Split horizon is the ability for a DNS server to give a different answer to a query based on the source of the query. A common use case is using the same DNS server for internal and external queries. When your DNS is publicly available, you really don't want to enable recursion to the outside world, but internally it can be handy. Besides security, there are also cases where resolving a certain name needs to return an internal IP, while externally that IP is useless and it's better to return something else.

One way to accomplish the above scenario would be to set up two DNS servers: one to use internally, another that is public. This works fine but creates a lot of administrative overhead, not to mention that having slave servers would require another two machines.

Set up split horizon

Split horizon allows you to have only one DNS server, with or without a slave, that replies differently based on some condition (usually the source of the request). To set up split horizon with bind, we will use ACLs and views. In this example, I'm assuming that a basic knowledge of bind exists, and I will use the example that was set up in a previous post about master/slave DNS.

What we would like to create is two different answers for some zones, based on the source IP of a request. So if a host with an IP in the subnet 192.168.202.0/24 (let's call that internal) queries our DNS, it should be returned an internal IP address as the answer. When the same query is initiated by a machine outside that subnet (let's call that external), the DNS server should return another IP address. Some zones should return the same information for internal and external IPs.

As a first step, we will create the split horizon master DNS. Taking the previous example (from the previous post), we will use zone blaat.test, which will be different for internal and external, and zone miauw.test, which will be common to internal and external. For now we will ignore the slave and correct the configuration of the slave later to avoid too much complexity. We'll start by changing our /etc/nf drastically. To avoid the need to maintain duplicate zone information for zones that are equal regardless of where the request came from, we will import the zone configuration for all zones.

Split-brain or split-horizon DNS provides different information about the contents of a DNS zone based on the location from which the DNS query originates. For example, a DNS query for the host might return a public IP address for a host on the internet and a private IP address for hosts on the organization's internal network. Organizations that use a public DNS zone name, such as, for their organization's internal host names, perhaps even using it with their organization's Active Directory instance, generally have to configure what is known as split-brain DNS. In the past, some organizations would deploy separate DNS servers hosting different copies of the same zone to achieve a split-brain configuration. A DNS server on the perimeter network, or even hosted at the ISP, would host the version of the zone that returned hostnames with public IP addresses. A DNS server on an internal network would host a version of the zone with all hostname mappings to the IP addresses that should be returned to internal clients.
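The configuration the plan above describes, written out as an added example rather than the post's own file: one ACL for the internal subnet, two views selected by source address, blaat.test served from a different zone file in each view, miauw.test imported into both views from one shared file, and recursion enabled only for internal clients. The directory, the zone file names and the path of the included common-zones file are assumptions; the slave is left out, as the post does at this step.

```conf
// Added example, not the post's own configuration: /etc/named.conf for a
// split-horizon BIND master. Assumed: named's working directory is
// /var/named; zone file names and the include path are placeholders.
options {
    directory "/var/named";
    // Recursion is decided per view below; keep the global default closed.
    recursion no;
    allow-query { any; };
};

// Source addresses treated as "internal". localhost lets the server itself
// (and local troubleshooting tools) receive the internal answers.
acl "internal" {
    192.168.202.0/24;
    localhost;
};

// Views are tried in order; the first one whose match-clients matches the
// source address of the query answers it.
view "internal" {
    match-clients { internal; };
    recursion yes;                  // recursion only for internal clients
    allow-recursion { internal; };

    // blaat.test differs per view: this copy holds the private addresses.
    zone "blaat.test" {
        type master;
        file "internal/blaat.test.zone";
    };

    // miauw.test is identical for everyone, so it is imported, not copied.
    include "/etc/named.common-zones.conf";
};

view "external" {
    match-clients { any; };         // everything not caught by "internal"
    recursion no;                   // never recurse for the outside world

    // Same zone name, different file: this copy holds the public addresses.
    zone "blaat.test" {
        type master;
        file "external/blaat.test.zone";
    };

    include "/etc/named.common-zones.conf";
};

// ---- separate file: /etc/named.common-zones.conf (assumed path) ----
// Zones that answer the same way regardless of where the query came from.
// Any other zone the server must know about (root hints, localhost zones
// from the distribution's default config) belongs in here too, because
// once views are used BIND refuses to start with a zone outside a view.
zone "miauw.test" {
    type master;
    file "miauw.test.zone";
};
```

Check the syntax with named-checkconf before reloading, then query blaat.test once from a host in 192.168.202.0/24 and once from outside it (dig @server blaat.test) and confirm the two answers differ while miauw.test answers identically; a recursive query from outside should be refused. One caveat for the slave step the post defers: zone transfers and NOTIFY messages are also matched against views by source address, so a slave would only ever see one copy of blaat.test unless the views are told apart by something other than the address, typically a TSIG key listed in match-clients.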