mixgal

Reputation: 11

Need Bind9 architecture advice

I need your advice for a DNS architecture.

DNS architecture proposal

In my company, every desktop/laptop is configured with the DNS of the LAN (10.1.1.1), which is a Microsoft AD/DNS that I don't have control over. The other DNS servers are Bind9, where I am admin. My purpose is to add other DNS servers for new projects (in a separate network) without changing anything on the laptops or on the LAN DNS, and of course I want developers' laptops (in the LAN) to be able to query and receive answers for the FQDNs of those new projects.

From the DNS (FQDN) point of view, there is ONE domain (project.com) and MANY sub-domains (subX.project.com), and each sub-domain is in a separate network. Example: on each VLAN, I will have a web server and I want it to answer to its DNS sub-domain:

So, my understanding of Bind9 leads me to think that the LAN DNS server (10.1.1.1) can forward requests to the project DNS server (10.100.1.1), and the project DNS can forward requests to the sub-project DNS servers (10.200.1.1 / 10.250.1.1).

Finally, all VMs of a network can resolve public FQDNs if the zone DNS forwards their requests to the upper-level DNS. I just want to restate that I don't have control over the main DNS (in the LAN).

Below, you will find the named.conf.options file which represents the architecture described in the schema:

// project DNS (10.100.1.1): queried by the LAN DNS and by the sub-project DNS servers,
// forwards everything it is not authoritative for to the LAN DNS
options {
    allow-query     { 127.0.0.1; 10.1.1.1; 10.1.1.2; 10.200.1.1; 10.200.1.2; 10.250.1.1; 10.250.1.2; 10.100.1.0/24; };
    recursion yes;
    notify yes;
    allow-transfer { 10.100.1.2; }; // the slave
    forwarders {
        10.1.1.1;
        10.1.1.2;
    };
};

// sub-project DNS (10.200.1.1): forwards to the project DNS
options {
    allow-query     { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.200.1.0/24; }; // queries from VMs in this network and DNS from upper zone
    recursion yes;
    notify yes;
    allow-transfer { 10.200.1.2; };
    forwarders {
        10.100.1.1;
        10.100.1.2;
    };
};

// sub-project DNS (10.250.1.1): forwards to the project DNS
options {
    allow-query     { 127.0.0.1; 10.100.1.1; 10.100.1.2; 10.250.1.0/24; }; // queries from VMs in this network and DNS from upper zone
    recursion yes;
    notify yes;
    allow-transfer { 10.250.1.2; };
    forwarders {
        10.100.1.1;
        10.100.1.2;
    };
};

What do you think about this architecture? Do you see any drawbacks, mistakes or misunderstandings?

Regards.

Upvotes: 1

Views: 146

Answers (1)

madacoda

Reputation: 404

You will want to start by taking control of the 'first hop DNS servers'.

  • Create DNS forwarders that you control (bind)
  • Map out every zone in your environment, and their authoritative nameservers
  • Create Forwarded zones in Bind, for each zone/subzone and send it to the IP of the authoritative nameserver

Next, make sure all your DNS traffic is directed to your 'first hop DNS servers'.

This means updating any DHCP server options, as well as all statically configured DNS IPs on servers.

Lastly, build a process such that any time a new zone or subzone is added to the environment, it also gets added to your 'first hop servers' as an additional forwarded zone.

Note: You can do all of this without making any changes to the Windows DNS servers.

Upvotes: 0
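As an added example (not the poster's or the answerer's configuration), here is a named.conf for the 'first hop' resolver the answer describes, placed at 10.100.1.1 as in the question, with one forward zone per sub-domain instead of a single chain of global forwarders. The sub-domain names sub1/sub2, the "trusted" ACL and the zone file path are assumptions.

```conf
// Added example: first-hop resolver at 10.100.1.1 (assumed names marked below).
acl "trusted" {
    127.0.0.1;
    10.1.1.0/24;      // LAN clients, once DHCP points them at this server
    10.100.1.0/24;    // project network
    10.200.1.0/24;    // sub1 network
    10.250.1.0/24;    // sub2 network
};

options {
    directory "/var/cache/bind";
    recursion yes;
    // Tie recursion and cache access to the same ACL as queries, so the
    // server cannot become an open resolver if allow-query is widened later.
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
    allow-transfer    { 10.100.1.2; };   // the secondary only
    // Anything not matched by a more specific zone below goes to the LAN DNS,
    // which still serves public names and the Active Directory zones.
    forwarders { 10.1.1.1; 10.1.1.2; };
    forward only;
};

// This server remains authoritative for the parent domain (file path assumed).
zone "project.com" {
    type master;
    file "/etc/bind/db.project.com";
    allow-transfer { 10.100.1.2; };
};

// One forward zone per sub-domain, pointing at its authoritative servers.
// Adding a new sub-project means adding one more block like these.
zone "sub1.project.com" {               // assumed name
    type forward;
    forward only;
    forwarders { 10.200.1.1; 10.200.1.2; };
};

zone "sub2.project.com" {               // assumed name
    type forward;
    forward only;
    forwarders { 10.250.1.1; 10.250.1.2; };
};
```

Run `named-checkconf` before reloading, and verify the chain from a LAN client with `dig @10.100.1.1 host.sub1.project.com` and a public name to confirm both paths resolve.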
