{"id":188,"date":"2023-09-12T16:28:10","date_gmt":"2023-09-12T19:28:10","guid":{"rendered":"https:\/\/vargolino.com\/wp\/?p=188"},"modified":"2023-09-12T16:28:10","modified_gmt":"2023-09-12T19:28:10","slug":"how-to-override-dns-for-private-networks-with-bind-rpz","status":"publish","type":"post","link":"https:\/\/vargolino.com\/wp\/?p=188","title":{"rendered":"How to override DNS for private networks with BIND RPZ"},
"content":{"rendered":"\n<p>In our private network we have services that are served to the internet and should also be used by the users sitting inside the network (physically or via VPN). We have a main DNS server at a cloud provider that serves service.example.com pointing to our firewall's internet-facing address, and an internal DNS server that duplicates all the same records except service.example.com, which points to the address reachable from inside the private network.<\/p>\n\n\n\n<p>This arrangement causes some maintenance trouble, because every time we add a new domain to the main DNS we also need to duplicate that entry on the internal server.<\/p>\n\n\n\n<p>Some time ago I looked up how to solve this a little more elegantly and found out about the response policy zone (RPZ) feature in BIND. With this setup the internal server only needs entries for the domains that must resolve differently inside our private network, without duplicating all the other entries.<\/p>\n\n\n\n<p>Step-by-step<\/p>\n\n\n\n<p>Configure a response-policy in the <code>options<\/code> block:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>options {\n  &#91;...]\n  response-policy { zone \"rpz\"; };\n};<\/code><\/pre>\n\n\n\n<p>Create the zone you referenced in the response-policy (<code>\"rpz\"<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zone \"rpz\" {\n  type master;\n  file \"rpz.db\";\n};<\/code><\/pre>\n\n\n\n<p>Then populate the zone file it references (<code>\"rpz.db\"<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$TTL 300\n@    IN SOA localhost. root.localhost. (\n          2023091201  ; serial\n          86400       ; refresh, seconds\n          7200        ; retry, seconds\n          3600000     ; expire, seconds\n          86400       ; minimum, seconds\n)\n\n@        IN NS dns.google.\n\n; owner names are relative to the zone origin, so write the full domain name here without a trailing period\nproduction.example.com   IN A 192.168.0.10\ndev.example.com          IN A 192.168.0.10\n\nbad.ads.example.com      IN A 127.0.0.1\nevil.domain.example.com  IN A 127.0.0.1<\/code><\/pre>\n\n\n\n<p>Reload the configuration and you should be good to go.<\/p>\n\n\n\n<p>References:<br><a href=\"https:\/\/www.redpill-linpro.com\/sysadvent\/2015\/12\/08\/dns-rpz.html\">https:\/\/www.redpill-linpro.com\/sysadvent\/2015\/12\/08\/dns-rpz.html<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/dnsrpz.info\/\">https:\/\/dnsrpz.info\/<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>In our private network we have services that are served to the internet and should also be used by the users sitting inside the network (physically or via VPN). We have a main DNS server at a cloud provider that serves service.example.com pointing to our firewall's internet-facing address, and an internal DNS &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/vargolino.com\/wp\/?p=188\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to override DNS for private networks with BIND RPZ&#8221;<\/span><\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[26,7],"class_list":["post-188","post","type-post","status-publish","format-standard","hentry","category-solution","tag-dns","tag-howto","entry"],
"_links":{"self":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=188"}],"version-history":[{"count":2,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions\/190"}],"wp:attachment":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}