Solved Domain with public and private address: best practices?

rigoletto@

Developer
Hi.

I have a registered domain (let's call it example.org) and until now I've just used it with private addresses and one subdomain (cloud.example.org) with a public address.

The private addresses are set on my home server using dns/nsd and the public one at my registrar.

I do use dns/unbound as resolver, and these are the stub-zones:

Code:
stub-zone:
    name: "example.org."
    stub-addr: 10.0.1.11@53
    stub-addr: 10.0.1.12@53

stub-zone:
    name: "0.10.in-addr.arpa."
    stub-addr: 10.0.1.11@53
    stub-addr: 10.0.1.12@53
stub-zone:
    name: "cloud.example.org."
    stub-host: dns1.register.com
    stub-host: dns2.register.com

I will use many more subdomains with public addresses, and I do not want to have to add a stub-zone for each of those subdomains, nor set private addresses at the registrar's DNS server or anything like that (I do not want them leaking).

What do you recommend to accomplish that? :-/

Thanks!
 
Why do you need "example.org" to be inside your network?
The best way is to have two separate domains for inside and outside: "example.local" and "example.org". If you need some single sign-on from inside and outside to work, then you need to set up a split-horizon DNS configuration where you create a stub zone for each static host that must be resolved with its local address from inside and with its public address from outside, and then forward all other subdomains to the public DNS at "dns1.register.com".

If you don't want to use "example.local" for inside, then the other option is to have a subdomain for all local computers, for example "private.example.org", and place them inside this subdomain; then you can forward all other subdomains to the public DNS at "dns1.register.com".

For example, you have "ftp.example.org" with two NICs and you want to access it by the same hostname when you are inside the LAN and when you are on the Internet. So you need this hostname to be resolved differently when you are inside the LAN and outside. To do this you create a stub-zone "ftp.example.org" on your internal DNS where you put an A record with the internal IP address of "ftp.example.org", and you create another A record on the public DNS "dns1.register.com" with the public IP address for "ftp.example.org". That way, when you are inside your LAN, ftp.example.org will be resolved to its local IP address, and when you are outside the network it will be resolved from the public DNS to its public IP address.
 
This is why Bind provides views, which would be my recommendation. Of course I'm talking about a situation where you'd actually host the domains yourself...

First I set up a view called IntraNet, in which I also include all the local domain and IP specifications. Specifically I use:

Code:
view IntraNet {
        match-clients { localhost; intranet; };
        allow-transfer { unicron; key intranet.lan; };
        notify no;

I also have a view called InterNet which provides global access. So the idea is that this specific view is only usable from the internal LAN.

Now, for a real domain in "mirror mode" I'm using a specific setup:

Code:
        zone mydutchdomain.nl {
                type master;
                file "/usr/local/etc/namedb/master/mydutchdomain.lan";
        };

This file contains nothing more than:
Code:
$TTL 24h
$ORIGIN mydutchdomain.nl.
$INCLUDE /usr/local/etc/namedb/master/zone.lan

Whereas zone.lan contains the actual data to "mirror" the domain:
Code:
@       IN      SOA     ns.intranet.lan. hostmaster.intranet.lan. (
        201803291       ; Serial
        1H              ; Refresh
        15              ; Retry
        1w              ; Expire
        3h              ; Negative cache TTL
)
;
        IN      NS      ns1.intranet.lan.
        IN      NS      ns2.intranet.lan.
        IN      MX      10 smtp.intranet.lan.
;
@       IN      A       10.0.0.5
*       IN      A       10.0.0.5

As a direct result I can now use the domains in two ways. Whenever I'm inside the LAN which hosts the domains, those names resolve to the internal local IP (10.0.0.5), while from the outside the real IPs are used. I've really come to favor this way of working. Of course, as said, it helps that I'm hosting the domains myself, so there is not much extra work involved here.

For your situation I can't help wondering if /etc/hosts can't help. If you only need to override specific addresses, then just add them to the local hosts file and the system will do the rest.
 
Some domains of mine are also split for private and public use, and I manage this all within unbound.conf(5), thanks to the transparent option of the local-zone directive.
man unbound.conf said:
transparent
If there is a match from local data, the query is answered.
Otherwise if the query has a different name, the query is
resolved normally.
If the query is for a name given in
localdata but no such type of data is given in localdata,
then a noerror nodata answer is returned. If no local-zone
is given local-data causes a transparent zone to be created
by default.

So you could place the following in your unbound.conf:
Code:
...
local-zone: "example.com" transparent
local-data: "local-service1.example.com IN A 10.0.0.1"
local-data: "local-service2.example.com IN A 10.0.0.2"
local-data: "local-service3.example.com IN A 10.0.0.3"
...
local-zone: "0.0.10.in-addr.arpa" static
local-data: "1.0.0.10.in-addr.arpa IN PTR local-service1.example.com"
local-data: "2.0.0.10.in-addr.arpa IN PTR local-service2.example.com"
local-data: "3.0.0.10.in-addr.arpa IN PTR local-service3.example.com"
...

No need to set up dns/nsd; just add a few lines to the resolver config.

I also have a public service running on the internet gateway, and in this case the public IP is resolved for the local clients as well, and I leave it to NAT on the gateway to take care of this.
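As an added example (not code from any poster in this thread), the following Python script renders the transparent local-zone/local-data lines described above for a host list, including the static reverse zones with PTR records, and also scans a public zone file for RFC 1918 addresses so that private addresses are caught before they are published at the registrar. The host names, addresses and the sample zone are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample host list: LAN-only services that must resolve to
# private addresses from inside and never appear in the public zone.
LAN_HOSTS = {
    "local-service1.example.com": "10.0.0.1",
    "local-service2.example.com": "10.0.0.2",
    "nas.example.com": "10.0.1.20",
}

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed public zone file as it might be uploaded to the registrar.
PUBLIC_ZONE = """\
$ORIGIN example.com.
@       IN  A   203.0.113.10     ; public web front-end
cloud   IN  A   203.0.113.11
nas     IN  A   10.0.1.20        ; mistake: private address published
"""


def unbound_split_horizon(domain, hosts):
    """Render unbound.conf lines: a transparent zone with A records for the
    LAN hosts (other names fall through to normal resolution) plus one static
    reverse zone per /24 holding the matching PTR records."""
    lines = [f'local-zone: "{domain}" transparent']
    reverse = defaultdict(list)
    for name, ip in sorted(hosts.items()):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in PRIVATE_NETS):
            raise ValueError(f"{name}: {ip} is not an RFC 1918 address")
        lines.append(f'local-data: "{name} IN A {ip}"')
        o = ip.split(".")
        rzone = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
        reverse[rzone].append(f'local-data: "{o[3]}.{rzone} IN PTR {name}"')
    for rzone in sorted(reverse):
        lines.append(f'local-zone: "{rzone}" static')
        lines.extend(reverse[rzone])
    return lines


def find_private_leaks(zone_text):
    """Return (owner, ip) pairs for A records pointing at RFC 1918 space.
    Simplified zone parsing: comments stripped, first token taken as owner."""
    leaks = []
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if len(tokens) < 2 or tokens[-2] != "A":
            continue
        try:
            addr = ipaddress.ip_address(tokens[-1])
        except ValueError:
            continue
        if any(addr in net for net in PRIVATE_NETS):
            leaks.append((tokens[0], tokens[-1]))
    return leaks
```

Feed the output of unbound_split_horizon() into unbound.conf and run find_private_leaks() over every zone file before pushing it to the registrar.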
 
lebarondemerde, I've wondered about this at various times also; thanks for making the thread.

Those who have already responded are more educated in this area than I am. But I'll describe how I roll just for the heck of it.

I choose my LAN addresses from RFC 1918, and my LAN domain name from one of the reserved single-letter second level domain names.

Today, my internal addresses are in 192.168.32.0/24, and my internal domain name is h.net.

I really like those reserved single-letter domains 'cause their shortness makes 'em stand out visually against Internet-facing domains.

Then, I have a pair of jails running BIND (a master and a slave) for h.net. These have recursion enabled and aren't accessible from the Internet.

I also have another pair of jails running BIND (another master and slave) for all of my Internet-facing domains. One of these jails runs on my main computer at home, and the other runs on a DigitalOcean VM supposedly located in New York.

Neither of these Internet-facing BIND instances has recursion enabled (actually, I did make the mistake of turning that on a few years ago, and quickly learned how long such a service survives on the Internet before getting hammered by abuse--about a day hahaha).
 
Hi.

Sorry for the late reply, but the VladiBG, ShelLuser, and obsigna posts are all perfectly applicable, and I was waiting to tell which solution I chose, but I actually didn't choose one. For now I will go with obsigna's, because that would be the quickest to do, but later I may rework everything.

Thanks! :)
 