
JF1980 08-31-2006 11:13 AM

Bind configuration for multiple sub-domains on multiple sites
Hi there, let me first describe our network layout. We have our main office network of 192.21.x.x with machines configured to live on then have international offices running as 192.41.x.x/ , 192.85.x.x/ , 192.97.x.x/

Each site has its own gateway running bind (as well as VPN links) being the master of its own subdomain.

This works great on a per-site basis, so for example the mail server in Switzerland may be called an internally on the Swiss site that will resolve to -- great, and as far as internet based requests go, anything on will resolve to the router IP of the Swiss site (where the router will direct traffic depending on type, source etc). So where is the issue? Let's say we have an internal web server on the main site, / -- if a user in the Swiss office types in their web browser it tries to access that address via the internet rather than resolving it internally (therefore access is denied).

I suppose we could run all DNS from the main office but then that takes away the resilience (e.g. if any one site falls over the other sites continue to run). The only interim solution I have found (and tested on one site, it seems without problems) is to have the branch site running its own subdomain as the master, and then to have and other subdomains of running as slaves. This works well on the one site where I ran a pilot, but I'm concerned that this may be seen as sloppy or have consequences of which I am not aware.

I'm hoping some DNS gurus can give their opinions. If possible I would like to avoid completely restructuring the company's DNS configuration as overall it works (and if it's not broken don't fix it!).

I hope that all made sense and look forward to some replies.

ramram29 08-31-2006 12:38 PM

I would create forward statements in named.conf for each of those domains on each remote dns server. Then add two views; one view for public internet use and another view to allow permission only for the static network addresses that you have.

In the named.conf of each server you can create the zone definition with a file declaring the SOA and at the bottom of the zone definition simply add:

    // the sub-domain name and the forwarder address were not preserved in the post;
    // the angle-bracket values are placeholders for them
    zone "<sub-domain>" {
        type forward;
        forwarders { <that site's DNS server IP>; };
    };

That way if someone in tries to query then it will forward that query to the assigned dns server for that zone. Since the local zone file will be empty then it will always forward there. Make sure you set up the views with the correct permission.

JF1980 08-31-2006 12:55 PM

Thanks, I'll need to read up on views because I have never heard of them :newbie:

Is there an inherent problem with the method I described? I thought one bonus with it would be that even if the DNS service on a site went down, the other sites could still resolve machines on that site using their cached slave zones?

ramram29 08-31-2006 01:28 PM

The 5th edition of BIND/DNS by Cricket is out. It just came out a few months ago. I would highly recommend it.

Views allow you to set different permissions according to the network addresses. This is useful when you want branch offices to be able to query intranet servers. For further security you can use DNSSEC with key encryption. You can then create a separate public view for everybody else that may need to access only your public mail and web server, for example.

Instead of using the forward {} statement as I described above you can also create slave servers. Additionally, you can colocate two slave servers on separate colocations as the central servers for all your company domains and then have all your unresolved queries for your domains point to them.
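A worked named.conf that puts ramram29's suggestions together (two views, a forward zone for one remote sub-domain and a slave zone for another), added here as an example rather than taken from either poster. The domain names example.com, ch.example.com, hq.example.com and uk.example.com, the server addresses and the /16 masks are assumptions, since the thread's real names were not preserved.

```conf
// Added example (not the posters' config): BIND 9 named.conf for the Swiss
// site's gateway. Assumed names/addresses: company zone example.com, Swiss
// sub-zone ch.example.com (master here), hq.example.com mastered at
// 192.21.0.1, uk.example.com mastered at 192.85.0.1, internal networks as
// /16 prefixes of the ranges quoted in the thread.

acl "internal" {
    127.0.0.1;
    192.21.0.0/16;   // main office
    192.41.0.0/16;   // this site
    192.85.0.0/16;
    192.97.0.0/16;
};

// Private view: answers internal names and recurses for internal clients.
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    // This site's own sub-domain: authoritative master.
    zone "ch.example.com" {
        type master;
        file "/etc/bind/db.ch.example.com";
        allow-transfer { "internal"; };
    };

    // Head-office sub-domain, option A: forward queries to its server.
    zone "hq.example.com" {
        type forward;
        forward only;
        forwarders { 192.21.0.1; };
    };

    // Third site, option B: slave copy, still answerable from the local
    // copy of the zone if that site's link or DNS server is down.
    zone "uk.example.com" {
        type slave;
        masters { 192.85.0.1; };
        file "/var/cache/bind/db.uk.example.com";
    };
};

// Public view: only public-facing data, no recursion for outsiders.
view "public" {
    match-clients { any; };
    recursion no;
    zone "ch.example.com" {
        type master;
        file "/etc/bind/db.ch.example.com.public";
    };
};
```

Once any view is declared, BIND requires every zone to sit inside a view; `named-checkconf` catches that and other syntax slips before a reload.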
