
DNS architecture configuration in a split network

I'm currently configuring DNS in my network with Bind9.

This network is split into VLANs and should have 2 DNS zones: an internal zone (internal servers, users VLAN...) and an external zone (DMZ).

Of course, the DNS mustn't give internal records to an external request.

I have just configured my DNS master (storing external and internal records) in the "internal servers" VLAN and I'm asking myself how to deal with this problem:

-> My DNS master will not reply to an external request since it is in the internal zone (though 802.1Q is enabled), even for external records. Is that right?

-> My DNS mustn't be in the DMZ.

-> If I configure a slave in the DMZ to manage the external zone, which would only store external records, then I have to configure another slave to replicate the master (so 3 servers...).

Initially I just planned to configure 2 servers: a master and a slave which would just be a full replica.

Am I missing something? Is there any better solution?

The architecture that you will follow depends on what you want to serve and where (internal clients, external, or both).

In general, yes, you need internal DNS servers; these will have at least all the necessary entries for your internal network.

As for the servers in the DMZ, who will have access to them and from which path? If you need access to them from the internal network directly through the firewall, it makes sense to have entries for them also in your internal DNS servers.

If you also serve from servers in the DMZ to external users, you have two solutions: either you declare them in public DNS if the external users are from the Internet, or you should have another DNS server in your DMZ.

The key point here is to think about who will visit your server and from which path; then it will become kind of obvious how you will configure DNS for them.
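As an added example (not part of the question or the answer above), here is how the "who asks, from which path" decision maps onto a BIND9 configuration. It uses BIND's views so that the single master in the internal-servers VLAN can hold both record sets while answering internal clients from the full zone and everyone else, including a slave placed in the DMZ, from the DMZ-only zone. The network ranges, the DMZ slave address 192.0.2.53, the zone name example.com and the file paths are assumptions chosen for the example.

```conf
// Added example, not from the original post. Assumed addressing:
//   10.10.0.0/16  users and internal-server VLANs
//   192.0.2.53    the slave that lives in the DMZ
acl "internal-nets" {
    10.10.0.0/16;
    127.0.0.0/8;
};

acl "dmz-slave" {
    192.0.2.53;
};

options {
    directory "/var/cache/bind";
    recursion no;               // authoritative by default; opened per view below
    allow-transfer { none; };   // deny zone transfers unless a zone says otherwise
};

// First matching view wins, so the internal view must come first.
// Internal clients see the full record set and may recurse through this server.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-recursion { "internal-nets"; };

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";  // internal + DMZ records
        allow-transfer { none; };   // the internal copy never leaves this view
    };
};

// Everything else (DMZ hosts, the firewall, the Internet) sees only the DMZ records.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";  // DMZ/public records only
        allow-transfer { "dmz-slave"; };  // only the DMZ slave may replicate this copy
    };
};
```

Two practical checks after loading this: `named-checkconf` validates the syntax, and `dig @<master> example.com AXFR` run once from an internal host and once from the DMZ slave should succeed only from the slave and return only the external zone, while a query for an internal-only name from the DMZ should return NXDOMAIN. Because a secondary receives whatever zone the view it falls into holds, the DMZ slave in this layout is automatically a replica of the external data only, which is the "slave that just stores external records" the question describes; a full replica of the internal zone would need a second secondary whose address is matched by the internal view.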
