Private DNS architecture?



  • We have servers and clients at a few locations that are tied together with site-to-site VPNs. Workloads are moving to our colo datacenter though.

    We use static IPs for everything except clients and we are not a windows shop so no AD. DNS requests are handled by a DNS resolver/cache (unbound) at each location.

    How should we handle DNS for our internal resources?
    Should we setup one or several DNS servers?

    Right now we just manually have some internal hosts configured in each DNS resolver. I guess we could replicate those around as well.



  • My first thought is that one at each site, synced together, makes the most sense.



  • How about something like this?

    If we skip DNS servers at office locations, we don't have to host them there and the resolver caches them.

    At the datacenters we could have two for redundancy. The firewalls and DNS resolver are already HA there.

    And we put our internal resources in a subdomain.

    [image: dns_architecture.png]



  • Or maybe it's enough to have DNS servers at Data Center 1?

    Or perhaps have private DNS in two subdomains? One for the Data Center 1 network which is served from DC1 and another subdomain for Data Center 2 which would have its own primary and secondary as well.



  • This all sounds very complicated. Why not use the DNS and DHCP at your datacenter and turn off all the others, and then give the routers an ip helper address config? Does your network hardware not support that?



  • @Grey said in Private DNS architecture?:

    This all sounds very complicated. Why not use the DNS and DHCP at your datacenter and turn off all the others, and then give the routers an ip helper address config? Does your network hardware not support that?

    @Grey It may very well be too complicated. At the same time it has to be fast, robust and the parts have to be able to work independently if a VPN link goes down.

    I'm not exactly sure what you mean with your suggestion. IP helper address is for forwarding LAN broadcasts to other LANs. Do you mean that we should use DHCP in the datacenter and forward that to the other locations?

    Also, just to clarify the DNS resolver is inside the firewall so no extra hardware for that. From the point of the clients, a resolver works like a forwarder but it's smarter.



  • BTW, I think below is what @scottalanmiller had in mind.

    As always, the secondary DNS servers will sync their records from the primary DNS (authoritative).

    [image: dns_architecture2.png]
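    As an added example (not from any poster in this thread), this is what the layout in the diagram looks like from one office resolver: unbound keeps doing full recursion for everything else and only sends the internal subdomain to the authoritative primary in DC1 and secondary in DC2. The zone name, addresses and LAN ranges are assumed placeholders.

```conf
# Added example: unbound.conf fragment for ONE office resolver.
# Assumed placeholders:
#   internal zone    corp.example.internal
#   DC1 primary      10.1.0.53
#   DC2 secondary    10.2.0.53
#   company ranges   10.0.0.0/8 (offices, VPNs and data centres)
server:
    # Only answer clients on the company ranges; refuse everything else.
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # If the VPN to the data centres drops, keep answering from cache with
    # the last known records (up to one day) instead of returning SERVFAIL.
    serve-expired: yes
    serve-expired-ttl: 86400

    # The internal zone is not DNSSEC-signed, so exclude it from validation.
    domain-insecure: "corp.example.internal"
    domain-insecure: "10.in-addr.arpa"

    # Internal answers legitimately carry RFC 1918 addresses. Without
    # private-domain, unbound's rebinding protection would drop them.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example.internal"

    # unbound ships 10.in-addr.arpa as a built-in "static" local zone that
    # answers NXDOMAIN; disable that so the reverse stub below is used.
    local-zone: "10.in-addr.arpa." nodefault

# Forward zone lookups for the internal subdomain go straight to the
# authoritative servers in the data centres. unbound tries both, prefers
# the faster one, and caches the results locally.
stub-zone:
    name: "corp.example.internal"
    stub-addr: 10.1.0.53
    stub-addr: 10.2.0.53
    stub-prime: no

# Reverse lookups for the internal ranges stay inside the company too.
stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 10.1.0.53
    stub-addr: 10.2.0.53
    stub-prime: no
```

    Run `unbound-checkconf` after editing; it catches the common mistake of a stub zone whose name does not match the `private-domain` and `domain-insecure` entries, which otherwise shows up as silently dropped internal answers.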



  • @Pete-S said in Private DNS architecture?:

    @Grey said in Private DNS architecture?:

    This all sounds very complicated. Why not use the DNS and DHCP at your datacenter and turn off all the others, and then give the routers an ip helper address config? Does your network hardware not support that?

    @Grey It may very well be too complicated. At the same time it has to be fast, robust and the parts have to be able to work independently if a VPN link goes down.

    I'm not exactly sure what you mean with your suggestion. IP helper address is for forwarding LAN broadcasts to other LANs. Do you mean that we should use DHCP in the datacenter and forward that to the other locations?

    Also, just to clarify the DNS resolver is inside the firewall so no extra hardware for that. From the point of the clients, a resolver works like a forwarder but it's smarter.

    But if the vpn link is down, don't you have bigger problems than just a loss of DNS? Your DHCP settings can set a 2nd or 3rd DNS to use a public address, if you're worried that a location would lose internet access, which actually brings me back to: why is the vpn down unless the whole fucking thing is dead.
    SDWAN is what you need to look at here, with reliable vpn at the edge routers, not some bullshit dns/dhcp that's going to make management more difficult when things actually break.



  • @Pete-S said in Private DNS architecture?:

    @Grey said in Private DNS architecture?:

    This all sounds very complicated. Why not use the DNS and DHCP at your datacenter and turn off all the others, and then give the routers an ip helper address config? Does your network hardware not support that?

    @Grey It may very well be too complicated. At the same time it has to be fast, robust and the parts have to be able to work independently if a VPN link goes down.

    Ok, cut the line to the internet. Can they still function? What doesn't work? What gets cached at your app server? How much data is transferred when the line returns?
    How much actual resilience does the business need vs what they can sustain, and what's the risk? Has anyone answered these questions before?



  • @Grey said in Private DNS architecture?:

    @Pete-S said in Private DNS architecture?:

    @Grey said in Private DNS architecture?:

    This all sounds very complicated. Why not use the DNS and DHCP at your datacenter and turn off all the others, and then give the routers an ip helper address config? Does your network hardware not support that?

    @Grey It may very well be too complicated. At the same time it has to be fast, robust and the parts have to be able to work independently if a VPN link goes down.

    Ok, cut the line to the internet. Can they still function? What doesn't work? What gets cached at your app server? How much data is transferred when the line returns?
    How much actual resilience does the business need vs what they can sustain, and what's the risk? Has anyone answered these questions before?

    The diagram is simplified. It's only internal company traffic that goes over the VPN in the drawing. The data centers also serve other clients that are not connected over VPN. That's actually their primary job - they are serving customers, not just internal workloads.

    When it comes to resilience and risk, it's the data centers that have to be up and running. So they have redundant everything. The rest is just ordinary SMB stuff.

    PS. Also in the data center we are doing HA in the application layer and not the hypervisor layer. So having two DNS servers made sense to me since that will be natural HA in the application layer.

