Take the following setup:
- I run a private network behind a NAT router
- Systems on the private network can connect to any resource on the Internet and hence need DNS name resolution for any Internet resource
- I own a domain (say, `example.com`) which has resources out on the Internet and a name server managed by the provider.
- The provider manages public resources and may update DNS records to reflect changes. That is, the `MX` for `example.com` might point to a different server tomorrow, or the IP address for `www.example.com` might change overnight, without me getting notified.
- I want to use the same domain for resources on my internal network; internal resources are on a subdomain (e.g. `fileserver.internal.example.com`). However, I do not want to expose these DNS records to the Internet.
The last item means I need to run my own DNS server internally, and have it answer queries for my zone. However, I need to ensure queries for any public resources are answered by the provider’s DNS servers.
So far I have been using the DNS Forwarder feature in pfSense, which does just what I need. I can add records for internal systems (or even have the DHCP server insert them automatically for any lease it grants), which will be returned if the DNS server gets a request for any of them. Any other requests will get forwarded to the respective external name server.
Now I am trying to accomplish the same with a Linux server, possibly using BIND. I am envisioning a setup like the following:
- Configure BIND to operate in recursive/caching mode, as an ISP DNS would.
- Set it up to be the authoritative name server for `internal.example.com`.
- Configure RRs for internal systems in the `internal.example.com` zone.
Would this work as intended, given that nobody in the outside world knows about the `internal.example.com` zone? Does BIND give preference to any zones for which it is authoritative (rather than trying to locate it by querying the root zone first), or can it be configured to do that?
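The setup described in the question, written out as an added example (not configuration from the original post): a `named.conf` that makes BIND a recursive resolver for the private network and authoritative for `internal.example.com` only, plus the matching zone file. BIND answers any name inside a zone it is authoritative for from that zone's data and never recurses for it, so it does not matter that the outside world has no delegation for the subdomain; names in `example.com` that are not under `internal.example.com` are outside any local zone and are resolved recursively (or via forwarders) through the provider's public name servers, so the `MX` and `www` records stay current. The file paths, the `10.0.0.0/8` network, the addresses and the serial are assumptions for illustration.

```conf
// /etc/named.conf  (assumed path; adjust for your distribution)
options {
    directory "/var/named";

    // Recursive/caching resolver, but only for the private network.
    // Keeping allow-query restricted is what keeps the internal zone
    // off the Internet: nobody outside can ask this server anything.
    recursion yes;
    allow-query     { localhost; 10.0.0.0/8; };
    allow-recursion { localhost; 10.0.0.0/8; };

    // Optional: forward everything this server is not authoritative for
    // to the upstream resolvers instead of iterating from the root hints.
    // forwarders { 192.0.2.53; };
    // forward only;
};

// Authoritative for the internal subdomain ONLY. Do not also declare an
// "example.com" zone here: that would make named answer every example.com
// name from local data and the provider's public records would no longer
// be consulted.
zone "internal.example.com" IN {
    type master;
    file "internal.example.com.zone";
    allow-transfer { none; };
};

; /var/named/internal.example.com.zone  (assumed path)
$TTL 3600
$ORIGIN internal.example.com.
@            IN SOA  ns1.internal.example.com. hostmaster.internal.example.com. (
                         2024010101 ; serial (assumed)
                         3600       ; refresh
                         900        ; retry
                         1209600    ; expire
                         300 )      ; negative-cache TTL
@            IN NS   ns1.internal.example.com.
ns1          IN A    10.0.0.53   ; this BIND server (assumed address)
fileserver   IN A    10.0.0.10   ; internal host (assumed address)
```

To check that the preference works as expected, run `named-checkconf -z /etc/named.conf` to validate both files, then `dig @127.0.0.1 fileserver.internal.example.com` should come back with the `aa` (authoritative answer) flag set and the address from the zone file, while `dig @127.0.0.1 www.example.com` should come back without `aa`, carrying whatever the provider currently publishes. One caveat: because the internal zone is not delegated from `example.com`, a client that uses any resolver other than this server will get NXDOMAIN for internal names from the provider's servers, so every internal host must point at this resolver (for example via the DHCP DNS option).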