Syncing dns setup across multiple vyos units?

Hi.
I’m doing some game planning on setting up internal dns for our company networks and have a couple of questions. Currently the vms use the vyos routers for dns queries. The vyos router is set up as a recursive dns server. Up to this point, there has not been any centrally managed dns infrastructure on the internal side, it was do what’s needed via host files. Now we want to use split horizon dns and set up names for all the servers.
There are 3 sites linked together via vpn and the dns names should be available on all 3 sites.
So my question is,

  • how can we sync the dns config on the vyos routers?
  • is the above method the best way to do it? Or should we be spinning up dedicated dns servers and then use forwarding? But that still doesn’t take care of the sync need, as each site's router will still need to know what to forward.
  • is there something i’m missing here?

Split dns is not a problem for single sites, I can just set up static host mappings for the records we need. It’s the multi-site config that’s got me stumped.

Any thoughts are much appreciated.

I would have BIND at each site. Designate one as the primary to have the primary copy of the zone file and configure the others as secondaries. I’d use VyOS to link each site and then redirect all DNS queries to the site-respective BIND server so you don’t have to change any client configuration.

Are they physically separate sites? It also sounds like you’d like the clients to update their DNS records as well?

You will do your normal internal DNS via typical means (e.g. active directory+dns or stand-alone DNS servers).
After that you forward only the internal domains to these new DNS servers,
but keep the normal resolution on the VyOS forwarders.
Now you manage your domains on the master server.

You will need to make sure that negative answers are not cached; I had a lot of problems because of this the other day.

So let me make sure I have this straight. According to @syncer and @bcstechdept above, I should run separate standalone dns servers at each site for my internal dns and then forward the internal domains via a dns forwarding setting in vyos? Do I have that correct? I’m new to internal domain management, so please excuse what is probably a newbie question.
Another question, is it best to run a separate domain for internal sites? like internal.lan for the local domain instead of something like internal.io which would be resolvable on the net?

For some context i’ll answer a couple questions above.

> Are they physically separate sites?

Yes, they are 3 separate sites, for the same company and therefore should probably be on the same domain.

> You will do your normal internal DNS via typical means (e.g. active directory+dns or stand-alone DNS servers)

And herein is the issue: there is no normalized internal dns, that’s what this is supposed to accomplish. We don’t use active directory, we’re a completely linux-based operation.
This is why I hardly even know what I’m asking for.

All thoughts and suggestions are greatly appreciated.

I think you have it correct. I’d set up standalone DNS servers to handle however you want your internal domain to be laid out. You don’t necessarily need one at each site, but it would certainly help if the links between the sites ever go out. Then point VyOS at the DNS server(s).

Current best practice is to have the internal domain be different than the public-facing one; it will save you a lot of DNS headache. You don’t necessarily have to use “internal.lan”, you could use something akin to “corp.internal.io”.
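To tie the answers above together, here is an added example of what the VyOS side of that design looks like for one site: forward only the internal zone (and its reverse zone) to the site's BIND server with the other site's server as fallback, keep normal recursion for everything else, and stop the router from holding on to negative answers while a secondary is still catching up. This is not from the original thread; the addresses and the zone name are constructed placeholders, and the syntax is VyOS 1.3-style (newer releases may spell the per-domain forwarder `name-server` instead of `server`, so check `set service dns forwarding domain ?` on your version).

```vyos
# Constructed example for site A. 10.1.0.53 = site A BIND secondary,
# 10.2.0.53 = site B BIND primary, 10.1.0.1 = site A router LAN address.
configure

# Only the internal zone is forwarded to BIND; everything else still
# resolves through the router's own recursion as before.
set service dns forwarding domain corp.internal.io server 10.1.0.53
set service dns forwarding domain corp.internal.io server 10.2.0.53

# Forward the site's reverse zone too, so PTR lookups for internal
# addresses never leak to the public tree.
set service dns forwarding domain 1.10.in-addr.arpa server 10.1.0.53
set service dns forwarding domain 1.10.in-addr.arpa server 10.2.0.53

# Listen only on the LAN side and answer only internal clients.
set service dns forwarding listen-address 10.1.0.1
set service dns forwarding allow-from 10.0.0.0/8

# Do not cache NXDOMAIN/NODATA: a secondary that has not yet transferred
# a new record would otherwise poison the router's cache for an hour.
set service dns forwarding negative-ttl 0

commit
save
```

Repeat the same block on the other routers with their own site addresses; the zone content itself lives only on the BIND primary and reaches the secondaries by zone transfer, so the routers never need to be kept in sync by hand.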

Thanks for all the responses here. I think my questions have been answered in the vyos context. I have more questions, about dns but it would be off topic for this forum as it no longer really relates to vyos.

Thanks all for the help.
