Saturday, December 17, 2011

Split Horizon BIND9 DNS Setup


Let's dive into DNS awesomeness...
  • This is a Split Horizon DNS setup, which lets a single DNS server serve all the firewall zones.
  • As you can see, the only DNS server present is 192.168.1.50, connected to the Internal zone of the firewall.
  • The DNS server's port 53 (UDP/TCP) is allowed from all firewall zones so that every zone can resolve IP addresses.
  • Internal clients have their own Apache server residing in the Internal zone of the firewall.
  • The Internal Apache server connects to a Tomcat server within the Internal zone.
  • External clients and VPN clients are directed to the DMZ Apache server for security.
  • The DMZ Apache server is allowed to connect to the Tomcat server on one specific port only.
  • Thus External clients are served application data through the DMZ Apache server.
  • Generally two DNS servers, i.e. a DMZ DNS server and an Internal DNS server, are required, as this reduces security risk.
  • The View clause capability of the BIND9 DNS server is used to serve the respective results to each group of clients.
  • The "match-clients" statement in a View clause matches the query source address, and the related zone file is consulted to answer the DNS query.
  • Separate zone files are maintained for the External and Internal regions.
  • Recursion is allowed only for Internal clients.
  • The configuration snippet shows a View clause based recursion statement; an access list based recursion restriction is also possible (shown below in the named.conf file).
  • In this kind of setup it is highly recommended to implement DNSSEC in BIND9 so that client-server DNS transactions are encrypted. DNSSEC is not implemented here; it will need another post. :)
  • The BIND working directory for my test setup is /var/lib/named.
  • Zone files are kept at /var/lib/named/zone.
named.conf file -
#Split Horizon DNS Setup for DMZ
#Internal IP range
acl Internal { 192.168.0.0/16; };

options {
    directory "/var/lib/named";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    #Query source addresses allowed
    allow-query { 127.0.0.1; 172.20.0.0/16; 192.168.0.0/16; };
    #Recursion only for Internal clients (access list based restriction)
    allow-recursion { Internal; localhost; };
};

logging {
    channel query_logging {
        file "/var/log/named_querylog" versions 3 size 100M;
        print-time yes;
    };
    category queries {
        query_logging;
    };
};

#Views are tried in the order written: the first view whose match-clients
#matches the query source address answers, and a source matching no view is refused.
view "External" {
    #match client IP address (BIND allows trailing zero octets to be omitted: 172.20/16 = 172.20.0.0/16)
    match-clients { 172.20/16; };
    zone "server.com" {
        type master;
        #Refer to External zone file
        file "zone/master.server.com.External";
    };
};

view "Internal" {
    #match client IP address; localhost is added so that queries from the server
    #itself (allowed in options above) land in a view instead of being refused
    match-clients { 192.168/16; localhost; };
    zone "server.com" {
        type master;
        #Refer to Internal zone file
        file "zone/master.server.com.Internal";
    };
};

#Once views are used, every zone (including any in this included file) must be
#declared inside a view, otherwise named refuses to start.
include "/etc/named.conf.include";

Zone files - 
master.server.com.External -
$TTL    86400 ;
$ORIGIN server.com.
@  1D  IN     SOA ns1.server.com.    pd.server.com. (
                  2009082600 ; serial
                  3H ; refresh
                  15 ; retry
                  1w ; expire
                  3h ; negative caching TTL
                 )
       IN  NS     ns1.server.com. ;
;
ns1    IN  A      192.168.1.50 ;
pd     IN  A      10.101.1.1 ; answered to External clients only
master.server.com.Internal -
$TTL    86400 ;
$ORIGIN server.com.
@  1D  IN     SOA ns1.server.com.    pd.server.com. (
                  2009082600 ; serial
                  3H ; refresh
                  15 ; retry
                  1w ; expire
                  3h ; negative caching TTL
                 )
       IN  NS     ns1.server.com. ;
;
ns1    IN  A      192.168.1.50 ;
pd     IN  A      192.168.1.100 ; answered to Internal clients only

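As an added illustration (not part of the post), here is a small Python model of BIND's view selection: it parses a constructed excerpt of the views above together with the two zone files' A records, and shows which address pd.server.com resolves to for an Internal client, an External client, the server itself, and an address that matches no view. The localhost entry in the Internal view's match-clients is an assumption (without it the 127.0.0.1 allowance in options is moot, because a source that matches no view is refused).

```python
import ipaddress
import re
# Constructed excerpt of the post's named.conf views and of its two zone files,
# embedded so this runs offline. "localhost" in the Internal view is an assumption:
# the options block allows 127.0.0.1, but a source matching no view gets REFUSED.
NAMED_CONF = '''
view "External" {
    match-clients { 172.20/16; };
    zone "server.com" { type master; file "zone/master.server.com.External"; };
};
view "Internal" {
    match-clients { 192.168/16; localhost; };
    zone "server.com" { type master; file "zone/master.server.com.Internal"; };
};
'''
ZONE_FILES = {  # A records only; the SOA and NS lines are identical in both files
    "zone/master.server.com.External": "ns1 IN A 192.168.1.50\npd IN A 10.101.1.1\n",
    "zone/master.server.com.Internal": "ns1 IN A 192.168.1.50\npd IN A 192.168.1.100\n",
}
ACLS = {"localhost": ["127.0.0.0/8"]}  # IPv4 part of BIND's built-in localhost ACL

def prefix(spec):
    """BIND lets trailing zero octets be omitted: '172.20/16' means 172.20.0.0/16."""
    addr, _, bits = spec.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)

def acl_match(items, client):
    """True when the client address matches any element of an address_match_list."""
    ip = ipaddress.ip_address(client)
    return any(acl_match(ACLS[i], client) if i in ACLS else ip in prefix(i) for i in items)

def parse_views(conf):
    """Yield (view name, match-clients list, {zone: file}) in configuration order."""
    for name, body in re.findall(r'view\s+"([^"]+)"\s*\{(.*?)\n\};', conf, re.S):
        clients = re.search(r'match-clients\s*\{([^}]*)\}', body).group(1)
        zones = dict(re.findall(r'zone\s+"([^"]+)"\s*\{[^}]*?file\s+"([^"]+)"', body))
        yield name, [c.strip() for c in clients.split(";") if c.strip()], zones

def resolve(client, qname, conf=NAMED_CONF, zone_files=ZONE_FILES):
    """The first view whose match-clients matches the query source answers from its
    own zone file; (None, None) means no view matched, which BIND answers REFUSED."""
    for name, clients, zones in parse_views(conf):
        if acl_match(clients, client):
            label, _, zone = qname.rstrip(".").partition(".")
            for line in zone_files.get(zones.get(zone, ""), "").splitlines():
                f = line.split()
                if len(f) == 4 and f[0] == label and f[2] == "A":
                    return name, f[3]
            return name, None  # view matched but holds no A record for the name
    return None, None
```

resolve() returns (view, A record): the same name yields 192.168.1.100 for a 192.168/16 source and 10.101.1.1 for a 172.20/16 source, while a source such as 10.101.1.1 that matches neither view gets (None, None).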
2 comments:

  1. hiii..
    We have to configure Bind to map the requests for our service (example.com) to different proxy servers. Can you please suggest how to write a zone file for the same.

    Thanks

  2. Hi Shweta,

    Can you explain your scenario in a bit more detail, so that I can assist you with the zone file.
