DNS Infrastructure: #1 Overview

Here’s an Overview about the setup I’ve built.

Involved systems

  • dns1.ip-minds.eu — Primary Slave
  • dns3.ip-minds.eu — Hidden Master
  • dns-de1.ip-minds.eu — Failover Resolver
  • dns2.ip-minds.eu — Secondary Slave
  • dns-de2.ip-minds.eu — Failover Resolver
  • dns-cache.ip-minds.eu — Primary Resolver

Involved software

Overview

Authoritatives

dns3.ip-minds.eu acts as master for the slaves dns1.ip-minds.eu and dns2.ip-minds.eu which both are publicly advertised as authoritative nameserver. dns3.ip-minds.eu is a so-called hidden-master and not publicly advertised.

Bad internet DNS traffic/attacks will therefore only reach dns1.ip-minds.eu and dns2.ip-minds.eu. A hidden master increases security and reliability. All three nameservers use BIND9 as DNS software.

Resolving

dns-de1.ip-minds.eu and dns-de2.ip-minds.eu are resolving/caching nameservers. Additionally a resolver dns-cache.ip-minds.eu is available.

Since dns-cache.ip-minds.eu contains a bigger sized cache and is shared with another company it is used primarily to benefit from its cache. dns-de1.ip-minds.eu and dns-de2.ip-minds.eu are failover resolvers which jump in if dns-cache.ip-minds.eu serves too many queries or if dns-cache.ip-minds.eu is down. All resolvers use Unbound.

Hosts

Every host has dnsdist installed which is configured to accept dns queries from the host itself and its virtual machines. Those dns queries are forwarded to dns-cache.ip-minds.eu. In case dns-cache.ip-minds.eu reached the configured queries per seconds limit or has an outage the queries are forwarded to dns-de1.ip-minds.eu and dns-de2.ip-minds.eu.

Virtual Systems

All virtual machines have configured their host as primary nameserver in resolv.conf.

Resources

No Comments

Post a Comment