Internal and External DNS

Issues related to configuring your network
Post Reply
ShadowKitten
Posts: 1
Joined: 2019/10/25 10:15:47

Internal and External DNS

Post by ShadowKitten » 2019/10/25 10:22:29

I have a server which requires external internet access, however our internal DNS does not resolve external addresses (as per best practice). I can ping external addresses by IP, but I cannot find a good guide on setting up an internal and external DNS.

What is the best way of doing this?

tunk
Posts: 611
Joined: 2017/02/22 15:08:17

Re: Internal and External DNS

Post by tunk » 2019/10/25 11:47:55

I don't know if it will work, but you can have
several DNS definitions in the ifcfg-file(s), e.g.:
DNS1=ip.address.internal.dns
DNS2=ip.address.external.dns

Edit: you may also look at /etc/resolv.conf

User avatar
jlehtone
Posts: 2383
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Internal and External DNS

Post by jlehtone » 2019/10/25 12:16:34

tunk wrote:
2019/10/25 11:47:55
I don't know if it will work, but you can have
several DNS definitions in the ifcfg-file(s), e.g.:
DNS1=ip.address.internal.dns
DNS2=ip.address.external.dns

Edit: you may also look at /etc/resolv.conf
The glibc isn't very efficient at resolving. It will try servers in same order and probably won't move to next if one responds.

You can configure NetworkManager to use a different resolver. Several options, including dnsmasq and systemd-resolved. Haven't tested, but supposedly anything is better than the default.

User avatar
TrevorH
Forum Moderator
Posts: 26942
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Internal and External DNS

Post by TrevorH » 2019/10/25 15:21:33

Using two different DNS servers does not work for this as the resolver ONLY checks them one at a time until one of them responds with an answer. Any answer, even if it says "dunno", and that is treated as the last and final answer.

Any DNS server on linux has to be able to answer any query, even if that means configuring a forwarder on the server. About the only thing you can do with nameservers is to rotate them so that it consults #1 for the first query, #2 for the 2nd etc and then back to #1. That's really only of use to distribute traffic as it doesn't help if one of your DNS servers only has half the answers. Whichever one it picks, it still has to answer the question it's asked. The only time it uses a second nameserver entry is if the first one fails to respond at all.

Could you perhaps point me to the best practice doc you've found about keeping internal and external nameservers separate? I can see that this is wise if you mean you need to keep your internal servers separate from the ones that the rest of internet use to resolve your own domain names to ip addresses. But I can't see how it would work if you need to resolve both internal and external names on an internal system. The DNS server you ask your questions to has to know all the answers.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

aks
Posts: 2844
Joined: 2014/09/20 11:22:14

Re: Internal and External DNS

Post by aks » 2019/10/27 18:14:56

keeping internal and external nameservers separate
Different subnets and routes I guess.

User avatar
TrevorH
Forum Moderator
Posts: 26942
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Internal and External DNS

Post by TrevorH » 2019/10/27 21:36:42

Yes but... if you have a nameserver specifed and it answers a query then it HAS to know ALL the answers. It can't just know the internal ones and think that the next nameserver will supply the missing pieces because if it answers at all then its answer is taken as the definitive one and the next nameservers will never be asked at all.

Nameservers are not connection specific. They are system wide. A nameserver is not bound to an interface, it applies to any and all interfaces on the system.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
jlehtone
Posts: 2383
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Internal and External DNS

Post by jlehtone » 2019/10/28 06:20:12

That is very true for a client that wlii ask: "Who is X?"

On the other hand a host can run a DNS server that could give different answer depending on who asks. However, it should answer all questions of all its clients. (Telling external client that internal name does not exist is a valid answer.)

Post Reply

Return to “CentOS 7 - Networking Support”