Here's an overview of the setup I've built.
- dns1.ip-minds.eu — Primary Slave
- dns3.ip-minds.eu — Hidden Master
- dns-de1.ip-minds.eu — Failover Resolver
- dns2.ip-minds.eu — Secondary Slave
- dns-de2.ip-minds.eu — Failover Resolver
- dns-cache.ip-minds.eu — Primary Resolver
dns3.ip-minds.eu acts as master for the slaves dns1.ip-minds.eu and dns2.ip-minds.eu, which are both publicly advertised as authoritative nameservers. dns3.ip-minds.eu is a so-called hidden master and is not publicly advertised (it is listed neither in the NS records nor in the delegation). Unwanted internet DNS traffic and attacks therefore only reach dns1.ip-minds.eu and dns2.ip-minds.eu. A hidden master increases security and reliability: the only server that holds the editable zone data is never exposed to direct queries, and the public slaves keep answering from their copy of the zone if the master is unreachable. All three nameservers use BIND9 as DNS software.
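The following named.conf fragments show the hidden-master pattern just described for BIND9. They are an added example and not the configuration from the setup above; the addresses (192.0.2.1-3), the key name, the placeholder secret and the file paths are assumptions, and the zone name is taken from the hostnames. The security-relevant points are that the master only accepts transfers that are signed with the TSIG key and only notifies the slaves it is told about, and that the public slaves refuse to hand out the zone at all.

```conf
// --- named.conf on the hidden master dns3.ip-minds.eu (assumed 192.0.2.3) ---

// TSIG key shared with the slaves. Placeholder secret for this example;
// generate a real one with `tsig-keygen xfer-key`.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ=";
};

// The two public slaves (assumed addresses).
acl "slaves" { 192.0.2.1; 192.0.2.2; };

options {
    directory "/var/cache/bind";
    recursion no;                       // authoritative only, no open resolver
    notify explicit;                    // notify only also-notify targets, not the NS set
    also-notify { 192.0.2.1; 192.0.2.2; };
    allow-transfer { none; };           // no AXFR unless a zone enables it explicitly
    allow-query { slaves; localhost; }; // slaves need SOA queries for refresh checks
};

zone "ip-minds.eu" {
    type master;
    file "/etc/bind/zones/ip-minds.eu.zone";
    allow-transfer { key "xfer-key"; }; // only TSIG-signed transfers, regardless of source IP
};

// --- named.conf on the public slaves dns1.ip-minds.eu / dns2.ip-minds.eu ---

key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ=";  // same placeholder as above
};

options {
    directory "/var/cache/bind";
    recursion no;
    allow-transfer { none; };           // the public servers never hand out the zone
};

zone "ip-minds.eu" {
    type slave;
    file "/var/cache/bind/ip-minds.eu.zone";
    masters { 192.0.2.3 key "xfer-key"; }; // sign refresh and AXFR requests to the hidden master
};
```

Check it with `named-checkconf` on both sides and then `dig @192.0.2.1 ip-minds.eu AXFR` from an unrelated host, which must be refused; `rndc notify ip-minds.eu` on the master should trigger a transfer that the slaves log as signed with `xfer-key`. Because the slaves' `masters` entry carries the key, the same key also authenticates the NOTIFY from an address that is not in the NS set.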
dns-de1.ip-minds.eu and dns-de2.ip-minds.eu are resolving/caching nameservers. Additionally, a resolver dns-cache.ip-minds.eu is available. dns-cache.ip-minds.eu has a larger cache and is shared with another company; it is used primarily to benefit from that cache. dns-de1.ip-minds.eu and dns-de2.ip-minds.eu are failover resolvers which step in if dns-cache.ip-minds.eu serves too many queries or if dns-cache.ip-minds.eu is down. All resolvers use Unbound.
Every host has dnsdist installed, configured to accept DNS queries only from the host itself and its virtual machines. Those queries are forwarded to dns-cache.ip-minds.eu. If dns-cache.ip-minds.eu has reached the configured queries-per-second limit or has an outage, the queries are forwarded to the failover resolvers dns-de1.ip-minds.eu and dns-de2.ip-minds.eu instead. All virtual machines have their host configured as primary nameserver in resolv.conf.
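A dnsdist configuration that implements the per-host forwarding just described, as an added example (not the configuration of the setup above). The listen addresses, the VM network 10.0.0.0/24, the host's bridge address 10.0.0.1, the resolver addresses and the 2000 qps cap are assumptions. The failover behaviour comes from dnsdist's `firstAvailable` policy: it hands each query to the lowest-`order` backend that is up and under its `qps` limit, so dns-cache gets everything until it is over its limit or fails its health checks, and only then do the failover resolvers see traffic.

```lua
-- /etc/dnsdist/dnsdist.conf on a VM host (example, assumed addresses)

-- Listen only where the host and its VMs can reach us, never on a public address.
setLocal("127.0.0.1:53")
addLocal("[::1]:53")
addLocal("10.0.0.1:53")          -- host address on the VM bridge (assumption)

-- Accept queries only from the host itself and its VMs; everything else is dropped.
setACL({"127.0.0.0/8", "::1/128", "10.0.0.0/24"})

-- Primary resolver: the shared cache, capped at an assumed 2000 qps from this host.
-- With firstAvailable, exceeding qps makes dnsdist fall through to the next order.
newServer({address="203.0.113.10:53", name="dns-cache", order=1, qps=2000})

-- Failover resolvers: same order, so they share the overflow/outage traffic.
newServer({address="198.51.100.11:53", name="dns-de1", order=2})
newServer({address="198.51.100.12:53", name="dns-de2", order=2})

-- Pick the first backend (by order) that is up and under its qps limit.
setServerPolicy(firstAvailable)

-- Health checks decide "up": mark a backend down after 2 failed probes
-- and bring it back after 3 successes, so a single lost probe does not flap.
for _, s in ipairs(getServers()) do
  s:setAuto()
end
setMaxUDPOutstanding(65535)

-- Refuse anything that slipped past the ACL for other query classes/types we do not serve.
addAction(QTypeRule(DNSQType.AXFR), RCodeAction(DNSRCode.REFUSED))
```

Two caveats a practitioner should keep in mind. The `qps` cap is enforced per dnsdist instance, so with N hosts the shared cache can still receive up to N times the limit; size the cap accordingly. And the health-check probe dnsdist sends by default (an A query for a.root-servers.net.) must succeed on the failover resolvers as well, otherwise they are marked down and the "failover" path is never taken; `showServers()` in the dnsdist console shows the state and per-backend query counts for verification.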