Thursday, July 31, 2014

DNS internal root

A DNS internal root is a DNS configuration in which the organization runs its own authoritative servers for the root zone ".". These internal root servers sit inside the organization's network, behind the firewall, and are authoritative only for the internal top-level domains delegated from that root. Their configuration mimics that of the public root zone (and of the root hints that point at it), but it references only internal servers and internal top-level domains.

Using an internal root is more flexible and more secure than extensive forwarding: queries for internal names start at the internal root and never need to reach the public root servers, so internal names do not leave the network, and a new internal domain is added by delegating it once in the root zone rather than by adding a forwarding rule on every resolver.
It also scales better than a growing set of forwarders.

As an example, assume that:

  • The internal DNS domain is business.corp.
    The company's name is Business Corp.
     
  • The following networks are used:
    • 192.168.0.0/16    (branch offices)
    • 10.0.0.0/8        (headquarters)
       
  • The internal root servers are:
    • A.business.corp
    • B.business.corp
    • C.business.corp
    • D.business.corp 
       
  • The top-level (below root) internal servers are:
    • NS00.business.corp
    • NS01.business.corp
    • NS02.business.corp
    
The internal root zone file, conventionally called db.root, could be:
   
;
;       Business Corp.
;
;       Internal DNS root and domains.
;       last update:    July 31, 2014.
;

$TTL 1d

; The owner name "." is written once, on the SOA record; the NS records
; that follow it have no owner field and therefore inherit ".".

.  IN  SOA  A.business.corp.  hostmaster.business.corp.  (
            1    ; serial
            3h   ; refresh
            1h   ; retry
            1w   ; expire
            1h ) ; negative caching TTL

; The internal root servers.

   IN  NS  A.business.corp.
   IN  NS  B.business.corp.
   IN  NS  C.business.corp.
   IN  NS  D.business.corp.

; The internal root servers' addresses. These are glue records: the
; names sit below the business.corp. delegation, so the root zone must
; carry their A records itself or nobody can reach the root servers.

A.business.corp.    IN  A  10.0.0.10
B.business.corp.    IN  A  10.0.0.20
C.business.corp.    IN  A  10.0.0.30
D.business.corp.    IN  A  10.0.0.4

; The internal domains and their authoritative servers.

business.corp.            IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.

; Glue is needed for NS00..NS02 as well: they are named inside the very
; zone (business.corp.) they serve, so a resolver that follows the
; delegation has nowhere else to learn their addresses. Add one A record
; per server here (their addresses are not given in this post).

10.in-addr.arpa.          IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.

168.192.in-addr.arpa.     IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.

; End of File.
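The glue requirement is easy to check mechanically. What follows is an added example, not code from the original post: a small Python 3 parser for the subset of master-file syntax that db.root uses ($TTL, SOA, NS, A), run over an inline copy of the zone above, which reports every NS set whose servers are named inside the zone they serve but have no address record in this file. On the zone as posted it flags NS00 through NS02 under business.corp.; in practice named-checkzone . db.root performs the same class of integrity check before the zone is loaded.

```python
"""Added example: find delegations in a root zone whose name servers need
glue but have none. Not code from the original post."""
import re
from collections import defaultdict

# Constructed inline copy of the db.root shown above (comments dropped;
# D.business.corp. kept at 10.0.0.4 exactly as in the post).
DB_ROOT = """\
$TTL 1d
.  IN  SOA  A.business.corp.  hostmaster.business.corp.  (
            1    ; serial
            3h   ; refresh
            1h   ; retry
            1w   ; expire
            1h ) ; negative caching TTL
   IN  NS  A.business.corp.
   IN  NS  B.business.corp.
   IN  NS  C.business.corp.
   IN  NS  D.business.corp.
A.business.corp.    IN  A  10.0.0.10
B.business.corp.    IN  A  10.0.0.20
C.business.corp.    IN  A  10.0.0.30
D.business.corp.    IN  A  10.0.0.4
business.corp.            IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.
10.in-addr.arpa.          IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.
168.192.in-addr.arpa.     IN  NS  NS00.business.corp.
                          IN  NS  NS01.business.corp.
                          IN  NS  NS02.business.corp.
"""

TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def _fq(name, origin):
    """Lower-case a name and make it fully qualified relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def _logical_lines(text):
    """Strip ';' comments and fold parenthesised multi-line records."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(buf[0] + " " + " ".join(l.strip() for l in buf[1:]))
            buf = []
    return out


def parse_zone(text, origin="."):
    """Parse the master-file subset used by db.root ($TTL, SOA, NS, A/AAAA).
    Returns [(owner, rtype, rdata_tokens)]; owners and NS targets are
    lower-case and fully qualified; a record with no owner field inherits
    the owner of the previous record, as in the file format."""
    records, owner = [], None
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue  # $TTL / $ORIGIN directives do not affect this check
        if line[0].isspace():
            rest = line.strip()
        else:
            owner, rest = line.split(None, 1)
        if owner is None:
            raise ValueError("record without an owner name: " + line)
        tokens = rest.replace("(", " ").replace(")", " ").split()
        # optional class and TTL fields may precede the record type
        while tokens and (tokens[0].upper() == "IN" or TTL_RE.fullmatch(tokens[0])):
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "NS":
            rdata = [_fq(rdata[0], origin)]
        records.append((_fq(owner, origin), rtype, rdata))
    return records


def _in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def check_delegations(records):
    """Return {zone: [name servers missing glue]} for every NS set whose
    servers are named inside that zone but have no A/AAAA record here.
    A referral to such a server cannot be followed: the resolver would have
    to ask the very zone it is trying to reach for the server's address."""
    have_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    ns_sets = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "NS":
            ns_sets[owner].append(rdata[0])
    missing = {}
    for zone, servers in ns_sets.items():
        bad = [ns for ns in servers if _in_zone(ns, zone) and ns not in have_address]
        if bad:
            missing[zone] = bad
    return missing


if __name__ == "__main__":
    for zone, servers in check_delegations(parse_zone(DB_ROOT)).items():
        print(f"{zone}: missing glue for {', '.join(servers)}")
    # prints: business.corp.: missing glue for ns00.business.corp., ns01.business.corp., ns02.business.corp.
```

The root's own NS set passes because A through D have A records in the file; the in-addr.arpa delegations pass because their servers live in business.corp., not in the reverse zones, so a resolver can look them up through the business.corp. delegation instead. Only business.corp. is reported, which is exactly the delegation that needs glue.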
  
Naturally, NS00 through NS02 further delegate as necessary.
In this particular case, /etc/named.conf on the root servers has:

options {
  recursion no;
};

zone "." in {
  type master;
  file "db.root";
};

Note that recursion is an options (or view) statement, not a zone statement; placing "recursion no;" inside the zone block is a configuration error that named rejects. Disabling recursion is the right choice here: an internal root server is authoritative only and must answer with referrals, never resolve names on behalf of clients. Check both files with named-checkconf and named-checkzone . db.root before reloading.


NOTE
Not all of the root servers need to be master for the "." zone.
As usual, at least one of them must be; the others can be slaves that transfer the zone from it.
Other internal DNS servers (the recursive resolvers) must use these internal root servers, through their root hints, instead of the public root.
These specifics are covered in another post: internal DNS servers.
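As an added example (not from the post), the zone statements for that split: A.business.corp. stays master for "." and B, C and D hold slave copies transferred from it. The addresses are the ones listed in db.root above; the slave's file name is an assumption.

```conf
// Same on all four root servers: authoritative only, and no host may
// transfer a zone unless a zone statement says otherwise.
options {
    recursion no;
    allow-transfer { none; };
};

// --- On A.business.corp. (master for ".") ---
// Only the three other root servers may pull the zone; they are notified
// when the serial changes.
zone "." in {
    type master;
    file "db.root";
    notify yes;
    allow-transfer { 10.0.0.20; 10.0.0.30; 10.0.0.4; };   // B, C, D
};

// --- On B, C and D (slaves for ".") ---
// "db.root.slave" is an assumed file name, not one from the post.
zone "." in {
    type slave;
    file "db.root.slave";
    masters { 10.0.0.10; };                                 // A.business.corp.
};
```

Restricting allow-transfer to the secondaries' addresses (and, better still, signing the transfers with TSIG keys) keeps the complete internal zone map from being pulled by any host that can reach port 53 on a root server.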