LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 08-31-2006, 12:13 PM   #1
JF1980
LQ Newbie
 
Registered: Mar 2003
Posts: 26

Rep: Reputation: 15
Question Bind configuration for multiple sub-domains on multiple sites


Hi there, let me first describe our network layout. We have our main office network of 192.21.x.x with machines configured to live on domain.com--we then have international offices running as 192.41.x.x/ch.domain.com , 192.85.x.x/hkg.domain.com , 192.97.x.x/dbx.domain.com

Each site has it's own gateway running bind (as well as VPN links) being the master of it's own subdomain.

This works great on a per site basis, so for example the mail server in Switzerland may be called mail.ch.domain.com an internally on the Swiss site that will resolve to 192.41.0.1 -- great, and as far as internet based requests go, anything on ch.domain.com will resolve to the router IP of the Swiss site (where the router will direct traffic depending on type, source etc). So where is the issue? Lets say we have an internal web server on the main site, 192.21.0.100 / internal.domain.com -- if a user in the Swiss office types internal.domain.com in their web browser it trys to access that address via the internet rather than resolving it internally (therefore access is denied).

I suppose we could run all DNS from the main office but then takes away the resilience (e.g. if any one site falls over the other sites continue to run). The only interim solution I have found (and tested on one site it seems without problems) is to have the branch site running it's own subdomain as the master, and then to have domain.com and other subdomains of domain.com running as slaves. This works well on the one site where I ran a pilot, but I'm concerned that this may be seen as sloppy or have consequences of which I am not aware.

I'm hoping some DNS guru's can give their opinions. If possible I would like to avoid completely restructuring the companies DNS configuration as overall it works (and if it's not broken don't fix it!).

I hope that all made sense and look forward to some replys.
 
Old 08-31-2006, 01:38 PM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
I would create forward statements in named.conf for each of those domains on each remote dns server. Then add two views; one view for public internet use and another view to allow permission only for the static network addresses that you have.

In the named.conf of each server you can create the zone definition with an file declaring the SOA and at the bottom of the zone definition simply add:

zone "ch.domain.com {
...
...
forward {192.41.0.1;} ;
};

That way if someone in dbx.domain.com tries to query

mainprinter.ch.domain.com

then it will forward that query to the assigned dns server for that zone. Since the local zone file will be empty then it will alwasy forward there. Make sure you setup the views with the correct permission.
 
Old 08-31-2006, 01:55 PM   #3
JF1980
LQ Newbie
 
Registered: Mar 2003
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks, I'll need to read up on views because I have never heard of them

Is there an inherrent problem with the method I described? I thought one bonus with it would be that even if the DNS service on a site went down, the other sites could still resolve machines on that site using their cached slave zones?
 
Old 08-31-2006, 02:28 PM   #4
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
The 5th edition of BIND/DNS by Cricket is out. It just came out a few months ago. I would highly recommend it.

Views allow you to set different permissions according to the network addresses. This is useful when you want branch offices to be able to query intranet servers. For further security you can use DNSSEC with key encryption. You can then create a separate public view for everybody else that may need to access only your public mail and web server, for example.

Instead of using forward {} statement as I described above you can also create slave servers. Additionally, you can colocate two slave servers on separate colocations as the central servers for all your company domains and then have all your unresolved queries for your domains point to them.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Bind/DNS with multiple domains, one IP dmarkow Linux - Networking 1 12-18-2003 01:07 PM
Multiple Apache Sites, on Multiple IP's, on Same Box?? RickyJ Linux - General 1 06-19-2003 11:55 AM
Multiple Apache Sites, on Multiple IP's, on Same Box?? RickyJ Linux - Software 0 06-19-2003 10:50 AM
RH 8.0 Multiple domains brif8 Linux - Networking 3 01-27-2003 07:08 PM
Multiple Domains? cic Linux - Networking 2 01-23-2002 07:38 AM


All times are GMT -5. The time now is 07:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration