OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Misc questionning about DNS

From: Adriaan (misc.adriaangmail.com)
Date: Wed Jan 14 2015 - 01:50:26 CST


In
https://kb.isc.org/article/AA-00874/0/Best-Practices-for-those-running-Recursive-Servers.html
one of the recommendations is to separate the two roles:

"Do not combine authoritative and recursive nameserver functions -- have
each function performed by separate server sets"

On Wed, Jan 14, 2015 at 4:10 AM, Nick Holland <nickholland-consulting.net>
wrote:

> On 01/13/15 16:26, sven falempin wrote:
> > Dear OpenBSD users,
> >
> > Recently unbound made his way in base, pushing the complex bind/named
> > out for our own good.
> >
> > I would like to internally and externally solve some domain names
> > differently (so some service are accessible from inside and outside
> > without some fancy NAT or worse), I found out 'some' call this setup a
> > 'split-dns', often use for internal mail server.
> >
> > I also found out BIND got a feature for this and internet gossip
> >
> > <<
> > Unbound doesn't support split-horizon DNS. It's primarily meant as a
> > recursive and caching nameserver, and has only limited support for
> > serving authoritative answers.
> >>>
> >
> > Of course i imagine ran two unbound with two different IP address
> binding ....
> >
> > I feel like I am missing something.
>
> yes. you are stuck thinking like BIND.
>
> > If I want to manage my domain , shall I use bind on the 'main' server ?
>
> no. :)
>
> You are designing around a BIND "feature", then declaring other products
> unsuitable because they don't match the spec you designed around.
>
> Start with the basic rule: BIND's design is bad. Almost everything
> about it is wrong -- file formats, zone transfers, etc. Once you
> realize that, things get much easier. If you find an alternative
> "lacks" a "feature" of BIND, it's probably best you don't use that
> feature. Really.
>
> Read Dan Bernstein's writeups on DNS, in addition to the BIND fanboy
> stuff. Having managed a lot of DNS for a lot of domains for a few
> employers, I'm quite satisfied that Bernstein's much more right than
> wrong on DNS.
>
> There are two roles for DNS servers -- finding answers about a random
> domain, and providing answers about SPECIFIC domains. The first is
> sometimes called "Resolvers", the second is sometimes called an
> authoritative server. BIND mushed those two roles together stupidly,
> and people have been stuck thinking like that for decades now. Separate
> them in your head.
>
> unbound is the resolver, nsd is the authoritative server.
>
> Want to find answers for your user's DNS queries? That's unbound, the
> resolver. That's the only thing users talk to. Resolution is pretty
> complicated, not the kind of code you want to trust too blindly.
>
> Want to answer authoritatively about a domain? That's the authoritative
> server...but you should never ask an authoritative server about anything
> other than what they are authoritative for. Authoritative servers are
> relatively simple -- you ask a question, they either have the answer
> right there ready to give you, or they don't, but it all boils down to
> question, a single lookup, respond. No need to talk elsewhere for info.
>
> Keep in mind, one computer can have LOTS of separate IP addresses to
> connect server processes to (don't forget you got all of 127.0.0.0/8!).
> You also have lots of ports you can connect services to, and on an
> OpenBSD box, you have PF which can direct traffic from exposed ports and
> IP addresses to internal ones. You seem to be uncomfortable with the
> idea of running multiple servers...why? Your box is quite capable of
> multi-tasking!
>
> You can also have one BIG cache on a resolving server, and a bunch of
> minimal resolvers that act as message routers to either the big caching
> resolver or authoritative servers.
>
> So...assuming you really want to put internal and external DNS on the
> same box (not a really good idea), you can put NSD with your internal
> info on 127.0.0.2, NSD with external info on 127.0.0.1, and unbound on
> your internal facing NIC, configured to refer your internally hosted
> domains to 127.0.0.2. External queries for your authoritative server
> get redirected to 127.0.0.1...and the outside world never touches your
> resolver.
>
> Why would you want the outside world touching your internal DNS servers
> anyway? Talk about an unneeded hole in the firewall. If you are doing
> enough with DNS that you need to host your own external authoritative
> server, you can justify a couple old computers for that. Otherwise, I'd
> suggest letting your registrar handle your dns for you.
>
> Design your network properly, it gets really easy -- all my internal
> systems are in the zone "in.nickh.org", my local DNS resolver knows to
> pass *.in.nickh.org to my local authoritative server, the rest is
> resolved as "normal".
>
> Nick.