named.conf statement, include must end with a semicolon.
#Once views are used, any zone statements in the included file must also live inside a view.
include "/etc/named.conf.include";

Zone files - 
master.server.com.External -
$TTL    86400
$ORIGIN server.com.
@       1D  IN  SOA  ns1.server.com. pd.server.com. (
                        2009082600  ; serial
                        3H          ; refresh
                        15          ; retry
                        1w          ; expire
                        3h          ; negative caching TTL
                        )
        IN  NS   ns1.server.com.
;
ns1     IN  A    192.168.1.50
pd      IN  A    10.101.1.1      ; address served to External clients
master.server.com.Internal -
$TTL    86400
$ORIGIN server.com.
@       1D  IN  SOA  ns1.server.com. pd.server.com. (
                        2009082600  ; serial
                        3H          ; refresh
                        15          ; retry
                        1w          ; expire
                        3h          ; negative caching TTL
                        )
        IN  NS   ns1.server.com.
;
ns1     IN  A    192.168.1.50
pd      IN  A    192.168.1.100   ; address served to Internal clients
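To see what this configuration actually returns to different query sources, here is a small Python model of the view selection and answer logic above (an added example, not code from the post or from BIND). It assumes BIND's behaviour that views are tried in configuration order with the first match-clients hit winning and that a source matching no view is refused, which is why 127.0.0.1, although listed in allow-query, gets REFUSED; the A records are those of the two zone files.

```python
import ipaddress

ZONE = "server.com."
# Views in named.conf order: BIND uses the first view whose match-clients
# list contains the query source.  A records are taken from the two zone files.
VIEWS = [
    ("External", ["172.20.0.0/16"], {"ns1": "192.168.1.50", "pd": "10.101.1.1"}),
    ("Internal", ["192.168.0.0/16"], {"ns1": "192.168.1.50", "pd": "192.168.1.100"}),
]
ALLOW_QUERY = ["127.0.0.1/32", "172.20.0.0/16", "192.168.0.0/16"]
ALLOW_RECURSION = ["192.168.0.0/16", "127.0.0.1/32"]  # acl Internal; localhost


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def select_view(client_ip):
    """Name of the first view matching client_ip, or None (BIND answers REFUSED)."""
    for name, match_clients, _records in VIEWS:
        if _in_any(client_ip, match_clients):
            return name
    return None


def resolve_a(client_ip, qname, recursion_desired=False):
    """Answer an A query for absolute qname as the configured server would.

    Returns an address, or a token for BIND's rcode: REFUSED (allow-query,
    no matching view, or out-of-zone name the client may not recurse for),
    NXDOMAIN (in server.com but not in the view's zone), RECURSE (upstream).
    """
    if not _in_any(client_ip, ALLOW_QUERY):
        return "REFUSED"
    view = select_view(client_ip)
    if view is None:
        return "REFUSED"  # e.g. 127.0.0.1 passes allow-query but matches no view
    records = next(r for name, _m, r in VIEWS if name == view)
    if qname == ZONE or qname.endswith("." + ZONE):
        label = "@" if qname == ZONE else qname[: -len(ZONE) - 1]
        return records.get(label, "NXDOMAIN")  # authoritative data; recursion irrelevant
    if recursion_desired and _in_any(client_ip, ALLOW_RECURSION):
        return "RECURSE"
    return "REFUSED"


if __name__ == "__main__":
    for src in ("192.168.1.20", "172.20.5.7", "127.0.0.1"):
        print(src, "->", resolve_a(src, "pd.server.com."))
```

Running it prints the Internal address for 192.168.1.20, the External one for 172.20.5.7 and REFUSED for 127.0.0.1, so a `dig @127.0.0.1` test from the server itself will not work with this named.conf unless localhost is added to one of the views.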